AZ-305 domain
Design identity, governance, and monitoring solutions
Use this page to practise AZ-305 Design identity, governance, and monitoring solutions practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
Focused practice
Start a Design identity, governance, and monitoring solutions session
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
Start 20-question practice session →
What the exam tests
What to know about Design identity, governance, and monitoring solutions
Design identity, governance, and monitoring solutions questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Question index
All Design identity, governance, and monitoring solutions questions (77)
Click any question to see the full explanation, or start a practice session above.
1. A large enterprise wants to enforce zero-trust conditional access policies that use real-time user risk, sign-in risk, and device compliance. Which combination of Microsoft Entra ID features should they use?
2. A company needs to monitor sign-in logs from multiple Microsoft Entra ID tenants and analyze user sign-in patterns across those tenants. Which Azure solution should they use?
3. A multinational company uses Microsoft Entra ID for identity. They need to grant external partners access to specific SharePoint Online sites. The access must be time-limited and require approval from a resource owner. Which Microsoft Entra ID feature should they use?
4. A company has multiple Azure subscriptions and wants to enforce that all administrators must use multi-factor authentication (MFA) when accessing the Azure portal. They also want to monitor and report on any policy changes that affect this enforcement. Which combination of Azure services should they use?
5. A company uses Microsoft Entra ID for identity management. They need to automate the process of granting access to resources for employees and external partners, and require periodic access reviews to ensure compliance. Which Microsoft Entra ID feature should they use?
6. A company has Microsoft Entra ID Premium P2 licenses and wants to ensure that privileged roles (e.g., Global Administrator) are only activated when needed and with approval. They also need to regularly review who has access to these roles. Which combination of features should they use?
7. A company wants to collect metrics and logs from all Azure resources in their subscription, including custom metrics from their applications, and create dashboards and alerts. Which Azure service should they use as the primary monitoring platform?
8. A large enterprise has multiple Azure subscriptions and on-premises servers. They need to collect performance metrics (CPU, memory) from all servers, create custom dashboards to visualize health across workloads, and set up alerts for critical thresholds. They also need to retain log data for one year. Which combination of Azure services should they use?
9. A company uses Microsoft Entra ID B2B to collaborate with external vendors. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from compliant devices (e.g., managed by Intune). They also want to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?
10. A company requires all users to use multi-factor authentication (MFA) when accessing cloud applications. However, they want to exempt users from MFA when they connect from the company's headquarters, which has a trusted IP range. They want to enforce this policy centrally. Which Microsoft Entra ID feature should they use?
11. A company wants to configure policies that detect risky sign-ins (e.g., from anonymous IPs or unfamiliar locations) and automatically require multi-factor authentication (MFA) when such risk is detected. Which Microsoft Entra ID feature should they use to create these policies?
12. A company uses Microsoft Entra ID and wants to automate the lifecycle management of user accounts in their SaaS applications, such as Salesforce and ServiceNow. The solution should automatically create, update, and deactivate accounts when users join, move, or leave the organization. Which Microsoft Entra ID feature should they use?
13. A company uses Microsoft Entra ID and wants to allow users to sign in using their existing personal Microsoft accounts, Google, and Facebook identities. They also need custom sign-up and sign-in flows with collection of specific user attributes. Which Microsoft Entra ID feature should they use?
14. A company uses Microsoft Entra ID and wants to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications. However, they want to exclude users when connecting from the corporate office IP range and only allow access from devices that are compliant with Intune policies. Which Microsoft Entra ID feature should they use to create this policy?
15. A multinational company uses Microsoft Entra ID. The company has regional IT teams that need to manage users and groups within their respective regions. Each region has a distinct set of users in specific organizational units. The company wants to assign the User Administrator role to regional IT staff, but limit their scope to only the users in their region. Which Microsoft Entra ID feature should they use?
16. A large enterprise has a management group hierarchy with 50 subscriptions. They need to enforce that every resource group must have a 'CostCenter' tag and that any new resource group without that tag is automatically denied creation. Additionally, they need to ensure that only the Finance team can modify tags on any resource. They also want to generate monthly compliance reports showing which resources are non-compliant. Which combination of Azure services should they use?
17. A company uses Microsoft Entra ID Privileged Identity Management (PIM) to control access to administrator roles. They want to implement a monitoring solution that sends an email to the security team whenever a user activates the Global Administrator role outside of standard business hours (9 AM–5 PM). They also need to track all activation history for quarterly audits. Which solution should they implement?
18. A company uses Microsoft Entra ID B2B collaboration for external partners. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from devices that are compliant with Intune policies. Additionally, they need to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?
