Practice SC-900 Describe the capabilities of Microsoft Entra questions with full explanations on every answer.
1. A company wants to require multi-factor authentication (MFA) for all users accessing a financial application, but only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should be used?
2. An organization uses Microsoft Entra ID Protection. A user's sign-in is flagged with a risk level of 'High' because of an anonymous IP address. The administrator wants to automatically block the sign-in while allowing the user to self-remediate. Which should be configured?
3. A company manages Azure resources for multiple departments. The security team needs to grant IT administrators temporary, just-in-time access to high-privilege roles (e.g., Contributor, Owner) only when needed, with approval workflows. Which Microsoft Entra ID capability should they configure?
4. A company uses Microsoft Entra ID and needs to regularly review membership of a group that grants access to a sensitive HR application. The identity team wants to automate quarterly reviews and automatically remove users who fail to respond or are denied by the reviewer. Which Microsoft Entra ID feature should they use?
5. A company uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) only for external guest users, while allowing internal employees to sign in without MFA. Which Conditional Access setting should be configured?
6. A company wants to block all sign-ins using legacy authentication protocols because these protocols do not support multi-factor authentication (MFA). Which component of a Microsoft Entra ID Conditional Access policy should be configured to achieve this?
7. An organization uses Microsoft Intune to manage devices. They want to ensure that only devices marked as compliant can access corporate email in Exchange Online. Which Conditional Access component should they configure?
8. A company uses Microsoft Entra ID. The IT department wants to automatically assign a Microsoft 365 E5 license to all users in the Sales department based on their department attribute. Which Microsoft Entra ID feature should they use?
9. A security team is using Microsoft Entra ID Protection. They want to automatically block sign-ins from known malicious IP addresses, but if a user's account is compromised (e.g., leaked credentials), they want to force the user to change their password upon next sign-in. Which two risk policies should they configure? (Select all that apply.)
10. A company uses Microsoft Entra ID and wants to allow external business partners to request access to a specific application through an approval process. The access should be time-limited and expire automatically. Which Microsoft Entra ID feature should be configured?
11. A company wants to allow its employees to reset forgotten passwords or unlock their accounts without contacting the help desk. The solution must verify the user's identity using a phone call or mobile app notification before allowing the action. Which Microsoft Entra ID feature should be enabled?
12. A company runs a consumer-facing e-commerce website and wants to allow customers to sign in using their existing social media accounts such as Google, Facebook, or LinkedIn. Which Microsoft Entra ID solution should they implement?
13. A company has several on-premises web-based applications that need to be securely accessed by remote employees without requiring a VPN. The IT team wants to provide single sign-on (SSO) using Microsoft Entra ID. Which Microsoft Entra ID feature should they implement?
14. A company wants to allow external business partners to access its internal applications using their own corporate credentials (e.g., their Microsoft Entra ID or Google account), without creating separate user accounts in the company's directory. Which Microsoft Entra ID feature should they use?
15. A company needs to grant IT administrators temporary and time-limited access to privileged roles in Microsoft Entra ID (Azure AD). The access must require approval from a manager and be automatically revoked after the task is completed. Which Microsoft Entra ID feature should be used?
16. A company requires that all users accessing a financial application from outside the corporate network must complete multi-factor authentication (MFA). The IT team is configuring a Microsoft Entra ID Conditional Access policy to enforce this requirement. Which component of the policy should be configured to apply the MFA requirement?
17. A company uses Microsoft Entra ID. The IT team wants to provide remote employees with secure, single sign-on (SSO) access to a critical on-premises web application that uses password-based authentication, without requiring a VPN connection. Which Microsoft Entra ID feature should they use?
18. A multinational corporation uses Microsoft Entra ID. The IT department wants to allow regional IT administrators in Europe to manage users and groups only for their own region, without granting them permissions to manage users in other regions. Which Microsoft Entra ID feature should they use?
19. A company uses Microsoft Entra ID. The security team wants to configure a policy so that when a user signs in from an unfamiliar location (not on the company's trusted IP ranges) or from an unfamiliar device, they are prompted for additional verification (e.g., MFA). However, if the sign-in is from a trusted location (e.g., office IP range) and a known device, no additional verification is required. Which Microsoft Entra ID feature should they configure?
20. A security administrator at an organization using Microsoft Entra ID needs to automatically detect user sign-ins that exhibit risky behavior, such as signing in from a suspicious IP address or using leaked credentials. The administrator also wants the system to automatically calculate a risk level for each user and take actions like requiring a password reset when risk is high. Which Microsoft Entra ID feature should the administrator use?
21. A company wants to allow employees to access corporate resources such as email and internal apps using their personal smartphones. The IT team does not want to fully manage or domain-join these devices but needs each device to have a simple identity that links the user's work account to the device. Which Microsoft Entra ID device identity option should they implement?
22. An organization uses Microsoft Entra ID. The security team wants to require multi-factor authentication (MFA) for users who sign in from sessions that Microsoft Entra ID Protection determines to have medium or high sign-in risk. Users signing in from low-risk sessions should not be prompted for MFA. Which feature should the security team configure?
23. A company uses Microsoft 365 and requires that users access corporate email and SharePoint from managed devices that meet security policy requirements, such as having encryption enabled and antivirus software running. The security team wants to enforce this access control within Microsoft Entra ID so that unmanaged devices are blocked. Which Microsoft Entra ID feature should they configure?
24. An organization uses Microsoft Entra ID to manage user access. The security policy requires that membership in the 'Finance - Sensitive Data' group must be reviewed every quarter by the group owner to confirm that each member still requires access. The group owner must approve or deny each membership, and any denied memberships should be automatically removed. Which Microsoft Entra ID feature should be configured to automate this process?
25. A company uses Microsoft Entra ID (Azure AD). The security team wants to create a Conditional Access policy that meets the following requirements: - Require multi-factor authentication (MFA) when users access a sensitive financial application from an untrusted network. - Additionally, require that the device accessing the app is compliant with company policies (e.g., encryption enabled). Which two conditions should the team configure in the Conditional Access policy? (Choose two.)
26. A company uses Microsoft Entra ID (Azure AD). They have a cloud-based HR system (e.g., Workday) that contains employee records. They want to automate the process of creating user accounts in Microsoft Entra ID for new hires and deactivating accounts for terminated employees based on information from the HR system. Which Microsoft Entra ID feature should they configure?
27. A company uses Microsoft Entra ID. They have a financial application that should only be accessible from Windows devices. The security team wants to create a Conditional Access policy to block access from other operating systems such as macOS or Linux. Which assignment condition should they configure?
28. A company uses Microsoft Entra ID. A new IT support technician is hired and needs to be able to reset passwords for users but must not be allowed to delete user accounts or modify group memberships. Which built-in Microsoft Entra ID role should be assigned to this technician?
29. A company has an on-premises Active Directory domain and uses Microsoft Entra ID (Azure AD) for cloud applications. They purchase new Windows 10 laptops that are not yet joined to any domain. The IT admin wants users to be able to sign in with their existing on-premises credentials and automatically have the laptops joined to both the on-premises AD domain and Microsoft Entra ID. Which device identity option should the admin configure?
30. A company uses Microsoft Entra ID. The security team needs to ensure that when users sign in to a critical financial application from an untrusted network, they must first complete multi-factor authentication (MFA). Additionally, the team wants to block the sign-in if the device is not marked as compliant by Microsoft Intune. Which conditional access grant control should they configure to meet both requirements?
