
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


AZ-500 Manage identity and access Practice Questions

20+ practice questions focused on Manage identity and access — one of the most tested topics on the Microsoft Azure Security Engineer Associate AZ-500 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Manage identity and access Questions

1.

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

A. Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
B. Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
C. Use Identity Protection's 'User risk policy' instead of Conditional Access
D. Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'

Explanation: Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for any user. Creating a second policy targeting all users with 'User risk level: Medium' and grant control 'Require multi-factor authentication' satisfies the requirement without conflicting with the existing block policy, as Conditional Access policies are combined (unless explicitly excluded).

2.

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

A. Set the activation maximum duration to 8 hours.
B. Enable approval workflow by adding the manager as an approver.
C. Require multi-factor authentication on activation.
D. Require justification on activation.

Explanation: Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the approval workflow and adding the manager as an approver ensures that the manager must approve each activation request, meeting the requirement for manager approval. Together, these two configurations satisfy both the time-bound and approval constraints.

3.

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

A. Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
B. In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
C. In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used.
D. Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.

Explanation: Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authentication context with the 'Require compliant device' grant control, you enforce device compliance specifically during role activation. This approach ensures the device compliance check is applied only when the user activates the Global Administrator role, not during regular access.

4.

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?

A. The activation approval requirement is not supported for the Global Administrator role
B. The user is a member of the approver group and is self-approving the request
C. The PIM policy has not been activated for the Global Administrator role
D. The role activation duration is set to zero, causing immediate activation

Explanation: Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not prevent self-approval by default; the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, resulting in immediate activation without any external approval.

5.

A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?

A. Trust multi-factor authentication from the partner tenant (inbound trust).
B. Trust device compliance from the partner tenant.
C. Enable a Conditional Access policy that grants access to the partner tenant.
D. Configure identity synchronization with the partner tenant.

Explanation: Option A is correct because cross-tenant access settings in Azure AD allow you to configure inbound trust for MFA from an external Azure AD tenant. When enabled, Azure AD B2B collaboration will accept the partner tenant's MFA claims, so partner users who have already satisfied MFA in their home tenant will not be prompted again when accessing your resources. This is configured under 'Cross-tenant access settings' > 'Inbound trust settings' for the specific partner tenant.


How to master Manage identity and access for AZ-500

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Manage identity and access. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Manage identity and access questions on the AZ-500 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many AZ-500 Manage identity and access questions are on the real exam?

The exact number varies per candidate. Manage identity and access is tested as part of the Microsoft Azure Security Engineer Associate AZ-500 blueprint. Practicing with targeted Manage identity and access questions ensures you can handle any format or difficulty that appears.

Are these AZ-500 Manage identity and access practice questions free?

Yes. Courseiva provides free AZ-500 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Manage identity and access one of the harder AZ-500 topics?

Difficulty is subjective, but Manage identity and access is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Manage identity and access
Exam: AZ-500
Questions available: 20+