Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Implement and manage Microsoft Entra identity and access practice sets

MS-102 Implement and manage Microsoft Entra identity and access • Complete Question Bank

MS-102 Implement and manage Microsoft Entra identity and access — All Questions With Answers

Complete MS-102 Implement and manage Microsoft Entra identity and access question bank — all 0 questions with answers and detailed explanations.

166
Questions
Free
No signup
Certifications/MS-102/Practice Test/Implement and manage Microsoft Entra identity and access/All Questions
Question 1easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A company uses Microsoft Entra ID for identity management. The security team wants to ensure that users cannot register applications in the tenant to prevent potential data leakage. Which setting should be configured?

Question 2mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use their existing on-premises passwords to log in to cloud services, while maintaining password policy enforcement on-premises. Which feature should you implement?

Question 3hardmultiple choice
Read the full NAT/PAT explanation →

A multinational company uses Microsoft Entra ID with Conditional Access policies. They have a policy that requires multi-factor authentication (MFA) for all users when accessing the company's custom SaaS application. However, users from the European branch are reporting that they are prompted for MFA every time, even though they have already authenticated via a compliant device. What is the most likely cause?

Question 4easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are configuring Microsoft Entra ID Protection. You want to automatically respond to a specific risk level by requiring the user to change their password. Which risk policy should you configure?

Question 5mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

An organization is implementing Microsoft Entra Verified ID for verifiable credentials. They want to issue credentials to employees that can be used to prove employment status to third parties. Which component must be created first?

Question 6hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and has a hybrid identity with PHS. You need to ensure that when an on-premises user account is disabled, the corresponding cloud user is also blocked from signing in within 5 minutes. What should you configure?

Question 7mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A company uses Microsoft Entra ID and has enabled self-service password reset (SSPR). Users are required to register for SSPR. Management wants to ensure that users from the HR department, who handle sensitive data, must use two methods for authentication during SSPR, while other users can use one method. What is the best way to achieve this?

Question 8hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Defender for Cloud Apps. You want to set up a policy that automatically suspends a user if they download more than 100 files from SharePoint Online within 10 minutes. Which type of policy should you create?

Question 9easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are configuring Microsoft Entra ID for a new organization. The CIO wants to ensure that all external users who are invited to collaborate via Microsoft Entra B2B must go through an approval process before gaining access. Which setting should you configure?

Question 10mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO of the following are valid authentication methods in Microsoft Entra ID that can be used as part of a Conditional Access policy? (Select two.)

Question 11hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE of the following are required to configure Microsoft Entra ID Governance for automated user provisioning to a third-party SaaS application? (Select three.)

Question 12hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO of the following are valid methods to enforce device compliance in a Conditional Access policy? (Select two.)

Question 13mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are reviewing a Conditional Access policy in JSON format. The policy is applied to all users accessing Office 365 from trusted locations. What is the intended behavior of this policy?

Exhibit

Refer to the exhibit.

{
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "locations": {
      "includeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
Question 14hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are reviewing directory settings for Microsoft 365 Groups. Based on the exhibit, which statement is true?

Exhibit

Refer to the exhibit.

PowerShell output:

Get-AzureADDirectorySetting | Select-Object *

Id                                   : 1234-...
DisplayName                          : Group.Unified
TemplateId                           : 62375ab9-...
Values                               : {[EnableGroupCreation, true], [GroupCreationAllowedGroupId, ], [UsageGuidelinesUrl, ], [ClassificationDescriptions, ], [DefaultClassification, ], [PrefixSuffixNamingRequirement, ], [CustomBlockedWordsList, ], [EnableMSStandardBlockedWords, false]}
Question 15mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

An administrator runs the Azure CLI command shown in the exhibit. What is the result of this command?

Network Topology
az ad app createdisplay-name "MyApp"sign-in-audience AzureADMultipleOrgskey-type Passwordpassword "P@ssw0rd"required-resource-accesses "[{\"resourceAppId\":\"00000003-0000-0000-c000-000000000000\"Refer to the exhibit.Azure CLI command:
Question 16easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Google or Facebook. Which identity solution should you configure?

Question 17mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. Users report that they are frequently prompted for multi-factor authentication (MFA) even after signing in successfully. You want to minimize these prompts while maintaining security. What should you configure?

Question 18hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are a Microsoft 365 administrator. Your organization uses Microsoft Entra ID and Microsoft Intune for device management. You need to ensure that only compliant devices can access corporate email via Microsoft Outlook on mobile devices. What should you configure?

Question 19easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization is implementing a hybrid identity solution. You want to synchronize on-premises Active Directory users to Microsoft Entra ID. Which tool should you use?

Question 20mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a Microsoft Entra tenant with 5,000 users. You need to delegate the ability to reset user passwords to the helpdesk team, but only for users in the Sales department. What is the most efficient way to achieve this?

Question 21hardmultiple choice
Study the full multicast explanation →

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM) to manage administrative roles. You need to ensure that when a user activates the Global Administrator role, they must provide a justification and the activation is time-bound. Additionally, you want to require approval from the security team for this activation. What should you configure?

Question 22easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are implementing Microsoft Entra Verified ID. Which technology does it use to create decentralized digital identities?

Question 23mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has enabled Microsoft Entra Domain Services (Azure AD DS). You need to ensure that legacy applications that require NTLM authentication can still authenticate against the managed domain. What should you configure?