31. A company uses Microsoft Entra ID and Intune for device management. The security team wants to create a Conditional Access policy for a sensitive research application. They require that: 1) The user must use a device that is marked as compliant by Intune, and 2) The user must accept the company's terms of use before accessing the app. Which grant control combination should they configure in the policy?
32. A company wants to automatically detect and alert the security team when a user sign-in appears to originate from a known compromised credential or from an anonymizing VPN service. The company wants to receive a risk score for each sign-in and be able to trigger automated remediation actions. Which Microsoft Entra ID feature should they enable?
33. A company uses Microsoft Entra ID. The security team wants to configure automated actions when user sign-ins are detected as high risk due to anonymized IP addresses or leaked credentials. They need to automatically block the sign-in or force a password change based on risk level. Which Microsoft Entra ID feature should they use?
34. A company uses Microsoft Entra ID (Azure AD). The IT team has created a security group named 'SalesTeam' that contains all sales department users. They want to ensure that only members of this group can access the company's CRM application, which is registered as an enterprise application in Entra ID. What should the IT team configure?
35. A company uses Microsoft Entra ID. The security team wants to grant temporary, time-bound administrative access to the Microsoft 365 user management role for IT support staff. The access should require an approval from a senior administrator, and all actions should be audited. Which Microsoft Entra ID feature should they configure?
36. A company uses Microsoft Entra ID. Their sales team wants to use a third-party customer relationship management (CRM) application that requires the 'Sign in and read user profile' permission and also a high-risk permission to 'Read all users' full profiles'. The security team wants to allow users to request access to this application, but they want to require an administrator to review and approve the high-risk permission request before consent is granted. Which Microsoft Entra ID feature should they configure?
37. A company uses Microsoft Entra ID. A junior administrator needs to occasionally reset passwords for the IT department. The security team wants to grant this permission only for a limited time and require an approval from a senior administrator before the permission becomes active. All password reset actions must be audited. Which Microsoft Entra ID feature should they configure?
38. A company uses Microsoft Entra ID. The IT department needs to ensure that membership in the 'Global Administrator' role is regularly reviewed. Every quarter, the designated reviewers (e.g., senior managers) receive an email asking them to confirm whether each user in the role should keep their assignment. After the review deadline, any member not approved is automatically removed. Which Microsoft Entra ID feature should they configure?
39. A company has an on-premises web-based expense report application. The IT team wants to make this application accessible to remote employees over the internet without requiring a VPN. They need to use Microsoft Entra ID for authentication and apply Conditional Access policies such as requiring multi-factor authentication. Which Microsoft Entra ID feature should they implement?
40. A company uses Microsoft Entra ID. They frequently collaborate with an external partner organization. The IT team wants to allow the partner's users to access the company's internal SharePoint site using their existing corporate credentials from their own Microsoft Entra tenant. The partner users should not have to create separate guest accounts or remember another password. Which Microsoft Entra feature should the IT team configure?
41. A company uses Microsoft Entra ID. The security team wants to enforce a policy that prevents users from choosing commonly used weak passwords like 'Winter2024!' or 'Password@123', and also blocks customized variants based on organizational context (e.g., company name). Users must create passwords that meet standard complexity requirements. Which Microsoft Entra ID feature should they enable?
42. A company uses Microsoft Entra ID. They want to ensure that users who are traveling to a high-risk country, based on the sign-in IP address, are prompted for multi-factor authentication before accessing the company's CRM application. Which Microsoft Entra ID feature should they configure?
43. A company has discovered that many account compromise attacks are using legacy authentication protocols (e.g., IMAP, POP3, SMTP) which do not support multi-factor authentication. They want to block all sign-ins that use these protocols to reduce risk. Which Microsoft Entra ID feature should they use to enforce this block?
44. A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for users who sign in from locations with a high risk score, as determined by Microsoft's analysis of the sign-in's IP address and other behavioral signals. Which Microsoft Entra ID feature should they configure?
45. An organization decides to eliminate passwords for their employees. They deploy Windows Hello for Business on company-issued laptops, allowing users to sign in with a PIN or a biometric gesture (e.g., fingerprint). The IT team also enables Microsoft Authenticator and FIDO2 security keys as alternative sign-in methods. Which Microsoft Entra ID capability are they leveraging?
46. A company uses Microsoft Entra ID. They want to enforce a policy that requires members of the 'Finance' group to use multi-factor authentication and sign in from a compliant device when accessing the financial reporting application. However, they want to exclude members of the 'Finance Admins' group from these requirements. Which Microsoft Entra ID feature should they configure?
47. A company's security team discovers that several recent account compromises originated from attackers using legacy mail protocols (POP3, IMAP) which do not support multi-factor authentication. The team wants to immediately prevent any sign-in attempts using these protocols. Which Microsoft Entra ID feature should they configure to enforce this restriction?
48. An organization needs to grant its IT administrators temporary access to the Global Administrator role. The access should require a separate approval from a designated manager before activation, and the permissions should automatically expire after 4 hours. Which Microsoft Entra ID feature should they configure?
49. A company uses Microsoft Entra ID. The security team wants to automatically respond to risky user behaviors, such as sign-ins from anonymous IP addresses or impossible travel between geographically distant locations within an unrealistic time frame. They need a solution that can automatically trigger actions like forcing a password reset or blocking sign-in for users identified as high risk. Which Microsoft Entra ID capability should they configure?
50. A company uses Microsoft Entra ID. The compliance team requires that membership in highly privileged roles, such as Global Administrator, is reviewed quarterly. The review must be automated: role owners are sent an email notification with a list of current members to approve or deny. If a member does not respond within 30 days, their access should be automatically revoked. Which Microsoft Entra ID feature should the team use to set up this periodic review and automatic removal?
51. A company has several custom-developed web applications hosted on-premises. The company wants to provide employees with secure remote access to these applications without deploying a traditional VPN. Employees should be able to sign in using their existing Microsoft Entra ID credentials, and the solution should pass through multi-factor authentication policies. Which Microsoft Entra ID feature should they implement?
52. A company wants to reduce help desk calls by allowing users to reset their own passwords. The security team requires that users verify their identity using a registered mobile phone or alternative email before resetting. Additionally, the company policy states that passwords cannot be reused until at least five new passwords have been used. Which Microsoft Entra ID features should they configure to meet these requirements?
53. A company uses Microsoft Entra ID and Intune for mobile device management. They want to enforce different access requirements for their finance application: when users access from an unmanaged personal device, they must perform multi-factor authentication (MFA). When they access from a corporate-managed device that is marked as compliant (e.g., joined to Azure AD, antivirus up-to-date, encryption enabled), MFA should not be required. Device compliance is reported by Intune. Which Microsoft Entra ID feature should they use to define these rules?
54. A company uses Microsoft Entra ID. They want to configure a Conditional Access policy that requires multi-factor authentication (MFA) when a sign-in is assessed as medium or high risk by Microsoft's identity protection signals. For sign-ins with no detected risk, MFA should not be required. Which feature or service provides the risk assessment signals that can be consumed by Conditional Access policies?
55. A company's security team discovers that most recent account compromises resulted from attackers exploiting legacy authentication protocols (POP3, IMAP, SMTP Auth) that do not support multi-factor authentication. The team wants to immediately block all sign-in attempts using these legacy protocols while still allowing modern authentication methods (e.g., OAuth 2.0). Which Microsoft Entra ID feature should they configure?