19. A company uses Microsoft Entra ID and wants to automate the process of granting access to internal applications and Microsoft 365 groups. Employees request access through a portal, and managers must approve the requests. The access should be automatically removed after a defined period, and managers must perform quarterly access reviews to confirm continued need. Which Microsoft Entra ID feature should they use?
20. A company wants to monitor sign-in failures for their Microsoft Entra ID-integrated applications. They need a dashboard in Azure Monitor showing sign-in failures by application and user location. Which data source should they stream to a Log Analytics workspace?
21. A company is migrating on-premises Windows applications that require LDAP, NTLM, or Kerberos authentication to Azure VMs. They want to provide domain services for these applications without deploying and managing domain controllers. Which Azure service should they use?
22. A company wants to allow remote users to access an internal web application hosted on-premises without opening inbound firewall ports. They need seamless single sign-on (SSO) using Microsoft Entra ID credentials. Which Azure service should they use?
23. A company uses Microsoft Entra ID. They want to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications from outside the corporate network, but allow access without MFA when coming from the corporate office IP range. Which Microsoft Entra ID feature should they use to create this policy?
24. A company uses Microsoft Entra ID. They need to allow external business partners to request access to a specific application. The access must be time-limited and require approval from the partner's manager. Additionally, access must automatically expire after the defined period. Which Microsoft Entra ID feature should they use?
25. A company wants to monitor sign-in activity for their Microsoft Entra ID-integrated applications. They need to detect risky sign-ins, such as sign-ins from anonymous IP addresses or unfamiliar locations, and automatically block or require multi-factor authentication. They also need a dashboard showing risk events and the ability to investigate and remediate. Which Microsoft Entra ID feature should they use?
26. A company uses Microsoft Entra ID. They have a SaaS application that supports SCIM (System for Cross-domain Identity Management). The company wants to automatically create, update, and deactivate user accounts in the SaaS application whenever changes occur in Microsoft Entra ID. They do not want to use custom scripts. Which Microsoft Entra ID feature should they configure?
27. A company uses Microsoft Entra ID. They want to grant a user temporary access to the Global Administrator role for a specific task. The access must require approval from a manager and automatically expire after 4 hours. Which Microsoft Entra ID feature should they use?
28. A company uses Microsoft Entra ID. They want to automatically detect sign-ins from anonymous IP addresses, sign-ins from unfamiliar locations, and other risky activities. When such a risk is detected, they want to block the sign-in or require multi-factor authentication. They also need a dashboard to review risk events. Which Microsoft Entra ID feature should they use?
29. A company is building a customer-facing web application. They want to allow users to sign in using their existing social accounts (Microsoft, Google, Facebook) or create a local account. The solution must be fully managed and support custom branding. Which Azure service should they use?
30. A company uses Microsoft Entra ID. They want to block all access to corporate applications from devices that are not managed by their organization. They require that only devices enrolled in Microsoft Intune and compliant with company policies can access company resources. Which Microsoft Entra ID feature should they use?
31. A company uses Microsoft Entra ID. They want to require users to use multi-factor authentication when accessing the Azure portal from any device. They do not want to require MFA for other applications. Which Microsoft Entra ID feature should they configure?
32. A company uses Microsoft Entra ID. They want to allow external business partners to request access to a specific internal application. The access must be time-limited and require approval from a manager within the partner's organization. Additionally, access should automatically expire after the defined period. Which Microsoft Entra ID feature should they use?
33. A company uses Microsoft Entra ID. They want to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to block the sign-in or require multi-factor authentication (MFA) in real time. Additionally, they need a dashboard that provides a summary of risk events and allows investigation. Which Microsoft Entra ID feature should they use?
34. A company uses Microsoft Entra ID and Microsoft Intune. They want to block all access to internal corporate applications from devices that are not enrolled in Intune and do not meet the company's compliance policies. The solution must apply to all cloud app access seamlessly. Which Microsoft Entra ID feature should they configure?
35. A company wants to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to require multi-factor authentication (MFA) or block the sign-in in real time. Additionally, they need a dashboard that shows risk events and allows generating weekly risk reports. Which Microsoft Entra ID feature should they use?
36. A company uses Microsoft Entra ID. They have many guest users with access to internal SharePoint sites and applications. They need to review guest user access every 90 days and automatically remove access if the guest does not respond to the review request. The solution must be fully automated without custom scripting. Which Microsoft Entra ID feature should they use?