Question 24hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You have configured Microsoft Entra Identity Governance. You need to create an access review for all guest users in the tenant to ensure their access is still required. The review should be recurring every 90 days and should auto-remove guests if they are not approved. What should you configure?

Question 25mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are configuring Microsoft Entra ID for your organization. You need to enable passwordless authentication for users. Which TWO authentication methods are passwordless and supported by Microsoft Entra ID?

Question 26hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has strict security requirements. You need to implement a Zero Trust security model. Which THREE of the following are foundational principles of Zero Trust that should be implemented?

Question 27easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID for identity management. You are planning to implement Conditional Access policies. Which TWO components are required to create a Conditional Access policy?

Question 28hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are reviewing the following Conditional Access policy JSON in Microsoft Entra ID. What does this policy do?

Exhibit

Refer to the exhibit.\n\n{\n  \"conditions\": {\n    \"users\": {\n      \"includeUsers\": [\"All\"],\n      \"excludeUsers\": [\"Admin@contoso.com\"]\n    },\n    \"applications\": {\n      \"includeApplications\": [\"All\"]\n    },\n    \"clientAppTypes\": [\"MobileAppsAndDesktopClients\"]\n  },\n  \"grantControls\": {\n    \"builtInControls\": [\"Mfa\"],\n    \"operator\": \"OR\"\n  }\n}
Question 29mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are a Microsoft 365 administrator. You run the Get-MgPolicyCrossTenantAccessPolicyDefault cmdlet and see the exhibit output. What does this configuration imply?

Exhibit

Refer to the exhibit.\n\nPowerShell Output from Get-MgPolicyCrossTenantAccessPolicyDefault:\n\nId                        : default\nB2bCollaborationInbound   : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting\nB2bCollaborationOutbound  : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyB2BSetting\nInboundTrust              : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyInboundTrust\n                           IsMfaAccepted : True\n                           IsCompliantDeviceAccepted : False\n                           IsHybridAzureAdJoinedDeviceAccepted : False\n\nAdditionalProperties      : {{}}
Question 30easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You run the Azure CLI command shown in the exhibit. What does the output represent?

Network Topology
az ad sp listdisplay-name \"Microsoft Graph\"query \"[0].appId\" -o tsvRefer to the exhibit.Azure CLI Output:Output: 00000003-0000-0000-c000-000000000000
Question 31mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and requires users to authenticate using FIDO2 security keys. You need to ensure that users can register and manage their security keys through the My Security Info portal. Which authentication method policy setting should you enable?

Question 32hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a Microsoft 365 tenant with Microsoft Entra ID. You are configuring Conditional Access policies to enforce multifactor authentication (MFA) for all users. However, you want to exclude break-glass emergency access accounts from MFA. What is the recommended best practice for managing these emergency access accounts?

Question 33easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are planning a migration from on-premises Active Directory to Microsoft Entra ID using cloud sync. You need to synchronize user passwords so that users can authenticate using their existing passwords. Which feature should you enable?

Question 34hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID Governance. You need to ensure that access reviews are automatically created for all guest users in the tenant and that reviews are sent to the guest users' managers for approval. You configure an access review policy. Which identity governance feature should you use?

Question 35mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and has a custom line-of-business application that supports SAML-based SSO. You need to configure the application to use Microsoft Entra ID as the identity provider. Which enterprise application configuration should you use?

Question 36mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires MFA for all external users. However, guest users from a partner organization are being blocked when they try to access a SharePoint Online site. You need to ensure that guest users can access the site without being prompted for MFA if they have already satisfied MFA in their home tenant. What should you configure?

Question 37hardmultiple choice
Study the full multicast explanation →

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You are implementing Privileged Identity Management (PIM) to manage access to Azure AD roles. You need to ensure that when a user activates a privileged role, the activation request must be approved by their manager and must include a ticket number. What should you configure?

Question 38easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and wants to use Microsoft's recommendation to protect against password spray attacks. Which feature should you enable?

Question 39mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires compliant devices for access to corporate resources. You need to ensure that iOS devices are compliant before accessing Exchange Online. Which Microsoft Intune policy should you configure?

Question 40hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has a hybrid identity configuration with Active Directory Federation Services (AD FS). You are migrating to cloud authentication using Pass-through Authentication (PTA). Which TWO components are required for a PTA deployment?

Question 41mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and wants to implement Identity Protection to detect risky users. Which THREE risk types can be detected by Identity Protection? (Choose three.)

Question 42easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Which TWO authentication methods are considered passwordless by Microsoft? (Choose two.)

Question 43hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to connect using Exchange ActiveSync. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "policy": {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
      "clientAppTypes": [
        "exchangeActiveSync",
        "other"
      ],
      "signInRiskLevels": [],
      "userRiskLevels": [],
      "applications": {
        "includeApplications": [
          "All"
        ]
      },
      "users": {
        "includeUsers": [
          "All"
        ]
      }
    },
    "grantControls": {
      "builtInControls": [
        "block"
      ],
      "operator": "OR"
    }
  }
}
Question 44easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Microsoft, Google, or Facebook. What should you configure?

Question 45mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company is implementing a Zero Trust security model. You need to ensure that all user access requests to corporate resources are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID feature should you use?

Question 46hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization has a hybrid identity environment with Microsoft Entra Connect. You are planning to migrate to cloud-only authentication using Microsoft Entra Cloud Sync. However, some legacy applications still require NTLM authentication. What should you do to ensure those applications can authenticate after the migration?