56. A company wants to improve password security across its Microsoft Entra ID tenant. The security team wants to prevent users from setting passwords that appear on Microsoft's global banned password list, which includes commonly compromised passwords. Additionally, they need to add a custom banned password containing the company name so that users cannot use variations of it. Which Microsoft Entra ID feature should they configure to enforce these password policies?
57. A company uses Microsoft Entra ID and wants to provide external business partners with access to a specific internal application. The partners already use Microsoft Entra ID in their own organization. The company wants the partners to use their existing corporate credentials to sign in, without creating new user accounts in the company's tenant. The company also wants to manage the access lifecycle, including automatically removing access after a project ends. Which Microsoft Entra ID feature should they use?
58. A university wants to provide its students with a verifiable digital transcript that the students can share with potential employers. The university uses Microsoft Entra Verified ID to issue credentials. When an employer wants to verify a student's transcript, they scan a QR code or receive a link. Which Microsoft Entra ID feature allows the university to issue these tamper-proof credentials and allows employers to verify them without contacting the university directly?
59. A company uses Microsoft Entra ID to manage identities. They want to enforce access policies based on user location, device compliance, and application sensitivity. Which Microsoft Entra ID capability should they use?
60. A security administrator uses Microsoft Entra ID Protection to identify and respond to identity-based risks. Which two types of risk detections can be reviewed in Microsoft Entra ID Protection? (Choose two.)
61. A healthcare organization uses Microsoft Entra ID and needs to enforce that only users from the United States and Canada can access patient records. Access attempts from all other locations must be blocked. Which Microsoft Entra ID Conditional Access condition should be configured to meet this requirement?
62. A company uses Microsoft Entra ID and wants to configure self-service password reset (SSPR) for all users. The security team requires that users must verify their identity with at least two methods before resetting a password. Which SSPR setting should be configured?
63. An organization uses Microsoft Entra ID and wants to require users to re-authenticate every 4 hours when accessing a critical financial application, even if the user already has an active sign-in session. Which Conditional Access control should be configured?
64. A company uses Microsoft Entra ID Privileged Identity Management (PIM) to manage elevated access to Microsoft Entra ID roles. They want to ensure that a user who activates a privileged role must provide a justification and receive approval from their manager before activation is complete. Which PIM configuration should be used?
65. A company uses Microsoft Entra ID to manage access to internal applications for employees and guest users. The compliance team requires that all guest users' access to a sensitive application must be reviewed every 90 days by the application owner. If the owner does not respond to the review request, the guest's access must be automatically revoked. Which Microsoft Entra ID feature should the company use?
66. A company uses Microsoft Entra ID to manage user access to cloud applications. The security team wants to enforce that users must provide a second form of authentication, such as a phone call or mobile app notification, in addition to their password. Which Microsoft Entra capability should they enable?
67. A company wants to allow external customers to sign in to their custom web application using their own social identities, such as Google or Facebook. They also need to support self-service registration and custom branding for the sign-in pages. Which Microsoft Entra External ID solution should they use?
68. A company wants to prevent users from setting weak passwords that are commonly found in leaked databases. They use Microsoft Entra ID. Which feature should they enable?
69. A company uses Microsoft Entra ID for identity management. They want to automatically block sign-ins from users whose credentials have been compromised and require them to change their password before access is granted. Which Microsoft Entra ID capability should they use?
70. A company uses Microsoft Entra ID and wants to ensure that guest users who are inactive for 90 days have their access to internal resources automatically revoked. Additionally, a manager must review all guest accounts annually. Which Microsoft Entra feature should be used to implement these requirements?
71. A company uses Microsoft Entra ID and wants to allow users to sign in using biometrics (fingerprint or face) on their mobile devices instead of passwords. They want this to work for both iOS and Android devices. Which Microsoft Entra ID feature should they enable?
72. A company uses Microsoft Entra ID and Intune for device management. They want to ensure that only devices marked as compliant (e.g., updated, encrypted) can access the corporate HR portal. Which Conditional Access assignment condition should the administrator configure?
73. A company has an on-premises Active Directory and wants to synchronize user accounts to Microsoft Entra ID. They also need to enable password hash synchronization so users can sign in to cloud resources with the same password. Which Microsoft tool should they use?
74. A company uses Microsoft Entra ID and wants to automatically detect potential security risks such as leaked credentials and suspicious sign-in patterns. They also need the ability to investigate these risks and configure automated responses based on risk levels. Which Microsoft Entra capability should they use?
75. A company wants to reduce the risk of privileged account misuse. They need to provide temporary, time-bound access to administrative roles in Microsoft Entra ID and require approval from a manager before granting the access. Which Microsoft Entra capability should they use?
76. A company has a Microsoft Entra ID tenant and an on-premises Active Directory Domain Services (AD DS) forest. They need to synchronize user accounts, groups, and passwords from AD DS to Microsoft Entra ID. Due to network restrictions, they prefer a lightweight agent that can be deployed on-premises and supports staging mode for testing. Which identity synchronization tool should they use?
77. A company needs to provide a developer with temporary, time-bound administrative access to Azure resources to debug a production issue. The access must require approval from the manager and automatically expire after 4 hours. Which Microsoft Entra capability should they use?
78. A company wants to offer a secure sign-in experience for external customers who may use personal accounts from Facebook, Google, or any OpenID Connect provider. They also need to customize the sign-in pages with their company logo and colors. Which Microsoft Entra capability should they use?
79. A company uses Microsoft Entra ID and Intune for mobile device management. They want to grant access to a confidential project management site only from devices that are encrypted and have the latest anti-malware updates. Which Conditional Access assignment should they configure to enforce this requirement?
80. A company uses Microsoft Entra ID. The security manager wants to provide temporary, time-bound elevated access to the Global Administrator role only when needed, and require approval from a designated approver. Which Microsoft Entra ID capability should they use?
81. A company needs to allow external business partners to securely access internal SharePoint Online sites and Teams channels. The partners use various identity providers, including Microsoft Entra ID and Google. The company wants to manage these external users in their directory and assign access policies. Which Microsoft Entra ID capability should they use?
82. A multinational organization uses Microsoft Entra ID for identity management. External contractors need temporary elevated access to Azure resources for a critical project. The access must be time-bound (expires after 8 hours), require manager approval, and enforce multifactor authentication (MFA) when contractors activate the role. Which Microsoft Entra capability should they configure?
83. A company uses Microsoft Entra ID and wants to automatically detect and remediate over-privileged roles in their Azure subscriptions and AWS accounts. They need to get a unified view of permissions across multiple clouds. Which Microsoft Entra capability should they use?
84. A company wants to securely grant external business partners access to internal SharePoint sites and Teams channels. The partners use various identity providers, including Google and Microsoft personal accounts. The company needs to manage these external identities in their Microsoft Entra ID directory and enforce access policies. Which Microsoft Entra capability should they use?
85. A company wants to prevent users from using common passwords like 'Password123' and custom banned passwords such as 'Contoso2024' during sign-up or password change. They also need to apply a common list of banned passwords tenant-wide. Which Microsoft Entra feature should they configure?
86. A company uses Microsoft Entra ID and a third-party SaaS application. They want to prevent users from downloading sensitive documents from the SaaS app when accessing from unmanaged personal devices, while still allowing read-only access. Which Conditional Access control should they apply to achieve this?