37. A company uses Microsoft Entra ID and Microsoft Intune. They want to block access to all corporate cloud applications (e.g., Office 365, Azure portal) from devices that are not enrolled in Intune or do not meet the company's compliance policies. The solution must work seamlessly for all cloud apps without requiring per-app configuration. Which Microsoft Entra ID feature should they configure?
38. A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access request must be approved by a manager from the partner's organization, and after 30 days the access must automatically expire. They also want to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?
39. A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but do not want MFA to be required for other applications like Office 365. Which Microsoft Entra ID feature should they configure?
40. A company uses Microsoft Entra ID. They need to implement a solution that automatically detects identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via API. Which Microsoft Entra ID feature should they use?
41. A company uses Microsoft Entra ID. They want to automatically detect and respond to high-risk sign-in events, such as sign-ins from malware-linked IP addresses or leaked credentials. When such risks are detected, they want to require multi-factor authentication (MFA) or block the sign-in. They also need a dashboard to review risk events and generate reports. Which Microsoft Entra ID feature should they configure?
42. A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access must be approved by a manager from the partner's organization. After the period ends, access should automatically be removed. The company also wants to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?
43. A company uses Microsoft Entra ID. External partners need temporary access to an internal application. The process must be self-service: partners request access, the request goes through an approval workflow managed by a manager from the partner's organization, and access automatically expires after 30 days. The company also wants to send reminder emails 7 days before expiration. Which Microsoft Entra ID feature should they use?
44. A company uses Microsoft Entra ID for identity management. They want to automatically detect sign-in risks such as sign-ins from unfamiliar locations, anonymous IP addresses, or leaked credentials. Based on the risk level, they want to apply different controls: for low-risk sign-ins, show a message but allow access; for medium-risk sign-ins, require multi-factor authentication (MFA); for high-risk sign-ins, block the sign-in. They also need to receive a weekly summary report of risk events. Which Microsoft Entra ID feature should they configure?
45. A company uses Microsoft Entra ID. They want to enable users to reset their own passwords without contacting the help desk. They also want to enforce multi-factor authentication (MFA) during the password reset process. Which Microsoft Entra ID feature should they enable?
46. A company uses Microsoft Entra ID. They want to provide external business partners with access to an internal application. The access must be time-limited to 60 days, approved by a manager within the partner company, and automatically expire. The company also needs to generate reports of who has access. Which Microsoft Entra ID feature should they implement?
47. A company uses Microsoft Entra ID. They want to automatically detect identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via an API. Which Microsoft Entra ID feature should they configure?
48. A company uses Microsoft Entra ID. They need to grant specific IT administrators just-in-time (JIT) access to Azure virtual machines for troubleshooting. The access must be time-bound, require approval from a senior manager, and be automatically revoked after the granted time period. The company also needs an audit log of all access requests and assignments. Which Azure service or feature should they use?
49. A company uses Microsoft Entra ID for identity management. They want to enforce that only devices compliant with security policies (e.g., BitLocker enabled, antivirus running) can access corporate cloud applications (Microsoft 365 and custom SaaS apps). They also need a dashboard to monitor device compliance status. Which Microsoft Entra ID feature(s) should they configure?
50. A company uses Microsoft Entra ID. They want to allow users to sign in to partner applications using their Microsoft Entra ID credentials. The partner applications support SAML 2.0 and OpenID Connect. They also need to customize the appearance of the sign-in pages. Which Microsoft Entra ID feature should they configure?
51. A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?
52. A company uses Microsoft Entra ID. They need to automatically block sign-ins from users whose accounts have been identified as high-risk for compromise. They also want users to be prompted to reset their password when the risk is detected. Which Microsoft Entra ID feature should they use?
53. A company uses Microsoft Entra ID. They want to automatically review and remove guest accounts that have not signed in for 90 days. They also need to generate reports for auditors. Which Microsoft Entra ID feature should they use?
54. A company uses Microsoft Entra ID. They want to integrate their on-premises Active Directory with Microsoft Entra ID to enable single sign-on (SSO) for cloud applications. Users should be able to use the same password for on-premises resources and cloud applications. The company has a large on-premises user base and wants to avoid additional infrastructure for federation. Which Microsoft Entra ID feature should they implement?
55. A company uses Microsoft Entra ID. They want to allow external business partners to access an internal web application using their own organizational identities. The solution must support self-service sign-up and enforce multi-factor authentication for partner users. Which Microsoft Entra ID feature should they configure?
56. A company uses Microsoft Entra ID. They want to automatically detect identity risks, such as users with leaked credentials or sign-ins from anonymous IP addresses, and generate alerts. They also want to automatically trigger a password reset for high-risk users. Which Microsoft Entra ID feature should they configure?