Question 47easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to grant a vendor access to a specific SharePoint Online site for a limited time. The vendor does not have an account in your Microsoft Entra ID. What should you use?

Question 48mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email in Microsoft 365. Which Microsoft Entra ID feature should you combine with Intune compliance policies?

Question 49hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID Governance. You need to automate the removal of access when an employee leaves the company. The identity lifecycle should trigger access reviews and automatic deprovisioning. What should you configure?

Question 50easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to prevent users from registering security information for Microsoft Entra self-service password reset (SSPR) if they are not in a specific group. What should you configure?

Question 51mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra Conditional Access. You need to block access from countries where your company does not operate. The list of blocked countries changes frequently. What is the most efficient way to manage this?

Question 52hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company is deploying Microsoft Copilot for Microsoft 365. You need to ensure that only users who have completed a specific training course can use Copilot. What should you configure?

Question 53mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID. You need to enable users to reset their own passwords without administrator intervention. Which TWO components must be configured?

Question 54hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are designing a Microsoft Entra ID governance strategy. Which THREE features should you use to implement the principle of least privilege for administrative roles?

Question 55mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company is implementing Microsoft Entra Conditional Access. You need to require multifactor authentication (MFA) for all users except those accessing from the corporate office. Which TWO components do you need?

Question 56easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and requires that all guest users must have a mobile phone number registered for authentication. You need to enforce this requirement. What should you configure?

Question 57mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and has an app named App1 that requires permissions to read all user profiles. You need to grant admin consent for App1 to read profiles without requiring each user to consent. What should you do?

Question 58hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has a custom role that grants 'microsoft.directory/applications/credentials/update' permission. A security audit reveals that a user assigned this role has modified credentials for an application. You need to prevent such actions while allowing other application updates. What should you do?

Question 59easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and wants to allow users to reset their own passwords using self-service password reset (SSPR). What is the minimum licensing required?

Question 60mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and has an application that requires users to consent to permissions. You want to allow users to consent to low-risk permissions but require admin approval for high-risk permissions. What should you configure?

Question 61hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to ensure that when a user's on-premises Active Directory account is disabled, their Microsoft Entra ID account is also disabled within 30 minutes. What should you do?

Question 62easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID. You need to ensure that users cannot reuse their last 5 passwords when changing passwords. What should you configure?

Question 63mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has an application that requires the 'User.Read.All' permission. You need to grant this permission to the application but ensure that only an administrator can consent, not users. What should you do?

Question 64hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has a custom role that includes the permission 'microsoft.directory/applications/credentials/update'. You need to create a new role that includes all permissions of the existing role except the credential update permission. What is the best approach?

Question 65mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO of the following are required to configure Microsoft Entra ID self-service password reset (SSPR) for cloud-only users? (Choose two.)

Question 66hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE of the following are valid permissions in Microsoft Entra ID custom roles? (Choose three.)

Question 67easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO of the following are features of Microsoft Entra ID Identity Protection? (Choose two.)

Question 68mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You are configuring consent for the Microsoft Graph application. Which of the following statements is true based on the JSON?

Exhibit

Refer to the exhibit.

{
  "apps": [
    {
      "appId": "00000003-0000-0000-c000-000000000000",
      "displayName": "Microsoft Graph",
      "permissions": [
        {
          "name": "User.Read.All",
          "adminConsentRequired": true,
          "userConsentPossible": false
        },
        {
          "name": "Mail.Read",
          "adminConsentRequired": false,
          "userConsentPossible": true
        }
      ]
    }
  ]
}
Question 69hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You run the PowerShell command to check the authentication method policy registration campaign. Which of the following is true?

Exhibit

Refer to the exhibit.

PS C:\> (Get-MgPolicyAuthenticationMethodPolicy).RegistrationCampaign.Email
Value   : enabled
IncludeTargets : [{"targetType":"group","id":"all_users","isSystemTarget":true}]
ExcludeTargets : []
State : enabled
Question 70easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You are configuring permissions for a daemon application that runs without a user. Which permission should you request?

Exhibit

Refer to the exhibit.

{
  "appId": "00000003-0000-0000-c000-000000000000",
  "displayName": "Microsoft Graph",
  "permissions": [
    {
      "name": "User.Read.All",
      "type": "Application",
      "adminConsentRequired": true,
      "userConsentPossible": false
    }
  ]
}
Question 71easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can access internal applications using single sign-on (SSO) without storing passwords in the cloud. Which authentication method should you implement?

Question 72mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You need to configure a conditional access policy that blocks access from devices that are not compliant with your organization's device compliance policies, as defined by Microsoft Intune. Which assignment should you configure in the policy?

Question 73hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID with P2 licenses. You need to identify and remediate users who are at risk due to leaked credentials or anomalous sign-in activity. You want to automate the response to high-risk users by requiring a password change. Which feature should you use?

Question 74easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are configuring Microsoft Entra ID to allow external users from a partner organization to access a specific SharePoint Online site. You need to ensure that the external users authenticate using their own corporate credentials and are automatically invited when they first access the resource. What should you configure?

Question 75mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the conditional access policies you have configured for data access. What should you do?

Question 76hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization has a hybrid identity deployment using Microsoft Entra Connect Sync. You need to ensure that password writeback is enabled so that users can reset their own passwords from the cloud. Which prerequisite must be met?