87. A company uses Microsoft Entra ID. They want to ensure that when users access the HR portal from an unmanaged personal device, they are prompted to sign a terms of use agreement and also required to perform multifactor authentication (MFA). Which Conditional Access control should they configure to enforce both requirements?
88. A multinational organization uses Microsoft Entra ID and wants to allow employees to sign in to a custom customer-facing application using their existing social identities (e.g., LinkedIn, Google). They also need to enforce a specific terms of use agreement and be able to revoke a user's access if their social account is compromised. Which Microsoft Entra capability should they configure?
89. A company uses Microsoft Entra ID. Employees often forget their passwords and contact the IT helpdesk to reset them. The company wants to reduce helpdesk costs by allowing users to reset their own passwords using a verified mobile phone number or email address. Which Microsoft Entra ID feature should the administrator enable?
90. A company wants to allow employees to securely access internal applications from their personal devices. The security policy requires that access is only granted if the device is compliant with company security policies (e.g., encryption enabled, password required, up-to-date operating system). Which Microsoft Entra ID capability should they use?
91. A company uses Microsoft Entra ID and wants to automate the lifecycle of guest users. When a contractor's project ends, the guest account should be automatically blocked and then removed after 30 days. Which Microsoft Entra capability should they configure to manage this process?
92. A company uses Microsoft Entra ID and Intune to manage devices. They want to enforce a policy that allows access to financial data from SharePoint Online only when the user's device is compliant (e.g., encrypted, patched) AND the user authenticates from a trusted IP address range. Additionally, if the sign-in risk is assessed as medium or high by Identity Protection, the user must also perform multifactor authentication (MFA). Which Conditional Access components should the administrator configure?
93. A company has many guest users in Microsoft Entra ID who collaborate on a project in a specific SharePoint site. The compliance team needs to periodically verify that these guest users still require access to the site. If a reviewer does not respond within 30 days, the guest's access should be automatically removed. Additionally, the company wants to ensure that once access is removed, the guest user object is eventually deleted from the directory after 90 days. Which Microsoft Entra Identity Governance features should they use together?
94. A company wants to provide secure external access to a partner application without creating user accounts manually. They need to allow partners to authenticate using their existing corporate identities (e.g., from other organizations) and configure policies for access. Which Microsoft Entra feature should they use?
95. A company uses Microsoft Entra ID. They need to implement a Conditional Access policy for the finance application that requires multifactor authentication (MFA) when a user accesses the app from an unmanaged device. Additionally, they want to block access if the sign-in risk level is high. Which two grant controls should they configure in the policy? (Select two.)
96. A company with Microsoft 365 wants employees to access corporate applications from their personal Android and iOS devices. The security team requires that these devices be enrolled in mobile device management (MDM) for compliance policies, and that company data can be selectively wiped from the device without affecting personal data. Which Microsoft Entra device identity type should they configure for these personal devices?
97. A company uses Microsoft Entra ID. They want to allow employees to access the expense reporting application only from managed devices that are compliant with security policies and from trusted IP ranges. Additionally, if the user's sign-in risk is high, access must be blocked. Which of the following conditions should the administrator configure in a Conditional Access policy to enforce these requirements?
98A company uses Microsoft Entra ID. The security team wants to automatically detect user behaviors that indicate possible compromise, such as leaked credentials, impossible travel, or anomalous login patterns. When a user is determined to be at high risk, the system should automatically require the user to reset their password the next time they sign in. Which Microsoft Entra capability should they use?
99A company uses Microsoft Entra ID. The security team needs to grant temporary elevated access to the Global Administrator role for a specific task, such as configuring a new security policy. They want the user to request activation, which is then approved by a manager, and the privileges automatically expire after 4 hours. Which Microsoft Entra feature should they use?
100A company uses Microsoft Entra ID and wants to enable employees to reset their own passwords without needing to contact the help desk. They want to enforce multifactor authentication when the employee performs the reset. Which Microsoft Entra feature should they enable?
101A company wants employees to be able to access corporate applications from their personal mobile devices, but only if those devices are enrolled in mobile device management (MDM) and have a PIN code set. Which Microsoft Entra capability should the administrator use to enforce these requirements?
102A company uses Microsoft Entra ID. They want to enforce that users accessing the payroll application from outside the corporate network must use multifactor authentication and must access the app only from devices that are marked as compliant by Intune. Which Conditional Access component should they use to combine these requirements?
103A company wants to allow external business partners to access a specific SharePoint Online site using their own corporate identities (such as Google or Facebook accounts). The company also needs to enforce multi-factor authentication (MFA) for these external users. Which Microsoft Entra capability should the administrator configure?
104A company wants to implement just-in-time (JIT) privileged access management for their Global Administrators in Microsoft Entra ID. They require that a user must request activation of the Global Administrator role, the request must be approved by a separate administrator, and the role will automatically expire after 4 hours. Additionally, they need an audit trail of all activations. Which Microsoft Entra feature should they use?
105A company uses Microsoft Entra ID. They want to enforce that users accessing the finance app from outside the corporate network must use multifactor authentication (MFA) and access from a device marked as compliant. Additionally, if the user's sign-in risk is medium or higher, access must be blocked. Which component of a Conditional Access policy should the administrator configure to specify the 'Block access' action for high-risk sign-ins?
106A company uses Microsoft Entra ID. They want to ensure only current employees have access to a sensitive HR application. They implement a process where group membership for the HR app is reviewed quarterly by the HR manager, and any unnecessary access is automatically removed. Which Microsoft Entra feature should they use?
107. A company uses Microsoft Entra ID. The IT department has three teams: Helpdesk, Global Administrators, and Security Administrators. The company wants to allow the Helpdesk team to manage password resets and group memberships, but only for users who belong to the 'Sales' organizational unit. Which Microsoft Entra feature should the administrator use to define this delegated administrative scope?
108. A company uses Microsoft Entra ID. They want to require all users accessing the external vendor portal to accept a terms of use document before they are granted access. The acceptance must be revoked after 30 days, requiring the user to accept again. Which Conditional Access component should the administrator configure?
109. A company uses Microsoft Entra ID and wants to enforce multifactor authentication (MFA) for all users accessing a sensitive customer relationship management (CRM) application, but only when the access request originates from outside the corporate network. Which component of a Conditional Access policy should the administrator configure to specify this location-based requirement?
110. A company uses Microsoft Entra ID. They want to require users to perform multifactor authentication (MFA) every 90 days on trusted devices, but force MFA for every sign-in on untrusted devices. Which Conditional Access session control must they configure to meet this requirement?
111. A multinational organization uses Microsoft Entra ID. The IT help desk team is responsible for password resets and group management, but only for users located in the European region. The organization has created a group containing all European user accounts. Which Microsoft Entra feature should an administrator use to delegate these administrative tasks specifically to the help desk team, limited to the European user scope?
112. A company uses Microsoft Entra ID. They want to require users to perform multifactor authentication (MFA) every 30 days on devices that are marked as compliant, but require MFA for every sign-in attempt on non-compliant devices. Which Conditional Access control should they configure to meet this requirement?
113. A company uses Microsoft Entra ID. They want to ensure that only users with a specific role can reset passwords for other users in their organization. Which feature should they use?
114. A company uses Microsoft Entra ID. They want to enforce multifactor authentication (MFA) for all access to a sensitive HR application. However, they only want to require MFA when the sign-in risk is assessed as medium or high, and block access if the risk is high. Which Conditional Access components must the administrator configure to meet these requirements? (Choose the best answer)
115. An organization uses Microsoft Entra ID. They want to automatically detect when a user's sign-in shows a high risk of compromise (e.g., impossible travel, anonymous IP address) and immediately require the user to reset their password. Which Microsoft Entra capability should they use?