57. A company uses Microsoft Entra ID. They need to grant temporary administrative roles to users for specific tasks. The process must require approval from a designated approver, and the access must automatically expire after a defined period. The company also needs audit logs of all role assignments and activations. Which Microsoft Entra ID feature should they implement?
58. A company uses Microsoft Entra ID Premium P2. They want to enforce that users accessing sensitive cloud applications from outside the corporate network must use multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?
59. A company uses Microsoft Entra ID. They need to automatically remove guest users who have not signed in for 60 days. Additionally, they must generate a report of all guest access for auditors. Which Microsoft Entra ID feature should they implement?
60. A company uses Microsoft Entra ID. They want to allow users to sign in to multiple SaaS applications using their Microsoft Entra ID credentials without being prompted again for each application. Which Microsoft Entra ID feature should they enable?
61. A company uses Microsoft Entra ID Premium P2. They need to automatically detect users with high-risk sign-ins (e.g., from anonymous IP addresses or leaked credentials) and require them to reset their password. Which Microsoft Entra ID feature should they configure?
62. A company uses Microsoft Entra ID. They need to ensure that users who access sensitive cloud applications from untrusted networks (e.g., public Wi-Fi) are prompted for multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?
63. A company uses Microsoft Entra ID. They need to automatically detect sign-ins from users with leaked credentials and prompt those users to reset their password during the next sign-in. Which Microsoft Entra ID feature should they enable?
64. A company uses Microsoft Entra ID Premium P2. They want to automatically block sign-ins from malicious IP addresses and require users to perform multi-factor authentication (MFA) when signing in from untrusted locations. Which Microsoft Entra ID feature should they use?
65. A company uses Microsoft Entra ID. They need to generate periodic reports of user sign-ins and audit activities for compliance. They want to store the logs for 1 year. Which Azure service should they use?
66. A company uses Microsoft Entra ID. They need to automate the process of granting users access to a specific application only during business hours and revoking it automatically. The access should be based on a request-approval workflow. Which Microsoft Entra ID feature should they use?
67. A company uses Microsoft Entra ID. They need to monitor sign-in logs for anomalous activity (e.g., sign-ins from unfamiliar locations) and automatically take action such as requiring MFA or blocking sign-in. Which Microsoft Entra ID feature should they configure?
68. A company uses Microsoft Entra ID. They need to enforce that all users accessing the company's internal application from mobile devices must be compliant with device management policies (e.g., require a PIN and encryption). The application does not support modern authentication. Which Microsoft Entra ID feature should they use?
69. A company uses Microsoft Entra ID Premium P2. They need to automatically detect users whose credentials have been leaked and require them to reset their password at their next sign-in. Additionally, they want to block sign-ins from anonymous IP addresses (e.g., Tor network). Which combination of Microsoft Entra ID features should they enable to meet both requirements?
70. A company uses Microsoft Entra ID Premium P2. They need to automatically block sign-ins from anonymous IP addresses (e.g., Tor) and force users from risky sign-ins to reset their password. They want to minimize administrative effort and use built-in features. Which Microsoft Entra ID feature should they enable?
71. An enterprise wants just-in-time elevation for Azure administrators and periodic validation that privileged users still require access. Which two Microsoft Entra features should you recommend? (Choose 2.)
72. A company must prevent non-compliant devices from accessing Exchange Online and SharePoint Online. Which design should you recommend?
73. A company plans to migrate on-premises applications to Azure. They require users to authenticate using their existing on-premises Active Directory credentials without syncing password hashes to the cloud. Which Microsoft Entra ID authentication method should they use?
74. A multinational company uses Microsoft Entra ID and several Azure subscriptions. Security administrators need to review privileged role assignments every month and require justification for continued access. Which design should be recommended?
75. A company wants workload deployments to access Azure resources without storing client secrets in CI/CD variables. The pipeline runs from GitHub Actions. Which identity design should be used?
76. A SaaS application must allow external partner users to sign in with their own organization credentials while the company controls application access. What should be used?
77. An organization wants to enforce MFA only when sign-in risk is medium or high. Which Microsoft Entra capability should be used?
Watch out for
Common Design identity, governance, and monitoring solutions exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Design identity, governance, and monitoring solutions domain cover on the AZ-305 exam?
- Design identity, governance, and monitoring solutions questions test whether you can apply the concept in context, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 77 Design identity, governance, and monitoring solutions questions in the AZ-305 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Design identity, governance, and monitoring solutions questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.