Question 77mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID. You need to restrict access to a critical application to only users who are in a specific security group and are signing in from a trusted location. You configure a conditional access policy with the following conditions: users (the security group), cloud apps (the critical application), conditions (locations: trusted IP ranges). However, users in the security group are still able to access the app from untrusted locations. What is the most likely reason?

Question 78easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are implementing Microsoft Entra Verified ID to issue verifiable credentials to employees for proof of employment. Which component is required to issue and verify credentials?

Question 79hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID with Application Proxy to publish on-premises web apps. Users report that they are prompted for credentials multiple times when accessing an app. You need to reduce the number of authentication prompts. What should you configure?

Question 80mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID. You need to implement a solution that allows users to sign in without a password using their smartphone. Which TWO authentication methods can be used?

Question 81hardmulti select
Study the full multicast explanation →

Your company uses Microsoft Entra ID with P2 licenses. You need to configure Privileged Identity Management (PIM) for Azure AD roles. Which THREE actions are possible with PIM?

Question 82easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID. You need to enable users to securely share documents with external partners. Which TWO features should you use?

Question 83hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. The Contoso tenant has a cross-tenant access policy configured for Fabrikam. Users from Fabrikam are unable to access resources in Contoso via B2B collaboration. What is the most likely reason?

Exhibit

Refer to the exhibit.

```powershell
Get-MgPolicyCrossTenantAccessPolicy

Id           : /policies/crossTenantAccessPolicy
DisplayName   : Default policy
DefaultPolicy : Microsoft.Graph.PowerShell.Models.MicrosoftGraphCrossTenantAccessPolicyDefault

(DefaultPolicy properties)
B2BCollaborationInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BCollaborationOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
OfficeSyncInbound        : @{AllowedTenants=}
OfficeSyncOutbound       : @{AllowedTenants=}
IsServiceDefault         : True

Get-MgPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyId "/policies/crossTenantAccessPolicy"

Id                   : /policies/crossTenantAccessPolicy/partners/contoso.com
TenantId             : contoso.com
B2BCollaborationInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BCollaborationOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectInbound : @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
B2BDirectConnectOutbound: @{AllowedIdentities=; AllowedApplications=; AllowedTenants=}
OfficeSyncInbound        : @{AllowedTenants=}
OfficeSyncOutbound       : @{AllowedTenants=}
IsServiceDefault         : False
AutomaticUserConsentSettings: @{InboundAllowed=; OutboundAllowed=}
```
Question 84mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You have created a conditional access policy as shown. Users report that they can still access cloud apps from non-compliant devices. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "displayName": "Block access for non-compliant devices",
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
    "devices": {
      "deviceStates": {
        "include": ["All"]
      }
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice"]
  }
}
```
Question 85easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You run the KQL query in Microsoft Sentinel. The query returns zero results even though you know user@contoso.com has had failed sign-in attempts in the last 30 days. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName == "user@contoso.com"
| summarize TotalAttempts = count(), FailedAttempts = countif(ResultType != 0), Locations = make_set(Location) by AppDisplayName
| where FailedAttempts > 0
```
Question 86easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Contoso uses Microsoft Entra ID P2. Users report that password reset self-service does not work. You verify that the users have the required license. What should you check next?

Question 87mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization plans to allow external users to access a SharePoint Online site using their own Microsoft Entra ID credentials. You need to ensure that external users can authenticate without creating a guest account in your tenant. Which solution should you use?

Question 88hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A company uses Microsoft Entra ID with group-based licensing. You assign a license to a group, but some members do not receive the license. There are no error messages in the audit logs. What is the most likely cause?

Question 89mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to enforce multifactor authentication (MFA) for all users in a Microsoft Entra ID tenant. The solution must not require users to register security info if they already have it. Which approach should you use?

Question 90easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

An administrator needs to grant a user the ability to reset passwords for other users in Microsoft Entra ID. Which role should be assigned?

Question 91mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra Connect Sync. You need to ensure that specific on-premises Active Directory groups are synchronized to Microsoft Entra ID. What should you configure?

Question 92hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are implementing Microsoft Entra Identity Protection. You need to configure automated responses to medium and high user risk. Which policy should you create?

Question 93easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A user is unable to sign in to Microsoft Teams because the account is locked. The administrator needs to unlock the account without resetting the password. What should the administrator do?

Question 94mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to configure Microsoft Entra ID to allow users to authenticate using their existing social media accounts. Which identity provider type should you add?

Question 95mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO permissions are required for a custom role to manage Conditional Access policies in Microsoft Entra ID?

Question 96hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE conditions can be used in a Microsoft Entra Conditional Access policy to target specific sign-in scenarios?

Question 97mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO Microsoft Entra ID features can be used to provide just-in-time (JIT) access to privileged roles?

Question 98hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE are valid Microsoft Entra ID license plans that include Identity Protection?

Question 99mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You manage an application registration in Microsoft Entra ID. The JSON shows the current state of the app's password credentials. The application is used by a daemon to acquire tokens. The certificate used for authentication expires on 2025-12-31. The application is currently using a client secret. The security policy requires rotating secrets every 6 months. What is the best course of action?

Exhibit

Refer to the exhibit.

