CCNA Identity Governance Monitoring Questions

75 of 273 questions · Page 1/4 · Identity Governance Monitoring topic · Answers revealed

1 · Multi-Select · easy

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to collect logs from on-premises firewalls and send them to Sentinel. Which TWO connectors can you use? (Choose two.)

Select 2 answers
A.DNS
B.Syslog
C.Common Event Format (CEF)
D.Azure Activity Log
E.Windows Security Events via AMA
Answers: B, C

Syslog is a standard protocol for log collection; many firewalls support it.

Why this answer

Syslog is the standard protocol network devices, firewalls included, use to ship log messages to a central collector. Common Event Format (CEF) is a message format carried over syslog that normalizes events from different security products into a fixed pipe-delimited header plus key=value extensions, so Sentinel can map them into the CommonSecurityLog table without a product-specific parser. With either connector the firewall forwards its logs to a Linux log forwarder running the Azure Monitor Agent (AMA; the legacy Log Analytics agent is retired), which sends them to the Log Analytics workspace behind Sentinel.

Exam trap

The trap here is that candidates may confuse 'Syslog' with 'DNS' or 'Windows Security Events' because they think any log source can be collected via a generic connector, but Sentinel requires specific connectors for each data source type.
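What the CEF connector actually receives, as an added example that is not from this page or from Microsoft: a small Python parser for CEF messages as a firewall would send them over syslog, handling the escaped pipes in the header, the escaped equals signs in extension values, and the csNLabel/csN convention that Sentinel preserves in CommonSecurityLog. The vendor, product, addresses and rule names in SAMPLE_LINES are constructed for the example.

```python
import re

# Constructed sample messages (not captured from any real device). The first
# carries the syslog PRI/timestamp/host prefix a firewall forwarder emits; the
# second exercises escaped pipes inside header fields.
SAMPLE_LINES = [
    "<134>Oct 11 22:14:15 fw01 CEF:0|ExampleVendor|EdgeFW|10.1|THREAT|vulnerability|7|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 act=alert "
    "msg=SQL injection attempt: id\\=1 OR 1\\=1 cs1Label=Rule cs1=block-sqli",
    "CEF:0|Vendor\\|Inc|EdgeFW|1.0|100|Pipe \\| in name|3|src=192.0.2.9 act=drop",
]

HEADER_FIELDS = ("vendor", "product", "version", "event_class_id", "name", "severity")
# An extension key is an identifier directly followed by '=' at the start of the
# extension or after whitespace; the escaped 'id\=1' inside a value does not match.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: \\= \\\\ \\n \\r."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef(line: str) -> dict:
    """Parse one CEF message (with or without a syslog prefix) into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    body = line[start + len("CEF:"):]
    # Seven pipe-delimited header fields; '\|' and '\\' are escapes inside them.
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = {"cef_version": fields[0], **dict(zip(HEADER_FIELDS, fields[1:]))}
    # Extension: key=value pairs; a value runs until the next unescaped key.
    ext = body[i:]
    keys = list(_EXT_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end].strip())
    return event


def resolve_custom_labels(event: dict) -> dict:
    """Fold csNLabel/csN (and cnN, flexStringN) pairs into label-named fields,
    the way the label column sits beside the value column in CommonSecurityLog."""
    out = dict(event)
    for key, label in event.items():
        if key.endswith("Label") and key[:-5] in event:
            out[label] = event[key[:-5]]
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = resolve_custom_labels(parse_cef(line))
        print(ev["vendor"], ev["name"], ev.get("src"), "->", ev.get("dst"), ev.get("Rule"))
```

Run directly it prints one line per event. The detection-engineering point is the msg field of the first sample: the attacker-controlled SQL injection string contains `=` and would be shredded into bogus fields by a naive split on spaces and equals signs; honouring the escaping is what keeps the parsed fields trustworthy for rules and analytics.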

2 · MCQ · easy

A company uses Microsoft Entra ID for identity management. They need to automate the process of granting access to resources for employees and external partners, and require periodic access reviews to ensure compliance. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Entitlement Management
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Identity Protection
Answer: B

Entitlement Management allows you to create access packages that define the resources and policies for access. It can automate the request workflow and integrate with access reviews for periodic recertification.

Why this answer

Microsoft Entra ID Entitlement Management is the correct feature because it enables automation of access request workflows for employees and external partners, including time-limited access packages and periodic access reviews to enforce compliance. This directly matches the requirement for granting access and ensuring ongoing governance through reviews.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Entitlement Management because both involve access and reviews, but PIM is strictly for privileged roles, not for general resource access automation for employees and partners.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and oversight for admin roles, not on automating general resource access for employees and partners or managing access reviews for non-privileged users. Option C is wrong because Conditional Access enforces real-time access policies based on signals like location or device compliance, but it does not automate the initial granting of access or provide periodic review capabilities. Option D is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies), but it does not handle access request workflows or compliance-driven access reviews.

3 · MCQ · easy

Your organization plans to deploy Microsoft Entra ID Governance. You need to ensure that access to critical applications is reviewed quarterly by the application owners. Which Microsoft Entra ID feature should you use?

A.Microsoft Entra ID Privileged Identity Management
B.Microsoft Entra ID Entitlement Management
C.Microsoft Entra ID Terms of Use
D.Microsoft Entra ID Access Reviews
Answer: D

Access Reviews enable periodic attestation of access by owners.

Why this answer

Microsoft Entra ID Access Reviews (Option D) is the correct feature because it enables recurring, delegated review of user access to applications, groups, or roles. By configuring an access review with quarterly frequency and assigning application owners as reviewers, you directly meet the requirement for periodic attestation of access to critical applications. This is the specific Entra ID capability designed for governance-driven access recertification.

Exam trap

The trap here is that candidates confuse Entitlement Management (which includes access packages and can trigger reviews) with the dedicated Access Reviews feature, but the question explicitly asks for the feature that ensures reviews are conducted quarterly by application owners, which is the core purpose of Access Reviews, not a secondary function of Entitlement Management.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Privileged Identity Management (PIM) is focused on just-in-time privileged role activation and approval workflows, not on recurring access reviews for all users of critical applications. Option B is wrong because Microsoft Entra ID Entitlement Management handles automated access request and approval workflows via access packages; an access package policy can schedule a recurring review, but that review is the Access Reviews capability, and the question asks for the feature that performs the quarterly owner attestation itself. Option C is wrong because Microsoft Entra ID Terms of Use is a policy acceptance feature that requires users to consent to terms before accessing an application, but it does not perform any periodic review or attestation of existing access.

4 · MCQ · hard

A company uses Microsoft Entra ID and Microsoft Intune. They want to block access to all corporate cloud applications (e.g., Office 365, Azure portal) from devices that are not enrolled in Intune or do not meet the company's compliance policies. The solution must work seamlessly for all cloud apps without requiring per-app configuration. Which Microsoft Entra ID feature should they configure?

A.Conditional Access policy with 'Require device to be marked as compliant' grant control
B.Microsoft Entra ID Identity Protection
C.Privileged Identity Management (PIM)
D.Microsoft Entra ID B2C
Answer: A

Correct: Conditional Access can be scoped to 'All cloud apps' and require device compliance, which uses Intune compliance policies.

Why this answer

Option A is correct because a Conditional Access policy scoped to all cloud apps with the 'Require device to be marked as compliant' grant control enforces device compliance for Office 365, the Azure portal and every other app that authenticates through Entra ID, with no per-app configuration. At sign-in, Entra ID checks the device's compliance state as reported by Intune; an unenrolled device has no compliance record and is treated as non-compliant, so both unenrolled and non-compliant devices are blocked at the Entra ID level.

Exam trap

The trap here is that candidates often confuse Identity Protection (risk-based) with Conditional Access (policy-based), or assume that per-app configuration is required, when in fact a single Conditional Access policy can target all cloud apps registered in Entra ID. In practice, exclude emergency-access (break-glass) accounts from such a policy and roll it out in report-only mode first, because it blocks every sign-in from a device that is not compliant.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, anonymous IP addresses), not to enforce device compliance or enrollment for cloud app access. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not device-level access controls. Option D is wrong because Microsoft Entra ID B2C is a customer-facing identity service for external users (e.g., social logins), not for blocking corporate cloud apps based on device compliance.

5 · MCQ · easy

You are designing a monitoring solution for a critical application hosted on Azure Virtual Machines. The application is latency-sensitive and you need to be alerted when CPU usage exceeds 90% for more than 5 minutes. Which Azure Monitor feature should you use?

A.Service health alert
B.Metric alert
C.Log alert
D.Activity log alert
Answer: B

Metric alerts monitor numeric values like CPU percentage and can trigger on threshold conditions.

Why this answer

Metric alerts in Azure Monitor evaluate resource metrics (such as the VM's platform metric Percentage CPU) at a fixed frequency and fire when the aggregated value breaches a static threshold over the configured lookback period. Because the question specifies a numeric threshold held for a duration (CPU > 90% for 5 minutes) on a latency-sensitive application, a metric alert is the right choice: platform metrics are emitted by the Azure host without any agent in the VM and are evaluated with about a minute of latency, far less than a query over ingested logs.

Exam trap

The trap here is that candidates often confuse Log alerts (which are powerful for complex queries) with Metric alerts, forgetting that Log alerts introduce latency from log ingestion and indexing, making them inappropriate for time-sensitive, threshold-based CPU monitoring.

How to eliminate wrong answers

Option A is wrong because Service Health alerts notify about Azure service-level issues (e.g., regional outages, planned maintenance), not about the performance of your specific virtual machines. Option C is wrong because Log alerts query log data (e.g., from Azure Monitor Logs or Application Insights) and have inherent ingestion and query latency, making them unsuitable for sub-5-minute, latency-sensitive CPU threshold alerts. Option D is wrong because Activity Log alerts monitor changes to Azure resources (e.g., VM creation, deletion, or configuration changes), not the operational metrics like CPU usage.

6 · MCQ · easy

A company uses Microsoft Entra ID. They want to automatically detect and respond to high-risk sign-in events, such as sign-ins from malware-linked IP addresses or leaked credentials. When such risks are detected, they want to require multi-factor authentication (MFA) or block the sign-in. They also need a dashboard to review risk events and generate reports. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Identity Governance
Answer: B

Identity Protection detects risks such as leaked credentials, sign-ins from anonymous IP addresses, and malware-linked IP addresses. It provides risk-based conditional access policies and a dashboard for reporting.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to automatically detect and respond to high-risk sign-in events, such as sign-ins from malware-linked IP addresses or leaked credentials. It provides risk-based conditional access policies that can require MFA or block sign-ins, and it includes a dashboard for reviewing risk events and generating reports. This aligns directly with the scenario's requirements for detection, automated response, and reporting.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, not realizing that Conditional Access is the enforcement mechanism while Identity Protection is the detection and risk-scoring engine that supplies the risk signals. Note that Microsoft now recommends configuring the response (require MFA, require password change, block) as Conditional Access policies that use the sign-in risk and user risk conditions rather than the legacy Identity Protection policy pages; the detections, risk reports and dashboard still live in Identity Protection, so B remains the answer.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is focused on managing, controlling, and monitoring access to privileged roles, not on detecting or responding to sign-in risks like leaked credentials or malware-linked IPs. Option C is wrong because Conditional Access is a policy engine that enforces access controls (like MFA) based on conditions, but it does not itself detect risk events or provide a risk dashboard; it relies on Identity Protection to supply risk signals. Option D is wrong because Identity Governance handles access reviews, entitlement management, and lifecycle workflows, not real-time risk detection or automated response to high-risk sign-ins.

7 · Multi-Select · medium

Which TWO of the following are valid Azure Policy effects that can be used to enforce compliance?

Select 2 answers
A.DeployIfNotExists
B.Deny
C.AuditIfNotExists
D.Modify
E.AutoRemediate
Answers: A, D

DeployIfNotExists deploys resources if they are missing, enforcing compliance.

Why this answer

DeployIfNotExists evaluates a resource after it is created or updated and, if a related resource is missing, deploys a template to create it (for example, installing the Azure Monitor Agent on VMs that lack it), so it actively brings resources into compliance. Modify adds, replaces or removes properties or tags on a resource during creation or update (for example, stamping a missing tag), which likewise enforces compliance rather than merely reporting it. Both effects need a managed identity on the policy assignment, and a remediation task to act on resources that already existed before the assignment.

Exam trap

The trap here is that candidates often take 'AuditIfNotExists' for a remediation effect, but it only records non-compliance and changes nothing, while 'AutoRemediate' sounds plausible but is not an Azure Policy effect. Be aware that Deny (Option B) is also a real effect that enforces compliance by rejecting the request, so this item is weakly written: the key favours the two effects that remediate resources rather than block them.

8 · Multi-Select · hard

Your organization is designing a governance solution for multiple Azure subscriptions. You need to enforce that all resources are created in specific Azure regions (East US and West Europe only). Additionally, any resource group must have a cost center tag. Which THREE Azure components should you use? (Choose three.)

Select 3 answers
A.Azure Policy
B.Azure Blueprints
C.Policy Initiative
D.Management Groups
E.Role-Based Access Control (RBAC)
Answers: A, C, D

Azure Policy can enforce allowed locations and require tags on resource groups.

Why this answer

Azure Policy is correct because it allows you to define and enforce rules for resource creation, such as restricting allowed locations to East US and West Europe and denying resource groups that lack a cost center tag. A Policy Initiative (policy set definition) groups those two definitions into one assignable unit with shared parameters, so they are assigned and reported on together. Assigning that initiative at a Management Group applies it to every subscription under the group, including subscriptions added later, which is how the rules are enforced across multiple subscriptions without a separate assignment in each one.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which packages and deploys resources) with Azure Policy (which enforces rules), or they overlook that Management Groups are needed to apply policies across multiple subscriptions efficiently.

9 · MCQ · easy

A company uses Microsoft Entra ID. They need to automatically block sign-ins from users whose accounts have been identified as high-risk for compromise. They also want users to be prompted to reset their password when the risk is detected. Which Microsoft Entra ID feature should they use?

A.Identity Protection with user risk policy
B.Conditional Access with location policy
C.Microsoft Entra ID MFA
D.Microsoft Entra ID Privileged Identity Management
Answer: A

User risk policy can block sign-in or force password change when a user is deemed high risk.

Why this answer

Identity Protection with a user risk policy is the correct feature because it allows automatic blocking of sign-ins when a user's account is flagged as high-risk by Microsoft's machine learning models. Additionally, the policy can be configured to require a secure password reset (self-service password reset) as a remediation action, directly meeting both requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access (which handles location, device, and app conditions) with Identity Protection's risk-based policies, but only Identity Protection directly evaluates user risk and triggers automated password reset remediation.

How to eliminate wrong answers

Option B is wrong because Conditional Access with a location policy controls access based on geographic location (e.g., blocking sign-ins from untrusted countries), not on user risk level. Option C is wrong because Microsoft Entra ID MFA adds a second authentication factor but does not automatically block sign-ins based on risk or force a password reset. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and oversight, not risk-based sign-in blocking or password reset prompts.

10 · MCQ · medium

You need to monitor Azure resources and send alerts when the CPU usage of a virtual machine exceeds 90% for 5 minutes. Which two Azure services should you use? (Select TWO.)

A.Azure Monitor Action Groups
B.Log Analytics
C.Azure Monitor
D.Application Insights
E.Event Grid
Answers: A, C

Action groups define the notification actions for alerts.

Why this answer

Azure Monitor is the core service for collecting and analyzing metrics and logs from Azure resources. It can be configured with metric alerts that trigger when CPU usage exceeds 90% for 5 minutes. Action Groups define the notification and response actions (e.g., email, SMS, webhook) that are executed when the alert fires, making them essential for sending alerts.

Exam trap

The trap here is that candidates often confuse Log Analytics (a log query tool) with Azure Monitor (the alerting engine), or mistakenly think Application Insights can monitor VM-level metrics, when it is designed for application-level telemetry.

How to eliminate wrong answers

Option B is wrong because Log Analytics is a tool for querying and analyzing log data, not for creating metric-based alerts or sending notifications directly. Option D is wrong because Application Insights is focused on application performance monitoring (APM) for web applications, not infrastructure-level VM CPU metrics. Option E is wrong because Event Grid is a serverless event routing service used for reacting to Azure resource state changes (e.g., VM creation), not for monitoring CPU thresholds or sending alerts.
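The evaluation that Questions 5 and 10 both rely on, as an added example written for this page rather than taken from Azure Monitor: a static-threshold evaluator in the shape of a metric alert rule (aggregation granularity, evaluation period, minimum number of failing periods) replayed over a constructed series of one-minute Percentage CPU averages, returning the Fired/Resolved transitions that an action group would be notified about. The three-consecutive-healthy-evaluations resolve behaviour of real metric alerts is simplified to one evaluation, and the CPU values are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class MetricAlertRule:
    """Static-threshold rule in the shape of an Azure Monitor metric alert.
    One aggregated data point per granularity; the alert looks at the last
    `evaluation_periods` points and fires when at least `min_failing_periods`
    of them breach the threshold. 5 of 5 one-minute points means
    'CPU above 90% for the whole of the last 5 minutes'."""
    threshold: float = 90.0
    granularity_min: int = 1
    evaluation_periods: int = 5
    min_failing_periods: int = 5


# Constructed one-minute 'Percentage CPU' averages for a single VM. Minute 1 is
# an isolated spike; minutes 4-9 are a sustained breach; then load drops.
T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CPU_SERIES = [(T0 + timedelta(minutes=i), v) for i, v in
              enumerate([40, 99, 60, 70, 95, 96, 93, 97, 99, 91, 50, 45])]


def window_breached(values, rule: MetricAlertRule) -> bool:
    """values: the most recent grain aggregates, oldest first."""
    if len(values) < rule.evaluation_periods:  # not enough history yet
        return False
    failing = sum(1 for v in values if v > rule.threshold)
    return failing >= rule.min_failing_periods


def replay(samples, rule: MetricAlertRule):
    """Run the rule over a sorted (timestamp, value) series once per grain and
    return the state transitions an action group would receive.
    Assumption: the alert resolves as soon as one evaluation passes; real
    metric alerts wait for three consecutive healthy evaluations."""
    transitions, fired = [], False
    for i, (ts, _) in enumerate(samples):
        window = [v for _, v in samples[max(0, i - rule.evaluation_periods + 1): i + 1]]
        breached = window_breached(window, rule)
        if breached and not fired:
            transitions.append((ts, "Fired"))
            fired = True
        elif not breached and fired:
            transitions.append((ts, "Resolved"))
            fired = False
    return transitions


if __name__ == "__main__":
    for ts, state in replay(CPU_SERIES, MetricAlertRule()):
        print(ts.isoformat(), state)
```

With the default rule the spike at minute 1 never fires: the alert fires at minute 8, the first evaluation whose whole five-minute window is above 90%, and resolves at minute 10. Lowering `min_failing_periods` to 1 turns the rule into "any minute above 90% in the last five", which fires at minute 4 and, on this series, never resolves; that sensitivity choice is what the exam's "for more than 5 minutes" wording is really about.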

11 · MCQ · easy

Your company has an Azure subscription with multiple resource groups. You need to ensure that all resources are tagged with a 'CostCenter' tag. What should you use?

A.Azure Policy
B.Azure Blueprints
C.Management Groups
D.Azure RBAC
Answer: A

Azure Policy can enforce tagging rules.

Why this answer

Azure Policy is the correct choice because it enforces organizational standards by evaluating every resource against defined rules, such as requiring a specific tag. A policy with the Deny effect rejects deployments that lack the 'CostCenter' tag, a Modify effect can add the tag or inherit it from the resource group automatically, and an Audit effect reports existing resources that are missing it, so the tag is enforced both at deployment time and on an ongoing basis.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints, thinking Blueprints can enforce tags directly, but Blueprints only define the initial state and do not enforce ongoing compliance like Policy does.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints orchestrates the deployment of resource groups, policies, role assignments, and ARM templates as a repeatable environment; it can include a policy assignment, but the tag enforcement is still done by Azure Policy, and Blueprints is scheduled for deprecation in July 2026 in favour of template specs and deployment stacks. Option C is wrong because Management Groups provide a hierarchical structure for organizing subscriptions and applying policies at scale, but they are not the direct enforcement mechanism for tagging resources. Option D is wrong because Azure RBAC manages access control by assigning roles to users, groups, or applications, and does not enforce resource tagging.
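The rules behind Questions 7, 8 and 11, as an added example written for this page (it is not Azure's policy engine): two policy definitions in the Azure Policy JSON shape, an allowed-locations rule and a require-tag-on-resource-groups rule, grouped into an initiative, plus a small evaluator that applies the if/then logic to constructed resource requests and returns the effect that would apply. The definitions are simplified versions of the 'Allowed locations' and 'Require a tag on resource groups' built-ins (the real tag rule builds the field name with concat()), only the Deny effect is modelled, and the resource names and tag values are invented.

```python
import re

# Policy definitions in the Azure Policy JSON shape: if/then, allOf, field
# conditions and [parameters()] references. Simplified from the built-ins.
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "parameters": {"listOfAllowedLocations": ["eastus", "westeurope"]},
    "policyRule": {
        "if": {"allOf": [
            {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            {"field": "location", "notEquals": "global"},  # global services have no region
            {"field": "type", "notEquals": "Microsoft.Resources/subscriptions/resourceGroups"},
        ]},
        "then": {"effect": "deny"},
    },
}
REQUIRE_COSTCENTER_TAG = {
    "name": "require-costcenter-tag-on-rg",
    "parameters": {},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            {"field": "tags[CostCenter]", "exists": "false"},  # built-in uses concat() here
        ]},
        "then": {"effect": "deny"},
    },
}
# An initiative (policy set definition) bundles both for one assignment at a management group.
INITIATIVE = {"name": "governance-baseline",
              "definitions": [ALLOWED_LOCATIONS, REQUIRE_COSTCENTER_TAG]}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
_TAG_FIELD = re.compile(r"^tags\[(.+)\]$")


def _resolve(value, params):
    """Replace a [parameters('x')] reference with the assignment's value."""
    m = _PARAM_REF.match(value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value


def _field(resource, name):
    m = _TAG_FIELD.match(name)
    return resource.get("tags", {}).get(m.group(1)) if m else resource.get(name)


def _norm(v):
    return v.lower() if isinstance(v, str) else v  # Policy string comparisons are case-insensitive


def evaluate(cond, resource, params) -> bool:
    """True when the condition matches, i.e. the 'then' effect applies."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(x) for x in _resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(x) for x in _resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(policy, resource) -> str:
    rule = policy["policyRule"]
    if evaluate(rule["if"], resource, policy["parameters"]):
        return rule["then"]["effect"]  # 'deny': the create/update request is rejected
    return "compliant"


def evaluate_initiative(initiative, resource) -> dict:
    """Per-definition result, as the initiative's compliance view would show it."""
    return {p["name"]: apply_policy(p, resource) for p in initiative["definitions"]}


# Constructed resources as they would arrive in create/update requests.
RG = "Microsoft.Resources/subscriptions/resourceGroups"
RESOURCES = {
    "tagged-rg": {"type": RG, "location": "eastus", "tags": {"CostCenter": "CC-1042"}},
    "untagged-rg": {"type": RG, "location": "westeurope", "tags": {}},
    "storage-centralus": {"type": "Microsoft.Storage/storageAccounts", "location": "centralus",
                          "tags": {"CostCenter": "CC-1042"}},
    "storage-westeurope": {"type": "Microsoft.Storage/storageAccounts", "location": "WestEurope", "tags": {}},
    "traffic-manager": {"type": "Microsoft.Network/trafficManagerProfiles", "location": "global", "tags": {}},
}

if __name__ == "__main__":
    for name, res in RESOURCES.items():
        print(name, evaluate_initiative(INITIATIVE, res))
```

The two exclusions in the allowed-locations rule are the part worth noticing: without them the policy would block resource groups (which carry a location of their own) and global services such as Traffic Manager, which is the most common reason a freshly assigned location policy breaks legitimate deployments.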

12 · MCQ · hard

Refer to the exhibit. You are reviewing an ARM template for deploying a storage account. The template is missing the storage account name parameter definition. What will happen when you attempt to deploy this template?

A.The deployment will prompt the user to provide the missing parameter.
B.The deployment will fail with a validation error because the parameter is not defined.
C.The deployment will succeed using a default name based on the resource group.
D.The deployment will create a storage account with a random name.
Answer: B

The template is invalid; the deployment engine will reject it.

Why this answer

In Azure Resource Manager (ARM) templates, every parameter must be declared in the template's `parameters` section before it can be referenced. If a parameter is referenced (e.g., `[parameters('storageAccountName')]` in the `resources` section) but not declared, pre-flight validation rejects the template with an InvalidTemplate error stating that the parameter is not found, and no resource is provisioned. ARM validates template structure and parameter definitions before the deployment starts, so this is a validation error rather than a runtime failure. It is distinct from a declared parameter without a default value that the caller fails to supply, which also fails validation, but with a message that the parameter's value is not provided.

Exam trap

The trap here is that candidates may assume Azure will automatically prompt for or generate a missing parameter, similar to how some Azure Portal experiences handle missing inputs, but ARM templates strictly enforce parameter definitions and fail fast on validation.

How to eliminate wrong answers

Option A is wrong because ARM templates do not prompt the user for missing parameters; they fail validation if a referenced parameter is not defined. Option C is wrong because there is no default name generation based on the resource group; storage account names must be explicitly provided or generated via a defined parameter or variable. Option D is wrong because ARM does not automatically assign random names; the deployment fails before any resource creation occurs.
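The check that fails in Question 12, as an added example written for this page (it is not ARM's validator): a constructed template with the storage account name bound to an undeclared parameter, and functions that separate the two validation failures the explanation distinguishes, an undefined parameter reference versus a declared parameter with no value supplied. The storage-account naming check is an assumption added for the example.

```python
import copy
import json
import re

# Constructed template reproducing the question's defect: the storage account
# name references a parameter that the parameters section never declares.
BROKEN_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {"type": "string", "defaultValue": "[resourceGroup().location]"}
  },
  "resources": [{
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2023-01-01",
    "name": "[parameters('storageAccountName')]",
    "location": "[parameters('location')]",
    "sku": {"name": "Standard_LRS"},
    "kind": "StorageV2",
    "properties": {"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false,
                   "supportsHttpsTrafficOnly": true}
  }]
}
""")

_PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
_STORAGE_NAME = re.compile(r"^[a-z0-9]{3,24}$")  # assumption: Azure's storage account naming rule


def _strings(node):
    """Yield every string value anywhere in the template document."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)
    elif isinstance(node, str):
        yield node


def undefined_parameter_references(template) -> list:
    """Parameters referenced via parameters('...') but absent from the
    parameters section: the template itself is invalid, nothing is deployed."""
    declared = set(template.get("parameters", {}))
    referenced = {name for s in _strings(template) for name in _PARAM_REF.findall(s)}
    return sorted(referenced - declared)


def missing_required_values(template, supplied: dict) -> list:
    """Declared parameters with no defaultValue that the caller did not supply:
    a different validation error, possible only once the declaration exists."""
    return sorted(name for name, spec in template.get("parameters", {}).items()
                  if "defaultValue" not in spec and name not in supplied)


def validate(template, supplied: dict) -> list:
    """Errors a pre-flight check would report, or [] when the deployment may proceed.
    Undefined references are reported alone: value checks only make sense once
    every referenced parameter is declared."""
    errors = [f"template parameter '{p}' is not defined" for p in undefined_parameter_references(template)]
    if errors:
        return errors
    errors += [f"no value provided for parameter '{p}'" for p in missing_required_values(template, supplied)]
    name = supplied.get("storageAccountName")
    if name is not None and not _STORAGE_NAME.match(name):
        errors.append("storage account names must be 3-24 lowercase letters and digits")
    return errors


def fixed_template():
    """The same template with the parameter declared: the fix for the question."""
    t = copy.deepcopy(BROKEN_TEMPLATE)
    t["parameters"]["storageAccountName"] = {"type": "string", "minLength": 3, "maxLength": 24}
    return t


if __name__ == "__main__":
    print(validate(BROKEN_TEMPLATE, {}))
    print(validate(fixed_template(), {}))
    print(validate(fixed_template(), {"storageAccountName": "stgovexample001"}))
```

Declaring the parameter only moves the failure: the fixed template still fails validation until a value is supplied, which is the distinction between options A and B in the question. Running such a check in CI before `az deployment group validate` catches both classes of error without touching the subscription.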

13 · MCQ · hard

A multinational company uses Microsoft Entra ID and several Azure subscriptions. Security administrators need to review privileged role assignments every month and require justification for continued access. Which design should be recommended?

A.Azure Monitor metric alerts
B.Management group locks
C.Microsoft Entra Privileged Identity Management with access reviews
D.Azure Policy guest configuration
Answer: C

PIM supports eligible role assignments, activation controls, and access reviews for privileged roles.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) with access reviews is the correct design because it provides time-bound, just-in-time privileged role assignments and requires assignees to periodically justify their continued access through scheduled access reviews. PIM covers both Entra ID directory roles and Azure resource roles (for example Owner or Contributor on each subscription), so a monthly review of privileged assignments across several subscriptions can be run from one place, with reviewers required to give a justification and unreviewed or denied access removed automatically when the review ends.

Exam trap

The trap here is that candidates often confuse Azure resource governance tools (management locks, Azure Policy) with identity governance tools, mistakenly thinking they can control role assignments, when in fact only Entra ID PIM provides the required review and justification workflow for privileged roles.

How to eliminate wrong answers

Option A is wrong because Azure Monitor metric alerts are used to detect and notify on performance or operational metrics (e.g., CPU usage, response times) and cannot enforce or review privileged role assignments. Option B is wrong because management group locks prevent accidental deletion or modification of Azure resources at the management group scope but do not manage identity or role assignments in Entra ID. Option D is wrong because Azure Policy guest configuration audits and configures settings inside virtual machines (e.g., OS compliance) and has no capability to review or justify privileged role assignments in Entra ID.

14 · MCQ · medium

A company uses Microsoft Entra ID. External partners need temporary access to an internal application. The process must be self-service: partners request access, the request goes through an approval workflow managed by a manager from the partner's organization, and access automatically expires after 30 days. The company also wants to send reminder emails 7 days before expiration. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Identity Governance - Access Reviews
B.Microsoft Entra ID Identity Governance - Entitlement Management
C.Microsoft Entra ID Privileged Identity Management (PIM)
D.Microsoft Entra ID Conditional Access
Answer: B

Entitlement Management provides access packages that external users can request. It includes approval workflows, automatic expiration after a defined duration, and email reminders before expiration. It is designed for managing external identities and time-limited access.

Why this answer

Option B is correct because Microsoft Entra ID Identity Governance - Entitlement Management is specifically designed to manage access for external users through self-service access packages. The access package policy can require approval from a sponsor of the partner's connected organization, sets a fixed lifetime for each assignment (e.g., 30 days), and notifies the user before the assignment expires. This aligns with the requirement for partner-managed, temporary, self-service access.

Exam trap

The trap here is confusing Entitlement Management (designed for external user access lifecycle) with Access Reviews (which is for periodic recertification, not self-service provisioning) or PIM (which is for internal privileged roles, not application access for partners).

How to eliminate wrong answers

Option A is wrong because Access Reviews are used for periodic attestation of existing access, not for self-service request workflows with automatic expiration and reminders. Option C is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged role activation for internal administrators, not for granting temporary access to external partners for an application. Option D is wrong because Conditional Access enforces policies (e.g., MFA, location) during sign-in but does not provide self-service request, approval workflows, or automatic expiration management.

15 · Multi-Select · easy

Which TWO features of Microsoft Entra ID can be used to secure hybrid identities?

Select 2 answers
A.Microsoft Sentinel
B.Microsoft Intune
C.Seamless Single Sign-On
D.Azure Active Directory Domain Services
E.Password Hash Synchronization
Answers: C, E

Seamless SSO signs users in without a password prompt when they are on domain-joined devices on the corporate network.

Why this answer

Seamless Single Sign-On (Seamless SSO) automatically signs users in when they are on domain-joined corporate devices connected to the corporate network, eliminating password prompts. Password Hash Synchronization (PHS) synchronizes a salted, iterated SHA256 hash of each user's on-premises AD password hash (never the password itself or the raw NT hash) to Microsoft Entra ID (formerly Azure AD), enabling cloud authentication without additional infrastructure and allowing Identity Protection to detect leaked credentials for those accounts. Both features directly secure hybrid identities by extending on-premises credentials to the cloud.

Exam trap

The trap here is that candidates often confuse Azure AD DS (a managed domain service, now Microsoft Entra Domain Services) with a feature of Microsoft Entra ID, when in fact it is a separate service that provides legacy LDAP, Kerberos and NTLM capabilities, not a native hybrid identity authentication feature.

16 · Multi-Select · medium

Your company uses Microsoft Entra ID. You need to implement a privileged identity management (PIM) strategy to secure administrative roles. Which TWO capabilities does PIM provide? (Choose two.)

Select 2 answers
A.Approval workflows for role activation
B.Conditional Access policies for role activation
C.Management of external identities
D.Just-in-time (JIT) access to privileged roles
E.Automated user provisioning to applications
Answers: A, D

PIM can require approval from designated approvers before a role is activated.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides time-based and approval-based role activation to secure privileged roles. Approval workflows for role activation (Option A) are a core PIM feature: designated approvers review and approve activation requests before a user gains elevated permissions, so privileged access is granted only after explicit authorization. Just-in-time access (Option D) is the other core capability: users are made eligible for a role rather than permanently assigned, and activate it only when needed, for a bounded duration and with a stated justification, which removes standing privileged assignments from the tenant.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control access to apps) with PIM's role activation policies (which control access to privileged roles), leading them to incorrectly select Option B. PIM role settings can require a Conditional Access authentication context on activation, but that policy is still defined and enforced by Conditional Access; what PIM itself provides are the approval and just-in-time controls.

17 · Drag & Drop · medium

Drag and drop the steps to implement Azure Site Recovery for a Hyper-V VM into the correct order.


Why this order

First, create the vault. Then ensure network connectivity. Install the provider and agent.

Create and apply a replication policy. Finally, enable replication.

18 · MCQ · hard

Your company plans to deploy a new SaaS application that will be used by employees and external users. The application requires single sign-on (SSO) and must support conditional access policies that enforce MFA for external users. Additionally, the application must be able to read user profile attributes from Microsoft Entra ID. You need to design an identity solution that meets these requirements. What should you include in the design?

A.Register the application in Microsoft Entra ID (App Registration) and configure it to use OpenID Connect for authentication; apply conditional access policies to the app.
B.Use Azure AD Application Proxy to publish the SaaS app and configure pre-authentication with Entra ID.
C.Use Microsoft Entra Domain Services to authenticate the application via LDAP.
D.Register the application in Microsoft Entra B2C and configure federation with your Entra ID tenant.
Answer: A

App registration supports SSO, conditional access, and Graph API for profile reads.

Why this answer

Option A is correct because registering the application in Microsoft Entra ID (App Registration) and configuring OpenID Connect (OIDC) enables SSO and allows the application to read user profile attributes via the Microsoft Graph API. Conditional access policies can be applied directly to the enterprise app in Entra ID to enforce MFA for external users, meeting all stated requirements.

Exam trap

The trap here is that candidates may confuse Azure AD Application Proxy (for on-premises apps) or Entra B2C (for customer identities) with the correct solution for a SaaS app requiring employee and external user access with conditional access and Graph API reads.

How to eliminate wrong answers

Option B is wrong because Azure AD Application Proxy is designed for publishing on-premises apps, not SaaS applications, and does not inherently support reading user profile attributes via Graph API. Option C is wrong because Microsoft Entra Domain Services provides LDAP/Kerberos/NTLM authentication for legacy apps and does not support modern SSO protocols like OIDC or conditional access policies for SaaS apps. Option D is wrong because Microsoft Entra B2C is intended for customer-facing identity management with external identity providers, not for employee access to a SaaS app, and it does not natively support reading user profile attributes from the primary Entra ID tenant via Graph API.

19 · MCQ · hard

Refer to the exhibit. You run this Kusto query in Azure Monitor Logs. What does it return?

A.The number of heartbeats per computer in the last hour.
B.Computers that sent a heartbeat in the last 5 minutes.
C.Computers that have not sent a heartbeat in the last 5 minutes.
D.The average heartbeat frequency per computer.
Answer: C

The query is expected to return the computers whose latest heartbeat is older than 5 minutes.

Why this answer

The query reads the `Heartbeat` table, which receives one row per agent per minute, and compares timestamps against `ago(5m)`. For the result to be "computers that have not sent a heartbeat in the last 5 minutes" (Option C), the comparison must be applied to each computer's most recent heartbeat, which is the standard pattern: `Heartbeat | summarize LastHeartbeat = max(TimeGenerated) by Computer | where LastHeartbeat < ago(5m)`. Be aware that a plain row filter, `Heartbeat | where TimeGenerated < ago(5m) | distinct Computer`, does not do this: every computer has heartbeats older than five minutes, so that form lists every computer in the query's time range, offline or not.

This is a common pattern for detecting unresponsive or offline machines, and the building block for a log alert that fires when a monitored host goes silent.

Exam trap

The trap here is that candidates misread the comparison operator: `TimeGenerated < ago(5m)` selects records older than 5 minutes (not newer), leading them to incorrectly think the query returns computers that recently sent a heartbeat.

How to eliminate wrong answers

Option A is wrong because the query does not count heartbeats per computer; it uses `distinct Computer` to return unique computer names, not an aggregation like `summarize count()`. Option B is wrong because the filter `TimeGenerated < ago(5m)` selects records older than 5 minutes, not records within the last 5 minutes; to find computers that sent a heartbeat in the last 5 minutes, the filter would be `TimeGenerated > ago(5m)`. Option D is wrong because the query does not calculate any average or frequency; it simply returns distinct computer names based on a time filter, with no aggregation or statistical function.
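The difference the explanation for Question 19 turns on, as an added example written for this page (Python standing in for KQL, which cannot be run offline): three functions, each mirroring the KQL in its docstring, run over constructed Heartbeat rows with a fixed 'now'. The computer names and timestamps are invented.

```python
from datetime import datetime, timedelta, timezone

# Fixed 'now' so the example is deterministic (a real query uses the workspace clock).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed Heartbeat rows as (TimeGenerated, Computer). The agent reports once a
# minute: web01 was last seen 1 min ago, jump01 3 min ago, db01 went silent 12 min ago.
HEARTBEATS = [
    (NOW - timedelta(minutes=m), computer)
    for computer, minutes_ago in {"web01": [60, 30, 10, 5, 1],
                                  "db01": [60, 30, 12],
                                  "jump01": [45, 3]}.items()
    for m in minutes_ago
]


def ago(minutes: int) -> datetime:
    """KQL ago(): the timestamp `minutes` before now."""
    return NOW - timedelta(minutes=minutes)


def distinct_computers_with_old_rows(rows, minutes=5):
    """Heartbeat | where TimeGenerated < ago(5m) | distinct Computer
    Lists every computer that has *any* heartbeat older than the cut-off, which on
    a table with an hour of history is every computer, online or not."""
    return sorted({c for t, c in rows if t < ago(minutes)})


def stale_computers(rows, minutes=5):
    """Heartbeat | summarize LastHeartbeat = max(TimeGenerated) by Computer
               | where LastHeartbeat < ago(5m)
    Compares each computer's latest heartbeat with the cut-off: the offline set."""
    last_seen = {}
    for t, c in rows:
        last_seen[c] = max(last_seen.get(c, t), t)
    return sorted(c for c, t in last_seen.items() if t < ago(minutes))


def recently_seen_computers(rows, minutes=5):
    """Heartbeat | where TimeGenerated > ago(5m) | distinct Computer   (Option B)"""
    return sorted({c for t, c in rows if t > ago(minutes)})


if __name__ == "__main__":
    print("row filter only:", distinct_computers_with_old_rows(HEARTBEATS))
    print("offline:", stale_computers(HEARTBEATS))
    print("online:", recently_seen_computers(HEARTBEATS))
```

Only `stale_computers` isolates db01; the row-filter version returns all three hosts, which is why a log alert built on it would page on every machine in the workspace.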

20
MCQ · medium

Your organization uses Microsoft Entra ID and requires that all external users accessing resources must be approved by a designated reviewer. You need to automate the review process for external identities. What should you implement?

A. Microsoft Purview
B. Privileged Identity Management (PIM)
C. Microsoft Entra access reviews
D. Conditional Access
Answer: C

Access reviews automate the periodic review of external users' access.

Why this answer

Microsoft Entra access reviews allow you to automate the periodic review of external identities, ensuring that only approved users retain access. This feature directly supports the requirement for a designated reviewer to approve or deny external users, with automated reminders and results. It is the correct choice because it is purpose-built for governance of external identities in Entra ID.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with access reviews, as both involve approvals, but PIM is for privileged roles while access reviews are for ongoing user access certification, especially for external identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a data governance and compliance solution focused on data classification, labeling, and risk management, not on automating identity access reviews. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval, not the periodic review of all external identities. Option D is wrong because Conditional Access enforces access policies based on conditions like location or device state, but does not provide a workflow for designated reviewers to approve or deny external user access.

21
Multi-Select · medium

Your company uses Microsoft Entra ID. You need to implement a governance strategy for guest users. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Create access reviews for guest users
B. Disable external identities
C. Block all guest user access
D. Enable self-service sign-up for guest users
E. Configure Microsoft Entra entitlement management
Answers: A, E

Access reviews ensure guest access is reviewed periodically.

Why this answer

Access reviews for guest users (Option A) are a core governance control in Microsoft Entra ID, allowing administrators to periodically review and confirm or revoke guest access. This ensures that guest accounts remain necessary and compliant with security policies, directly addressing the governance requirement.

Exam trap

The trap here is that candidates may confuse blocking or disabling guest access (Options B and C) with governance, when the correct approach involves reviewing and managing guest access through reviews and entitlement management.

22
Multi-Select · easy

Your company uses Microsoft Entra ID for identity management. You need to implement a solution that automatically blocks sign-ins from risky users and requires multi-factor authentication (MFA) when a sign-in risk is detected. Which TWO services should you use? (Choose two.)

Select 2 answers
A. Microsoft Purview
B. Microsoft Entra ID Protection
C. Microsoft Defender XDR
D. Microsoft Intune
E. Conditional Access policies
Answers: B, E

Identity Protection detects risky users and sign-ins.

Why this answer

Microsoft Entra ID Protection (B) is the service that detects sign-in risks (e.g., anonymous IP, atypical travel) and labels users or sign-ins as risky. Conditional Access policies (E) then enforce automated responses, such as blocking the sign-in or requiring MFA, based on the risk level from Entra ID Protection. Together, they provide the detection and enforcement mechanism described in the requirement.

Exam trap

The trap here is that candidates often confuse Microsoft Defender XDR (which includes identity threat detection) with the policy enforcement layer, but only Conditional Access policies can apply the automated MFA or block action based on risk from Entra ID Protection.

23
MCQ · hard

Your Azure subscription contains multiple virtual machines (VMs) that run a line-of-business application. You need to configure alerts when the CPU usage exceeds 90% for more than 5 minutes. Additionally, the alert must automatically trigger a runbook to scale out the application. Which Azure service should you use to create this alert?

A. Azure Automation
B. Azure Logic Apps
C. Azure Monitor metric alert
D. Azure Autoscale
Answer: C

Metric alerts can trigger action groups that include runbooks.

Why this answer

Azure Monitor metric alerts can evaluate resource metrics like CPU usage at a specified frequency and trigger actions when a threshold (e.g., 90%) is breached for a given duration (e.g., 5 minutes). The alert can invoke an Automation runbook via an action group, enabling automatic scaling of the application. This is the correct service because it directly supports metric-based alerting with multi-condition evaluation and action group integration.

Exam trap

The trap here is that candidates confuse Azure Monitor metric alerts with Azure Autoscale, assuming Autoscale can both alert and trigger runbooks, when in fact Autoscale only performs scaling actions based on its own rules and does not generate alerts or invoke runbooks.

How to eliminate wrong answers

Option A is wrong because Azure Automation is a service for authoring and running runbooks, but it does not itself evaluate metrics or generate alerts; it can only be triggered by an alert action group. Option B is wrong because Azure Logic Apps is a workflow orchestration service that can respond to alerts via connectors, but it is not the native alerting service for metric thresholds and would require additional configuration to evaluate CPU usage. Option D is wrong because Azure Autoscale is a scaling service that can automatically adjust resources based on metrics, but it does not create alerts or trigger runbooks; it directly scales resources without an intermediate alerting step.

24
MCQ · medium

A company uses Microsoft Entra ID. They want to grant a user temporary access to the Global Administrator role for a specific task. The access must require approval from a manager and automatically expire after 4 hours. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Privileged Identity Management (PIM)
D. Microsoft Entra ID Access Reviews
Answer: C

PIM enables just-in-time privileged access to Microsoft Entra ID roles with approval, activation time limits, and automatic expiration, meeting the requirement.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access, allowing users to activate roles like Global Administrator for a limited time. It supports approval workflows (manager approval) and configurable activation duration (e.g., 4 hours), making it the correct choice for temporary, approved, time-bound role elevation.

Exam trap

The trap here is confusing PIM's JIT activation with Conditional Access policies, which control access to applications but not role elevation, or with Access Reviews, which are for periodic recertification rather than temporary activation.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like location or device state to control access to resources, but it does not provide time-bound role activation or approval workflows for privileged roles. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not manage role activation or approval. Option D is wrong because Access Reviews automate periodic attestation of group memberships or role assignments but do not support on-demand, temporary activation with approval and automatic expiration.

25
MCQ · easy

A company uses Microsoft Entra ID. They need to grant external partners access to an internal application for a limited time (30 days). The access must be approved by a manager from the partner's organization. After the period ends, access should automatically be removed. The company also wants to send email reminders 7 days before expiration. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Access Reviews
B. Microsoft Entra ID Entitlement Management
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Identity Protection
Answer: B

Entitlement Management provides access packages that can define time-limited access, require approval from specified managers, automatically expire, and send email notifications before expiration.

Why this answer

Microsoft Entra ID Entitlement Management is the correct feature because it provides automated access lifecycle management for external users, including time-limited access packages, approval workflows (including external manager approval), and automatic expiration with email notifications. This directly matches the requirement for 30-day access with partner manager approval and 7-day reminder emails.

Exam trap

The trap here is confusing Entitlement Management (which handles the full lifecycle of external access with expiration and approvals) with Access Reviews (which is a periodic review tool, not an automated expiration mechanism).

How to eliminate wrong answers

Option A is wrong because Access Reviews are a periodic attestation mechanism that requires manual or semi-automated review cycles, not a one-time 30-day expiration with automatic removal and email reminders. Option C is wrong because Conditional Access enforces access policies (e.g., MFA, device compliance) in real time but does not manage access expiration, approval workflows, or automated email reminders. Option D is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not handle external partner access lifecycle or time-bound approvals.

26
MCQ · medium

A company uses Microsoft Entra ID Premium P2. They need to automatically detect users with high-risk sign-ins (e.g., from anonymous IP addresses or leaked credentials) and require them to reset their password. Which Microsoft Entra ID feature should they configure?

A. Identity Protection
B. Privileged Identity Management
C. Conditional Access
D. Access Reviews
Answer: A

Detects identity risks and can automate remediation like password reset.

Why this answer

Identity Protection is the correct feature because it is specifically designed to detect and remediate risky sign-ins, including those from anonymous IP addresses or leaked credentials. It uses machine learning to assign a risk level to each sign-in and user, and can automatically enforce password resets when high-risk events are detected, aligning with the requirement for automated detection and remediation.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, not realizing that Conditional Access is the enforcement engine that requires Identity Protection to first detect and assign the risk level, making Identity Protection the correct feature for automatic detection.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time access and approval workflows for privileged roles, not on detecting risky sign-ins or enforcing password resets for all users. Option C (Conditional Access) is wrong because while it can enforce policies based on sign-in risk, it does not automatically detect or assign risk levels; it relies on Identity Protection to provide the risk assessment. Option D (Access Reviews) is wrong because it is a governance tool for periodic review of group memberships or application access, not for real-time risk detection or password reset enforcement.

27
MCQ · medium

You have an Azure subscription that contains 100 virtual machines. You need to monitor the virtual machines for security vulnerabilities and receive recommendations. What should you use?

A. Microsoft Defender for Cloud
B. Azure Monitor
C. Microsoft Sentinel
D. Microsoft Defender XDR
Answer: A

Defender for Cloud provides vulnerability assessment and security recommendations.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center) provides unified security management and advanced threat protection across hybrid cloud workloads. It continuously assesses your virtual machines for security vulnerabilities, misconfigurations, and missing updates, then delivers actionable recommendations and a secure score to prioritize remediation. This directly matches the requirement to monitor VMs for vulnerabilities and receive recommendations.

Exam trap

The trap here is that candidates confuse Azure Monitor (which monitors performance and availability) with security monitoring, or assume Microsoft Sentinel (a SIEM) is the correct tool for vulnerability scanning, when in fact Defender for Cloud is the dedicated service for security posture management and vulnerability assessment.

How to eliminate wrong answers

Option B is wrong because Azure Monitor is a platform for collecting and analyzing telemetry data (metrics, logs) from resources, but it does not perform vulnerability scanning or provide security recommendations—it lacks the built-in vulnerability assessment and secure score features. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR solution for aggregating security logs, detecting threats, and orchestrating incident response; it does not natively scan VMs for vulnerabilities or generate compliance recommendations. Option D is wrong because Microsoft Defender XDR (formerly Microsoft 365 Defender) is an extended detection and response solution that correlates signals across endpoints, email, and identities, but it is not designed for vulnerability assessment of Azure VMs and does not provide the same centralized security posture management as Defender for Cloud.

28
MCQ · hard

You are reviewing a Conditional Access policy for a Microsoft Entra ID tenant. The exhibit shows the policy configuration. Users report that they are prompted for MFA every hour even when using approved Microsoft applications. The security team wants to reduce MFA prompts but maintain security. What should you modify?

A. Enable 'persistentBrowser' session control
B. Change cloudAppSecurityType to 'blockDownloads'
C. Remove the 'approvedApplication' grant control
D. Increase the signInFrequency value to 24 hours
Answer: D

Increasing sign-in frequency to 24 hours reduces MFA prompts while maintaining security.

Why this answer

The sign-in frequency control in Conditional Access determines how often a user must re-authenticate. Increasing the value from 1 hour to 24 hours directly reduces the frequency of MFA prompts while still requiring re-authentication daily, balancing security and user experience. This change applies to approved Microsoft applications as configured in the policy.

Exam trap

The trap here is that candidates confuse session controls like 'persistentBrowser' with sign-in frequency, assuming that keeping the browser session alive will also reduce MFA prompts, but sign-in frequency is a separate, explicit time-based re-authentication control that overrides session persistence.

How to eliminate wrong answers

Option A is wrong because enabling 'persistentBrowser' session control keeps the browser session alive but does not affect the sign-in frequency for MFA prompts; it only prevents re-authentication for browser-based sessions, not for all approved applications. Option B is wrong because changing cloudAppSecurityType to 'blockDownloads' is a session control for Microsoft Defender for Cloud Apps that restricts data exfiltration, not a mechanism to reduce MFA prompt frequency. Option C is wrong because removing the 'approvedApplication' grant control would eliminate the requirement that only approved Microsoft applications can be used, potentially allowing non-approved apps and increasing security risk, not reducing MFA prompts.

29
MCQ · hard

You are a solutions architect for a financial services company. The company uses Microsoft Entra ID and has the following requirements:

1. All Azure administrators must use Privileged Identity Management (PIM) to activate their roles for a maximum of 4 hours.
2. Activation must require Azure Multi-Factor Authentication (MFA) and a ticket number.
3. Approvers must be notified via email when a role is activated.
4. All activation requests must be audited.

You configure PIM for Entra ID roles. Which additional configuration is needed to meet all requirements?

A. Configure a Conditional Access policy to require MFA for all admins.
B. Enable Azure AD audit logs in the Azure portal.
C. Set the maximum activation duration to 4 hours in the PIM settings.
D. Create an Azure Monitor alert rule for role activations.
Answer: C

PIM allows configuring max activation duration per role.

Why this answer

Option C is correct. PIM for Entra ID roles already supports MFA, ticket numbers, email notifications, and audit logs. However, the requirement to limit activation to 4 hours requires configuring a maximum activation duration in PIM settings.

Option A (Conditional Access) is not needed because PIM handles MFA separately. Option B (Azure AD audit logs) is already enabled. Option D (Azure Monitor) is not required for this scenario.

30
MCQ · medium

A company uses Microsoft Entra ID. They want to automatically detect sign-in attempts from anonymous IP addresses and sign-ins from unfamiliar locations. When such a risk is detected, they want to block the sign-in or require multi-factor authentication (MFA) in real time. Additionally, they need a dashboard that provides a summary of risk events and allows investigation. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Identity Protection
B. Microsoft Entra ID Conditional Access
C. Microsoft Entra ID Privileged Identity Management (PIM)
D. Microsoft Entra ID Access Reviews
Answer: A

Identity Protection detects risky sign-ins and provides a dashboard with risk events for investigation. It can feed risk data into Conditional Access for enforcement.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it automatically detects sign-in risks such as anonymous IP addresses and unfamiliar locations, and can trigger real-time remediation actions like blocking the sign-in or requiring MFA. It also provides a risk dashboard and investigation capabilities, directly matching the requirements for risk detection, automated response, and reporting.

Exam trap

The trap here is that candidates often confuse Conditional Access as the detection mechanism, but Conditional Access is only the enforcement layer; Identity Protection is the actual detection engine that generates the risk signals used by Conditional Access.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls based on conditions, but it does not itself detect risks like anonymous IPs or unfamiliar locations; it relies on Identity Protection to provide risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and access governance, not on detecting sign-in risks from anonymous IPs or unfamiliar locations. Option D is wrong because Access Reviews are used for periodic attestation of group memberships or role assignments, not for real-time risk detection or automated sign-in blocking.

31
MCQ · easy

Your company has a Microsoft Entra ID tenant with 10,000 users. You plan to grant external partners access to a specific SharePoint Online site using Microsoft Entra B2B collaboration. You need to ensure that partners can authenticate using their own corporate credentials. What should you configure?

A. Cross-tenant synchronization
B. Conditional Access policy for guest users
C. Microsoft Entra B2B collaboration with external identities
D. Microsoft Entra guest user accounts with password
Answer: C

B2B collaboration allows external users to authenticate with their own identity provider.

Why this answer

Microsoft Entra B2B collaboration allows external partners to authenticate using their own corporate credentials (such as Azure AD, Microsoft account, or other identity providers) without requiring a separate password or local account. This is the correct solution because it directly supports the requirement for partners to use their own identity providers, enabling seamless access to the SharePoint Online site via guest user invitations.

Exam trap

The trap here is that candidates often confuse Cross-tenant synchronization (Option A) with B2B collaboration, but Cross-tenant synchronization is for internal multi-tenant scenarios, not for granting external partners access with their own credentials.

How to eliminate wrong answers

Option A is wrong because Cross-tenant synchronization is designed to synchronize users between two Azure AD tenants for internal collaboration, not for granting external partners access to a specific SharePoint site with their own credentials. Option B is wrong because a Conditional Access policy for guest users controls access conditions (e.g., MFA, device compliance) after the guest user is already invited, but it does not enable authentication with the partner's own corporate credentials. Option D is wrong because creating guest user accounts with passwords would require partners to manage separate credentials, defeating the purpose of using their own corporate identities and violating the principle of federated authentication.

32
Multi-Select · hard

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to design a solution to monitor changes to privileged groups in both directories and ensure that any unauthorized changes trigger an automated response. Which THREE services should you include in the design?

Select 2 answers
A. Microsoft Sentinel
B. Microsoft Purview
C. Microsoft Entra Identity Protection
D. Group Policy Management Console
E. Microsoft Defender for Identity
Answers: A, E

Sentinel can collect logs from both Entra ID and on-premises and automate responses.

Why this answer

Microsoft Sentinel is correct because it serves as the centralized SIEM (Security Information and Event Management) solution that can ingest logs from both Microsoft Entra ID (via diagnostic settings) and on-premises Active Directory (via Windows Security Events or Azure Monitor Agent). It allows you to create analytics rules that detect unauthorized changes to privileged groups and trigger automated responses, such as playbooks (Logic Apps) or incident creation, ensuring a unified monitoring and response workflow.

Exam trap

The trap here is that candidates often confuse Microsoft Purview (data governance) with Microsoft Defender for Cloud Apps (which can monitor group changes in SaaS apps) or assume Entra Identity Protection covers group membership monitoring, but neither Purview nor Identity Protection is designed for auditing or responding to privileged group modifications in hybrid directories.

33
MCQ · hard

A large enterprise has multiple Azure subscriptions and on-premises servers. They need to collect performance metrics (CPU, memory) from all servers, create custom dashboards to visualize health across workloads, and set up alerts for critical thresholds. They also need to retain log data for one year. Which combination of Azure services should they use?

A. A
B. B
C. C
D. D
Answer: A

Azure Monitor with Log Analytics workspaces allows collection of performance counters, creation of custom dashboards, and alert rules. Log retention can be set to one year per workspace.

Why this answer

Azure Monitor is the central service for collecting performance metrics (CPU, memory) from both Azure VMs and on-premises servers via the Log Analytics agent or Azure Monitor Agent. Log Analytics workspace stores the data, enabling custom dashboards with Azure Workbooks and alerts with Azure Monitor Alerts. The 1-year retention is achieved by configuring the workspace's data retention settings (up to 730 days by default, extendable to 2 years).

Exam trap

The trap here is that candidates confuse Azure Monitor with Azure Sentinel, thinking Sentinel is needed for long-term retention and alerting, but Sentinel is a security-specific solution, while Azure Monitor natively handles performance monitoring, dashboards, and retention for operational data.

How to eliminate wrong answers

Option B is wrong because it suggests using Azure Sentinel, which is a SIEM/SOAR for security events, not primarily for performance metrics and custom dashboards; it would add unnecessary cost and complexity. Option C is wrong because it proposes Azure Storage for log retention, but Azure Storage does not natively support querying or alerting on performance metrics; you would need additional services like Azure Data Explorer, making it inefficient. Option D is wrong because it includes Azure Event Hubs, which is for real-time data streaming and ingestion, not for long-term storage or direct dashboarding; it would require additional downstream services to achieve the requirements.

34
MCQ · easy

Your company has a large Azure environment with thousands of resources. You need to design a solution to track resource ownership and ensure that resources are cleaned up when projects end. You want to use a tag-based approach where each resource has an 'Owner' and 'Project' tag. Additionally, you need to generate a weekly report of resources that are not tagged or have been orphaned (no recent activity). What should you include in the design?

A. Use Azure Policy to audit missing tags and create a custom dashboard in Azure Monitor.
B. Use Azure Monitor alerts with a metric alert for unmodified resources.
C. Use Azure Automation runbook to inventory resources and store in a SQL database, then use Power BI to report.
D. Use Azure Resource Graph queries in an Azure Logic App scheduled to run weekly, and send the report via email.
Answer: D

Logic Apps can execute queries and send formatted reports.

Why this answer

Option D is correct because Azure Resource Graph can query all resources and their tags, and Azure Logic Apps can schedule the query and send a report via email. Option A is wrong because Azure Policy can enforce tags but does not generate reports natively. Option B is wrong because Azure Monitor alerts are for real-time notifications, not scheduled reports.

Option C is wrong because Azure Automation runbooks can do this but are more complex than Logic Apps.

35
MCQ · hard

You are designing a monitoring solution for a critical application running on Azure Kubernetes Service (AKS). The application generates custom metrics that need to be queried in real-time for dashboards. You also need to retain logs for one year for compliance. Which combination of services should you use?

A. Azure Monitor Metrics and Azure Monitor Logs
B. Prometheus and Azure Monitor Logs
C. Azure Data Explorer and Azure Blob Storage
D. Application Insights and Azure Storage
Answer: A

Metrics for real-time dashboards, Logs for long-term log retention and querying.

Why this answer

Azure Monitor Metrics is the correct choice for real-time querying of custom metrics because it stores numeric time-series data with sub-minute granularity and supports near real-time alerting and dashboarding via Azure Dashboards or Grafana. Azure Monitor Logs (Log Analytics) is required for retaining logs for one year, as it offers configurable retention up to 730 days (2 years) and supports KQL queries for compliance and audit needs. Together, they provide a unified monitoring solution for AKS that meets both real-time metric querying and long-term log retention requirements.

Exam trap

The trap here is that candidates often confuse Prometheus as the only way to collect custom metrics in AKS, but Azure Monitor Metrics natively supports custom metrics via the Azure Monitor agent and does not require a separate Prometheus deployment for real-time dashboards.

How to eliminate wrong answers

Option B is wrong because Prometheus is a third-party monitoring tool that, while commonly used with AKS, does not natively integrate with Azure Monitor Logs for log retention; you would need Azure Monitor for logs, making this combination redundant and less integrated. Option C is wrong because Azure Data Explorer is designed for big data analytics and interactive queries on large datasets, not for real-time metric dashboards, and Azure Blob Storage is a cold storage option that does not support real-time querying or native dashboarding. Option D is wrong because Application Insights is primarily for application performance monitoring (APM) and traces, not for storing custom metrics from AKS in a real-time queryable format, and Azure Storage (Blob) is not a log analytics platform and lacks the querying capabilities needed for compliance retention.

36
Multi-Select · easy

You are designing a governance strategy for Azure resources. You need to enforce compliance with corporate standards and ensure that resource provisioning is audited. Which TWO Azure features should you include?

Select 2 answers
A. Azure Role-Based Access Control
B. Azure Blueprints
C. Azure Policy
D. Azure Management Groups
E. Azure Resource Graph
Answers: C, E

Enforces rules and effects on resources.

Why this answer

Azure Policy is correct because it enforces compliance by applying rules (e.g., allowed SKUs, tagging requirements) to resources during provisioning and existing resources via audit or deny effects. It ensures corporate standards are met and provides continuous compliance evaluation, which directly addresses the need to enforce standards and audit provisioning.

Exam trap

The trap here is confusing Azure Policy (which enforces and audits resource properties) with Azure Blueprints (which packages policies but does not enforce them) or RBAC (which controls access, not resource compliance).

37
MCQ · hard

Your organization has a hybrid identity with Microsoft Entra ID and on-premises Active Directory. You need to allow users to reset their own passwords from the cloud. What should you configure?

A. Password hash synchronization only
B. Azure AD Connect with password hash sync
C. Pass-through authentication
D. Azure AD self-service password reset with password writeback
Answer: D

SSPR with writeback allows users to reset on-premises passwords from the cloud.

Why this answer

Azure AD self-service password reset (SSPR) with password writeback is the correct configuration because it allows users to reset their on-premises Active Directory passwords from the cloud. Password writeback ensures that the new password is written back to the on-premises AD, maintaining hybrid identity synchronization. Without writeback, cloud-only password resets would not update the on-premises directory, breaking the hybrid identity model.

Exam trap

The trap here is that candidates often confuse password hash synchronization with the ability to perform password resets, not realizing that SSPR with writeback is a separate feature requiring explicit configuration beyond just syncing hashes.

How to eliminate wrong answers

Option A is wrong because password hash synchronization alone only syncs password hashes for authentication; it does not enable self-service password reset or writeback. Option B is wrong because Azure AD Connect with password hash sync is the mechanism for syncing hashes, not a feature for password reset; SSPR requires additional configuration of writeback. Option C is wrong because pass-through authentication validates passwords against on-premises AD but does not provide any password reset capability or writeback functionality.

38
Multi-Select · medium

Which TWO of the following are true about Microsoft Entra ID Governance features?

Select 2 answers
A. Conditional Access policies govern access based on location and device.
B. Access reviews allow administrators to periodically review and attest to access rights.
C. Privileged Identity Management (PIM) provides just-in-time access for all users.
D. Identity Protection automatically blocks all risky sign-ins.
E. Entitlement management enables automation of access request workflows.
Answers: B, E

Access reviews are a key governance feature for periodic attestation.

Why this answer

Option B is correct because Microsoft Entra ID Access Reviews enable administrators to periodically review and attest to the access rights of users, groups, or applications, ensuring that only authorized users retain access. This is a core governance feature that helps organizations meet compliance and security requirements by automating the certification process.

Exam trap

The trap here is confusing security features (Conditional Access, Identity Protection) with governance features (Access Reviews, Entitlement Management), leading candidates to select options that enforce access rather than manage its lifecycle.

39
Multi-Select · hard

Which TWO features are part of Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A. Entitlement Management
B. Self-service password reset
C. Conditional Access
D. Privileged Identity Management
E. Access Reviews
Answers: A, E

Entitlement Management is part of Entra ID Governance.

Why this answer

Options A and E are correct. Entitlement Management (A) and Access Reviews (E) are core governance features. Option B (Self-service password reset) is a user management feature.

Option D (Privileged Identity Management) is part of Identity Protection. Option C (Conditional Access) is security policy.

40
MCQ · medium

A company uses Microsoft Entra ID. They need to monitor sign-in logs for anomalous activity (e.g., sign-ins from unfamiliar locations) and automatically take action such as requiring MFA or blocking sign-in. Which Microsoft Entra ID feature should they configure?

A. Identity Protection
B. Conditional Access
C. Access Reviews
D. Privileged Identity Management
Answer: A

Identity Protection provides risk detection (e.g., unfamiliar sign-ins) and allows automated remediation through integration with Conditional Access policies.

Why this answer

Identity Protection is the correct feature because it is specifically designed to detect anomalous sign-in activities, such as sign-ins from unfamiliar locations or anonymous IP addresses, and can automatically trigger risk-based remediation actions like requiring MFA or blocking sign-ins. It leverages machine learning models and real-time risk detections to assess sign-in risks and apply policies accordingly, directly meeting the requirement for monitoring and automated response.

Exam trap

The trap here is that candidates often confuse Conditional Access as the detection mechanism, but it is only the enforcement layer; Identity Protection is the service that performs the actual anomaly detection and risk assessment.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because it is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect anomalous activity; it relies on risk signals from Identity Protection to trigger actions. Option C (Access Reviews) is wrong because it is used for periodic attestation of group memberships or application access, not for real-time monitoring or automated response to sign-in anomalies. Option D (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and approval workflows, not on detecting or responding to anomalous sign-in behavior.

41
MCQ · hard

Your organization uses Microsoft Entra ID with P2 licensing. You need to implement a strategy to automatically detect and remediate risky sign-ins without requiring user interaction for low-risk events. What should you configure?

A. Identity Protection sign-in risk policy set to allow access and log for low risk, and require MFA for medium and above
B. Conditional Access policy with session control requiring MFA for all sign-ins
C. Identity Protection user risk policy set to block high risk
D. Identity Protection sign-in risk policy set to allow access with MFA for medium and above
Answer: A

Automatically remediates low risk by allowing access with logging, and requires MFA for higher risk.

Why this answer

Option A is correct because the Identity Protection sign-in risk policy allows you to automatically respond to sign-in risk levels. By configuring it to 'allow access' and 'log' for low risk, you meet the requirement of no user interaction for low-risk events, while requiring MFA for medium and above ensures remediation for higher-risk sign-ins without manual intervention.

Exam trap

The trap here is confusing sign-in risk policies (which evaluate individual sign-in events) with user risk policies (which evaluate overall user compromise), leading candidates to select Option C, which addresses user risk rather than the sign-in risk requirement.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy requiring MFA for all sign-ins does not differentiate by risk level, forcing user interaction even for low-risk events, which contradicts the requirement to avoid user interaction for low risk. Option C is wrong because the Identity Protection user risk policy targets user account compromise (e.g., leaked credentials), not sign-in risk; it blocks high-risk users but does not address the sign-in risk detection and remediation for low-risk events. Option D is wrong because it requires MFA for medium and above but does not explicitly allow and log low-risk sign-ins without user interaction; the 'allow access with MFA' for medium and above still triggers MFA for medium risk, but the policy lacks the 'log' action for low risk, potentially blocking or requiring interaction for low-risk events depending on defaults.

42
MCQ · medium

Your company has a Microsoft Entra ID tenant with 50,000 users. You need to design a solution to ensure that users can reset their own passwords without help desk intervention, while preventing password reuse for the last 10 passwords. Which feature should you enable?

A. Microsoft Entra ID Protection
B. Microsoft Entra Connect
C. Privileged Identity Management (PIM)
D. Self-Service Password Reset (SSPR)
Answer: D

SSPR enables users to reset their own passwords, and password protection policies can enforce reuse restrictions.

Why this answer

Self-Service Password Reset (SSPR) is the correct feature because it allows users to reset their own passwords without help desk intervention. Additionally, SSPR can be configured with password protection policies that enforce password history, preventing reuse of the last 10 passwords. This directly meets both requirements stated in the question.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection (which handles risk-based policies) with SSPR, or they mistakenly think PIM is involved because it deals with passwords, but PIM is strictly for privileged role management, not end-user password resets.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security tool that detects and responds to identity-based risks (e.g., leaked credentials, sign-in anomalies), but it does not provide self-service password reset capabilities or enforce password history policies. Option B is wrong because Microsoft Entra Connect is used for hybrid identity synchronization between on-premises Active Directory and Azure AD, not for password reset or reuse prevention. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and role activation for privileged roles, not general user password reset or password history enforcement.

43
Multi-Select · medium

Which TWO actions should you take to implement a least-privilege identity strategy for Azure resources?

Select 2 answers
A. Use managed identities for Azure resources instead of service principals with secrets
B. Assign the Contributor role at the subscription scope to allow flexibility
C. Use storage account keys for access to blob data
D. Enable Privileged Identity Management (PIM) for just-in-time role assignments
E. Use a single service principal for all applications
Answers: A, D

Managed identities provide an automatically managed identity, reducing the need to manage credentials.

Why this answer

Managed identities for Azure resources eliminate the need to manage credentials by automatically rotating them and binding them to a resource lifecycle. This removes the risk of secret leakage or mismanagement that exists with service principal secrets, directly supporting a least-privilege identity strategy by ensuring identities are scoped and ephemeral.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'convenience' and select broad roles like Contributor at subscription scope, thinking it provides flexibility, when in reality it grants excessive permissions that violate the core principle.

44
MCQ · easy

Your company has multiple Azure subscriptions and needs a single pane of glass to monitor the health and performance of all resources across subscriptions. Which Azure service should you use?

A. Microsoft Sentinel
B. Azure Service Health
C. Azure Monitor
D. Azure Advisor
Answer: C

Azure Monitor provides metrics, logs, and alerts for all Azure resources across subscriptions.

Why this answer

Azure Monitor is the correct choice because it provides a unified, single-pane-of-glass experience for collecting, analyzing, and acting on telemetry from all Azure resources across multiple subscriptions. It aggregates metrics, logs, and alerts from various sources, enabling cross-subscription monitoring of health and performance without requiring separate tools.

Exam trap

The trap here is confusing Azure Monitor's broad monitoring capabilities with specialized services like Sentinel (security) or Service Health (Azure infrastructure status), leading candidates to pick a tool that addresses only a subset of the requirement.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) tool focused on security detection, investigation, and response, not general resource health and performance monitoring. Option B is wrong because Azure Service Health provides personalized alerts and guidance for Azure service issues and planned maintenance, but it does not monitor the health and performance of your own deployed resources. Option D is wrong because Azure Advisor is a personalized cloud consultant that offers best-practice recommendations for cost, security, reliability, and performance, but it does not provide real-time monitoring or a dashboard for resource health and performance.

45
Drag & Drop · medium

Drag and drop the steps to configure Azure Load Balancer for high availability of web servers into the correct order.

Why this order

Create backend pool, health probe, rule, associate public IP, test.

46
MCQ · easy

A multinational company uses Microsoft Entra ID. The company has regional IT teams that need to manage users and groups within their respective regions. Each region has a distinct set of users in specific organizational units. The company wants to assign the User Administrator role to regional IT staff, but limit their scope to only the users in their region. Which Microsoft Entra ID feature should they use?

A. Administrative Units
B. Dynamic Groups
C. Microsoft Entra ID B2B
D. Microsoft Entra ID Identity Protection
Answer: A

Administrative Units enable scoping of role assignments to a specific set of users or groups, allowing regional IT teams to manage only their local users.

Why this answer

Administrative Units in Microsoft Entra ID allow you to delegate administrative roles, such as User Administrator, to a specific subset of users and groups defined by organizational boundaries (e.g., region). By creating an Administrative Unit for each region and adding the regional users and groups to it, you can assign the User Administrator role scoped to that unit, ensuring regional IT staff can only manage their own region's identities.

Exam trap

The trap here is that candidates often confuse Administrative Units with Dynamic Groups, thinking that group-based membership scoping is equivalent to role-based administrative scoping, but Dynamic Groups only control group membership, not administrative permissions.

How to eliminate wrong answers

Option B is wrong because Dynamic Groups automatically manage group membership based on user attributes (e.g., department), but they do not provide role-based access control scoping; they cannot restrict administrative permissions to a subset of users. Option C is wrong because Microsoft Entra ID B2B is designed for external collaboration with guest users from partner organizations, not for delegating administrative control over internal users within the same tenant. Option D is wrong because Microsoft Entra ID Identity Protection is a security feature that detects and responds to identity risks (e.g., compromised credentials), and it does not offer any capability to scope administrative roles to specific users or regions.
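Added example, not from the question bank: the two Microsoft Graph requests that implement this delegation, wrapped in one `$batch` call. Request 1 creates a dynamic administrative unit whose membership rule (constructed here around `usageLocation`) pulls in the region's users automatically; request 2 assigns the built-in User Administrator role (template ID fe930be7-5e62-47db-91af-98c3a49a38b1) to a regional admins group, with `directoryScopeId` pointing at the unit rather than at the whole tenant. The angle-bracket values are placeholders: the unit ID is returned in the response to request 1, and `$batch` does not substitute response values into later requests, so in practice request 2 is sent after the unit ID is known.

```json
{
  "requests": [
    {
      "id": "1",
      "method": "POST",
      "url": "/directory/administrativeUnits",
      "headers": { "Content-Type": "application/json" },
      "body": {
        "displayName": "EMEA users",
        "description": "Scope for the EMEA regional IT team (constructed example)",
        "membershipType": "Dynamic",
        "membershipRule": "(user.usageLocation -eq \"DE\") or (user.usageLocation -eq \"FR\")",
        "membershipRuleProcessingState": "On"
      }
    },
    {
      "id": "2",
      "method": "POST",
      "url": "/roleManagement/directory/roleAssignments",
      "headers": { "Content-Type": "application/json" },
      "dependsOn": [ "1" ],
      "body": {
        "@odata.type": "#microsoft.graph.unifiedRoleAssignment",
        "roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1",
        "principalId": "<object-id-of-EMEA-IT-admins-group>",
        "directoryScopeId": "/administrativeUnits/<administrative-unit-id-from-request-1>"
      }
    }
  ]
}
```

The contrast with option B is visible in the two bodies: the dynamic rule only decides who is in the unit, while the `directoryScopeId` on the role assignment is what limits the User Administrator permissions to that set. A tenant-wide assignment of the same role would use `"directoryScopeId": "/"`, which is exactly what the scenario wants to avoid.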

47
MCQ · easy

You need to ensure that only authorized users can access the Azure portal. What should you use?

A. Conditional Access policies
B. Azure RBAC
C. Privileged Identity Management (PIM)
D. Azure AD Identity Protection
Answer: A

Conditional Access can enforce MFA and device compliance to access the portal.

Why this answer

Conditional Access policies are the correct choice because they enforce access control decisions at the Azure AD authentication layer, allowing you to require specific conditions (e.g., MFA, compliant device, trusted IP) before a user can sign in to the Azure portal. This directly ensures that only authorized users—those meeting the defined conditions—can access the portal, regardless of their role assignments. Azure RBAC controls what actions a user can perform after authentication, not whether they can sign in at all.

Exam trap

The trap here is confusing authorization (what you can do after signing in, handled by RBAC) with authentication and access control (who can sign in, handled by Conditional Access), leading candidates to incorrectly choose Azure RBAC or PIM.

How to eliminate wrong answers

Option B is wrong because Azure RBAC (Role-Based Access Control) manages permissions for Azure resources after authentication, such as who can create VMs or read storage accounts, but it does not control the initial sign-in process to the Azure portal. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval workflows for privileged roles, but it does not block unauthorized users from accessing the portal; it only manages role assignments and activation. Option D is wrong because Azure AD Identity Protection detects and responds to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not directly enforce access control policies to block unauthorized users from the portal; it feeds risk signals into Conditional Access for enforcement.

48
MCQ · medium

A company is migrating on-premises Windows applications that require LDAP, NTLM, or Kerberos authentication to Azure VMs. They want to provide domain services for these applications without deploying and managing domain controllers. Which Azure service should they use?

A. Microsoft Entra ID
B. Microsoft Entra ID Domain Services
C. Active Directory on Azure VMs
D. Microsoft Entra ID B2C
Answer: B

AAD DS provides a fully managed domain controller service that supports LDAP, NTLM, and Kerberos, ideal for lifting-and-shifting legacy apps.

Why this answer

Microsoft Entra ID Domain Services (formerly Azure AD DS) provides managed domain services such as LDAP, NTLM, and Kerberos authentication without requiring you to deploy, patch, or manage domain controllers. It integrates with your existing Microsoft Entra tenant and supports group policy, domain join, and legacy authentication protocols needed by the on-premises Windows applications being migrated to Azure VMs.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID (a modern identity provider) with Microsoft Entra ID Domain Services (which provides legacy protocol support), leading them to incorrectly select Entra ID for LDAP/NTLM/Kerberos needs.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID is a cloud-based identity and access management service that uses modern protocols like OAuth 2.0, OpenID Connect, and SAML, and does not natively support LDAP, NTLM, or Kerberos authentication required by legacy Windows applications. Option C is wrong because deploying Active Directory on Azure VMs would require you to manually manage domain controllers, which contradicts the requirement to avoid deploying and managing domain controllers. Option D is wrong because Microsoft Entra ID B2C is designed for customer-facing identity management with social and local account sign-ins, not for providing domain services like LDAP or Kerberos for enterprise applications.

49
Multi-Select · easy

Which TWO features of Microsoft Entra ID help protect against credential compromise? (Choose two.)

Select 2 answers
A. Microsoft Entra Conditional Access
B. Microsoft Entra Identity Protection
C. Microsoft Entra Password Protection
D. Microsoft Entra Smart Lockout
E. Microsoft Entra access reviews
Answers: C, D

Password Protection bans common weak passwords.

Why this answer

Options C and D are correct. Password Protection bans weak passwords and Smart Lockout prevents brute-force attacks. Option A is wrong because Conditional Access controls access after authentication.

Option B is wrong because Identity Protection detects risky sign-ins but does not directly protect against credential compromise. Option E is wrong because access reviews are for governance.

50
MCQ · hard

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a lifecycle workflow that automatically disables user accounts when employees leave the organization, and then deletes them after 30 days. What should you use?

A. Microsoft Entra Domain Services
B. Microsoft Entra ID Governance
C. Microsoft Intune
D. Microsoft Entra Connect Health
Answer: B

Entra ID Governance includes Lifecycle Workflows to automate user lifecycle processes.

Why this answer

Microsoft Entra ID Governance includes lifecycle workflows that automate the process of disabling and deleting user accounts based on triggers such as employee departure. This feature allows you to configure a workflow that disables the account immediately and then schedules deletion after a specified period, such as 30 days, without requiring custom scripting or manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Governance with Microsoft Entra Domain Services, mistakenly thinking that domain services include user lifecycle management, when in fact Entra ID Governance is the correct service for automated identity lifecycle tasks.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP and Kerberos, not lifecycle automation for user accounts. Option C is wrong because Microsoft Intune focuses on mobile device management (MDM) and mobile application management (MAM), not on automating user account lifecycle in Entra ID. Option D is wrong because Microsoft Entra Connect Health monitors the health of on-premises identity infrastructure and sync, not user account lifecycle workflows.

51
MCQ · medium

A company uses Microsoft Entra ID B2B collaboration for external partners. They want to enforce that external users must use multi-factor authentication (MFA) and access company resources only from devices that are compliant with Intune policies. Additionally, they need to require a session timeout of 1 hour. Which combination of Microsoft Entra ID features should they use?

A. Configure cross-tenant access settings to trust MFA and device compliance from external organizations, and then create a Conditional Access policy that requires MFA, compliant device, and a session sign-in frequency of 1 hour.
B. Create a Conditional Access policy for external users that requires MFA and compliant device, and set session controls for sign-in frequency. Trusting MFA from external tenants is automatic.
C. Use Microsoft Entra ID Identity Protection to detect risky sessions for external users and require MFA only when risk is high. This will also enforce device compliance automatically.
D. Configure Microsoft Entra ID Privileged Identity Management (PIM) for external users to activate MFA and require compliant device. PIM is for role activation, not for external user access policies.
Answer: A

Cross-tenant access settings allow you to trust claims from external tenants. Combined with a Conditional Access policy, you can enforce MFA, device compliance, and session controls.

Why this answer

Option A is correct because cross-tenant access settings in Microsoft Entra ID allow you to trust MFA and device compliance claims from external organizations, which is necessary when external users bring their own devices. Then, a Conditional Access policy targeting external users can enforce MFA, require compliant device, and set a session sign-in frequency of 1 hour using session controls. This combination ensures that the company's security requirements are met without relying on the external tenant's policies.

Exam trap

The trap here is that candidates assume MFA and device compliance from external users are automatically trusted or can be enforced solely through Conditional Access, forgetting that cross-tenant trust settings must be explicitly configured to accept those claims from the external organization.

How to eliminate wrong answers

Option B is wrong because trusting MFA from external tenants is not automatic; it must be explicitly configured in cross-tenant access settings, otherwise the Conditional Access policy cannot rely on MFA claims from the external user's home tenant. Option C is wrong because Identity Protection detects risk but does not enforce device compliance automatically; it can require MFA based on risk level but cannot mandate compliant device or session timeout. Option D is wrong because Privileged Identity Management (PIM) is designed for just-in-time role activation, not for enforcing MFA, device compliance, or session controls for external user access to resources.
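Added example, not from the question bank: the two Microsoft Graph requests behind option A, in one `$batch` call. Request 1 creates a per-partner cross-tenant access configuration whose `inboundTrust` accepts the partner's MFA and compliant-device claims (the partner tenant ID is a placeholder; the narrower per-partner object is used here instead of the `default` settings so that trust is extended only to that organization). Request 2 creates the Conditional Access policy for B2B collaboration users from all external tenants, requiring MFA AND a compliant device, with a sign-in frequency of 1 hour. The policy is created in report-only mode, which is the state a practitioner would use to confirm the trust settings are satisfied before switching `state` to `enabled`.

```json
{
  "requests": [
    {
      "id": "1",
      "method": "POST",
      "url": "/policies/crossTenantAccessPolicy/partners",
      "headers": { "Content-Type": "application/json" },
      "body": {
        "tenantId": "<partner-tenant-id>",
        "inboundTrust": {
          "isMfaAccepted": true,
          "isCompliantDeviceAccepted": true,
          "isHybridAzureADJoinedDeviceAccepted": false
        }
      }
    },
    {
      "id": "2",
      "method": "POST",
      "url": "/identity/conditionalAccess/policies",
      "headers": { "Content-Type": "application/json" },
      "body": {
        "displayName": "External users: MFA, compliant device, 1-hour sign-in frequency",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
          "clientAppTypes": [ "all" ],
          "applications": { "includeApplications": [ "All" ] },
          "users": {
            "includeGuestsOrExternalUsers": {
              "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember",
              "externalTenants": {
                "@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                "membershipKind": "all"
              }
            }
          }
        },
        "grantControls": {
          "operator": "AND",
          "builtInControls": [ "mfa", "compliantDevice" ]
        },
        "sessionControls": {
          "signInFrequency": {
            "isEnabled": true,
            "type": "hours",
            "value": 1,
            "frequencyInterval": "timeBased"
          }
        }
      }
    }
  ]
}
```

Why request 1 matters, in terms of option B: without `isMfaAccepted` and `isCompliantDeviceAccepted`, the `compliantDevice` control in request 2 cannot be satisfied by a device registered in the partner tenant, and guests would be forced to re-register MFA in the resource tenant. The two requests are independent, so the policy can be created first and will simply fail closed for partner users until the trust is configured.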

52
MCQ · easy

Your company is implementing a new Azure subscription for a project that requires strict separation of duties. The security team requires that all resource creation must be approved by a central IT team. Additionally, any resource that does not comply with company tagging standards should be automatically reported. You need to design a solution that meets these requirements using Azure Policy and Azure Role-Based Access Control (RBAC). What should you do?

A. Use Azure Policy with 'Audit' effect to report non-compliant resources. Use Azure RBAC to assign Owner role to IT team.
B. Use Azure Policy with 'Append' effect to automatically add required tags at creation. Use Azure Monitor alerts for non-compliance.
C. Create an Azure Policy with 'DeployIfNotExists' to deploy a tagging template. Use Azure RBAC to assign Contributor role to IT team.
D. Create a custom RBAC role that allows only the IT team to add a specific 'Approved' tag. Use Azure Policy with 'Deny' effect to block resources without that tag. Use a separate 'Audit' policy for other tagging standards.
Answer: D

This enforces approval through RBAC and policy denial, and audits other tags.

Why this answer

Option D is correct because it uses a custom RBAC role to restrict the ability to add an 'Approved' tag to the IT team, combined with a Deny policy that blocks creation of any resource lacking that tag, ensuring all resource creation requires IT approval. The separate Audit policy automatically reports resources that fail to meet other company tagging standards, fulfilling both the approval and compliance reporting requirements without manual intervention.

Exam trap

The trap here is that candidates often think a simple RBAC role assignment (like Owner or Contributor) combined with an Audit policy is sufficient, but they overlook the need for a Deny policy to actively block unapproved resource creation, which is essential for strict separation of duties.

How to eliminate wrong answers

Option A is wrong because assigning the Owner role to the IT team grants them full control over all resources, including the ability to bypass approval and modify permissions, which violates strict separation of duties. Option B is wrong because the Append effect automatically adds required tags at creation but does not enforce approval; Azure Monitor alerts can report non-compliance but do not block unapproved creation or enforce tagging standards at the policy level. Option C is wrong because DeployIfNotExists deploys a tagging template to remediate non-compliant resources but does not prevent creation of unapproved resources; assigning Contributor role to the IT team allows them to create resources without requiring approval, breaking separation of duties.
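Added example, not from the question bank: a subscription-scope ARM template that lays down the three pieces of option D. It defines a custom role limited to reading resources and writing tags, a Deny policy that rejects any taggable resource created without an `Approved` tag, and a separate Audit policy for a second tagging standard (`CostCenter`, constructed for the example), and assigns both policies at subscription scope. One caveat the exam premise glosses over: Azure RBAC grants the `Microsoft.Resources/tags/write` action, not the right to write a particular tag key or value, so the gating only holds if the other teams' roles do not also carry that action. Names and descriptions are constructed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[guid(subscription().id, 'approval-tagger')]",
      "properties": {
        "roleName": "Approval Tagger",
        "description": "Central IT: read resources and write tags only; no create or delete rights.",
        "type": "CustomRole",
        "permissions": [
          {
            "actions": [ "*/read", "Microsoft.Resources/tags/write" ],
            "notActions": []
          }
        ],
        "assignableScopes": [ "[subscription().id]" ]
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "deny-without-approved-tag",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Deny resources created without the Approved tag",
        "policyRule": {
          "if": { "field": "tags['Approved']", "exists": "false" },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2021-06-01",
      "name": "audit-costcenter-tag",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Audit resources that lack the CostCenter tag",
        "policyRule": {
          "if": { "field": "tags['CostCenter']", "exists": "false" },
          "then": { "effect": "audit" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2022-06-01",
      "name": "deny-without-approved-tag",
      "dependsOn": [ "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'deny-without-approved-tag')]" ],
      "properties": {
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'deny-without-approved-tag')]",
        "enforcementMode": "Default"
      }
    },
    {
      "type": "Microsoft.Authorization/policyAssignments",
      "apiVersion": "2022-06-01",
      "name": "audit-costcenter-tag",
      "dependsOn": [ "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'audit-costcenter-tag')]" ],
      "properties": {
        "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'audit-costcenter-tag')]",
        "enforcementMode": "Default"
      }
    }
  ]
}
```

The two `then` blocks are the whole difference between the approval gate and the reporting requirement: `deny` fails the ARM request, while `audit` lets it through and records a non-compliance entry that shows up in the policy compliance view. `mode: Indexed` restricts both rules to resource types that support tags, so resources that cannot carry tags are not blocked by accident.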

53
MCQ · medium

Refer to the exhibit. You are an Azure administrator reviewing a custom Azure Policy definition. What does this policy do?

A. Denies the creation of virtual machines with the SKUs Standard_D2s_v3 or Standard_D4s_v3.
B. Denies the creation of resource groups that contain virtual machines with the specified SKUs.
C. Allows only virtual machines with the SKUs Standard_D2s_v3 or Standard_D4s_v3 to be created in a specific region.
D. Audits virtual machines to check if they have the SKUs Standard_D2s_v3 or Standard_D4s_v3.
Answer: A

The if condition checks for VM type and SKU name in the list, and then denies creation.

Why this answer

The policy definition uses the 'deny' effect, which blocks any request that matches the specified condition. The condition checks if the virtual machine SKU is either 'Standard_D2s_v3' or 'Standard_D4s_v3' using the 'in' operator on the 'Microsoft.Compute/virtualMachines/sku.name' alias. Therefore, any attempt to create a VM with these SKUs will be denied, making Option A correct.

Exam trap

The trap here is that candidates confuse the 'deny' effect with 'audit' or 'DeployIfNotExists', or misinterpret the condition as allowing only those SKUs instead of denying them, leading them to select Option C or D.

How to eliminate wrong answers

Option B is wrong because the policy targets the 'Microsoft.Compute/virtualMachines' resource type, not 'Microsoft.Resources/resourceGroups', and the condition evaluates the VM SKU, not the resource group's contents. Option C is wrong because the policy uses a 'deny' effect, not 'allow' or 'DeployIfNotExists', and it does not include any location-based condition (e.g., 'location' alias) to restrict creation to a specific region. Option D is wrong because the policy uses the 'deny' effect, not 'audit' or 'AuditIfNotExists', so it actively blocks creation rather than merely auditing existing VMs.
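The exhibit is not reproduced on this page. The definition below is an added reconstruction from the explanation (custom policy, `deny` effect, a `type` check, and the `in` operator on the `Microsoft.Compute/virtualMachines/sku.name` alias), written as the body of a PUT to the policyDefinitions REST endpoint; it is not the original exhibit, and the display name and description are constructed.

```json
{
  "properties": {
    "displayName": "Deny Standard_D2s_v3 and Standard_D4s_v3 virtual machines",
    "description": "Reconstructed example: blocks creation or update of VMs whose SKU is in the listed set.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/sku.name",
            "in": [ "Standard_D2s_v3", "Standard_D4s_v3" ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Reading the rule the way the question wants: `allOf` means both conditions must hold, so only VM requests with one of the two SKUs match, and a match produces `deny`. The misreading behind option C would correspond to `notIn` in place of `in` (deny everything except those sizes, still with no region condition), and option D would need `audit` in place of `deny`.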

54
MCQ · medium

An organization wants to enforce MFA only when sign-in risk is medium or high. Which Microsoft Entra capability should be used?

A. Azure RBAC deny assignments only
B. Conditional Access with Identity Protection risk signals
C. Access reviews only
D. Administrative units only
Answer: B

Conditional Access can use sign-in risk from Identity Protection to require MFA or block access.

Why this answer

Conditional Access policies can integrate with Microsoft Entra Identity Protection risk signals to enforce MFA based on the calculated sign-in risk level (low, medium, high). When the risk is medium or high, the policy triggers MFA, meeting the requirement precisely. This is the only Microsoft Entra capability that directly uses risk-based conditional enforcement.

Exam trap

The trap here is that candidates often confuse Azure RBAC (which controls resource access) with Conditional Access (which controls authentication and session conditions), leading them to pick a permission-based option instead of the risk-based policy engine.

How to eliminate wrong answers

Option A is wrong because Azure RBAC deny assignments control access to Azure resources via role-based permissions and cannot evaluate sign-in risk or enforce MFA. Option C is wrong because Access reviews are used for periodic attestation of group memberships or application access, not for real-time risk-based MFA enforcement. Option D is wrong because Administrative units are used to delegate administrative scope within a tenant, not to enforce authentication policies based on risk.
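Added example for this question and for question 41, not from the question bank: the Microsoft Graph body of a Conditional Access policy that consumes Identity Protection's sign-in risk signal. `signInRiskLevels` lists only `medium` and `high`, so those sign-ins must satisfy the `mfa` grant control; low-risk sign-ins do not match the policy at all, which is the "allow access" half of question 41's option A, and the risk detection is still recorded in the sign-in logs and the risky sign-ins report, which is the "log" half. The excluded user ID is a placeholder for an emergency-access account, and the policy starts in report-only mode so the effect can be checked before it is enforced.

```json
{
  "displayName": "Require MFA when sign-in risk is medium or high",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "signInRiskLevels": [ "medium", "high" ],
    "clientAppTypes": [ "all" ],
    "applications": { "includeApplications": [ "All" ] },
    "users": {
      "includeUsers": [ "All" ],
      "excludeUsers": [ "<object-id-of-emergency-access-account>" ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [ "mfa" ]
  }
}
```

Sent as `POST /identity/conditionalAccess/policies`. A user-risk policy (question 41's option C) is the same shape with `userRiskLevels` instead of `signInRiskLevels` and typically `passwordChange` as the control; keeping the two conditions in separate policies is what lets sign-in risk and account-compromise risk be handled with different responses.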

55
Multi-Select · medium

Which THREE methods can you use to authenticate users to Azure resources using Microsoft Entra ID?

Select 3 answers
A. OAuth 2.0 authorization code flow
B. API keys
C. Service principal with client certificate
D. Managed identities for Azure resources
E. Shared access signatures (SAS) tokens
Answers: A, C, D

OAuth 2.0 is used by applications to obtain access tokens to Azure resources.

Why this answer

OAuth 2.0 authorization code flow is correct because it is the primary delegated authentication protocol used by Microsoft Entra ID to authenticate users to Azure resources. This flow allows a client application to obtain an access token on behalf of a user, after the user has authenticated interactively via the Microsoft identity platform. It supports single sign-on (SSO), multi-factor authentication, and conditional access policies, making it the standard for user authentication in Azure.

Exam trap

The trap here is that candidates confuse authentication methods for users (OAuth 2.0, managed identities for user-assigned scenarios) with authorization or access control mechanisms (SAS tokens, API keys) that do not involve user identity verification via Microsoft Entra ID.

56
MCQ · easy

Refer to the exhibit. You apply this Azure Policy to a subscription. What happens when a user tries to create a virtual machine?

A. The virtual machine is created, and an audit event is logged.
B. The virtual machine is created only if it has a specific tag.
C. The creation of the virtual machine is denied.
D. The virtual machine is created only in a specific location.
Answer: C

The policy denies any VM creation.

Why this answer

The Azure Policy in the exhibit uses the 'deny' effect, which explicitly blocks any operation that does not comply with the policy rule. When a user attempts to create a virtual machine, Azure Resource Manager evaluates the policy before provisioning the resource. If the VM creation request does not meet the conditions defined in the policy (e.g., requiring a specific tag or location), the request is denied and the VM is not created.

This is why option C is correct.

Exam trap

The trap here is that candidates often confuse the 'deny' effect with 'audit' or 'append', assuming the VM will be created with a warning or modification, when in fact 'deny' completely blocks the operation.

How to eliminate wrong answers

Option A is wrong because the 'deny' effect prevents the VM from being created entirely; an audit event would only be logged if the effect were 'audit' or 'auditIfNotExists'. Option B is wrong because the policy does not specify a tag requirement; it uses a 'deny' effect that blocks creation based on other conditions, not tags. Option D is wrong because the policy does not restrict creation to a specific location; it denies creation based on the policy rule, which may involve location but the effect is denial, not conditional allowance.

57
MCQhard

Your Azure environment includes multiple subscriptions that are managed by different teams. You need to ensure that all resources are compliant with your company's security policies, and any non-compliant resources must be automatically remediated or reported. Which solution should you implement?

A.Azure Policy with remediation tasks
B.Azure Blueprints
C.Azure RBAC
D.Microsoft Defender for Cloud
AnswerA

Azure Policy can automatically remediate non-compliant resources using DeployIfNotExists or Modify effects.

Why this answer

Azure Policy with remediation tasks is the correct solution because it allows you to define and enforce security policies across multiple subscriptions, and automatically remediate non-compliant resources using managed identities and DeployIfNotExists or Modify policy effects. This ensures continuous compliance without manual intervention, meeting the requirement for both automatic remediation and reporting.

Exam trap

The trap here is that candidates often confuse Azure Policy (for governance and remediation) with Azure Blueprints (for environment setup) or Microsoft Defender for Cloud (for security monitoring), but only Azure Policy with remediation tasks provides the automatic, continuous enforcement and remediation required for compliance.

How to eliminate wrong answers

Option B (Azure Blueprints) is wrong because it is primarily a packaging and orchestration tool for deploying consistent environments (including policies, RBAC, and resource groups), but it does not provide automatic remediation of non-compliant resources after deployment; it is a one-time or versioned deployment artifact, not a continuous compliance enforcement mechanism. Option C (Azure RBAC) is wrong because it controls who can access and manage resources (authorization), not what resources are compliant with security policies; it cannot detect or remediate non-compliant configurations. Option D (Microsoft Defender for Cloud) is wrong because it provides security posture management, threat detection, and recommendations, but it does not automatically remediate non-compliant resources by itself; it can integrate with Azure Policy for remediation, but the core enforcement and remediation engine is Azure Policy, not Defender for Cloud.

58
MCQeasy

A company wants to monitor sign-in failures for their Microsoft Entra ID-integrated applications. They need a dashboard in Azure Monitor showing sign-in failures by application and user location. Which data source should they stream to a Log Analytics workspace?

A.Microsoft Entra ID Audit logs
B.Microsoft Entra ID Sign-in logs
C.Microsoft Entra ID Provisioning logs
D.Office 365 Activity logs
AnswerB

Sign-in logs capture successful and failed sign-in attempts with details like application, user, and location, making them suitable for monitoring sign-in failures.

Why this answer

Microsoft Entra ID Sign-in logs contain detailed information about every sign-in attempt, including success or failure status, application name, user location (IP address), and failure reasons. Streaming these logs to a Log Analytics workspace enables you to build custom dashboards in Azure Monitor that visualize sign-in failures by application and user location. Audit logs track configuration changes, not authentication events; Provisioning logs cover user/group synchronization; and Office 365 Activity logs focus on workload-specific actions, not general sign-in failures.

Exam trap

The trap here is that candidates often confuse Audit logs with Sign-in logs, assuming Audit logs capture all security events, but Audit logs specifically exclude authentication attempts and location data.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Audit logs record changes made to the directory (e.g., user creation, policy updates) and do not contain sign-in failure events or user location data. Option C is wrong because Microsoft Entra ID Provisioning logs track synchronization activities between Entra ID and third-party applications (e.g., ServiceNow, SAP) and do not capture sign-in failures. Option D is wrong because Office 365 Activity logs capture user actions within Exchange Online, SharePoint Online, and other Office 365 workloads, but they do not include sign-in failure details for all Entra ID-integrated applications or user location data.

59
MCQeasy

A company uses Microsoft Entra ID. They want to automatically detect identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via an API. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Identity Protection
B.Privileged Identity Management (PIM)
C.Microsoft Entra ID Connect Health
D.Microsoft Entra ID Audit Logs
AnswerA

Identity Protection automatically detects identity risks using machine learning, provides risk reports, and exposes data via Microsoft Graph API for SIEM integration. It directly meets all requirements.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it provides automated detection of identity-based risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. It generates risk event reports and exposes risk data through the Microsoft Graph API, enabling integration with SIEM systems for centralized monitoring and response.

Exam trap

Microsoft often tests the distinction between detection (Identity Protection) and remediation (PIM), so candidates mistakenly choose PIM because they associate it with identity security, but PIM handles privilege management, not risk event detection.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation, access reviews, and approval workflows, not on detecting risk events like leaked credentials or impossible travel. Option C (Microsoft Entra ID Connect Health) is wrong because it monitors the health and performance of on-premises identity infrastructure (e.g., AD FS, Connect sync), not user sign-in risk events. Option D (Microsoft Entra ID Audit Logs) is wrong because audit logs record administrative activities and configuration changes, not risk-based detections such as anonymous IP sign-ins or leaked credentials.

60
MCQeasy

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. The query returns no results. Which is the most likely cause?

A.The syntax is invalid because the where clause should use == instead of ==
B.Microsoft Entra ID Protection is not enabled for the tenant
C.The column names are incorrect
D.The time range is too short
AnswerB

Without Identity Protection, RiskLevelDuringSignIn may be null.

Why this answer

The KQL query references the 'IdentityLogonEvents' table, which is populated by Microsoft Entra ID Protection. If Entra ID Protection is not enabled, this table will contain no data, causing the query to return zero results even if the syntax, column names, and time range are correct.

Exam trap

The trap here is that candidates often assume a KQL query returning no results is due to syntax errors or column name typos, but the real issue is a missing prerequisite service (Entra ID Protection) that populates the referenced table.

How to eliminate wrong answers

Option A is wrong because the syntax 'where ==' is actually a valid KQL operator for equality comparison; the double equals sign is correct and not an error. Option C is wrong because the column names 'Timestamp', 'UserPrincipalName', and 'RiskLevelDuringSignIn' are standard schema columns in the IdentityLogonEvents table and are correctly spelled. Option D is wrong because even if the time range is short, the query would still return results if data existed; a short time range does not cause zero results when data is present.

61
MCQeasy

Your company plans to use Microsoft Sentinel as a SIEM solution. You need to ensure that security events from all Azure subscriptions are collected in a single workspace. What should you configure?

A.Create a Log Analytics workspace per subscription and use cross-workspace queries
B.Use Azure Policy to enforce Log Analytics workspace configuration across subscriptions
C.Deploy Microsoft Sentinel in each subscription and connect them via Azure Lighthouse
D.Enable Microsoft Sentinel on a single Log Analytics workspace and configure diagnostic settings for all subscriptions to send logs to that workspace
AnswerD

This centralizes all logs in one workspace.

Why this answer

Option D is correct because Microsoft Sentinel requires a single Log Analytics workspace to act as the SIEM repository. By enabling Sentinel on that workspace and configuring diagnostic settings on all Azure subscriptions to stream their security logs (e.g., Activity logs, NSG flow logs, Windows Event logs) to that same workspace, you centralize all security events in one location. This ensures unified detection, investigation, and response across the entire enterprise without needing multiple Sentinel instances.

Exam trap

The trap here is that candidates often confuse Azure Policy's ability to enforce log collection with the need to also enable Sentinel on a single workspace, or they mistakenly think cross-workspace queries or multiple Sentinel instances can achieve the same centralized correlation, which violates Sentinel's architecture requirement for a single data repository.

How to eliminate wrong answers

Option A is wrong because creating a separate Log Analytics workspace per subscription and using cross-workspace queries does not consolidate events into a single workspace; it only allows querying across workspaces, which breaks Sentinel's single-pane-of-glass requirement for correlation and incident management. Option B is wrong because Azure Policy can enforce that resources send logs to a specific Log Analytics workspace, but it cannot enable Microsoft Sentinel itself or guarantee that all security events from all subscriptions are collected in one workspace without also configuring diagnostic settings. Option C is wrong because deploying Microsoft Sentinel in each subscription creates isolated SIEM instances that cannot share incidents, analytics rules, or workbooks; Azure Lighthouse provides cross-subscription management but does not merge data into a single Sentinel workspace.

62
MCQmedium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that all Azure subscriptions are covered by a single continuous export configuration that sends security alerts to a Log Analytics workspace. What should you do?

A.Use Azure Policy to deploy continuous export settings to all subscriptions.
B.Configure continuous export at the management group level.
C.Create an Azure Automation runbook to export settings to all subscriptions.
D.Configure continuous export in each subscription individually.
AnswerB

Continuous export settings can be applied to a management group and inherited by all subscriptions.

Why this answer

Continuous export can be configured at the subscription level or management group scope. By configuring it at the management group level, all subscriptions under that management group inherit the export settings. This provides a single configuration point.

63
MCQmedium

Your organization is implementing a hybrid identity solution with Microsoft Entra ID. Users in an on-premises Active Directory domain need to access cloud applications. You need to ensure that password changes on-premises are synchronized to Entra ID within 30 seconds. Which configuration should you use?

A.Pass-through Authentication (PTA)
B.Federation with Active Directory Federation Services (AD FS)
C.Microsoft Entra Cloud Sync
D.Microsoft Entra Connect Sync with password hash synchronization
AnswerC

Cloud Sync uses a lightweight agent and can sync changes in near-real time, meeting the 30-second requirement.

Why this answer

Microsoft Entra Cloud Sync (Option C) is the correct choice because it is designed for near-real-time synchronization of identity changes, including password writes, with a target latency of under 30 seconds. It uses the lightweight Microsoft Entra Connect provisioning agent and the SCIM (System for Cross-domain Identity Management) protocol to sync changes from on-premises Active Directory to Entra ID, meeting the strict 30-second requirement for password change propagation.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect Sync (Option D) with Microsoft Entra Cloud Sync (Option C), assuming both offer the same synchronization speed, but Connect Sync uses a scheduled batch process (default 2-minute interval) that cannot meet the 30-second requirement, while Cloud Sync is designed for near-real-time sync.

How to eliminate wrong answers

Option A is wrong because Pass-through Authentication (PTA) validates passwords directly against on-premises AD without synchronizing password hashes to Entra ID, so it does not propagate password changes to the cloud. Option B is wrong because Federation with AD FS relies on on-premises authentication and does not synchronize password changes to Entra ID; it only redirects authentication requests. Option D is wrong because Microsoft Entra Connect Sync with password hash synchronization typically runs on a schedule (default every 2 minutes) and cannot guarantee synchronization within 30 seconds; it is designed for batch sync, not near-real-time propagation.

64
MCQeasy

You need to assign permissions to an Azure resource group so that a user can create and manage virtual machines but cannot delete the resource group. What should you use?

A.Assign the Owner role at the resource group level.
B.Assign the Reader role at the resource group level.
C.Assign the Contributor role at the resource group level.
D.Assign the User Access Administrator role at the resource group level.
AnswerC

Contributor allows management of resources but not deletion of the resource group.

Why this answer

The Contributor role at the resource group level grants full management access to all resources within the resource group, including creating and managing virtual machines, but explicitly prevents the user from deleting the resource group itself. This meets the requirement because the Contributor role cannot perform management operations on the resource group scope, such as deletion, which is reserved for the Owner role.

Exam trap

The trap here is that candidates often confuse the Contributor role with the Owner role, assuming Contributor can delete the resource group, or they mistakenly think the Reader role provides sufficient permissions for VM management.

How to eliminate wrong answers

Option A is wrong because the Owner role at the resource group level includes the permission to delete the resource group, which violates the requirement. Option B is wrong because the Reader role only allows viewing resources, not creating or managing virtual machines. Option D is wrong because the User Access Administrator role is designed to manage user access to resources, not to create and manage virtual machines, and it also includes the ability to elevate permissions, which could inadvertently allow resource group deletion.

65
MCQmedium

A company uses Microsoft Entra ID for identity management. They want to automatically detect sign-in risks such as sign-ins from unfamiliar locations, anonymous IP addresses, or leaked credentials. Based on the risk level, they want to apply different controls: for low-risk sign-ins, show a message but allow access; for medium-risk sign-ins, require multi-factor authentication (MFA); for high-risk sign-ins, block the sign-in. They also need to receive a weekly summary report of risk events. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Identity Protection policies
B.Microsoft Entra ID Conditional Access policies with sign-in risk conditions
C.Microsoft Entra ID Access Reviews
D.Microsoft Entra ID Privileged Identity Management (PIM)
AnswerB

Conditional Access policies can evaluate sign-in risk levels (low, medium, high) from Identity Protection and apply granular controls such as block, require MFA, or session controls. Combined with Identity Protection reports, you get the weekly summary.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access policies can integrate sign-in risk conditions from Identity Protection to enforce granular controls based on risk levels. This allows you to configure actions such as showing a message for low risk, requiring MFA for medium risk, and blocking access for high risk, while Identity Protection provides the weekly summary report of risk events.

Exam trap

The trap here is that candidates often confuse Identity Protection (the detection engine) with Conditional Access (the enforcement engine), assuming Identity Protection alone can apply the per-risk-level controls, when in reality Conditional Access policies are required to map risk levels to specific actions like MFA or block.

How to eliminate wrong answers

Option A is wrong because Identity Protection policies alone detect risks and can trigger automated responses, but they do not natively support the granular per-risk-level controls (e.g., show message for low, MFA for medium, block for high) that Conditional Access policies provide; Conditional Access is the enforcement layer. Option C is wrong because Access Reviews are used for periodic attestation of group memberships or application access, not for real-time risk-based sign-in controls or risk event reporting. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not sign-in risk detection or conditional access based on risk levels.

66
MCQhard

You are investigating a security incident where an unauthorized user may have modified a production VM. You run the KQL query shown in the exhibit in Microsoft Sentinel, but it returns no results. The VMs are present and have been modified recently. What is the most likely reason for no results?

A.The query does not filter by a time range, so it may be returning old data.
B.The Caller field is not included in the output, so the query cannot identify unauthorized users.
C.The OperationNameValue is incorrect; the correct value is 'MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE' in uppercase.
D.The ResourceId contains the VM name in lowercase, but the extract pattern is case-sensitive.
AnswerD

The ResourceId uses lowercase 'virtualmachines', while the extract pattern uses 'virtualMachines' with capital M, causing no match.

Why this answer

Option D is correct because the KQL query uses the `extract` function with a pattern that expects the VM name in the ResourceId to be in lowercase, but the actual ResourceId contains the VM name in uppercase. The `extract` function in KQL is case-sensitive by default, so the pattern fails to match, returning no results. Even though the VMs have been modified, the query cannot parse the ResourceId correctly, leading to zero output.

Exam trap

The trap here is that candidates assume the query logic is correct and focus on missing filters or incorrect field names, but the real issue is the case sensitivity of the `extract` function in KQL when parsing the ResourceId, which is a subtle but critical detail in Azure Sentinel queries.

How to eliminate wrong answers

Option A is wrong because, although the query does not include a time filter, a missing time filter would return all historical data rather than no results; the issue is that the query fails to parse the ResourceId, not that it lacks a time range. Option B is wrong because the absence of the Caller field in the output does not cause the query to return no results; it only means the caller identity is not displayed, and the query would still return rows if the pattern matched. Option C is wrong because the OperationNameValue 'Microsoft.Compute/VirtualMachines/Write' is correct as shown; the comparison on this field in KQL is case-insensitive, so uppercase is not required and would not cause zero results.

67
MCQmedium

A company uses Microsoft Entra ID. They have a SaaS application that supports SCIM (System for Cross-domain Identity Management). The company wants to automatically create, update, and deactivate user accounts in the SaaS application whenever changes occur in Microsoft Entra ID. They do not want to use custom scripts. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Application Proxy
B.Microsoft Entra ID Provisioning (Automatic User Provisioning)
C.Microsoft Entra ID Connect
D.Microsoft Entra ID B2B Collaboration
AnswerB

Microsoft Entra ID's provisioning service can automatically create, update, and deactivate user accounts in SaaS applications that support SCIM, based on changes in Microsoft Entra ID.

Why this answer

Microsoft Entra ID Provisioning (Automatic User Provisioning) is the correct feature because it natively supports the SCIM (System for Cross-domain Identity Management) protocol to automate the creation, update, and deactivation of user accounts in SaaS applications. This eliminates the need for custom scripts by synchronizing identity changes from Microsoft Entra ID to the target application in near real-time.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Connect (which syncs from on-premises AD) with cloud-to-SaaS provisioning, but the question explicitly targets a cloud-only SaaS application with no on-premises dependency.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications, not user provisioning to SaaS apps. Option C is wrong because Microsoft Entra ID Connect is used for hybrid identity synchronization between on-premises Active Directory and Microsoft Entra ID, not for provisioning users to third-party SaaS applications. Option D is wrong because Microsoft Entra ID B2B Collaboration enables external user access to your organization's resources, not automated user lifecycle management in a SaaS application.

68
MCQmedium

A company uses Azure Policy to enforce tagging on resources. The security team reports that some resources are missing the required 'CostCenter' tag. You need to ensure that any resource created without the required tag is automatically remediated by adding the tag with a default value. What should you configure in Azure Policy?

A.DeployIfNotExists effect
B.AuditIfNotExists effect
C.Append effect
D.Deny effect
AnswerA

DeployIfNotExists evaluates resources and triggers a remediation task to add the missing tag.

Why this answer

The DeployIfNotExists effect is correct because it automatically remediates non-compliant resources by deploying a tag with a default value when the required 'CostCenter' tag is missing. This effect triggers a deployment task that adds the tag, ensuring continuous compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse Append (which only works during creation/update) with DeployIfNotExists (which can remediate existing resources), leading them to choose Append for automatic remediation of all resources.

How to eliminate wrong answers

Option B (AuditIfNotExists) is wrong because it only audits and reports non-compliance without performing any automatic remediation. Option C (Append) is wrong because it adds the tag during resource creation or update but does not remediate existing resources that are already missing the tag. Option D (Deny) is wrong because it blocks resource creation if the tag is missing, but the requirement is to automatically add the tag with a default value, not to deny creation.

69
MCQhard

Refer to the exhibit. You are analyzing a deployment of a Custom Script Extension on an Azure VM. The extension fails to run. What is the most likely cause?

A.The VM agent is not installed.
B.The VM has no outbound internet connectivity.
C.The 'protectedSettings' property is misconfigured.
D.The extension type is incorrect.
AnswerC

The commandToExecute should be under 'settings' or 'protectedSettings' with proper JSON structure.

Why this answer

The Custom Script Extension on Azure VMs requires the `commandToExecute` parameter to be placed in the `protectedSettings` property when the script URL or command contains sensitive information (e.g., storage account keys). If `commandToExecute` is incorrectly placed in the `publicSettings` property instead, or if the `protectedSettings` JSON structure is malformed (e.g., missing the required `commandToExecute` key or using an incorrect casing), the extension will fail to run because it cannot parse the execution command. This is a common misconfiguration that causes the extension to report a failure status without executing the script.

Exam trap

The trap here is that candidates often assume network connectivity (Option B) is the default cause of extension failures, but the question specifically points to a configuration error in the extension settings, which is a more nuanced and common misconfiguration in Azure deployments.

How to eliminate wrong answers

Option A is wrong because the VM agent is required for any extension to run, and if it were missing, the extension would not even be recognized or attempted; the question states the extension fails to run, not that it is absent. Option B is wrong because the Custom Script Extension can download scripts from Azure Storage or a public URL, and while outbound connectivity is needed for downloading, the failure described is specifically about configuration, not network access; the extension would report a download failure, not a misconfiguration error. Option D is wrong because the extension type is explicitly specified as 'Custom Script Extension' in the deployment, and using the correct type is a prerequisite; an incorrect type would prevent the extension from being installed at all, not cause it to fail after deployment.

70
Multi-Selecthard

Which THREE factors should you consider when designing a monitoring solution for a critical application that requires high availability and low latency? (Choose three.)

Select 3 answers
A.Dashboard visual appeal and color scheme
B.Data volume and associated costs
C.Log retention period and archival strategy
D.Alerting latency and frequency
E.Custom metric creation for all application counters
AnswersB, C, D

Volume directly impacts cost and performance.

Why this answer

Option B is correct because monitoring data volume directly impacts cost, especially in Azure Monitor where data ingestion and retention are billed per GB. For a critical application with high availability and low latency, you must balance the granularity of monitoring data against budget constraints to avoid unexpected costs that could compromise operational sustainability.

Exam trap

The trap here is that candidates confuse 'monitoring solution design' with 'dashboard aesthetics' or assume more metrics always improve observability, ignoring the cost and latency trade-offs inherent in Azure Monitor's pay-per-GB model.

71
MCQmedium

A company uses Microsoft Entra ID and wants to automate the process of granting access to internal applications and Microsoft 365 groups. Employees request access through a portal, and managers must approve the requests. The access should be automatically removed after a defined period, and managers must perform quarterly access reviews to confirm continued need. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Entitlement Management
B.Microsoft Entra ID Privileged Identity Management (PIM)
C.Microsoft Entra ID Conditional Access
D.Microsoft Entra ID Self-Service Group Management
AnswerA

Entitlement Management allows creation of access packages with approval flows, time-limited access, and recurring access reviews. It is designed for governing access to applications and groups.

Why this answer

Microsoft Entra ID Entitlement Management is the correct feature because it provides automated access request workflows, time-bound access assignments (via access packages), and periodic access reviews. This directly matches the requirements for a portal-based request process with manager approval, automatic expiration, and quarterly reviews.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with Entitlement Management, as both involve approvals and reviews, but PIM is strictly for privileged roles (e.g., Global Administrator) while Entitlement Management handles access to applications and groups for all users.

How to eliminate wrong answers

Option B (PIM) is wrong because it is designed for just-in-time privileged role activation and oversight, not for automating access to internal applications and Microsoft 365 groups with time-bound assignments and reviews. Option C (Conditional Access) is wrong because it enforces access policies based on signals like location or device state, not for managing access requests, approvals, or expiration. Option D (Self-Service Group Management) is wrong because it allows users to create and manage groups without approval workflows or automatic expiration, and it lacks built-in access review capabilities.

72
MCQeasy

You need to provide a team of developers with access to create and manage Azure resources in a specific resource group. The developers should not be able to modify access policies for other users. Which built-in role should you assign?

A.Contributor
B.Owner
C.Reader
D.User Access Administrator
AnswerA

Contributor can create and manage resources but cannot manage access.

Why this answer

The Contributor role allows full management of resources but cannot manage access (role assignments). Owner can manage access. Reader is read-only.

User Access Administrator only manages access, not resources.

73
MCQmedium

A company wants to monitor sign-in activity for their Microsoft Entra ID-integrated applications. They need to detect risky sign-ins, such as sign-ins from anonymous IP addresses or unfamiliar locations, and automatically block or require multi-factor authentication. They also need a dashboard showing risk events and the ability to investigate and remediate. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Identity Protection
B.Microsoft Entra ID Privileged Identity Management (PIM)
C.Microsoft Entra ID Access Reviews
D.Microsoft Entra ID Self-Service Password Reset (SSPR)
AnswerA

Identity Protection detects risky sign-ins and user behavior, provides a risk dashboard, and integrates with Conditional Access to enforce policies like blocking or requiring MFA.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it specifically detects and responds to risky sign-ins, such as those from anonymous IP addresses or unfamiliar locations, by automatically blocking access or requiring multi-factor authentication. It provides a dashboard of risk events (e.g., leaked credentials, impossible travel) and supports investigation and remediation workflows, directly matching the requirements for monitoring sign-in activity and enforcing conditional access policies.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'risk' and 'security,' but PIM is solely for privileged role governance, not for detecting risky sign-ins from anonymous IPs or unfamiliar locations.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on managing, controlling, and monitoring access to privileged roles (e.g., global administrator) through just-in-time activation and approval workflows, not on detecting risky sign-ins or enforcing MFA for general users. Option C (Access Reviews) is wrong because it automates periodic attestation of group memberships or application access to ensure only the right users have access, but it does not detect or respond to risky sign-in events in real time. Option D (Self-Service Password Reset) is wrong because it allows users to reset their own passwords without help desk intervention, addressing password management, not risk-based sign-in detection or conditional access enforcement.

74
MCQmedium

You are designing an identity solution for a large enterprise that uses Microsoft Entra ID. The company has a partner organization that needs access to a specific application. The partner uses their own identity provider (IdP). You need to enable seamless access without duplicating user accounts. What should you configure?

A.Federation with the partner's IdP
B.Microsoft Entra External ID
C.Passwordless authentication
D.Identity synchronization
AnswerB

External ID enables external users to bring their own identities.

Why this answer

Microsoft Entra External ID (its B2B collaboration capability, formerly Azure AD B2B) is the correct solution because partner users sign in with their own identity provider and are represented in your tenant only as guest objects with no local credentials, so no duplicate accounts are created or maintained. If the partner runs Microsoft Entra ID, the trust already exists; if they run another IdP, you configure SAML/WS-Fed identity provider federation for their domain. Either way the user authenticates at their home IdP and your tenant issues a token for the application, giving seamless single sign-on while the user lifecycle stays with the partner.

Exam trap

The trap here is that candidates confuse federation (Option A) with External ID. Federation is the trust mechanism; External ID is the service that applies it to users from other organizations (for example, SAML/WS-Fed identity provider federation for B2B guests). The exam expects you to pick the service designed for the partner access scenario, not the underlying mechanism.

How to eliminate wrong answers

Option A is wrong because, on its own, 'federation' in Entra ID means federating one of your own verified domains with an IdP such as AD FS so that your own users authenticate there, a hybrid identity setup; it does not by itself admit users from another organization's directory, and in this scenario federation with the partner IdP is something you configure inside External ID rather than an alternative to it. Option C is wrong because passwordless authentication (e.g., FIDO2 security keys, Windows Hello for Business) is an authentication method for accounts that already exist in your tenant; it does not let users from a different IdP reach your application. Option D is wrong because identity synchronization (e.g., Microsoft Entra Connect) would create and keep in sync user objects from the partner's directory in your tenant, which is exactly the account duplication the requirement rules out.

75
Multi-Selectmedium

Which TWO Microsoft Entra ID features should you use to protect against credential attacks?

Select 2 answers
A.Password Protection
B.Identity Protection
C.Group-based licensing
D.Self-Service Password Reset (SSPR)
E.Application Proxy
AnswersA, B

Password Protection blocks weak passwords and common password patterns.

Why this answer

Password Protection is correct because it targets credential attacks at the point where weak secrets are chosen: it blocks weak passwords and common variations (e.g., 'Password123!') using a Microsoft-maintained global banned password list plus a custom list of organization-specific terms, and it can be extended to on-premises Active Directory through the Password Protection proxy and DC agents. Identity Protection is correct because its risk detections (e.g., leaked credentials, anonymous IP addresses, password spray), combined with risk-based Conditional Access policies, block or require MFA for suspicious sign-ins, directly mitigating credential-based attacks such as password spray and brute force.

Exam trap

The trap here is that candidates often confuse SSPR (a self-service recovery tool) with a proactive attack prevention feature, but SSPR does not block credential attacks—it only helps users after they are locked out or have forgotten their password.
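How Password Protection decides whether a password like 'Password123!' is banned, re-created from Microsoft's public description of the evaluation (normalize, match banned terms, score, accept at five or more points) as an added example. This is not Microsoft's code: the banned-list contents are a constructed subset of the real global list, and the edit-distance-one fuzzy match and the user/tenant-name substring check that the service also performs are left out.

```python
"""Simplified re-creation of Entra Password Protection's evaluation:
normalize, find banned terms, score, accept at 5 or more points.
Added example based on Microsoft's public description; not Microsoft's code.
Omitted: the edit-distance-one fuzzy match and the user/tenant-name check."""

# Step 1, normalization: case folding plus the documented substitutions.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed subset standing in for the Microsoft-maintained global list.
GLOBAL_BANNED = frozenset({"password", "contoso", "blank", "qwerty", "summer", "welcome"})

MIN_POINTS = 5  # documented acceptance threshold


def normalize(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, custom_banned=()) -> tuple[int, list[str]]:
    """Scan left to right: a matched banned term earns one point for the whole
    term, every other character earns one point. Longest terms are tried first."""
    norm = normalize(password)
    terms = sorted(GLOBAL_BANNED | {normalize(t) for t in custom_banned}, key=len, reverse=True)
    points, hits, i = 0, [], 0
    while i < len(norm):
        term = next((t for t in terms if norm.startswith(t, i)), None)
        if term is not None:
            hits.append(term)
            i += len(term)
        else:
            i += 1
        points += 1
    return points, hits


def is_allowed(password: str, custom_banned=()) -> bool:
    return score(password, custom_banned)[0] >= MIN_POINTS


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "C0ntos0Blank12", "C0ntos0Blank123", "Summer2024!", "Fabrikam1!"]:
        print(pw, score(pw), "allowed" if is_allowed(pw) else "rejected")
    print("Fabrikam1! with custom list:", is_allowed("Fabrikam1!", custom_banned=["Fabrikam"]))
```

Two things worth noticing from the output: 'P@ssw0rd!' normalizes to 'password!' and scores only two points, so leetspeak substitutions buy nothing, and adding 'Fabrikam' to the custom list turns a ten-point 'Fabrikam1!' into a three-point rejection. The caveat is that the scheme is a floor on guessability, not a strength meter: 'Summer2024!' still scores six points (one banned term plus five other characters) and passes, which is why this question pairs Password Protection with Identity Protection's password spray and leaked credential detections rather than relying on it alone.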