116. A company uses Microsoft Entra ID and wants to allow users to reset their own passwords without help desk intervention. However, they want to ensure that only users who have already registered for multifactor authentication (MFA) can use self-service password reset (SSPR). Which Microsoft Entra feature should the administrator configure to enforce this requirement?
117. A company wants to allow external customers to sign in to a custom web application using their existing Google or Facebook accounts. Which Microsoft Entra ID feature should they use?
118. A company has a hybrid identity environment with Active Directory synchronizing to Microsoft Entra ID. They want users to be able to reset their own on-premises passwords via the cloud SSPR portal. What is the minimum license required for this capability?
119. A company uses Microsoft Entra ID. The IT department wants to ensure that users are prompted to change their password only when there is a high likelihood that their credentials have been compromised, rather than forcing periodic password changes. They also want to block users from using common passwords from a custom list of banned passwords. Which Microsoft Entra features should they use?
120. A company uses Microsoft Entra ID. The security team needs to block all sign-in attempts from a list of known malicious IP addresses. They also want to block sign-ins that originate from anonymous proxy services. Which Microsoft Entra capability should they configure to meet these requirements?
121. A company uses Microsoft Entra ID. The IT help desk team needs to be able to reset passwords and manage user account properties, but only for users located in the United Kingdom. The organization has created a dynamic group that contains all UK users. Which Microsoft Entra feature should an administrator use to delegate these administrative permissions specifically to the help desk team, limited to the UK user scope?
122. A company uses Microsoft Entra ID. They have a critical application that requires additional security. The security team wants to enforce multifactor authentication (MFA) for every access to the application, but they also want users to reauthenticate with MFA if a session lasts longer than 60 minutes, regardless of device compliance. Which Conditional Access control should the administrator configure?
123. A company uses Microsoft Entra ID. The security team wants to grant temporary, time-limited administrative access to Azure subscriptions only when needed, with an approval workflow. Which Microsoft Entra capability should they use?
124. A company uses Microsoft Entra ID. The security team wants to provide just-in-time (JIT) administrative access to Azure resources. They require that administrators must request approval before gaining elevated privileges, and that the elevated access automatically expires after the task is completed. Which Microsoft Entra capability should they use?
125. A company uses Microsoft Entra ID. The security team wants to enforce multifactor authentication (MFA) only when users sign in from devices that are not compliant with company security policies. They also want to block sign-ins from unknown geographic locations. Which Microsoft Entra feature should they configure?
126. A company uses Microsoft Entra ID. They want to implement two security baseline requirements: (1) Users must register for multifactor authentication (MFA) before they can use self-service password reset (SSPR). (2) Administrators must have just-in-time (JIT) access to Azure resources with approval required. Which two Microsoft Entra features should they use? (Choose two.)
127. Order the steps to create a Conditional Access policy in Azure AD.
128. Sequence the steps to set up Microsoft Sentinel for a new workspace.
129. Arrange the steps to investigate a user compromise using Azure AD Identity Protection.
130. Match each compliance term to its correct definition.
131. Match each Microsoft Defender product to its focus area.
132. Match each identity term to its correct meaning.
133. Your company is implementing a new application that requires users to authenticate using Microsoft Entra ID. The security team wants to enforce multifactor authentication (MFA) for all users accessing this application, but only when they are connecting from an untrusted network. Which Conditional Access policy should you configure?
134. You are a consultant helping a client migrate from on-premises Active Directory to Microsoft Entra ID. The client has a large number of user accounts and wants to synchronize identities while allowing users to use their existing on-premises passwords. Which tool should you recommend?
135. A user reports that they are unable to sign in to a SaaS application that is configured for single sign-on (SSO) with Microsoft Entra ID. The user can sign in to other applications. What should you check first?
136. Your organization uses Microsoft Entra ID for identity management. You need to allow external partners to access a specific SharePoint Online site without requiring them to have a Microsoft Entra ID account in your tenant. Which feature should you use?
137. Your organization wants to ensure that users cannot install applications from the Microsoft Store on their company-managed Windows devices. Which Microsoft Entra ID feature should you combine with Microsoft Intune to enforce this?
138. Your company is using Microsoft Entra ID to manage identities. You want to allow users to reset their own passwords without help desk intervention, but only if they have registered for self-service password reset (SSPR). What should you configure?
139. Which TWO of the following are capabilities of Microsoft Entra ID? (Select two.)
140. Which THREE of the following are features of Microsoft Entra ID Governance? (Select three.)
141. Which TWO of the following are supported identity types for Microsoft Entra External ID? (Select two.)
142. Which THREE of the following are capabilities provided by Microsoft Entra ID Protection? (Select three.)
143. Which TWO of the following are types of identities that can be managed in Microsoft Entra ID? (Select two.)
144. Your organization uses Microsoft Entra ID to allow users to access cloud applications. You need to ensure that any sign-in from a known malicious IP address is blocked. Which feature should you configure?
145. Your organization wants to enable single sign-on (SSO) for users accessing Microsoft 365 apps from unmanaged devices while enforcing multifactor authentication (MFA). Which Microsoft Entra feature should you configure?
146. Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user passwords and enable password writeback for self-service password reset. Which tool should you use?
147. You are deploying Microsoft Entra Verified ID to issue verifiable credentials for employee onboarding. Which component is required to issue credentials?
148. Your organization uses Microsoft Entra ID Governance. You need to ensure that guest users' access to internal applications is automatically removed after 90 days. What should you configure?
149. Your company uses Microsoft Entra ID with P2 licenses. You want to require approval for users to activate the Global Administrator role. Which feature should you configure?
150. Your organization is using Microsoft Entra Permissions Management (CIEM). You need to identify overprivileged identities in AWS. Which capability should you use?
151. Your organization wants to use Microsoft Entra ID to authenticate users from a partner company that uses its own identity provider. Which federation standard should you use?
152. Your company uses Microsoft Entra ID. You need to enforce that all users register for MFA within 14 days of account creation. Which feature should you use?
153. Your organization is implementing Microsoft Entra Internet Access. You need to secure access to public internet apps by enforcing traffic routing through Microsoft's network. Which feature should you enable?
154. Which TWO Microsoft Entra features can be used to enforce multifactor authentication (MFA)?
155. Which THREE components are part of Microsoft Entra Permissions Management (CIEM)?
156. Which TWO authentication methods in Microsoft Entra ID support passwordless sign-in?
157. Refer to the exhibit. The JSON shows a Conditional Access policy. What is the primary purpose of this policy?
158. Refer to the exhibit. A user reports being unable to access Exchange Online from their personal laptop. The sign-in log shows failure due to device non-compliance. What should you configure to allow access while maintaining security?
159. Refer to the exhibit. User2 attempts to activate the Global Administrator role. What must happen before User2 gains the role?
160. A company wants to allow its partners to access a specific SharePoint Online site using their own corporate credentials. The company does not want to manage partner accounts. Which Microsoft Entra feature should they use?
161. An organization has deployed Microsoft Entra ID Governance and wants to automate the process of revoking access to a critical application when an employee leaves the company. Which feature should they configure?
162. A user reports that they cannot access Microsoft 365 apps from a public Wi-Fi network. The admin sees a Conditional Access policy requiring a compliant device and a trusted location. Which component enforces this policy?