{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "ContosoApp",
  "passwordCredentials": [
    {
      "customKeyIdentifier": "abc123",
      "endDateTime": "2025-12-31T23:59:59Z",
      "keyId": "11111111-1111-1111-1111-111111111111",
      "startDateTime": "2024-01-01T00:00:00Z",
      "secretText": null,
      "hint": "***"
    }
  ]
}
Question 100hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You run this PowerShell script to disable high-risk users. However, some high-risk users remain enabled. What is the most likely reason?

Exhibit

Refer to the exhibit.

$users = Get-AzureADUser -All $true
foreach ($user in $users) {
    $risky = Get-AzureADIdentityRiskyUser -Filter "userPrincipalName eq '$($user.UserPrincipalName)'"
    if ($risky.riskLevel -eq 'high') {
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
    }
}
Question 101mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their Google Workspace credentials without creating external identities. What should you configure?

Question 102hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A company has Microsoft Entra ID P2 licenses. They need to implement a conditional access policy that requires multifactor authentication (MFA) when accessing the Microsoft Entra admin center from a non-compliant device. However, they want to allow access from compliant devices without MFA. What is the best approach?

Question 103easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are configuring Microsoft Entra ID provisioning for a SaaS application that supports SCIM 2.0. The app requires the 'manager' attribute to be mapped. However, the manager attribute is not populated for all users. What should you do to avoid provisioning failures?

Question 104mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that the number of 'Leaked Credentials' detections is high. What action should you take to automatically remediate this risk?

Question 105hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to implement a solution that allows external partners to access specific SharePoint Online sites without creating guest user objects in Microsoft Entra ID. The partners will authenticate using their own identity provider. What should you use?

Question 106easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and wants to enforce that all users register for MFA within 14 days of account creation. Which policy should you configure?

Question 107mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You have a hybrid identity environment with Microsoft Entra ID and Active Directory Domain Services (AD DS). You need to ensure that user passwords are synchronized to Microsoft Entra ID without any hashing of passwords. Which tool should you use?

Question 108hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID P2 and has enabled Microsoft Entra ID Protection. You need to generate a weekly report of users who are at risk due to anomalous sign-in activity and send it to the security team. What is the most efficient way to achieve this?

Question 109easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A user reports that they cannot access a cloud app that requires MFA. The user's mobile phone is lost. They have no other registered MFA methods. What should the administrator do?

Question 110mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO of the following are valid conditions that can be used in a Microsoft Entra ID conditional access policy? (Choose two.)

Question 111hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE of the following are required to implement Microsoft Entra ID Identity Governance for access reviews? (Choose three.)

Question 112easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO of the following are benefits of using Microsoft Entra ID Provisioning for cloud HR applications like Workday? (Choose two.)

Question 113mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can reset their own passwords without administrator intervention, but only if they have registered for self-service password reset (SSPR). What should you configure?

Question 114hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID with hybrid joined devices. You need to enforce multi-factor authentication (MFA) for all cloud app access but want to exclude specific locations (trusted IPs). What is the most efficient way to implement this?

Question 115easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are implementing Microsoft Entra ID Governance. You need to automate the creation of guest user accounts when employees submit a request through the company's HR system. What should you use?

Question 116mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization plans to use Microsoft Entra ID as the identity provider for a third-party SaaS application that supports SAML 2.0. You need to configure single sign-on (SSO) for the application. What should you create in Microsoft Entra ID?

Question 117hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are troubleshooting an issue where users from a partner organization cannot access a shared app in your Microsoft Entra ID tenant. The partner uses Microsoft Entra ID with a custom domain. You have configured cross-tenant access settings. Which setting is most likely misconfigured?

Question 118easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization requires that all administrators use phishing-resistant authentication methods. Which Microsoft Entra ID authentication method meets this requirement?

Question 119mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are designing a Microsoft Entra ID tenant for a new subsidiary. You need to ensure that users can authenticate using their existing on-premises Active Directory credentials without synchronizing password hashes to the cloud. Which identity model should you choose?

Question 120hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that a user's sign-in was blocked due to a medium user risk. However, the user claims the sign-in was legitimate. What should you do to allow future sign-ins without lowering security?

Question 121easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to provide external partners with access to specific SharePoint Online sites without creating user objects in your Microsoft Entra ID. What should you use?

Question 122mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization is implementing a zero-trust security model. Which TWO Microsoft Entra ID features should you enable to enforce least-privilege access and continuous verification?

Question 123hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are deploying Microsoft Entra ID Governance. Which THREE capabilities should you include to meet compliance requirements for access recertification and lifecycle management?

Question 124mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID with hybrid identity. You need to ensure that when a user is disabled in on-premises Active Directory, the corresponding cloud user is also disabled. Which TWO configurations are required?

Question 125hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are reviewing a Conditional Access session control configuration in Microsoft Entra ID. Based on the exhibit, what is the expected behavior when a user signs in?

Exhibit

Refer to the exhibit.

{
  "signInFrequency": "EveryTime",
  "sessionControls": [
    {
      "applicationEnforcedRestrictions": null,
      "cloudAppSecurity": {
        "cloudAppSecurityType": "monitorOnly",
        "isEnabled": true
      },
      "persistentBrowser": null,
      "signInFrequency": {
        "type": "everyTime",
        "value": null
      }
    }
  ]
}
Question 126mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are examining the default cross-tenant access policy for your Microsoft Entra ID tenant. Based on the exhibit, which statement is true?

Exhibit

Refer to the exhibit.

