20+ practice questions focused on Secure identity and access — one of the most tested topics on the Microsoft Azure Security Engineer Associate AZ-500 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?
Explanation: Option A is correct because the one-time passcode (OTP) authentication method in Microsoft Entra ID allows users to sign in with a temporary code sent via SMS to their mobile device, requiring no additional app or software installation. This method is specifically designed for scenarios where users cannot or should not install the Microsoft Authenticator app, such as for guest users or in bring-your-own-device (BYOD) environments. The OTP is generated by Entra ID and delivered over the mobile network, satisfying the requirement of no extra software.
Your company has a Microsoft Entra ID tenant and uses Azure AD Application Proxy to publish on-premises web apps. Users report that they are prompted for their password every time they access the app, even though they selected 'Keep me signed in'. You need to improve the sign-in experience without compromising security. What should you configure?
Explanation: Seamless Single Sign-On (SSO) for the domain integrates with Azure AD Application Proxy to automatically authenticate users against on-premises Active Directory without prompting for credentials. This eliminates repeated password prompts while maintaining security by leveraging Kerberos delegation and the user's existing domain session.
Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?
Explanation: Continuous Access Evaluation (CAE) is the correct feature because it enforces real-time access revocation based on critical events such as user behavior changes (e.g., account disablement, password change) and device posture shifts (e.g., device non-compliance). Unlike periodic token validation, CAE uses a near-real-time event-driven model via the Microsoft Entra ID event service and OAuth 2.0 token claims to immediately block access to sensitive applications when risk is detected.
You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?
Explanation: Option C is correct because the requirement is to block access from untrusted locations for all cloud apps except Microsoft Entra ID Administration. In Conditional Access, you include 'All cloud apps' to cover every app, then explicitly exclude 'Microsoft Entra ID Administration' to exempt it from the block. This ensures the policy applies broadly while honoring the exclusion.
Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?
Explanation: Option C is correct because configuring an access review with 'Auto-apply results' enabled in Microsoft Entra ID Governance allows you to automatically remove guest users who have not signed in for 90 days from the critical application's access. The access review can be set to evaluate sign-in activity and, upon completion, automatically apply the results (e.g., remove access) without manual intervention, fulfilling the requirement for automated removal.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Secure identity and access. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Secure identity and access questions on the AZ-500 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Secure identity and access is tested as part of the Microsoft Azure Security Engineer Associate AZ-500 blueprint. Practicing with targeted Secure identity and access questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free AZ-500 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Secure identity and access is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Secure identity and access practice session with instant scoring and detailed explanations.