163. An organization wants to allow users to reset their own passwords without help desk intervention. They also need to enforce multifactor authentication during the reset process. Which Microsoft Entra feature should they configure?
164. A company uses Microsoft Entra ID with a custom line-of-business application that only supports SAML 2.0. They want to enable single sign-on for users. What should they configure in Microsoft Entra ID?
165. An organization wants to protect against password spray attacks by automatically blocking sign-ins from suspicious IP addresses. Which Microsoft Entra feature should they use?
166. A company wants to provide external consultants with access to a specific application using their LinkedIn or Google accounts. Which Microsoft Entra feature allows this?
167. An organization is migrating from on-premises Active Directory to Microsoft Entra ID. They need to synchronize user passwords so that users can use the same password for both on-premises and cloud resources. Which authentication method should they choose?
168. A user is unable to access a cloud app and receives a message that their sign-in was blocked by a Conditional Access policy. The admin wants to allow the user to self-remediate by meeting policy requirements. What should the admin enable?
169. Which TWO features are part of Microsoft Entra ID Governance? (Choose two.)
170. Which THREE are benefits of using Microsoft Entra ID as an identity provider? (Choose three.)
171. Which TWO capabilities are provided by Microsoft Entra External ID? (Choose two.)
172. The exhibit shows a Conditional Access policy named 'Block Legacy Auth'. The admin notices that the policy is not blocking legacy authentication as intended. Based on the output, what is the most likely reason?
173. The exhibit shows a sign-in failure for John Doe. The admin wants to allow the sign-in while still enforcing MFA. What should the admin do?
174. The exhibit shows that a user was added to the Global Administrator role. Which Microsoft Entra feature should be used to provide just-in-time access to this role?
175. A company wants to ensure that only users with specific IP addresses can access its critical applications. Which Microsoft Entra feature should they configure?
176. A user reports that they cannot access a cloud app even though they are in the correct location and have a valid license. The administrator suspects a Conditional Access policy might be blocking access. Which tool should the admin use to diagnose the issue?
177. An organization uses Microsoft Entra ID for identity management and wants to allow external partners to access their resources using their own corporate credentials. Which feature should they enable?
178. A multinational company needs to enforce multi-factor authentication for all users but exclude a break-glass emergency account. Which approach should they take in Microsoft Entra ID?
179. An organization wants to automatically revoke access to cloud apps when an employee leaves the company. Which Microsoft Entra feature should they use?
180. A company is planning to migrate from on-premises Active Directory to Microsoft Entra ID. They have a custom line-of-business application that uses Windows Integrated Authentication and requires Kerberos. Which approach should they use to enable hybrid identity?
181. An administrator notices that some users are being prompted for MFA even though they are inside the corporate network. The Conditional Access policy includes a condition for 'All locations' except trusted IPs. What is the most likely cause?
182. A company wants to grant temporary, time-limited access to a critical Azure resource for an external consultant. Which Microsoft Entra feature should they use?
183. A company has a Microsoft Entra ID tenant with thousands of users. They need to ensure that only users with a 'Manager' attribute populated can access a sensitive app. Which approach should they use?
184. Which TWO Microsoft Entra features can be used together to enforce risk-based Conditional Access?
185. Which THREE are valid authentication methods in Microsoft Entra ID?
186. Which TWO capabilities are part of Microsoft Entra ID Governance?
187. You are reviewing a Conditional Access policy JSON. What is the result of this policy?
188. You are analyzing a PIM activation request. The roleDefinitionId corresponds to the Global Administrator role. What is the duration of the activation?
189. You are viewing an application registration in Microsoft Entra ID. What can you conclude about this app?
190. Your company uses Microsoft Entra ID. You need to enable users to sign in to third-party SaaS applications using their corporate credentials without storing passwords in those apps. Which Microsoft Entra feature should you configure?
191. A user reports they cannot access the company portal from their personal device. The device is not enrolled in Microsoft Intune. The admin wants to ensure only compliant devices can access corporate resources. What should the admin configure?
192. Refer to the exhibit. The Conditional Access policy shown is applied to all users accessing Office 365. A user with a compliant device but no MFA registered attempts to access Exchange Online. What will happen?
193. Your organization uses Microsoft Entra ID with P2 licenses. You need to review and approve role activations for the Global Administrator role on a weekly basis. Which feature should you use?
194. A company wants to allow employees to sign in using their Microsoft credentials (e.g., personal Outlook.com) to access internal applications. Which Microsoft Entra feature should be configured?
195. Refer to the exhibit. A user accesses a web app from a device that is Microsoft Entra joined but not Intune compliant. Which condition will be satisfied?
196. An organization has Microsoft Sentinel and Microsoft Defender XDR. They want to automatically block a user's sign-in if a high-risk alert is triggered. Which Microsoft Entra feature integrates with these products to enforce access controls?
197. Your organization uses Microsoft Entra ID. You want to provide external partners with access to a SharePoint site using their own identity providers (e.g., Google, Facebook). Which feature should you use?
198. Refer to the exhibit. The Conditional Access policy is configured to block access for high-risk users. A user with a medium risk level attempts to sign in. What will happen?
199. Which TWO features are part of Microsoft Entra ID P2 licensing? (Choose two.)
200. Which TWO scenarios are supported by Microsoft Entra B2B collaboration? (Choose two.)
201. Which THREE components are part of Microsoft Entra ID's identity governance? (Choose three.)
202. Which TWO conditions can be used in a Microsoft Entra Conditional Access policy? (Choose two.)
203. Which THREE features are included in Microsoft Entra ID Free? (Choose three.)
204. Which THREE capabilities are provided by Microsoft Entra Identity Protection? (Choose three.)
205. Your company is implementing Microsoft Entra ID and wants to ensure that users can sign in using their existing social media accounts. Which feature should you configure?
206. A user reports that they cannot access the company's HR application, which requires Microsoft Entra ID authentication. The user can access other apps that also use Entra ID. What is the most likely cause?
207. Your organization uses Microsoft Entra ID Governance. You need to ensure that when a user leaves the company, all their access to critical applications is automatically removed. Which feature should you use?
208. Your company wants to provide a single sign-on experience for all cloud applications. Which Microsoft Entra ID feature should you implement?
209. A user reports frequent password reset requests. You suspect password spray attacks. Which Microsoft Entra ID feature should you use to investigate?
210. Your organization uses Microsoft Entra ID with P2 licenses. You need to delegate the ability to manage role assignments in Entra ID without granting global admin rights. Which feature should you use?
211. Your company wants to allow partners to use their own corporate credentials to access a specific SharePoint site. Which Microsoft Entra ID feature supports this?
212. A user is locked out of their account after multiple failed sign-in attempts. You need to reduce false lockouts while maintaining security. What should you do?
213. Your organization has multiple on-premises directories and wants to synchronize them to Microsoft Entra ID. However, you must avoid duplicate user objects. Which feature should you configure?
214. Which TWO of the following are capabilities of Microsoft Entra ID? (Choose two.)
215. Which THREE are features of Microsoft Entra ID? (Choose three.)
216. Which TWO are capabilities of Microsoft Entra ID Governance? (Choose two.)
217. Refer to the exhibit. The JSON snippet shows an app registration in Microsoft Entra ID. The password credential endDateTime is set to 2025-12-31. What will happen when that date is reached?