PowerShell Output:
Get-MgPolicyCrossTenantAccessPolicyDefault -Default

Id                                   : default
DisplayName                          : Default policy
IsServiceDefault                     : True
B2BCollaborationInbound              : @{Applications=; UsersAndGroups=; Organizations=}
B2BCollaborationOutbound             : @{Applications=; UsersAndGroups=; Organizations=}
B2BDirectConnectInbound              : @{Applications=; UsersAndGroups=; Organizations=}
B2BDirectConnectOutbound             : @{Applications=; UsersAndGroups=; Organizations=}
InboundTrust                          : @{IsMfaAccepted=$false; IsCompliantDeviceAccepted=$false; IsHybridAzureADJoinedDeviceAccepted=$false}
Question 127hardmultiple choice
Read the full NAT/PAT explanation →

You are the identity architect for Contoso, a multinational company with 50,000 employees. Contoso uses Microsoft Entra ID with hybrid identity (PHS) and Microsoft Entra ID Protection. The company is deploying Microsoft Copilot for Microsoft 365 and wants to ensure that access to Copilot is controlled based on user risk, device compliance, and location. Additionally, the security team requires that all Copilot interactions are logged and auditable. You need to design a solution that meets these requirements with minimal administrative overhead.

Current environment: - All users are synced from on-premises AD using Microsoft Entra Connect. - Devices are either Microsoft Entra hybrid joined or Microsoft Entra registered. - Microsoft Entra ID Protection is enabled with user risk and sign-in risk policies. - Microsoft Intune is used for device compliance policies. - All users have Microsoft 365 E5 licenses.

Requirements: - Access to Copilot must be blocked for users with high user risk. - Access from untrusted locations must require MFA. - Only compliant devices can access Copilot. - All Copilot interactions must be captured in Microsoft Purview Audit (Standard).

What should you do?

Question 128mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID P2 licenses. You need to configure a Conditional Access policy that requires phishing-resistant multifactor authentication (MFA) for all users accessing sensitive applications. Which authentication strength should you select in the policy?

Question 129hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are troubleshooting why a user cannot access a SharePoint Online site. The user is assigned a Conditional Access policy that requires compliant device, and the device is enrolled in Microsoft Intune but shows as non-compliant. What is the most likely cause?

Question 130easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a hybrid identity configuration with Microsoft Entra Connect Sync. You need to enable password hash synchronization (PHS) for hybrid users. What is the prerequisite?

Question 131mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You need to ensure that users accessing Exchange Online from unmanaged devices are blocked. What should you modify in the policy?

Exhibit

{"title":"Exhibit: Conditional Access Policy JSON","content":"{\n  \"conditions\": {\n    \"applications\": {\n      \"includeApplications\": [\"Office365\"]\n    },\n    \"users\": {\n      \"includeUsers\": [\"All\"]\n    },\n    \"clientAppTypes\": [\"browser\", \"mobileAppsAndDesktopClients\"]\n  },\n  \"grantControls\": {\n    \"operator\": \"OR\",\n    \"builtInControls\": [\"mfa\", \"compliantDevice\"]\n  }\n}"}
Question 132hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID Governance. You need to implement an access review for all users who have access to a critical application. The review must be recurring every quarter and require reviewers to provide a justification for their decisions. Which access review settings should you configure?

Question 133easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are implementing Microsoft Entra Verified ID. Which identity verification method uses a decentralized identity standard?

Question 134mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID. You need to ensure that users can only access company resources from trusted networks. Which Conditional Access condition should you configure?

Question 135hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company deploys Microsoft 365 Copilot. You need to enforce that Copilot responses are based only on data within the tenant, not external sources. Which setting should you configure?

Question 136easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to configure self-service password reset (SSPR) for users in Microsoft Entra ID. Which license is required?

Question 137mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization needs to implement a Conditional Access policy that blocks access from countries where the company has no business operations. Which TWO conditions should you configure?

Question 138hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company uses Microsoft Entra ID P2. You need to configure Identity Protection to automatically remediate high-risk users. Which THREE actions can you configure?

Question 139easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are designing a tenant restriction policy using Microsoft Entra ID. Which TWO components are required?

Question 140mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the Global Administrator. The security team reports that several users have been compromised due to weak passwords. You need to implement a solution that enforces strong password policies and blocks common passwords. The solution must also provide users with the ability to reset their own passwords securely if they forget them, without requiring help desk intervention. Additionally, you need to configure risk-based Conditional Access policies to block sign-ins from anonymous IP addresses and require MFA for high-risk sign-ins. You have the following options: A. Configure password protection in Microsoft Entra ID to enforce a custom banned password list and enable self-service password reset (SSPR) with MFA. Then create Conditional Access policies for sign-in risk and anonymous IP. B. Enable password hash sync and configure pass-through authentication. Create a Conditional Access policy to require MFA for all users. C. Implement Microsoft Entra ID Protection and enable MFA registration policy. Configure password expiration to 90 days. D. Use security defaults in Microsoft Entra ID and enable automatic password rollback. Which option should you choose?