218. Refer to the exhibit. A Microsoft Graph PowerShell script is shown. What is the purpose of this script?
219. Refer to the exhibit. The JSON shows a Conditional Access policy. What is the effect of this policy?
220Your company uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts. Which Microsoft Entra feature should you configure?
221A user reports that they cannot access the corporate portal after a password reset. The user can access other cloud apps. You verify that the user account is enabled and not locked. What should you check next?
222Your organization plans to migrate from on-premises Active Directory to Microsoft Entra ID. You need to design the identity synchronization strategy to support password hash synchronization and password writeback. Which tool should you use?
223You need to provide external partners with access to your organization's SharePoint site. The partners must use their own credentials. Which Microsoft Entra feature should you use?
224A user reports that they are repeatedly prompted for multifactor authentication when accessing Microsoft 365 apps from the same trusted device. What should you do to reduce the number of prompts?
225Your organization uses Microsoft Entra ID P2 licenses. You need to implement a process to automatically remove users from a group if they have not signed in for 90 days. Which feature should you use?
226You need to allow users to reset their own passwords without contacting the help desk. Which Microsoft Entra feature should you enable?
227Your organization requires that all external guest users must sign in using Microsoft Authenticator for MFA. What should you configure?
228You need to implement a solution that allows users to access cloud applications without entering a password, using Windows Hello for Business. Which Microsoft Entra feature integrates with Windows Hello for Business?
229Which TWO capabilities are provided by Microsoft Entra ID?
230Which THREE features are part of Microsoft Entra Identity Governance?
231Which TWO Microsoft Entra features can help protect against credential attacks?
232Refer to the exhibit. You are reviewing a Conditional Access policy in JSON format. What is the effect of this policy?
233Refer to the exhibit. You are reviewing a Privileged Identity Management (PIM) configuration for a role in Microsoft Entra ID. The roleDefinitionId corresponds to a specific role. What is the effect of this configuration?
234Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution to allow external partners to access a specific SharePoint Online site. The partners must use their own email addresses to sign in. You want to enforce multifactor authentication for all external users. Additionally, you need to ensure that external users are automatically removed from the site after 90 days. You have the following requirements: 1. Use built-in Microsoft Entra features. 2. Minimize administrative effort. 3. The solution must support automatic expiration of access. What should you do?
235. A company uses Microsoft Entra ID for identity management. They want to allow employees to sign in using their existing Facebook credentials. Which feature should they configure?
236. A user reports that they cannot access a critical application, receiving an error that their session has expired. The sign-in logs show the user was prompted for multifactor authentication (MFA) multiple times during the same session. What should an administrator review to reduce these interruptions?
237. A company is planning to migrate from on-premises Active Directory to Microsoft Entra ID. They have multiple on-premises applications that use LDAP for authentication. They want to enable single sign-on (SSO) to these applications from the cloud without modifying the applications. Which approach should they use?
238. A company uses Microsoft Entra ID. The security team wants to automatically block sign-ins from IP addresses that exhibit brute-force attack patterns. Which capability should they enable?
239. An administrator needs to grant a vendor temporary access to an Azure subscription for exactly 48 hours. After that time, access must be automatically revoked. Which Microsoft Entra feature should be used?
240. A multinational company uses Microsoft Entra ID. They want to ensure that users from a specific country only access a sensitive application from compliant devices. Additionally, they want to block access if the sign-in risk is medium or high. Which combination of policies should they create?
241. A company wants to allow employees to use their corporate Microsoft Entra ID credentials to sign in to third-party SaaS applications like Salesforce and ServiceNow. Which feature provides this capability?
242. A company is using Microsoft Entra ID to manage identities for a multi-tenant SaaS application. They want to allow users from partner organizations to access the application using their own corporate credentials, without needing to manage separate accounts. Which solution should they implement?
243. Which TWO capabilities are provided by Microsoft Entra Identity Protection?
244. Which THREE components are part of the Microsoft Entra External Identities suite?
245. Which TWO features are included in Microsoft Entra ID P2 licensing?
246. You are the identity administrator for a large enterprise using Microsoft Entra ID. The company has 50,000 users and recently acquired a smaller company with 2,000 users that uses a third-party identity provider (IdP) based on SAML 2.0. The acquisition must be fully integrated within 30 days. The CISO mandates that all users must use MFA for any access to cloud applications. The acquired company's users currently do not use MFA. You need to choose an approach that minimizes changes to the acquired company's current authentication infrastructure while meeting the MFA requirement. The solution must also allow the acquired company's users to access resources in the parent tenant using their existing credentials. What should you do?
247. You are an identity consultant for a mid-sized company with 5,000 employees. They use Microsoft Entra ID P1 and Microsoft Intune for device management. The company wants to implement passwordless authentication for all employees to improve security and user experience. Currently, users sign in with username and password plus MFA via the Microsoft Authenticator app. The company has a mix of Windows 10/11 devices (both domain-joined and Microsoft Entra joined) and iOS/Android mobile devices. They want to support passwordless sign-in on all platforms. The CTO is concerned about cost and wants to minimize additional licensing. Which passwordless method should you recommend?
248. You are a security administrator for a company using Microsoft Entra ID P2. The company has a critical application that should only be accessible by a specific group of users (the 'Finance' group). You need to ensure that any access to this application is automatically logged and that an administrator is notified when a user outside the Finance group attempts to access it. Additionally, the CEO wants a quarterly review of all users who have access to this application. Which combination of features should you use?
249. You are the identity architect for a global organization with 100,000 users across 50 countries. The company uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. Recently, the security team identified that several compromised user accounts were used to exfiltrate data from a cloud storage app. The CISO wants to implement a solution that detects anomalous behavior (e.g., impossible travel, mass download) and automatically blocks the user session when such behavior is detected. The solution must also provide the ability to investigate and remediate after the fact. Which Microsoft Entra feature should you use in conjunction with Defender for Cloud Apps to meet these requirements?
250. Your organization is planning to implement Microsoft Entra ID for identity and access management. Which TWO capabilities are provided by Microsoft Entra ID?
251. You are a security architect for a large enterprise using Microsoft Entra ID. You need to implement a solution that enforces least-privilege access and reduces lateral movement. Which THREE Microsoft Entra capabilities should you include in your design?
252. Your company, Contoso, uses Microsoft Entra ID for employee identity management. You need to ensure that when an employee leaves the company, their access to all SaaS applications is automatically revoked within 24 hours. The HR department updates the employee status in a cloud HR system (Workday). What should you do?
253. Your organization is using Microsoft Entra ID with P2 licenses. You need to enforce a policy that requires administrators to request approval before activating their privileged roles, and approvals must expire after 8 hours. Additionally, you need to ensure that all privileged role activations are logged for auditing. Which combination of Microsoft Entra capabilities should you use?
254. Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that users can use the same password on-premises and in the cloud without having to sync password hashes. Additionally, you want to prevent accounts from being locked out after a few bad password attempts in the cloud. Which Microsoft Entra feature should you implement?
255. Your organization uses Microsoft Entra ID and has deployed Microsoft Entra ID Governance for entitlement management. You need to allow external partners to request access to a specific application, but only if they have a valid email address from an approved domain. Once approved, their access should automatically expire after 30 days. You also need to ensure that the partner's access is reviewed quarterly by the application owner. What should you configure?
256. Your organization is using Microsoft Entra ID and has deployed Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with Intune policies can access corporate email via Microsoft Outlook for iOS and Android. Additionally, you need to prevent users from copying corporate data to personal apps on the same device. Which two Microsoft Entra features should you combine?
257. Your company uses Microsoft Entra ID and wants to implement a passwordless authentication strategy for all users. You have a mix of Windows 10 devices, iOS devices, and Android devices. You need a solution that works across all platforms and does not require users to remember passwords. What should you implement?
258. Your organization wants to allow employees to use their personal mobile devices to access corporate resources, but you need to ensure that corporate data is protected if the device is lost or stolen. You also need to enforce a PIN policy on the device. Which combination of Microsoft Entra and Microsoft Intune features should you use?
259. Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution that automatically detects and remediates users with leaked credentials. Additionally, you need to require users to change their password when a high risk is detected. Which Microsoft Entra features should you configure?
260. Your organization is deploying Microsoft Entra ID. You need to ensure that users can sign in using their existing on-premises Active Directory credentials without creating new cloud passwords. Which feature should you configure?
261. A company has Microsoft Entra ID with Conditional Access policies. Users report being prompted for MFA every time they access the company's CRM app from their corporate laptops. However, the policy is configured to require MFA only for untrusted locations. What is the most likely cause?
262. Your organization uses Microsoft Entra ID. You need to grant external partners limited access to a SharePoint site for 30 days. After 30 days, access should automatically expire. Which Microsoft Entra feature should you use?
263. You are designing an identity solution for a new company that will use Microsoft Entra ID. The company wants employees to use biometrics (fingerprint) on their mobile devices to sign in without typing a password. Which Microsoft Entra feature should you implement?
264. Refer to the exhibit. You are reviewing Microsoft Entra sign-in logs. Which statement is true?
265. Your company uses Microsoft Entra ID. You need to enforce that all users accessing the HR application must have a device that is compliant with company security policies. The device compliance is managed by Microsoft Intune. Which feature should you use to enforce this requirement?
266. Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that when a user's on-premises account is disabled, their cloud account is automatically disabled within 5 minutes. Which configuration should you use?
267. You are configuring Microsoft Entra ID for a new user. The user will need to access resources in multiple Microsoft cloud services (Office 365, Azure, Dynamics 365). Which Microsoft Entra edition is minimally required to provide single sign-on (SSO) across these services?
268. Your company uses Microsoft Entra ID. Security policy requires that all external guest users must be reviewed and their access approved by their sponsor every 90 days. If not approved, access should be automatically removed. Which feature should you use?
269. Which two capabilities are provided by Microsoft Entra ID? (Choose two.)
270. Which three features are available in Microsoft Entra ID P2 but not in P1? (Choose three.)
271. Which two scenarios are examples of using Microsoft Entra business-to-business (B2B) collaboration? (Choose two.)
272. Refer to the exhibit. You run the cmdlet and get a list of risk detections. What does this cmdlet retrieve?
273. Refer to the exhibit. You run this PowerShell cmdlet. What is the outcome?
274. Your company uses Microsoft Entra ID. You need to ensure that when a user's account is compromised and used to send spam, the account is automatically blocked from signing in. Which feature should you configure?
275. Your organization uses Microsoft Entra ID for identity management. You need to enable users to sign in using a QR code from the Microsoft Authenticator app. Which Microsoft Entra feature should you configure?
276. You are configuring Microsoft Entra ID Governance. You need to ensure that when a user leaves the organization, their access to all SaaS applications is automatically revoked. Which Microsoft Entra feature should you use?
277. Your organization uses Microsoft Entra ID with P2 licenses. You need to implement a policy that requires users to perform multifactor authentication (MFA) when accessing the finance application from an untrusted network, but not when accessing it from the corporate network. Which Microsoft Entra feature should you configure?
278. Your organization uses Microsoft Entra ID and Microsoft Intune. You need to ensure that only devices that are enrolled in Intune and compliant with your organization's security policies can access corporate email. Which Microsoft Entra feature should you use?
279. Your organization wants to use Microsoft Entra Verified ID to issue digital credentials to employees. Which Microsoft Entra service provides the ability to issue and verify verifiable credentials?
280. Your organization uses Microsoft Entra ID and Microsoft Sentinel. You need to analyze sign-in logs to detect risky sign-ins that are not blocked by Conditional Access policies. Which Microsoft Entra feature provides risk detection and can feed into Sentinel?
281. Your organization uses Microsoft Entra ID with P1 licenses. You need to provide a temporary access pass for a new employee to set up their account without a password. Which Microsoft Entra feature should you use?
282. Your organization uses Microsoft Entra ID and needs to allow external partners to sign in using their own identity providers (e.g., Google or Facebook). Which Microsoft Entra feature should you configure?
283. Your organization is using Microsoft Entra ID with P2 licenses. You need to ensure that all guest users are reviewed for access quarterly, and if not approved, access is automatically removed. Which Microsoft Entra feature should you configure?
284. Which TWO of the following are capabilities of Microsoft Entra ID Governance?
285. Which THREE of the following are features of Microsoft Entra ID Protection?
286. Which TWO of the following are methods for implementing passwordless authentication in Microsoft Entra ID?
287. Refer to the exhibit. You are evaluating a Conditional Access policy in JSON format. The policy is assigned to a test user group. A user in that group tries to access Outlook Web App (OWA) from a browser. What is the effect of this policy?
288. Refer to the exhibit. You are reviewing a risk detection in Microsoft Entra Identity Protection. The risk event indicates 'unfamiliarFeatures' with medium risk level for user John Doe from IP 203.0.113.5. What is the most likely cause of this risk detection?
289. Refer to the exhibit. You are configuring an access package in Microsoft Entra Entitlement Management. Based on the policy, which users can request access to the HR App?
290. Your organization uses Microsoft Entra ID to manage user identities. A new employee named John joins the company and needs access to Microsoft 365 apps. You want to ensure John's identity is verified using a phone call. Which authentication method should you configure?
291. Your company is implementing a hybrid identity solution with Microsoft Entra ID. You need to ensure that password changes on-premises are synchronized to the cloud within minutes. Which feature should you enable?
292. Your organization uses Microsoft Entra ID Governance. You need to ensure that access to a critical application is reviewed every 90 days by the application owner. If the review is not completed, access should be revoked automatically. Which feature should you configure?
293. Your company uses Microsoft Entra ID and wants to allow external partners to sign in using their own Google or Facebook accounts. Which feature should you enable?
294. Your organization uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) for all users. Which policy should you create?
295. Your organization uses Microsoft Entra ID and needs to block sign-ins from legacy authentication protocols to reduce risk. Which feature should you use?
296. Your organization uses Microsoft Entra ID. You need to ensure that when a user's account is disabled on-premises, their access to cloud apps is blocked within 5 minutes. Which hybrid identity configuration should you use?
297. Your organization uses Microsoft Entra ID. A user reports that they are unable to access any Microsoft 365 services because they forgot their password. Which self-service tool should they use?
298. Your company uses Microsoft Entra ID and wants to automatically assign licenses to new employees based on their department. Which feature should you use?
299. Your organization uses Microsoft Entra ID. Which TWO capabilities are provided by Microsoft Entra ID Governance?
300. Your organization uses Microsoft Entra ID. Which THREE authentication methods can be used for passwordless sign-in?
The Describe the capabilities of Microsoft Entra domain covers the key concepts tested in this area of the SC-900 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-900 domains — no account required.
The Courseiva SC-900 question bank contains 300 questions in the Describe the capabilities of Microsoft Entra domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Describe the capabilities of Microsoft Entra domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.