Question 141hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company, Fabrikam Inc., uses Microsoft Entra ID with hybrid identity. You have an on-premises Active Directory and use Microsoft Entra Connect Sync to synchronize users. You need to configure Microsoft Entra ID Protection to detect leaked credentials and risky sign-ins. Additionally, you must ensure that when a user is detected as high risk, their access is automatically blocked and they are required to change their password. You also need to enable password writeback so that password changes are written back to on-premises AD. You have the following options: A. Enable Identity Protection, configure user risk policy to require password change, and enable password writeback in Microsoft Entra Connect. B. Enable Identity Protection, configure sign-in risk policy to block access, and enable password hash sync. C. Configure Conditional Access policy to require MFA for all users, and enable seamless SSO. D. Deploy Microsoft Defender for Identity and configure automatic remediation. Which option should you choose?

Question 142easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization, Wingtip Toys, has a Microsoft 365 E3 tenant. You are implementing Microsoft Entra ID Governance. You need to create an access review for all guest users who have access to the company's HR application. The review must be performed by the application owner, and any denied access should be automatically removed after the review completes. You also need to ensure that if the reviewer does not respond, their access is automatically revoked. You have the following options: A. Create an access review with scope: All guest users, reviewers: Application owner, auto-apply results: Yes, action to apply if reviewers don't respond: Remove access. B. Create an access review with scope: All users, reviewers: Resource owners, auto-apply results: No, action to apply if reviewers don't respond: Keep access. C. Create an access review with scope: Group members, reviewers: Group owner, auto-apply results: Yes, action to apply if reviewers don't respond: Keep access. D. Create an access review with scope: All guest users, reviewers: Resource owner, auto-apply results: No, action to apply if reviewers don't respond: Remove access. Which option should you choose?

Question 143mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID P2 licensing. You need to ensure that when a user's risk level is detected as 'high' by Identity Protection, the user is automatically required to perform a password change during their next sign-in. Which conditional access policy configuration should you use?

Question 144hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Microsoft Entra Connect Sync to synchronize user accounts. The security team requires that all cloud-only users must be blocked from syncing to on-premises AD. What should you do to meet this requirement?

Question 145easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

A user reports they cannot access a SharePoint Online site. They receive an error stating that their account is disabled. You check Microsoft Entra ID and see the user's account is enabled. What is the most likely cause?

Question 146hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. The conditional access policy JSON shown above is applied to all users. A user authenticates from a trusted location and wants to access a cloud app. Which combination of controls will be enforced?

Exhibit

{
  "conditions": {
    "users": {
      "includeUsers": ["All"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "locations": {
      "includeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "grantControls": {
    "builtInControls": ["mfa"],
    "termsOfUse": ["termsOfUseId1"]
  },
  "sessionControls": {
    "signInFrequency": {
      "value": 1,
      "type": "hours"
    },
    "persistentBrowser": {
      "mode": "never"
    }
  }
}
Question 147easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You need to allow external users from a specific partner organization to access a SharePoint Online site using their own Microsoft Entra ID credentials. Which feature should you configure?

Question 148mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID P2. You want to automatically remediate high-risk users by requiring them to change their password. However, you also want to allow users to self-remediate if they believe the risk detection is false positive. What should you implement?

Question 149mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO actions can you perform using Microsoft Entra ID Governance? (Choose two.)

Question 150hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE are valid methods to protect against password spray attacks in Microsoft Entra ID? (Choose three.)

Question 151easymulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which TWO are prerequisites for implementing Microsoft Entra ID Identity Protection? (Choose two.)

Question 152hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Which THREE are features of Microsoft Entra ID Governance? (Choose three.)

Question 153hardmultiple choice
Read the full NAT/PAT explanation →

You are the identity administrator for Contoso Ltd., a multinational company with 10,000 employees. The company uses Microsoft Entra ID P2 licenses for all users. The security team has mandated the following requirements: 1) All users must use multi-factor authentication (MFA) when accessing any cloud app from untrusted networks. 2) Users who are detected as high risk by Identity Protection must be automatically blocked from signing in until an administrator reviews the risk. 3) Guest users from partner organizations must have their access reviewed every 90 days. 4) The IT department must be able to grant temporary administrative access to specific roles for up to 4 hours without requiring approval from a manager. You need to design a solution that meets all requirements with minimal administrative effort. Which combination of actions should you take?

Question 154mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization, Fabrikam Inc., uses Microsoft Entra ID with a hybrid identity configuration. You have 500 cloud-only users and 5,000 synced users from on-premises Active Directory. The company wants to implement a passwordless authentication strategy. The following requirements must be met: 1) All users must be able to sign in without a password on Windows 10/11 devices that are Microsoft Entra joined. 2) Users who are not assigned a mobile phone must be able to use a security key (FIDO2). 3) The solution must work for both cloud-only and synced users. 4) The passwordless method should require the lowest administrative overhead for enrollment. Which passwordless authentication method should you recommend?

Question 155easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company, Northwind Traders, uses Microsoft Entra ID P1. You need to allow employees to reset their own passwords without help desk intervention. The company policy requires that password resets be secured with two verification methods. Additionally, users must not be able to reuse the last 10 passwords. The solution must minimize administrative effort. What should you configure?

Question 156mediummultiple choice
Read the full NAT/PAT explanation →

Your organization, Contoso, has a Microsoft Entra ID tenant with 50,000 users. You are implementing a zero-trust security model. The following requirements must be met: 1) All access to SaaS applications must be restricted based on user, device, and location. 2) Users accessing from unmanaged devices must only be allowed browser-based access and must accept terms of use. 3) The IT team must be able to grant temporary access to the Global Administrator role for up to 8 hours. 4) All external users must have their access reviewed every 6 months. Which combination of Microsoft Entra features should you use?

Question 157hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company, Alpine Ski House, uses Microsoft Entra ID P2. You have the following requirements: 1) Users in the Finance department must be required to use MFA when accessing the financial application, but only if they are not on the corporate network. 2) All users must be automatically blocked if Identity Protection detects their account as compromised (high user risk). 3) You need to ensure that the password change process after a high-risk detection does not allow users to reuse the last 5 passwords. 4) The solution must minimize false positives and allow users to self-remediate if they believe a risk detection is incorrect. Which configuration should you implement?

Question 158mediummulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID P2 licenses. You need to configure a Conditional Access policy that requires phishing-resistant authentication for all users when accessing the Azure Management application. Which TWO authentication methods satisfy the requirement?

Question 159hardmulti select
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company is implementing a Microsoft Entra ID Governance solution. You need to ensure that access reviews are performed for all guest users in the Finance department. The review must be conducted by the guest user's manager. Which THREE actions should you take?

Question 160mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Refer to the exhibit. You have a Conditional Access policy as shown. A Global Administrator reports that they are not prompted for MFA when accessing the Azure portal. Which is the most likely reason?

Exhibit

{
  "ConditionalAccessPolicies": [
    {
      "displayName": "Require MFA for admins",
      "conditions": {
        "users": {
          "includeRoles": ["Global Administrator", "Exchange Administrator"]
        },
        "applications": {
          "includeApplications": ["Office 365 Exchange Online", "Microsoft Azure Management"]
        }
      },
      "grantControls": {
        "builtInControls": ["mfa"]
      }
    }
  ]
}
Question 161hardmultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You need to protect a custom SaaS application that uses SAML-based SSO. The application does not support Conditional Access. You want to enforce session controls such as blocking downloads of sensitive files. What should you implement?

Question 162easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

You are troubleshooting a user who cannot sign in to Microsoft Teams. Sign-in logs show error code 53003 with additional details 'Blocked by Conditional Access'. The user is a member of a group that is excluded from the Conditional Access policy. What is the most likely cause?

Question 163hardmultiple choice
Read the full NAT/PAT explanation →

Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You have 10,000 users and 500 applications. You are planning to implement a comprehensive identity security strategy. Your requirements are: 1. All users must use phishing-resistant MFA for accessing business-critical applications. 2. Users accessing sensitive HR data must be required to use a compliant device. 3. Any authentication attempt from an anonymous IP address or from a country where Contoso has no business operations must be blocked. 4. All external collaboration must be governed by access reviews that require sponsor approval. 5. You need to monitor and respond to identity risks in real time.

You need to design a solution using Microsoft Entra ID features. Which combination of features should you implement?

Question 164mediummultiple choice
Read the full NAT/PAT explanation →

You are the identity administrator for a multinational company with 50,000 users. The company uses Microsoft Entra ID P2 and has recently acquired a small subsidiary with 300 users that uses a different identity provider (Okta). You need to integrate the subsidiary's identities into your Microsoft Entra tenant. Requirements: - The subsidiary's users must be able to access Microsoft 365 applications using their existing Okta credentials. - You must minimize changes to the subsidiary's existing infrastructure. - All access to Microsoft 365 must be governed by your Conditional Access policies. - Passwords must not be stored in Microsoft Entra ID.

What should you implement?

Question 165easymultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your organization uses Microsoft 365 Business Premium with Microsoft Entra ID P1. You have 200 users. You need to enforce multi-factor authentication (MFA) for all users accessing the company's CRM application, which is a third-party SaaS app integrated via SAML. The CRM app does not support modern authentication protocols. You want to use a Microsoft solution that does not require additional licenses. What should you use?

Question 166mediummultiple choice
Read the full Implement and manage Microsoft Entra identity and access explanation →

Your company has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the security administrator. You need to implement a solution that automatically detects and remediates identity risks. Requirements: - Risky sign-ins (e.g., from anonymous IP addresses) should be automatically blocked. - Users with confirmed compromised credentials should be forced to reset their password at next sign-in. - You need to receive alerts when high-risk events occur. - The solution must minimize false positives.

Which Microsoft Entra ID features should you combine?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

MS-102 Practice Test 1 — 10 Questions→MS-102 Practice Test 2 — 10 Questions→MS-102 Practice Test 3 — 10 Questions→MS-102 Practice Test 4 — 10 Questions→MS-102 Practice Test 5 — 10 Questions→MS-102 Practice Exam 1 — 20 Questions→MS-102 Practice Exam 2 — 20 Questions→MS-102 Practice Exam 3 — 20 Questions→MS-102 Practice Exam 4 — 20 Questions→Free MS-102 Practice Test 1 — 30 Questions→Free MS-102 Practice Test 2 — 30 Questions→Free MS-102 Practice Test 3 — 30 Questions→MS-102 Practice Questions 1 — 50 Questions→MS-102 Practice Questions 2 — 50 Questions→MS-102 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Deploy and manage a Microsoft 365 tenantImplement and manage Microsoft Entra identity and accessManage security and threats by using Microsoft Defender XDRManage compliance by using Microsoft PurviewManage users, groups, licensing, and supportImplement and manage identity and access in Microsoft Entra ID

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Implement and manage Microsoft Entra identity and access setsAll Implement and manage Microsoft Entra identity and access questionsMS-102 Practice Hub