CCNA Identity Governance Monitoring Questions

75 of 273 questions · Page 2/4 · Identity Governance Monitoring topic

76
Multi-Select · hard

Which THREE Azure services or features should you use to design a comprehensive monitoring solution for a hybrid infrastructure spanning on-premises and Azure?

Select 3 answers
A. Azure Monitor
B. Network Watcher
C. Log Analytics agent (or Azure Monitor Agent)
D. Azure Arc-enabled servers
E. Azure Traffic Manager
Answers: A, C, D

Azure Monitor collects and analyzes metrics and logs from Azure and on-premises resources.

Why this answer

Azure Monitor is the central platform for collecting, analyzing, and acting on telemetry from both Azure and on-premises resources. It provides a unified monitoring experience by aggregating metrics and logs, enabling alerting, dashboards, and integration with other services like Log Analytics. For a hybrid infrastructure, Azure Monitor serves as the core data ingestion and analysis hub, making it essential for a comprehensive monitoring solution.

Exam trap

The trap here is that candidates often confuse Network Watcher (a network diagnostics tool) with a general monitoring solution, or they overlook Azure Arc-enabled servers as a prerequisite for managing and monitoring on-premises machines with Azure Monitor.

77
MCQ · medium

Your organization uses Azure Monitor to monitor a fleet of 500 VMs running Windows Server. You need to collect security event logs (Event ID 4625 for failed logons) from all VMs and send them to a Log Analytics workspace. The solution must support centralized configuration and be scalable. You also want to filter out high-volume noise events to reduce costs. What should you do?

A. Enable VM Insights on all VMs and use the Performance view to detect failed logons.
B. Stream events to Azure Event Hubs and use a function to filter and send to Log Analytics.
C. Install the Log Analytics agent on each VM and configure Windows Event log collection in the workspace.
D. Deploy the Azure Monitor agent via Azure Policy and create a data collection rule to collect Event ID 4625.
Answer: D

Azure Monitor agent with DCRs provides scalable, centralized configuration and filtering.

Why this answer

Option D is correct because the Azure Monitor agent (AMA) is the current recommended agent for collecting security events from VMs, and using Azure Policy to deploy it ensures centralized, scalable configuration across 500 VMs. A data collection rule (DCR) can be configured to collect only Event ID 4625, filtering out high-volume noise events at the source, which reduces costs by minimizing data ingestion into the Log Analytics workspace.

Exam trap

The trap here is that candidates may choose the Log Analytics agent (MMA) option because it is familiar from legacy setups, but the exam tests knowledge of the newer Azure Monitor agent (AMA) and its centralized configuration via DCRs, which is the recommended and scalable solution for modern environments.

How to eliminate wrong answers

Option A is wrong because VM Insights is designed for performance monitoring (CPU, memory, disk, network) and does not collect security event logs like Event ID 4625; it cannot detect failed logons. Option B is wrong because streaming events to Azure Event Hubs and using a function to filter and send to Log Analytics adds unnecessary complexity and cost; the Azure Monitor agent with a DCR can filter events directly without intermediate services. Option C is wrong because the Log Analytics agent (MMA) is deprecated in favor of the Azure Monitor agent (AMA), and while it can collect Windows event logs, it does not support centralized configuration via DCRs as efficiently as AMA, and it lacks the native filtering capabilities to reduce noise at the source.

78
MCQ · easy

A company uses Microsoft Entra ID. They want to allow external business partners to access an internal web application using their own organizational identities. The solution must support self-service sign-up and enforce multi-factor authentication for partner users. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID B2B collaboration
B. Microsoft Entra ID B2C
C. Microsoft Entra ID Domain Services
D. Microsoft Entra ID Connect
Answer: A

Microsoft Entra ID B2B collaboration enables sharing applications with external users and allows them to use their own identities. It supports self-service sign-up and conditional access policies like MFA.

Why this answer

Microsoft Entra ID B2B collaboration is the correct feature because it allows external business partners to access internal applications using their own organizational identities (home directory credentials) without requiring them to have a separate account in your tenant. It supports self-service sign-up through entitlement management and can enforce multi-factor authentication (MFA) via Conditional Access policies that evaluate the partner user's session, even if the partner's home tenant does not enforce MFA.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for business partners with existing organizational identities) with B2C (for customers using social or local accounts), leading them to select B2C when the requirement explicitly states 'business partners' and 'their own organizational identities.'

How to eliminate wrong answers

Option B (Microsoft Entra ID B2C) is wrong because B2C is designed for customer-facing applications where users sign up with social or local identities, not for business partner access with existing organizational identities. Option C (Microsoft Entra ID Domain Services) is wrong because it provides managed domain services (e.g., LDAP, Kerberos) for legacy applications, not external identity federation or self-service sign-up. Option D (Microsoft Entra ID Connect) is wrong because it synchronizes on-premises Active Directory objects to Entra ID for internal users, not for inviting external partners or enforcing MFA on guest users.

79
Multi-Select · easy

Which THREE are valid Azure RBAC role types? (Choose three.)

Select 3 answers
A. Service roles
B. Directory roles
C. Custom roles
D. Built-in roles
E. Guest roles
Answers: A, C, D

Service roles are used by Azure services.

Why this answer

Options A, C, and D are correct. Service roles (A), custom roles (C), and built-in roles (D) exist. Option E (Guest roles) is not a category.

Option B (Directory roles) is for Entra ID, not Azure RBAC.

80
MCQ · medium

Your organization has multiple Azure subscriptions managed through Azure Management Groups. You need to enforce a policy that requires all resources to have a 'CostCenter' tag. If a resource is created without the tag, the deployment should be denied. Additionally, you need to ensure that existing non-compliant resources are automatically remediated. Which combination of actions should you take?

A. Create a policy with DeployIfNotExists effect only, and rely on periodic evaluation.
B. Create a policy with Modify effect to add the tag, and assign it at the management group level.
C. Create a policy with Deny effect for new resources, and create a remediation task using a DeployIfNotExists policy for existing resources.
D. Create a policy with Deny effect only, and run a script to tag existing resources.
Answer: C

Deny blocks new; remediation fixes existing.

Why this answer

Option C is correct because it combines two policy effects to address both requirements: the Deny effect blocks creation of new resources without the 'CostCenter' tag, while a separate DeployIfNotExists policy with a remediation task automatically adds the tag to existing non-compliant resources. This dual approach ensures enforcement for new deployments and automated remediation for existing resources, which is necessary because a single policy effect cannot both deny and remediate simultaneously.

Exam trap

The trap here is that candidates often think a single policy effect (like Modify or DeployIfNotExists) can both deny new non-compliant resources and remediate existing ones, but Azure Policy requires separate effects for denial and remediation, and Modify does not deny—it silently changes the resource, which may not meet strict governance requirements.

How to eliminate wrong answers

Option A is wrong because DeployIfNotExists only remediates existing resources and does not deny creation of new non-compliant resources, leaving a gap in enforcement. Option B is wrong because the Modify effect can add tags during creation or update but does not deny deployments; it modifies the resource to comply, which may not be acceptable if the requirement is to deny creation without the tag. Option D is wrong because a Deny-only policy blocks new non-compliant resources but provides no automated remediation for existing resources, requiring manual scripting which violates the 'automatically remediated' requirement.

81
Multi-Select · easy

Which TWO Azure Policy effects can be used to prevent the creation of non-compliant resources?

Select 2 answers
A. Audit
B. Append
C. Deny
D. Modify
E. Manual
Answers: C, D

Deny effect blocks the request if the resource does not comply with the policy.

Why this answer

The 'Deny' effect (Option C) is correct because it actively blocks any resource creation or update request that violates a policy rule, ensuring non-compliant resources are never deployed. The 'Modify' effect (Option D) is also correct because it can add or change resource properties during creation or update to enforce compliance, effectively preventing non-compliant configurations from being created. Both effects operate at the time of the resource request, stopping non-compliant resources before they exist.

Exam trap

The trap here is that candidates often confuse 'Audit' with a blocking effect, or mistakenly think 'Append' can prevent creation, when in reality only 'Deny' and 'Modify' (with its ability to alter properties during deployment) can stop non-compliant resources from being created.

82
MCQ · hard

Your company has multiple Azure subscriptions managed by a management group. You need to enforce that all resources are deployed in the West US region only. Additionally, you must allow a specific resource group in the production subscription to be deployed in East US. What should you configure?

A. Assign a policy at the management group level that denies all locations except West US, and assign a separate policy at the subscription level that allows East US.
B. Assign a policy at each subscription level allowing only West US, and grant the resource group owner role to bypass.
C. Assign a policy at the management group level that denies all locations except West US, and create a policy exemption for the specific resource group.
D. Use Azure Blueprints to assign a policy at the management group and then edit the blueprint for the exception.
Answer: C

Exemption allows the resource group to bypass the policy.

Why this answer

Azure Policy can be assigned at the management group level with a Deny effect to restrict locations. To allow exceptions, you can create a policy exemption for the specific resource group, or use a policy assignment at a lower scope with a different effect. The best practice is to use policy exemptions for specific resource groups.

83
MCQ · medium

A company needs to monitor sign-in logs from multiple Microsoft Entra ID tenants and analyze user sign-in patterns across those tenants. Which Azure solution should they use?

A. Azure Sentinel with Microsoft Entra ID connectors
B. Azure Log Analytics workspace with Microsoft Entra ID diagnostic settings
C. Microsoft Entra ID Reports and Monitoring
D. Azure Monitor Workbooks
Answer: A

Azure Sentinel can connect to multiple Microsoft Entra ID tenants via connectors and perform advanced analytics across data sources, making it ideal for cross-tenant sign-in analysis.

Why this answer

Azure Sentinel (now Microsoft Sentinel) is the correct choice because it provides a cloud-native SIEM that can ingest sign-in logs from multiple Microsoft Entra ID tenants via its built-in Microsoft Entra ID connectors. This enables cross-tenant analysis of user sign-in patterns, which is not possible with single-tenant monitoring tools. Sentinel's analytics rules and workbooks allow security teams to detect anomalies and investigate sign-in behaviors across all connected tenants.

Exam trap

The trap here is that candidates often confuse Azure Monitor Workbooks or Log Analytics workspaces as sufficient for multi-tenant log aggregation, but they lack the cross-tenant ingestion and correlation capabilities that only a SIEM like Microsoft Sentinel provides.

How to eliminate wrong answers

Option B is wrong because a Log Analytics workspace with Microsoft Entra ID diagnostic settings can only stream logs from a single tenant per workspace; it does not natively aggregate logs from multiple tenants for cross-tenant analysis. Option C is wrong because Microsoft Entra ID Reports and Monitoring provides sign-in logs and reports only within the scope of a single tenant, lacking the capability to combine data from multiple tenants. Option D is wrong because Azure Monitor Workbooks are visualization tools that can display data from a single Log Analytics workspace or data source, but they cannot independently ingest or correlate sign-in logs from multiple Entra ID tenants without a SIEM like Sentinel.

84
MCQ · hard

Your company has a hybrid identity environment with 10,000 on-premises users synchronized to Microsoft Entra ID using Microsoft Entra Connect. You plan to implement a modern access control strategy for all cloud applications. The requirements are: enforce multifactor authentication (MFA) for all users when accessing sensitive applications, allow users to self-remediate risky sign-ins via a mobile app, and minimize infrastructure complexity. You need to design the identity and governance solution. What should you do?

A. Deploy Azure AD Domain Services and configure Kerberos authentication for cloud apps. Use Azure MFA Server on-premises for MFA enforcement.
B. Configure Microsoft Entra ID Protection to detect risky sign-ins and create a conditional access policy that requires MFA for sensitive apps. Enable the risky user policy to require password change, and use Microsoft Authenticator for self-remediation.
C. Implement Microsoft Defender for Identity to monitor on-premises AD and require MFA via on-premises NPS extension.
D. Use Microsoft Entra Permissions Management to enforce MFA policies and manage user permissions.
Answer: B

This solution leverages Entra ID Protection and Conditional Access without additional infrastructure.

Why this answer

Option B is correct because it uses Microsoft Entra ID Protection to detect risky sign-ins and a Conditional Access policy to require MFA for sensitive applications, meeting the MFA enforcement requirement. The risky user policy requiring a password change combined with Microsoft Authenticator for self-remediation allows users to resolve their own risk without admin intervention, satisfying the self-remediation requirement. This approach minimizes infrastructure complexity by relying entirely on cloud-native services rather than on-premises components.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Identity or Azure AD Domain Services with identity protection and access control solutions, overlooking that Entra ID Protection and Conditional Access are the correct cloud-native services for risk-based MFA enforcement and self-remediation.

How to eliminate wrong answers

Option A is wrong because deploying Azure AD Domain Services and configuring Kerberos authentication for cloud apps does not enforce MFA or provide self-remediation; Azure MFA Server is deprecated and adds on-premises complexity, contradicting the requirement to minimize infrastructure complexity. Option C is wrong because Microsoft Defender for Identity monitors on-premises AD for security threats but does not enforce MFA or provide self-remediation; the on-premises NPS extension for MFA requires additional infrastructure and does not support user self-remediation via a mobile app. Option D is wrong because Microsoft Entra Permissions Management (formerly CloudKnox) focuses on cloud infrastructure entitlement management and permissions, not on enforcing MFA policies or providing self-remediation for risky sign-ins.

85
MCQ · easy

A company uses Microsoft Entra ID. They want to automatically detect identity risks, such as users with leaked credentials or sign-ins from anonymous IP addresses, and generate alerts. They also want to automatically trigger a password reset for high-risk users. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID Identity Protection
B. Microsoft Entra ID Privileged Identity Management
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Access Reviews
Answer: A

Microsoft Entra ID Identity Protection detects risk events like leaked credentials and anonymous IP addresses. It can be configured to automatically require password reset for high-risk users.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to automatically detect identity risks such as leaked credentials and sign-ins from anonymous IP addresses. It generates alerts based on risk detections and can be configured to automatically trigger remediation actions like forcing a password reset for high-risk users through risk-based policies.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is a policy engine that enforces controls based on risk signals, whereas Identity Protection is the service that generates those risk signals and can directly trigger password resets.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time privileged access management and role activation, not on detecting identity risks like leaked credentials or anonymous IP sign-ins. Option C (Conditional Access) is wrong because it enforces access control policies based on signals (e.g., location, device compliance) but does not natively detect or alert on identity risks or automatically trigger password resets; it can integrate with Identity Protection but is not the primary feature for risk detection. Option D (Access Reviews) is wrong because it provides periodic attestation of group memberships and role assignments, not real-time risk detection or automated password reset triggers.

86
MCQ · hard

A company uses Microsoft Entra ID. They have many guest users with access to internal SharePoint sites and applications. They need to review guest user access every 90 days and automatically remove access if the guest does not respond to the review request. The solution must be fully automated without custom scripting. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Access Reviews
B. Microsoft Entra ID Conditional Access
C. Microsoft Entra ID Identity Protection
D. Microsoft Entra ID Privileged Identity Management
Answer: A

Access Reviews can be configured to periodically review guest access and automatically remove users who do not respond or are not approved.

Why this answer

Microsoft Entra ID Access Reviews is the correct feature because it allows administrators to create recurring reviews of guest user access to groups, applications, and SharePoint sites. It can be configured to automatically remove access if the guest does not respond within a specified period (e.g., 90 days), and it supports full automation without custom scripting by leveraging built-in review schedules and auto-apply actions.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews, but PIM is designed for privileged roles and requires activation, whereas Access Reviews handle recurring attestation of any user's access, including guest users, with automatic removal on non-response.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Conditional Access enforces access policies based on signals like location or device state, but it does not provide recurring access reviews or automatic removal of access for non-responsive guests. Option C is wrong because Microsoft Entra ID Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not schedule periodic guest access reviews or remove access based on lack of response. Option D is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not recurring reviews of standard guest user access to SharePoint sites and applications.

87
Multi-Select · hard

Your company is designing a governance strategy for Azure. You need to ensure that all resource groups in a subscription are created with a specific naming convention and mandatory tags. Which THREE services or features should you use together? (Choose three.)

Select 3 answers
A. Azure RBAC
B. Azure Blueprints
C. Management Groups
D. Azure Policy
E. Resource Locks
Answers: B, C, D

Blueprints can include policy assignments and role assignments to enforce governance across subscriptions.

Why this answer

Azure Blueprints is correct because it enables the orchestrated deployment of Azure Policy, RBAC, and resource templates as a single composable artifact. By defining a blueprint that includes a policy for naming conventions and mandatory tags, you can enforce these requirements consistently across all resource groups within a subscription or management group hierarchy.

Exam trap

The trap here is that candidates often confuse Azure RBAC (which controls permissions) with Azure Policy (which enforces rules on resource properties), or they overlook that Blueprints is the orchestration layer that bundles Policy, RBAC, and templates together to enforce governance at scale.

88
MCQ · medium

Your organization uses Microsoft Sentinel for security monitoring. You need to ensure that all sign-in logs from Microsoft Entra ID are ingested into a Log Analytics workspace in real time. Which diagnostic setting should you configure?

A. NonInteractiveUserSignInLogs
B. AuditLogs
C. SignInLogs
D. ServicePrincipalSignInLogs
Answer: C

SignInLogs include all interactive sign-in events from Entra ID.

Why this answer

The SignInLogs diagnostic setting captures all user sign-in activities, including interactive and non-interactive sign-ins, which is required for real-time ingestion of all sign-in logs from Microsoft Entra ID into a Log Analytics workspace. This setting ensures that every authentication event is streamed to Sentinel for security monitoring without delay.

Exam trap

The trap here is that candidates often confuse the SignInLogs category with the more specific subcategories like NonInteractiveUserSignInLogs or ServicePrincipalSignInLogs, mistakenly thinking they need to select multiple options or that a single subcategory covers all sign-in events, when in fact SignInLogs is the umbrella category that includes all sign-in types.

How to eliminate wrong answers

Option A is wrong because NonInteractiveUserSignInLogs only captures sign-ins performed by a client on behalf of a user without user interaction, such as refresh token requests, and does not include interactive sign-ins, so it does not cover all sign-in logs. Option B is wrong because AuditLogs contain directory activity logs like user and group management changes, not authentication events, so they are irrelevant for sign-in log ingestion. Option D is wrong because ServicePrincipalSignInLogs only captures sign-ins by service principals (non-human identities), not user sign-ins, and thus fails to meet the requirement for all sign-in logs.

89
MCQ · easy

A company uses Microsoft Entra ID. They want to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications from outside the corporate network, but allow access without MFA when coming from the corporate office IP range. Which Microsoft Entra ID feature should they use to create this policy?

A. Conditional Access policy
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Microsoft Entra ID roles
Answer: A

Conditional Access policies evaluate signals such as IP location to enforce MFA only when needed.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define access controls based on conditions such as user location, device state, and application sensitivity. By creating a policy that requires MFA for all users accessing sensitive applications from outside the corporate network, and excluding the trusted corporate office IP range from the MFA requirement, the company can enforce the desired behavior. This is the correct feature because it directly supports location-based access controls and granular policy conditions.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based policies with Conditional Access's location-based MFA enforcement, assuming that risk policies can also enforce MFA based on network location, but Identity Protection only triggers MFA based on risk level, not static IP ranges.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not provide the ability to enforce MFA based on network location or IP ranges. Option C (Privileged Identity Management, PIM) is wrong because it is designed for just-in-time privileged role activation and access reviews, not for enforcing MFA on end-user access to applications based on location. Option D (Microsoft Entra ID roles) is wrong because roles define administrative permissions within the directory, not access policies for end-user application access; they cannot enforce MFA based on network location.

90
MCQ · hard

Refer to the exhibit. You deploy this Azure Network Watcher connection monitor to test TCP connectivity on port 443 between two VMs. The test consistently shows 'Unreachable' status. Both VMs are running and have correct NSG rules allowing inbound port 443 from the source VM's IP. What is the most likely cause?

A. The source VM does not have the Network Watcher Agent installed.
B. The destination VM's NSG is blocking the traffic despite the rule.
C. The destination VM's private IP address is incorrect.
D. A firewall on the destination VM is blocking TCP port 443.
Answer: A

The agent is required for connection monitor to initiate tests.

Why this answer

The correct answer is A because Azure Network Watcher connection monitor relies on the Network Watcher Agent extension installed on both source and destination VMs to collect and report connectivity data. Without the agent on the source VM, the test cannot initiate the TCP probes, resulting in a persistent 'Unreachable' status regardless of NSG rules or VM health.

Exam trap

The trap here is that candidates often assume NSG rules are the sole cause of connectivity failures, overlooking the prerequisite that the Network Watcher Agent must be installed on both VMs for connection monitor to function.

How to eliminate wrong answers

Option B is wrong because the question states that correct NSG rules allowing inbound port 443 from the source VM's IP are in place, so the NSG is not blocking traffic. Option C is wrong because an incorrect private IP address would cause a different error (e.g., 'Invalid endpoint' or failure to resolve), not a consistent 'Unreachable' status in a connection monitor test that already references the correct VM. Option D is wrong because while a guest OS firewall could block port 443, the question specifies that the test consistently shows 'Unreachable' and both VMs are running with correct NSG rules; the most likely cause given the dependency on the Network Watcher Agent is its absence, not a firewall misconfiguration.

91
MCQ · medium

A company uses Microsoft Entra ID. They want to provide external business partners with access to an internal application. The access must be time-limited to 60 days, approved by a manager within the partner company, and automatically expire. The company also needs to generate reports of who has access. Which Microsoft Entra ID feature should they implement?

A. Microsoft Entra ID B2B collaboration with entitlement management
B. Microsoft Entra ID B2C custom policies
C. Microsoft Entra ID Identity Governance with Privileged Identity Management (PIM)
D. Microsoft Entra ID Conditional Access with session controls
Answer: A

Entitlement management allows creating access packages with approval, time-bound access, and reporting, while B2B collaboration handles external users.

Why this answer

Microsoft Entra ID B2B collaboration with entitlement management allows you to invite external users from partner companies and manage their access through access packages. These packages can enforce time-limited access (e.g., 60 days), require approval from the partner's manager, and automatically expire. Entitlement management also provides built-in reporting to track who has access, meeting all stated requirements.

Exam trap

The trap here is confusing Identity Governance with Privileged Identity Management (PIM) — PIM is for privileged roles, not for managing external partner access with time-limited, approved, and expiring access packages.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID B2C custom policies are designed for consumer-facing identity scenarios (e.g., sign-up/sign-in for customers), not for granting time-limited access to external business partners with manager approval and automatic expiration. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation for internal users, not on managing external partner access with time limits, approval workflows, and expiration. Option D is wrong because Conditional Access with session controls enforces policies during authentication (e.g., MFA, device compliance) but cannot manage time-limited access, approval workflows, or automatic expiration for external users.

92
MCQ · medium

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to design a monitoring solution to detect when users are assigned to high-privilege roles (e.g., Global Administrator) and ensure that any such assignment triggers an automated investigation. Additionally, you need to monitor sign-in failures for guest users and automatically block accounts after 5 failed attempts within 10 minutes. You have the following requirements: 1) Use a cloud-native solution that minimizes administrative overhead. 2) Integrate with Microsoft Sentinel for incident response. 3) Use built-in features where possible. What should you do?

A. Use Microsoft Entra audit logs streamed to Log Analytics, create Azure Logic Apps to detect role assignments and sign-in failures, and trigger Sentinel incidents.
B. Use Azure Policy to audit role assignments and create custom KQL functions in Log Analytics to detect sign-in failures, then forward to Sentinel.
C. Use Microsoft Entra Privileged Identity Management (PIM) alerts for role assignments and Microsoft Entra Identity Protection for sign-in risk policies; integrate both with Microsoft Sentinel.
D. Deploy Microsoft Identity Manager (MIM) on-premises to monitor role changes, and use Azure AD Connect Health for sign-in failures.
Answer: C

PIM alerts on role activation, Identity Protection can block after repeated failures, and both integrate with Sentinel.

Why this answer

Option C is correct because Microsoft Entra Privileged Identity Management (PIM) provides built-in alerts for high-privilege role assignments, and Microsoft Entra Identity Protection offers risk-based policies for sign-in failures, including user risk policies that can automatically block accounts after a specified number of failures. Both services natively integrate with Microsoft Sentinel via built-in data connectors, enabling automated incident creation with minimal administrative overhead, meeting all requirements.

Exam trap

The trap here is that candidates often over-engineer a solution with custom Logic Apps or KQL queries, overlooking the fact that PIM and Identity Protection already provide built-in alerting and automated blocking capabilities that natively integrate with Sentinel, satisfying the 'cloud-native' and 'minimize administrative overhead' requirements.

How to eliminate wrong answers

Option A is wrong because while audit logs can be streamed to Log Analytics, using Azure Logic Apps to detect role assignments and sign-in failures introduces unnecessary custom development and administrative overhead, contradicting the requirement to use built-in features and minimize overhead. Option B is wrong because Azure Policy is designed for auditing and enforcing compliance of Azure resources, not for monitoring Entra ID role assignments or sign-in failures; custom KQL functions in Log Analytics would require manual setup and lack the automated blocking capability for guest accounts. Option D is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution that adds complexity and does not provide cloud-native monitoring; Azure AD Connect Health focuses on synchronization health, not sign-in failure monitoring or automated blocking.

93
MCQ · easy

A company plans to migrate on-premises applications to Azure. They require users to authenticate using their existing on-premises Active Directory credentials without syncing password hashes to the cloud. Which Microsoft Entra ID authentication method should they use?

A.Microsoft Entra ID Pass-through Authentication
B.Microsoft Entra ID Password Hash Sync
C.Microsoft Entra ID Federation Services (AD FS)
D.Microsoft Entra ID Connect with Seamless SSO
Answer: A

Correct. Pass-through Authentication validates passwords on-premises, so no password hashes are stored in Microsoft Entra ID.

Why this answer

Pass-through Authentication (PTA) validates user passwords directly against on-premises Active Directory without storing password hashes in the cloud. A lightweight agent on-premises forwards authentication requests to the local domain controller, meeting the requirement to avoid password hash synchronization.

Exam trap

The trap here is that candidates often confuse Seamless SSO (which is a convenience feature, not an authentication method) with a primary authentication method, or they assume AD FS is required when the real constraint is avoiding password hash sync.

How to eliminate wrong answers

Option B (Password Hash Sync) is wrong because it synchronizes password hashes to Microsoft Entra ID, which violates the requirement to not sync password hashes. Option C (AD FS) is wrong because it requires deploying and managing federation infrastructure (on-premises or in Azure) and does not inherently avoid password hash sync; it also introduces additional complexity and a separate trust relationship. Option D (Seamless SSO) is wrong because it is not a standalone authentication method—it is a feature that works with Password Hash Sync or Pass-through Authentication to provide silent sign-on, and by itself it does not handle password validation without one of those methods.

94
MCQ · medium

A company is building a customer-facing web application. They want to allow users to sign in using their existing social accounts (Microsoft, Google, Facebook) or create a local account. The solution must be fully managed and support custom branding. Which Azure service should they use?

A.Microsoft Entra ID B2C (Business to Consumer)
B.Microsoft Entra ID External Identities
C.Microsoft Entra ID B2B collaboration
D.Microsoft Entra ID Application Proxy
Answer: A

Correct. Microsoft Entra ID B2C is built for consumer identity management with social and local accounts, including customization.

Why this answer

Microsoft Entra ID B2C (Business to Consumer) is the correct choice because it is a fully managed identity service designed specifically for customer-facing applications. It supports social identity providers (Microsoft, Google, Facebook) via OAuth 2.0 and OpenID Connect, allows local account creation, and provides extensive custom branding capabilities through customizable user flows and page layouts.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID External Identities (which includes B2B collaboration) with B2C, but External Identities is for business partner access to internal apps, not for building a consumer-facing identity system with social logins and local accounts.

How to eliminate wrong answers

Option B (Microsoft Entra ID External Identities) is wrong because it is primarily designed for B2B scenarios, allowing external business partners to sign in with their own corporate identities, not for consumer social logins or local account creation. Option C (Microsoft Entra ID B2B collaboration) is wrong because it focuses on inviting external business users from other organizations to access internal resources, not on building a customer-facing sign-in experience with social providers. Option D (Microsoft Entra ID Application Proxy) is wrong because it is a reverse proxy service for publishing on-premises web applications to external users, not an identity provider for authentication or sign-in.

95
Multi-Select · hard

Your organization uses Azure Monitor Logs to analyze application performance. You need to create a custom log query that calculates the 95th percentile of response times for a web app over the last 24 hours. Which THREE KQL functions should you use? (Choose three.)

Select 3 answers
A.percentile
B.summarize
C.project
D.sort
E.where
Answers: A, B, E

The percentile function calculates the specified percentile (e.g., the 95th).

Why this answer

The `percentile` function in KQL calculates percentile values, such as the 95th percentile, which is essential for analyzing response time distributions. The `summarize` function groups and aggregates data, allowing you to apply `percentile` across the dataset. The `where` function filters the log data to include only records from the last 24 hours, ensuring the query operates on the correct time range.

Exam trap

The trap here is that candidates often confuse `project` or `sort` with filtering or aggregation functions, mistakenly thinking they can help narrow the data or compute percentiles, when in fact only `where`, `summarize`, and `percentile` perform the required operations.
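As an added example (not part of the question bank), a query that combines the three functions from the answer. It assumes a workspace-based Application Insights `AppRequests` table (durations in `DurationMs`) and a constructed app role name `contoso-webapp`; `sort` and `project` appear at the end only to show that they shape the output and neither filter nor aggregate:

```kusto
// Added example: 95th percentile of web app response time over the last
// 24 hours. Assumes the workspace-based Application Insights table AppRequests
// (DurationMs in milliseconds); the app role name is a constructed value.
AppRequests
| where TimeGenerated > ago(24h)                   // where: restrict to the last 24 hours
| where AppRoleName == "contoso-webapp"            // where: one web app (assumed name)
| where Success == true                            // keep failed requests out of latency stats
| summarize p95_ms   = percentile(DurationMs, 95), // percentile runs inside summarize
            p50_ms   = percentile(DurationMs, 50),
            requests = count()
          by Name                                  // per operation, e.g. GET /api/orders
| sort by p95_ms desc                              // sort: presentation only
| project Name, requests, p50_ms, p95_ms           // project: column selection only
```

Dropping `by Name` gives a single figure for the whole app; replacing it with `by bin(TimeGenerated, 1h)` followed by `| render timechart` shows how the 95th percentile moves across the day. If your workspace still uses the classic Application Insights schema, the table is `requests` and the column is `duration`.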

96
MCQ · hard

Refer to the exhibit. You deploy this ARM template to create an Azure Monitor Workbook. The template deploys successfully. What will the workbook display?

A.CPU utilization averaged over 1-hour intervals.
B.CPU utilization averaged over 5-minute intervals.
C.Memory utilization over time.
D.Disk I/O utilization over time.
Answer: B

The query uses the Processor % Processor Time counter, summarizes the average over 5-minute bins, and renders a timechart.

Why this answer

The ARM template configures an Azure Monitor Workbook to query the `InsightsMetrics` table for the `cpu_usage_percentage` metric, which is collected by Azure Monitor Agent (AMA) at a default granularity of 1 minute. The workbook uses the `avg` aggregation and a time grain of `5m` (5 minutes) in the query, so it displays CPU utilization averaged over 5-minute intervals. The `summarize` operator with `bin(TimeGenerated, 5m)` explicitly groups data into 5-minute buckets, making option B correct.

Exam trap

The trap here is that candidates assume the default collection interval (1 minute) determines the display granularity, but the `bin()` function in the KQL query explicitly overrides that to 5-minute averages, making option B correct instead of a 1-hour or raw interval.

How to eliminate wrong answers

Option A is wrong because the query uses `bin(TimeGenerated, 5m)` to aggregate data into 5-minute intervals, not 1-hour intervals; a 1-hour interval would require `bin(TimeGenerated, 1h)`. Option C is wrong because the query filters for `cpu_usage_percentage` (CPU metric), not memory utilization; memory would require a metric like `memory_available_bytes` or `memory_percentage`. Option D is wrong because the query targets CPU utilization, not disk I/O; disk I/O would involve metrics such as `disk_read_bytes_per_second` or `disk_write_operations_per_second`.

97
MCQ · medium

Your company uses Microsoft Sentinel for security monitoring. You need to design a solution to analyze sign-in logs and detect patterns of anomalous access from different geographical locations within a short time frame. Which feature should you use?

A.Microsoft Sentinel Analytics Rules
B.Microsoft Sentinel Playbooks
C.Kusto Query Language (KQL) queries
D.Microsoft Sentinel Workbooks
Answer: C

KQL is used to query and analyze sign-in logs for anomalous patterns.

Why this answer

C is correct because Kusto Query Language (KQL) queries are the native query language used in Microsoft Sentinel to perform deep analysis of log data, including sign-in logs. To detect patterns of anomalous access from different geographical locations within a short time frame, you would write a KQL query that aggregates sign-in events by user, timestamp, and location, then applies threshold-based logic (e.g., multiple distinct countries within 10 minutes) to surface the anomaly. This is a custom detection scenario that requires direct querying of the Log Analytics workspace, which KQL enables.

Exam trap

The trap here is that candidates often confuse the purpose of Analytics Rules (which automate detection) with the raw querying capability of KQL, assuming that rules themselves perform the analysis rather than being a container for KQL logic.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel Analytics Rules are built on top of KQL queries to generate alerts automatically, but they are not the feature used to analyze logs directly; they consume pre-written KQL queries. Option B is wrong because Microsoft Sentinel Playbooks are automated response workflows (based on Azure Logic Apps) triggered by alerts, not a tool for analyzing sign-in logs or detecting patterns. Option D is wrong because Microsoft Sentinel Workbooks are interactive dashboards for visualizing data, not for performing ad-hoc or custom log analysis to detect specific anomalous patterns.
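As an added example (not part of the question bank), one way to write the KQL described above against the Microsoft Entra `SigninLogs` table in the Sentinel workspace: pairs of consecutive successful sign-ins by the same user from different countries less than 10 minutes apart. The 10-minute threshold is the one from the explanation; the table and column names (`TimeGenerated`, `UserPrincipalName`, `Location`, `IPAddress`, `ResultType`) are standard SigninLogs columns, and the 1-day lookback is an illustrative choice:

```kusto
// Added example: consecutive successful sign-ins from different countries
// within 10 minutes. Columns are standard SigninLogs columns; the 1-day
// lookback and the 10m threshold are illustrative choices.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                            // successful sign-ins only
| where isnotempty(Location)                         // Location holds the country/region code
| project TimeGenerated, UserPrincipalName, Location, IPAddress
| sort by UserPrincipalName asc, TimeGenerated asc   // serializes rows so prev() is allowed
| extend PrevUser    = prev(UserPrincipalName),
         PrevCountry = prev(Location),
         PrevTime    = prev(TimeGenerated),
         PrevIP      = prev(IPAddress)
| where UserPrincipalName == PrevUser                // compare only within one user's rows
| where Location != PrevCountry                      // country changed between two sign-ins
| extend Gap = TimeGenerated - PrevTime
| where Gap <= 10m                                   // threshold from the explanation
| project UserPrincipalName, PrevCountry, PrevIP, PrevTime,
          Location, IPAddress, TimeGenerated, Gap
| sort by Gap asc
```

Using `prev()` over the sorted rows compares each sign-in with the user's previous one, so a pair that straddles a fixed 10-minute bucket boundary is still caught, which a `summarize ... by bin(TimeGenerated, 10m)` approach would miss. To turn this into a detection, the same query goes into a scheduled analytics rule; expect to tune it for corporate VPN or cloud proxy egress, where the geolocated country can legitimately change between two sign-ins.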

98
MCQ · medium

Your organization uses Microsoft Entra ID. You need to allow external users to sign in using their own identity providers (e.g., Google, Facebook) to access a custom application. What should you configure?

A.Microsoft Entra Connect
B.Microsoft Entra External ID
C.Microsoft Entra B2B collaboration
D.Microsoft Entra ID (tenant)
Answer: B

External ID supports social identity providers.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) is the correct solution because it is specifically designed to allow external users to authenticate using their own social identity providers (e.g., Google, Facebook) via OAuth 2.0 and OpenID Connect protocols. This configuration enables a custom application to accept sign-ins from these external identities without requiring them to have a Microsoft Entra ID account, using a dedicated external tenant or identity experience.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (which is for business-to-business guest access using work/school accounts) with Microsoft Entra External ID (which is for consumer-facing social identity providers), leading them to incorrectly select B2B collaboration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used for hybrid identity synchronization between on-premises Active Directory and Microsoft Entra ID, not for enabling external social identity providers. Option C is wrong because Microsoft Entra B2B collaboration allows external users to access your organization's resources using their own work or school accounts (e.g., another Microsoft Entra tenant), but it does not natively support social identity providers like Google or Facebook for custom applications. Option D is wrong because a standard Microsoft Entra ID (tenant) alone does not provide the built-in identity provider federation for social logins; it requires the External ID configuration to add those social identity providers.

99
MCQ · medium

Your company uses Microsoft Sentinel for security monitoring. You need to design a solution to detect when a user account is created in Microsoft Entra ID with Global Administrator privileges. When detected, an incident must be created in Sentinel and the account should be disabled temporarily until reviewed. You want to use built-in capabilities where possible. What should you do?

A.Use Microsoft Entra Privileged Identity Management to require approval for role activation, and audit logs to detect permanent assignments.
B.Use Microsoft Defender for Cloud Apps to monitor for privileged role assignments and send an alert to Sentinel.
C.Use a Microsoft Sentinel analytics rule template for 'Suspicious Entra ID role assignment' and configure a playbook to disable the account via Microsoft Graph API.
D.Create a custom KQL query in Log Analytics and schedule it as a Sentinel analytics rule, then use an Azure Function to disable the account.
Answer: C

Built-in rule and playbook automation meet requirements.

Why this answer

Option C is correct because it uses a built-in Sentinel analytics rule template specifically designed to detect suspicious Entra ID role assignments, which meets the requirement for built-in capabilities. The playbook, triggered by the rule, can use the Microsoft Graph API to disable the account temporarily, providing automated remediation without custom code or external services.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing custom KQL queries or external services (like Defender for Cloud Apps) when a built-in analytics rule template and playbook are available and sufficient for the detection and automated response.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) requires approval for role activation but does not detect permanent assignments or create Sentinel incidents; it focuses on just-in-time access, not post-creation detection. Option B is wrong because Microsoft Defender for Cloud Apps can monitor for privileged role assignments but is not a built-in Sentinel capability for creating incidents directly; it would require additional configuration to forward alerts to Sentinel, and it does not natively disable accounts. Option D is wrong because creating a custom KQL query and using an Azure Function introduces unnecessary custom development and complexity, whereas built-in analytics rule templates and playbooks are available and preferred for this scenario.

100
Multi-Select · medium

Your company is planning to use Azure Monitor Workbooks to create custom dashboards for IT operations. You need to select the data sources that can be used in a workbook. Which TWO data sources are supported? (Choose two.)

Select 2 answers
A.Azure Resource Graph
B.Azure SQL Database
C.Microsoft Sentinel
D.Log Analytics workspace
E.Azure Blob Storage
Answers: A, D

Workbooks support Azure Resource Graph queries and Log Analytics workspace queries.

Why this answer

Azure Monitor Workbooks support multiple data sources including Azure Resource Graph, Log Analytics workspaces, Azure Monitor Metrics, and more. Azure Resource Graph allows querying Azure resources across subscriptions. Log Analytics workspaces allow querying log data.

Azure SQL Database is not directly a data source; you need a Log Analytics workspace that collects SQL logs. Azure Blob Storage is not a direct data source; you would need to use a Log Analytics workspace that ingests storage logs. Application Insights is supported as a data source.

101
MCQ · hard

You are troubleshooting access for a user named John Doe. The exhibit shows the output of Get-AzRoleAssignment. John reports he cannot create virtual machines in the Prod resource group. Other users with the same role can create VMs. What is the most likely cause?

A.John does not have multi-factor authentication enabled
B.John is not assigned the Contributor role
C.John has a deny assignment that prevents VM creation
D.The role assignment is at the wrong scope
Answer: C

A deny assignment can override the Contributor role, preventing VM creation even though he has the role.

Why this answer

The correct answer is C because Azure RBAC supports deny assignments that explicitly block specific actions even if the user has an allow assignment like Contributor. Since other users with the same role can create VMs, John's role assignment is not the issue; a deny assignment at a higher scope (e.g., management group or subscription) or directly on the resource group is overriding the allow, preventing VM creation. This is a common troubleshooting scenario where a deny assignment is the root cause.

Exam trap

The trap here is that candidates often assume the issue is a missing or misconfigured role assignment (like Contributor), but the question explicitly states other users with the same role succeed, pointing to a deny assignment as the only logical explanation for a user-specific block.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an authentication requirement, not an authorization control; it does not affect RBAC permissions for creating VMs. Option B is wrong because the exhibit shows Get-AzRoleAssignment output, and if John had the same role as other users who can create VMs, he would have the Contributor role; the issue is not the role itself but an overriding deny assignment. Option D is wrong because the role assignment scope is the same for all users with that role (as implied by the exhibit), and if the scope were incorrect, other users would also be affected; the problem is specific to John, indicating a deny assignment targeting him or his group.

102
MCQ · hard

You are reviewing a custom RBAC role in Azure. The exhibit shows the role definition. A user with this role reports they cannot read diagnostic settings for a storage account in the Production resource group. What is the most likely cause?

A.The role does not include 'Microsoft.Storage/storageAccounts/read'
B.Custom roles cannot be assigned to users
C.The role lacks the 'Microsoft.Storage/storageAccounts/listKeys/action' permission
D.The role is assigned at the wrong scope
Answer: A

Without the read action on storage accounts, the user cannot enumerate storage accounts in the portal or via API.

Why this answer

The user cannot read diagnostic settings because the custom role lacks the 'Microsoft.Storage/storageAccounts/read' permission. This permission is required to read the storage account resource itself, which is a prerequisite for accessing its diagnostic settings. Without it, the role cannot perform any read operations on the storage account, including reading diagnostic logs or metrics configuration.

Exam trap

The trap here is that candidates may confuse data plane permissions (like listKeys) with control plane permissions (like read), or assume that diagnostic settings can be read independently of the parent resource's read permission.

How to eliminate wrong answers

Option B is wrong because custom roles can be assigned to users, groups, or service principals just like built-in roles; the limitation is that custom roles must be defined in the same tenant. Option C is wrong because 'listKeys/action' is used to retrieve storage account access keys for data plane operations, not for reading diagnostic settings, which is a control plane operation. Option D is wrong because even if the role is assigned at the wrong scope, the core issue is the missing 'read' permission; assigning at the correct scope would still fail without the required permission.

103
MCQ · hard

A large enterprise has a management group hierarchy with 50 subscriptions. They need to enforce that every resource group must have a 'CostCenter' tag and that any new resource group without that tag is automatically denied creation. Additionally, they need to ensure that only the Finance team can modify tags on any resource. They also want to generate monthly compliance reports showing which resources are non-compliant. Which combination of Azure services should they use?

A.Azure Policy for tag enforcement, Azure RBAC for scoping tag modification to Finance, and Azure Policy for compliance reporting
B.Azure Blueprints with tag policy and Azure RBAC, and Azure Security Center for compliance
C.Azure Policy for tag enforcement, Azure Management Groups for governance, and Azure Monitor for compliance reports
D.Azure Policy for tag enforcement, Azure RBAC for tag modification, and Azure Security Center for compliance
Answer: A

Correct. Azure Policy enforces the tag requirement and provides compliance reports; RBAC restricts tag modification to the Finance team.

Why this answer

Option A is correct because Azure Policy can enforce the 'CostCenter' tag on resource groups via a 'deny' effect policy, Azure RBAC can restrict tag modification to the Finance team by assigning the 'Tag Contributor' role at the appropriate scope, and Azure Policy's compliance reporting (via the Azure Policy Compliance dashboard or export to Log Analytics) provides monthly reports on non-compliant resources without needing additional services.

Exam trap

The trap here is that candidates confuse Azure Security Center (for security compliance) with Azure Policy (for governance compliance), or assume Azure Monitor can generate compliance reports when it is designed for metrics and logs, not policy evaluation.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints are for deploying consistent environments (including policies), but they do not provide ongoing compliance reporting; Azure Security Center (now Microsoft Defender for Cloud) focuses on security posture, not tag compliance. Option C is wrong because Azure Management Groups are for organizing subscriptions and applying policies, not for governance enforcement itself, and Azure Monitor is for telemetry and alerts, not for generating compliance reports on tags. Option D is wrong because Azure Security Center is not designed for tag compliance reporting; it handles security recommendations and vulnerabilities, not resource metadata compliance.

104
Matching · medium

Match each Azure compute service to its characteristic.


Concepts
Matches

IaaS with full control over OS and apps

PaaS for web apps, APIs, and mobile backends

Managed Kubernetes for container orchestration

Serverless compute for event-driven code

Simple, fast container deployment without orchestration

Why these pairings

These are the main compute options in Azure.

105
MCQ · easy

Your organization is moving to a cloud-only identity model using Microsoft Entra ID. You need to ensure that users can reset their own passwords without help desk intervention. The solution must support multi-factor authentication and notify administrators of password resets. What should you implement?

A.Microsoft Entra Connect Password Writeback
B.Conditional Access policies for password change
C.Microsoft Entra Self-Service Password Reset (SSPR)
D.Microsoft Entra ID Protection
Answer: C

SSPR meets all requirements: self-service, MFA support, and admin notifications.

Why this answer

Microsoft Entra Self-Service Password Reset (SSPR) allows users to reset their own passwords without help desk intervention. It supports multi-factor authentication (MFA) as a verification step before resetting, and can be configured to send notifications to administrators when a password reset occurs. This directly meets all stated requirements.

Exam trap

The trap here is that candidates often confuse password writeback (a prerequisite for hybrid environments) with the actual self-service reset feature, or they mistake Conditional Access policies (which enforce MFA during sign-in) for the self-service reset process itself.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect Password Writeback is a feature that enables password changes from the cloud to be written back to an on-premises Active Directory; it is not a self-service reset solution and does not by itself provide MFA or admin notifications. Option B is wrong because Conditional Access policies for password change control the conditions under which a password change is allowed (e.g., requiring MFA during sign-in), but they do not provide a self-service reset portal or admin notification for password resets. Option D is wrong because Microsoft Entra ID Protection is a risk-based security service that detects and responds to identity risks (e.g., leaked credentials, anomalous sign-ins); it does not provide a self-service password reset capability.

106
MCQ · easy

Refer to the exhibit. You are deploying an ARM template that assigns a policy to audit virtual machines not using managed disks. After deployment, you need to verify that the policy assignment is working. Which Azure CLI command should you run?

A.az policy assignment list --subscription 12345678-1234-1234-1234-123456789abc
B.az policy state list --resource-group myResourceGroup
C.az policy definition list --subscription 12345678-1234-1234-1234-123456789abc
D.az policy event list --subscription 12345678-1234-1234-1234-123456789abc
Answer: A

This lists policy assignments, including the one just deployed.

Why this answer

Option A is correct because the `az policy assignment list` command retrieves all policy assignments in the specified subscription, including the one deployed via the ARM template. This allows you to confirm that the policy assignment exists and is properly configured. To verify that the policy is actually evaluating resources and producing compliance states, you would then use `az policy state list` to see the compliance results, but the question specifically asks to verify that the assignment itself is working, which is done by listing assignments.

Exam trap

The trap here is that candidates confuse the command for listing policy assignments with the command for viewing compliance states, leading them to choose `az policy state list` (Option B) instead of `az policy assignment list` (Option A) when the question asks to verify that the assignment itself is working.

How to eliminate wrong answers

Option B is wrong because `az policy state list` shows the current compliance states of resources against a policy, not the existence or configuration of the policy assignment itself. Option C is wrong because `az policy definition list` retrieves the built-in or custom policy definitions, not the assignments of those definitions to a scope. Option D is wrong because `az policy event list` is not a valid Azure CLI command; the correct command for viewing policy events is `az policy state list` with the `--filter` parameter, and events are not used for verifying assignment existence.

107
MCQ · easy

A company uses Microsoft Entra ID. They want to automatically detect sign-ins from anonymous IP addresses, sign-ins from unfamiliar locations, and other risky activities. When such a risk is detected, they want to block the sign-in or require multi-factor authentication. They also need a dashboard to review risk events. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Identity Protection
C.Microsoft Entra ID Privileged Identity Management (PIM)
D.Microsoft Entra ID Access Reviews
Answer: B

Identity Protection detects risky sign-ins, provides a risk dashboard, and allows automated remediation actions like blocking or requiring MFA when combined with Conditional Access.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to detect and respond to identity-based risks such as sign-ins from anonymous IP addresses, unfamiliar locations, and other risky activities. It provides a risk-based conditional access policy that can automatically block sign-ins or require multi-factor authentication (MFA) when a risk is detected, and it includes a dashboard for reviewing risk events and reports.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces policies) with Identity Protection (which provides the risk detection signals), leading them to select Conditional Access as the answer when the question explicitly asks for the feature that detects risks and provides a dashboard.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect risky sign-ins or provide a risk dashboard; it relies on Identity Protection to supply risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, approval workflows, and access reviews for administrative roles, not on detecting anonymous IP addresses or unfamiliar location sign-ins. Option D is wrong because Access Reviews are used for periodic recertification of group memberships or application access, not for real-time risk detection or automated blocking of risky sign-ins.

108
Matching · medium

Match each Azure migration tool to its use case.


Concepts
Matches

Centralized hub for discovery, assessment, and migration

Migrate databases to Azure with minimal downtime

Physical device for offline data transfer

Replicate and migrate on-premises VMs to Azure

Ship hard drives to transfer large data volumes

Why these pairings

These tools facilitate different migration scenarios.

109
MCQ · hard

Refer to the exhibit. A user reports they cannot access a secret in the vault 'vault-prod'. The user has a Contributor role at the subscription scope and a Key Vault Secrets User role at the specific vault scope. What is the most likely reason for the failure?

A.The user does not have write permissions on the vault.
B.The vault uses access policies instead of RBAC for authorization.
C.The Key Vault Secrets User role does not allow reading secrets.
D.The scope of the Key Vault Secrets User role is incorrect.
Answer: B

If the vault uses access policies, RBAC assignments are not effective; you need to grant access via an access policy.

Why this answer

Option B is correct because Key Vault has two permission models: RBAC and access policies. If the vault is using access policies, RBAC assignments are ignored unless the vault is configured for RBAC authorization.

Option A is wrong because Contributor at the subscription scope includes write access to vaults. Option C is wrong because the user holds the Key Vault Secrets User role, which does permit reading secrets. Option D is wrong because the scope of that role (the specific vault) is correct.

110
MCQ · hard

Your company has multiple Azure subscriptions managed by different teams. You need to design a governance solution that ensures: 1) All subscriptions must have a consistent set of policies (e.g., allowed locations, allowed VM SKUs). 2) Compliance reports must be generated daily for each subscription. 3) Non-compliant resources must be automatically remediated where possible (e.g., add tags). 4) The solution must use a single management group hierarchy. What should you include in the design?

A. Create a management group hierarchy, assign Azure Policy at the root management group level with both 'audit' and 'deployIfNotExists' effects, and use a daily Logic App to query compliance via Azure Resource Graph and send reports.
B. Create a management group hierarchy and use Azure Blueprints to assign policies and role assignments per subscription.
C. Use Azure DevOps to deploy a pipeline that runs PowerShell scripts to enforce policies and generate reports.
D. Create a custom Azure Policy initiative with all required policies and assign it to each subscription individually.
Answer: A

Policy at root applies to all subscriptions; remediation task handles auto-fix; Logic App automates reporting.

Why this answer

Option A is correct because assigning Azure Policy at the root management group level ensures consistent policy enforcement across all subscriptions in the hierarchy. The 'deployIfNotExists' effect enables automatic remediation (e.g., adding missing tags), while a daily Logic App querying Azure Resource Graph can generate compliance reports without manual intervention. This design satisfies all requirements with a single management group hierarchy.

Exam trap

The trap here is that candidates may assume Azure Blueprints (Option B) are required for consistent governance, but Blueprints are for initial environment setup, not ongoing policy enforcement and automatic remediation, which is the core of this question.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints assign policies per subscription or management group, but they do not provide built-in automatic remediation or daily compliance reporting; they are primarily for environment composition, not ongoing governance. Option C is wrong because using Azure DevOps with PowerShell scripts is a custom, non-native approach that lacks the automatic remediation capabilities of Azure Policy's 'deployIfNotExists' effect and requires manual pipeline maintenance. Option D is wrong because assigning a custom initiative to each subscription individually violates the requirement to use a single management group hierarchy and creates administrative overhead, failing to enforce consistency at the root level.

111
MCQ · easy

A company uses Microsoft Entra ID and wants to allow users to sign in using their existing personal Microsoft accounts, Google, and Facebook identities. They also need custom sign-up and sign-in flows with collection of specific user attributes. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID B2B
B. Microsoft Entra ID B2C
C. Microsoft Entra ID Identity Protection
D. Microsoft Entra ID Conditional Access
Answer: B

Microsoft Entra ID B2C is a customer identity access management solution that supports multiple identity providers (Microsoft, Google, Facebook) and allows custom policies for sign-up/sign-in with custom attributes.

Why this answer

Microsoft Entra ID B2C (Business-to-Consumer) is the correct choice because it is specifically designed to support external identity providers like personal Microsoft accounts, Google, and Facebook, and it provides a customizable policy framework (user flows) for sign-up and sign-in that can collect custom user attributes. Unlike B2B, which focuses on business partner collaboration, B2C allows you to define attribute collection during registration via built-in or custom policies.

Exam trap

The trap here is that candidates often confuse Entra ID B2B with B2C, assuming B2B can handle consumer identities and custom sign-up flows, but B2B is strictly for business partner collaboration and lacks the user flow customization and social identity provider support that B2C provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2B is intended for business-to-business collaboration, allowing external users from partner organizations to access your apps using their work or school accounts, not personal Microsoft accounts, Google, or Facebook identities, and it does not support custom sign-up flows with attribute collection. Option C is wrong because Microsoft Entra ID Identity Protection is a security feature that detects and responds to identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not provide federation with external identity providers or custom sign-up flows. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on conditions like user, location, or risk, but it cannot configure external identity providers or custom sign-up/attribute collection.

112
Multi-Select · medium

Which THREE Azure services can be used to monitor the performance of a web application? (Choose three.)

Select 3 answers
A. Azure Policy
B. Application Insights
C. Azure Monitor Metrics
D. Microsoft Defender for Cloud
E. Azure Monitor Logs
Answers: B, C, E

Application Insights provides application performance monitoring.

Why this answer

Application Insights is an Azure service specifically designed for monitoring the performance and usage of live web applications. It collects telemetry data such as request rates, response times, failure rates, and dependency tracking, enabling developers to detect and diagnose performance issues in real time.

Exam trap

The trap here is that candidates often confuse governance tools like Azure Policy or security tools like Defender for Cloud with performance monitoring, but the exam specifically tests the distinction between monitoring (Application Insights, Metrics, Logs) and management/security services.

113
MCQ · medium

Your company uses Microsoft Entra ID and has a custom application that requires users to have specific roles assigned. You need to ensure that role assignments are reviewed quarterly and automatically remove assignments that are not approved. Which feature should you use?

A. Microsoft Entra Privileged Identity Management
B. Microsoft Entra Identity Protection
C. Microsoft Entra ID Governance access reviews
D. Microsoft Entra Conditional Access
Answer: C

Access reviews allow periodic review of role assignments and automatic removal.

Why this answer

Microsoft Entra ID Governance access reviews enable you to create recurring reviews of role assignments, with automatic removal of assignments that reviewers do not approve. This directly meets the requirement for quarterly reviews and automatic removal of unapproved assignments, making it the correct choice.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with access reviews, but PIM handles just-in-time activation and approval, not recurring reviews with automatic removal of unapproved assignments.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) provides just-in-time role activation and approval workflows for privileged roles, but it does not natively support recurring access reviews with automatic removal of unapproved assignments. Option B is wrong because Microsoft Entra Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised credentials, sign-in anomalies) and does not manage role assignment reviews or removals. Option D is wrong because Microsoft Entra Conditional Access enforces access policies based on conditions like location or device state, but it does not provide periodic review or automatic removal of role assignments.

114
MCQ · medium

You are designing a governance strategy for Azure resources. The company has multiple departments, each requiring separate cost tracking and policy enforcement. You need to organize resources to align with the departments while minimizing management overhead. What should you use?

A. Management groups
B. Azure Blueprints
C. Resource tags
D. Resource groups
Answer: A

Management groups can contain multiple subscriptions and allow hierarchical policy and cost management.

Why this answer

Management groups are the correct choice because they allow you to organize Azure subscriptions into a hierarchy that aligns with your organizational structure, enabling you to apply Azure Policy and cost management controls at scale across multiple departments. By placing each department's subscriptions into separate management groups, you can enforce department-specific policies and track costs without managing each subscription individually, minimizing administrative overhead.

Exam trap

The trap here is that candidates often confuse resource tags with a governance mechanism for policy enforcement and cost tracking, but tags are only metadata and cannot enforce policies or aggregate costs across subscriptions like management groups can.

How to eliminate wrong answers

Option B (Azure Blueprints) is wrong because Blueprints are used to define a repeatable set of Azure resources and policies for deploying compliant environments, not for organizing existing resources or subscriptions for cost tracking and policy enforcement across departments. Option C (Resource tags) is wrong because tags are metadata key-value pairs applied to resources for filtering and reporting, but they do not provide hierarchical policy enforcement or cost aggregation at the subscription or management group level. Option D (Resource groups) is wrong because resource groups are logical containers for resources within a single subscription, and they cannot span subscriptions or provide the cross-subscription policy and cost management needed for multiple departments.

115
MCQ · hard

You are designing an identity governance solution for a multinational company. The company uses Microsoft Entra ID and has a requirement to automatically remove user access to critical SaaS applications when the user leaves the organization or changes roles. You need to ensure that the access removal is audited and can be reversed within 30 days if needed. What should you implement?

A. Conditional Access policies to block access for inactive users
B. Azure Automation runbooks to delete user accounts upon termination
C. Microsoft Entra Privileged Identity Management (PIM) to require approval for access assignments
D. Microsoft Entra Access Reviews with automatic removal and a grace period
Answer: D

Access Reviews can automate removal and allow reversal within the review period.

Why this answer

Microsoft Entra Access Reviews allow you to automatically remove user access to SaaS applications when a user leaves or changes roles, with a configurable grace period (up to 30 days) for reversal. This meets the audit and reversal requirements because Access Reviews provide a full audit trail of decisions and can automatically revoke access, while the grace period allows administrators to restore access within the specified timeframe.

Exam trap

The trap here is confusing identity governance features: candidates often pick PIM (Option C) because it involves approvals and access, but PIM is for privileged roles, not for ongoing user access to SaaS applications, and it lacks the automatic removal and grace period required for non-privileged access.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies block access based on conditions like sign-in risk or location, but they do not automatically remove user assignments or provide a reversal mechanism; they only prevent sign-in. Option B is wrong because Azure Automation runbooks can delete user accounts, but this is irreversible and does not provide a built-in 30-day reversal or audit trail for access removal to SaaS applications. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments, not the ongoing removal of user access to SaaS applications upon role changes or termination, and it does not offer a grace period for reversal.

116
MCQ · medium

Refer to the exhibit. You are deploying NSG flow logs. After deployment, you notice that no logs are being written to the storage account. What is the most likely cause?

A. Network Watcher is not enabled in the region.
B. Retention policy is set to 0 days.
C. The storage account is in a different subscription.
D. The format version is incorrect.
Answer: A

NSG flow logs require Network Watcher to be enabled in the region.

Why this answer

NSG flow logs require Network Watcher to be enabled in the region where the NSG resides. If Network Watcher is not enabled, the flow logs cannot be written to the storage account because the logging pipeline depends on the Network Watcher agent to capture and forward flow data. Enabling Network Watcher in the region resolves this issue.

Exam trap

The trap here is that candidates often assume the retention policy (0 days) or storage account subscription mismatch is the root cause, but the actual issue is the missing regional Network Watcher dependency, which is a prerequisite for NSG flow logs to function.

How to eliminate wrong answers

Option B is wrong because a retention policy of 0 days means logs are deleted immediately after being written, but logs would still be written to the storage account initially. Option C is wrong because NSG flow logs support writing to a storage account in a different subscription as long as the appropriate RBAC permissions are configured. Option D is wrong because the format version (e.g., version 1 or 2) affects the schema of the logs but does not prevent logs from being written to the storage account.

117
MCQ · medium

A company uses Microsoft Entra ID. They want to allow users to sign in to partner applications using their Microsoft Entra ID credentials. The partner applications support SAML 2.0 and OpenID Connect. They also need to customize the appearance of the sign-in pages. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra ID B2C
B. Microsoft Entra ID Application Proxy
C. Microsoft Entra ID Enterprise Application with SAML-based SSO
D. Microsoft Entra ID Conditional Access
Answer: C

Enterprise Applications in Microsoft Entra ID support SAML/OpenID Connect SSO for partner apps and allow customization of sign-in pages.

Why this answer

Microsoft Entra ID Enterprise Application with SAML-based SSO is the correct feature because it allows you to register partner applications that support SAML 2.0 or OpenID Connect, enabling federated single sign-on using existing Microsoft Entra ID credentials. Additionally, you can customize the branding (logo, sign-in page text, etc.) for each enterprise application, meeting the requirement to customize the appearance of sign-in pages.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID B2C (designed for external customers) with the Enterprise Application gallery (designed for partner/SaaS apps), but the requirement to use existing corporate credentials and customize sign-in pages points directly to Enterprise Application SSO, not B2C.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2C is designed for customer-facing identity management with social and local accounts, not for enabling partner applications to use existing corporate Microsoft Entra ID credentials. Option B is wrong because Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications, not federation or SSO for partner SaaS apps. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine for enforcing access controls (e.g., MFA, location) after authentication, not a feature for configuring SSO or customizing sign-in pages.

118
Multi-Select · hard

Your organization has multiple Azure subscriptions and uses Azure Blueprints to enforce governance. You need to design a blueprint that includes role assignments, policy assignments, and resource groups. Which THREE components can be included in an Azure Blueprint? (Choose three.)

Select 3 answers
A. Management group
B. Role assignments
C. Policy assignment
D. Subscription
E. ARM template
Answers: B, C, E

Blueprints can include role assignments to assign RBAC roles.

Why this answer

Azure Blueprints allow you to define a repeatable set of Azure resources that adhere to your organization's standards, patterns, and requirements. Role assignments (B) are a core artifact that can be included to grant specific Azure RBAC roles at the blueprint scope, ensuring consistent access control. Policy assignments (C) are also a native blueprint artifact, enabling you to enforce compliance rules across the environment.

ARM templates (E) can be included as an artifact to deploy infrastructure as code, making them a valid component of a blueprint definition.

Exam trap

The trap here is that candidates often confuse the target scope (management group or subscription) with the artifacts that can be included in the blueprint definition, leading them to incorrectly select management group or subscription as valid blueprint components.

119
MCQ · easy

Your company uses Microsoft Entra ID for identity management. You need to ensure that users can access corporate resources without passwords while maintaining a high level of security. Which feature should you implement?

A. Azure AD B2C
B. Conditional Access policies
C. Passwordless authentication
D. Multifactor authentication (MFA)
Answer: C

Passwordless methods allow users to sign in without a password, using biometrics or FIDO2 keys.

Why this answer

Passwordless authentication (Option C) is correct because it allows users to access corporate resources without entering a password, using methods like Windows Hello for Business, FIDO2 security keys, or the Microsoft Authenticator app. This eliminates password-related risks (e.g., phishing, credential theft) while maintaining strong security through cryptographic key pairs or biometric verification, aligning with the requirement for both password-free access and high security.

Exam trap

The trap here is that candidates confuse 'passwordless' with 'multifactor authentication' (MFA), assuming MFA alone removes the password requirement, but MFA still requires a password as the first factor unless explicitly combined with a passwordless method.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is a customer-facing identity service for external users (e.g., social logins), not for internal corporate resource access without passwords. Option B is wrong because Conditional Access policies enforce access controls (e.g., requiring MFA or location checks) but do not eliminate passwords; they still rely on a password as the primary authentication factor unless combined with passwordless methods. Option D is wrong because Multifactor Authentication (MFA) adds a second factor (e.g., SMS, app notification) but still requires a password as the first factor, so it does not achieve passwordless access.

120
MCQ · hard

A company uses Microsoft Entra ID. They need to implement a solution that automatically detects identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. They want to generate reports summarizing risk events and integrate the risk data with their existing Security Information and Event Management (SIEM) system via API. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Privileged Identity Management (PIM)
D. Microsoft Entra ID Entitlement Management
Answer: B

Identity Protection detects identity risks, provides detailed reports, and offers an API (Microsoft Graph) to retrieve risk events for SIEM integration. It is the primary service for risk detection and reporting.

Why this answer

Microsoft Entra ID Identity Protection is the correct feature because it is specifically designed to automatically detect identity-related risks such as leaked credentials, impossible travel, and sign-ins from anonymous IP addresses. It provides risk event reports and integrates with SIEM systems via the Microsoft Graph API, enabling automated risk data export for centralized monitoring.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces policies) with Identity Protection (which detects risks), but Conditional Access relies on Identity Protection's risk signals and cannot generate risk events on its own.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls based on signals (e.g., risk level from Identity Protection), but it does not detect or generate risk events itself. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and access reviews, not on detecting identity risks like leaked credentials or impossible travel. Option D is wrong because Entitlement Management handles access packages and lifecycle management for external users and groups, not risk detection or SIEM integration.

121
MCQ · medium

A company uses Microsoft Entra ID. They need to grant specific IT administrators just-in-time (JIT) access to Azure virtual machines for troubleshooting. The access must be time-bound, require approval from a senior manager, and be automatically revoked after the granted time period. The company also needs an audit log of all access requests and assignments. Which Azure service or feature should they use?

A. Azure Bastion
B. Microsoft Entra ID Privileged Identity Management (PIM) for Azure resources
C. Just-in-Time VM access (Microsoft Defender for Cloud)
D. Microsoft Entra ID Application Proxy
Answer: B

PIM for Azure resources enables just-in-time, time-bound access with approval workflows and automatic revocation. It provides a full audit trail, meeting all requirements.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) for Azure resources provides just-in-time (JIT) access with time-bound activation, approval workflows, and automatic revocation. It also includes full audit logging of all requests and assignments, meeting all the specified requirements for granting temporary access to Azure VMs.

Exam trap

The trap here is that candidates confuse Just-in-Time VM access in Microsoft Defender for Cloud (which is network-level JIT) with PIM for Azure resources (which is role-level JIT), but only PIM supports the required approval workflow and audit logging for role assignments.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides secure RDP/SSH connectivity to VMs over TLS without public IPs, but it does not offer time-bound JIT access, approval workflows, or automatic revocation. Option C is wrong because Just-in-Time VM access in Microsoft Defender for Cloud provides time-bound network-level access (NSG rules) to VMs, but it lacks the built-in approval workflow from a senior manager and does not integrate with Entra ID PIM for role-based access control. Option D is wrong because Microsoft Entra ID Application Proxy enables secure remote access to on-premises web applications via pre-authentication, not to Azure VMs, and it does not provide JIT access, approval workflows, or automatic revocation.

122
MCQ · easy

Your company requires that all administrative actions in Azure subscriptions be logged and retained for seven years. Which service should you use to collect and store these logs?

A. Azure Monitor Metrics
B. Azure Resource Health
C. Azure Activity Log
D. Microsoft Entra ID audit logs
Answer: C

Activity Log captures all control-plane operations and can be retained for 7 years.

Why this answer

The Azure Activity Log (now part of Azure Monitor) records all control-plane operations (create, update, delete) on Azure resources and can be retained for up to seven years by configuring a diagnostic setting to stream the logs to a Log Analytics workspace or Azure Storage. This meets the requirement for logging and long-term retention of administrative actions.

Exam trap

The trap here is that candidates confuse the Azure Activity Log (control-plane) with Microsoft Entra ID audit logs (identity-plane), or mistakenly think Azure Monitor Metrics can store long-term administrative logs instead of numerical performance data.

How to eliminate wrong answers

Option A is wrong because Azure Monitor Metrics stores numerical time-series data (e.g., CPU usage, request counts) with a default retention of 93 days, not administrative action logs for seven years. Option B is wrong because Azure Resource Health provides real-time status of resource availability and service issues, not a historical log of administrative actions. Option D is wrong because Microsoft Entra ID audit logs capture user sign-ins and directory changes, not Azure resource-level administrative actions (control-plane operations).

123
MCQ · hard

Refer to the exhibit. You are deploying a Log Analytics workspace using an ARM template with the parameters shown. Your compliance team requires that all log data be retained for at least 2 years. Which parameter value should you modify?

A. retentionInDays
B. workspaceName
C. sku
D. dailyQuotaGb
Answer: A

Retention is set to 365 days; must be changed to 730 or more to meet 2-year requirement.

Why this answer

The `retentionInDays` parameter controls how long log data is retained in a Log Analytics workspace. To meet the compliance requirement of at least 2 years (730 days), you must set this value to 730 or higher. The default retention is 30 days for free tiers and up to 730 days for paid tiers, but the parameter must be explicitly modified to enforce the 2-year retention.

Exam trap

The trap here is that candidates often confuse `sku` with retention capabilities, assuming that upgrading the SKU automatically extends retention, when in fact `retentionInDays` is an independent parameter that must be explicitly set to meet compliance requirements.

How to eliminate wrong answers

Option B is wrong because `workspaceName` only defines the name of the Log Analytics workspace and has no impact on data retention policies. Option C is wrong because `sku` determines the pricing tier (e.g., PerGB2018, Standalone) and affects features like ingestion costs and retention limits, but does not directly set the retention period; retention is configured separately via `retentionInDays`. Option D is wrong because `dailyQuotaGb` sets a cap on daily data ingestion to control costs, not the retention duration of stored logs.

124
MCQ · hard

A company uses Microsoft Entra ID. They need to enforce that all users accessing the company's internal application from mobile devices must be compliant with device management policies (e.g., require a PIN and encryption). The application does not support modern authentication. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Application Proxy
C. Microsoft Entra ID Identity Protection
D. Microsoft Entra ID Privileged Identity Management
Answer: B

Application Proxy publishes the legacy app to the cloud, adds Microsoft Entra ID authentication, and allows Conditional Access policies to enforce device compliance.

Why this answer

Microsoft Entra ID Application Proxy is the correct choice because it enables secure remote access to on-premises web applications that do not support modern authentication. By publishing the internal application through Application Proxy, you can enforce device compliance policies (e.g., requiring a PIN and encryption) via Conditional Access policies applied to the Application Proxy service, even though the application itself uses legacy authentication.

Exam trap

The trap here is that candidates often assume Conditional Access alone can enforce device compliance on any application, but they miss the critical requirement that the application must support modern authentication; Application Proxy is the bridge that enables Conditional Access to work with legacy apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls, but it cannot directly enforce device compliance on an application that does not support modern authentication; it requires the application to support modern authentication protocols (e.g., OAuth 2.0, OpenID Connect) to evaluate device state. Option C is wrong because Microsoft Entra ID Identity Protection is focused on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins), not on enforcing device management policies or enabling legacy app access. Option D is wrong because Microsoft Entra ID Privileged Identity Management is designed for managing, controlling, and monitoring privileged roles and just-in-time access, not for enforcing device compliance or proxying legacy applications.

125
Multi-Select · easy

Which TWO Microsoft Entra ID editions include Conditional Access? (Choose two.)

Select 2 answers
A. Microsoft Entra ID P1
B. Microsoft Entra ID P2
C. Azure AD Basic (legacy)
D. Microsoft 365 Business Basic
E. Microsoft Entra ID Free
Answers: A, B

P1 includes Conditional Access.

Why this answer

Microsoft Entra ID P1 includes Conditional Access, which allows organizations to enforce access policies based on signals like user, location, device, and application. This edition provides the core Conditional Access capabilities needed for most enterprise scenarios, such as requiring multi-factor authentication or blocking access from untrusted locations.

Exam trap

The trap here is that candidates often confuse Microsoft 365 Business Basic (which includes only Azure AD Free) with a higher-tier license that includes Conditional Access, or mistakenly think legacy Azure AD Basic still supports Conditional Access.

126
MCQ · easy

A company uses Microsoft Entra ID. They need to grant temporary administrative roles to users for specific tasks. The process must require approval from a designated approver, and the access must automatically expire after a defined period. The company also needs audit logs of all role assignments and activations. Which Microsoft Entra ID feature should they implement?

A. Microsoft Entra ID Privileged Identity Management (PIM)
B. Microsoft Entra ID Entitlement Management
C. Microsoft Entra ID Identity Protection
D. Microsoft Entra ID Conditional Access
Answer: A

PIM provides just-in-time (JIT) privileged access to Microsoft Entra ID roles and Azure resources. It supports approval workflows, time-bound role assignments, automatic expiration, and detailed audit logging.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access, requiring approval from designated approvers and automatically expiring role assignments after a defined duration. PIM also generates detailed audit logs for all role activations and assignments, meeting the compliance and monitoring requirements.

Exam trap

The trap here is confusing Entitlement Management (which handles access packages and reviews) with PIM (which specifically handles privileged role activation and approval workflows), leading candidates to pick Option B for its 'approval' and 'expiration' keywords.

How to eliminate wrong answers

Option B is wrong because Entitlement Management focuses on automating access requests and reviews for groups, apps, and sites, not on granting temporary administrative roles with approval workflows and automatic expiration. Option C is wrong because Identity Protection is designed to detect and remediate identity-based risks (e.g., compromised credentials, sign-in anomalies), not to manage role-based access or approvals. Option D is wrong because Conditional Access enforces policies based on signals (e.g., location, device state) at sign-in, but does not handle role activation, approval workflows, or automatic expiration of administrative roles.

127
MCQ · medium

A company uses Microsoft Entra ID. They want to integrate their security operations with a third-party SIEM tool. They need to export all Microsoft Entra ID sign-in logs and audit logs to the SIEM for analysis. The solution should be automated and near real-time. Which Azure service should they configure?

A. Azure Event Hubs
B. Azure Logic Apps
C. Azure Monitor
D. Azure Storage
Answer: A

Event Hubs can receive log streams from Microsoft Entra ID diagnostic settings and forward to SIEM tools.

Why this answer

Azure Event Hubs is the correct service because it provides a high-throughput, low-latency data ingestion platform that can receive streaming diagnostic data from Microsoft Entra ID. By configuring diagnostic settings in Entra ID to stream sign-in and audit logs to an Event Hubs namespace, you enable near real-time export to a third-party SIEM tool via the Event Hubs-compatible endpoint, typically using the AMQP or HTTPS protocol.

Exam trap

The trap here is that candidates often confuse Azure Monitor's log collection capability with real-time streaming, not realizing that Monitor itself cannot natively push logs to external SIEMs without Event Hubs as the intermediary pipeline.

How to eliminate wrong answers

Option B (Azure Logic Apps) is wrong because Logic Apps is an orchestration and workflow service, not a streaming data ingestion platform; it would introduce latency and complexity for continuous, near real-time log export. Option C (Azure Monitor) is wrong because Azure Monitor is a monitoring and alerting service that can collect logs but does not natively stream them to external SIEM tools in near real-time; it relies on Event Hubs as a pipeline for such exports. Option D (Azure Storage) is wrong because Azure Storage is a batch-oriented, blob/table storage service that does not support real-time streaming; logs exported there would require additional processing and polling, breaking the near real-time requirement.

128
MCQ · medium

You are designing a monitoring solution for a global e-commerce application hosted on Azure. The application experiences intermittent performance degradation that is difficult to reproduce. You need to ensure that you can capture detailed diagnostic data when the degradation occurs, without permanently storing large amounts of data. Which Azure feature should you use?

A. Use Application Insights continuous export to send all telemetry to a storage account.
B. Implement an Azure Monitor Data Collection Rule with a schedule-based filter to capture detailed logs during degradation.
C. Configure a Log Analytics workspace to collect all performance counters and IIS logs.
D. Enable Azure Metrics for the application to monitor performance in real-time.
Answer: B

DCRs allow conditional data collection, enabling targeted troubleshooting.

Why this answer

Option B is correct because Azure Monitor Data Collection Rules (DCRs) allow you to define a schedule-based filter that triggers detailed log collection only during specific conditions, such as when performance degradation is detected. This enables capturing granular diagnostic data exactly when needed without permanently storing large volumes of telemetry, aligning with the requirement to avoid persistent high storage costs.

Exam trap

The trap here is that candidates often confuse continuous data collection (options A, C, D) with conditional data capture, overlooking that Data Collection Rules can be dynamically enabled or disabled via schedule or alert triggers to meet the 'capture only when needed' requirement.

How to eliminate wrong answers

Option A is wrong because Application Insights continuous export sends all telemetry to a storage account continuously, resulting in permanent storage of large amounts of data, which contradicts the requirement to avoid permanently storing large volumes. Option C is wrong because configuring a Log Analytics workspace to collect all performance counters and IIS logs would continuously ingest and store all data, leading to high storage costs and not addressing the need for selective capture during degradation. Option D is wrong because Azure Metrics provides real-time monitoring but lacks the ability to capture detailed diagnostic logs on a conditional or scheduled basis; it is designed for lightweight, high-frequency metric data, not verbose diagnostic data.

129
MCQ · easy

Your company uses Azure Resource Manager templates for infrastructure deployment. You need to ensure that all deployments are validated against organizational policies before resources are provisioned. Which Azure service should you use?

A. Azure RBAC
B. Management Groups
C. Azure Policy
D. Azure Blueprints
Answer: C

Azure Policy with deny effect can prevent non-compliant resource creation during deployment.

Why this answer

Azure Policy (Option C) is correct because it can be assigned with a 'deny' effect to prevent non-compliant deployments before resources are provisioned. Azure RBAC (Option A) is wrong because RBAC controls access but not resource compliance. Management Groups (Option B) are wrong because they organize subscriptions but do not validate deployments. Azure Blueprints (Option D) is wrong because Blueprints bundles artifacts but does not enforce policies.

130
MCQ · easy

A company requires all users to use multi-factor authentication (MFA) when accessing cloud applications. However, they want to exempt users from MFA when they connect from the company's headquarters, which has a trusted IP range. They want to enforce this policy centrally. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Privileged Identity Management
D. Microsoft Entra ID Self-Service Password Reset
Answer: A

Conditional Access policies can include location conditions to require MFA for all access except from trusted IP ranges.

Why this answer

Microsoft Entra ID Conditional Access is the correct feature because it allows administrators to create policies that enforce MFA based on conditions such as user location, device state, and application sensitivity. By configuring a Conditional Access policy with a 'trusted location' condition (defined via named locations with specific IP ranges), the company can require MFA for all cloud app access except when users connect from the headquarters' trusted IP range. This provides centralized, granular control over authentication requirements without needing to modify individual user settings.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based MFA prompts) with Conditional Access (which handles location-based MFA exemptions), leading them to select Identity Protection because it also deals with MFA, but it lacks the trusted IP range exclusion capability.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, anonymous IP addresses) and can trigger automated remediation like requiring MFA on risky sign-ins, but it does not natively support exempting users based on trusted IP ranges; its primary focus is risk-based policies, not location-based conditional access. Option C is wrong because Microsoft Entra ID Privileged Identity Management (PIM) manages just-in-time privileged role activation, approval workflows, and access reviews for elevated roles, not general user MFA enforcement or location-based exemptions. Option D is wrong because Microsoft Entra ID Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, but it does not enforce or exempt MFA based on network location; it is a password management feature, not an authentication policy engine.

131
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Entra ID Identity Governance? (Select THREE.)

Select 3 answers
A. Entitlement management
B. Access reviews
C. Privileged Identity Management
D. Conditional Access
E. Identity Protection
Answers: A, B, C

Manages access packages and requests.

Why this answer

Microsoft Entra ID Identity Governance is a suite of capabilities designed to help organizations manage and govern access to resources. Entitlement management (A) enables the creation of access packages to automate access requests, approvals, and assignments. Access reviews (B) allow periodic recertification of group memberships and application access to ensure only the right users have access.

Privileged Identity Management (C) provides just-in-time privileged access and role activation workflows for Azure AD roles and Azure resources, directly supporting governance of elevated access.

Exam trap

The trap here is that candidates often confuse Conditional Access and Identity Protection (which are security-focused features) with Identity Governance capabilities, but the exam specifically tests that governance includes entitlement management, access reviews, and PIM as the three core pillars.

132
MCQ · medium

A company uses Microsoft Entra ID and wants to enforce that all users must use multi-factor authentication (MFA) when accessing sensitive applications. However, they want to exclude users when connecting from the corporate office IP range and only allow access from devices that are compliant with Intune policies. Which Microsoft Entra ID feature should they use to create this policy?

A. Microsoft Entra ID Identity Protection
B. Microsoft Entra ID Privileged Identity Management
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Identity Governance
Answer: C

Conditional Access policies allow you to specify conditions (e.g., IP location, device compliance) and controls (e.g., require MFA, block access). This enables the described scenario: require MFA for sensitive apps, but exclude corporate IP range and require compliant device.

Why this answer

Option C is correct because Microsoft Entra ID Conditional Access is the feature specifically designed to enforce granular access policies based on conditions such as user, location, device compliance, and application sensitivity. By configuring a Conditional Access policy, you can require MFA for sensitive applications, exclude the corporate office IP range, and restrict access to Intune-compliant devices, all within a single policy.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, thinking risk-based policies can enforce location or device compliance, but Identity Protection only triggers actions based on risk scores, not static conditions like IP ranges or Intune compliance.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can trigger MFA based on risk level, but it cannot enforce device compliance or exclude specific IP ranges directly. Option B is wrong because Microsoft Entra ID Privileged Identity Management manages just-in-time privileged role activation and access reviews, not general user access policies for sensitive applications. Option D is wrong because Microsoft Entra ID Identity Governance handles access lifecycle, entitlement management, and certification campaigns, not real-time access enforcement based on location or device compliance.

133
Multi-Select · hard

Which THREE of the following are required to collect Windows security events into Microsoft Sentinel?

Select 3 answers
A. Log Analytics workspace
B. Data collection rule (DCR)
C. Azure Policy
D. Azure Monitor Agent (AMA)
E. Microsoft Defender for Cloud
Answers: A, B, D

The workspace stores the collected logs.

Why this answer

A Log Analytics workspace is required because Microsoft Sentinel is built on top of it; all security events collected by Sentinel are stored in the workspace's tables, and Sentinel uses the workspace as its data repository for analytics, alerting, and investigation.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a security management service) with a data collection agent, or think Azure Policy can be used to collect logs, when in fact only the combination of a Log Analytics workspace, a DCR, and the AMA fulfills the requirement.

134
MCQ · easy

You are designing identity governance for a company that uses Microsoft Entra ID. The company wants to grant external partners access to an internal application for 90 days. After 90 days, access must be automatically removed. Additionally, the application requires that users have multi-factor authentication (MFA) and a compliant device. You need to design a solution that meets these requirements with minimal administrative effort. What should you do?

A. Create an access package in Microsoft Entra entitlement management with a 90-day policy and conditional access policies for MFA and device compliance.
B. Manually create guest user accounts, assign the app, and set a calendar reminder to delete the accounts after 90 days.
C. Create a dynamic group in Microsoft Entra ID that includes partners and assign the app; use a scheduled script to remove membership after 90 days.
D. Use Microsoft Entra Privileged Identity Management to grant just-in-time access for 90 days.
Answer: A

Entitlement management automates access lifecycle and policy enforcement.

Why this answer

Option A is correct because Microsoft Entra entitlement management allows you to create an access package that automatically grants external partners access to the application for exactly 90 days, after which access is automatically removed via an expiration policy. Additionally, you can enforce multi-factor authentication (MFA) and device compliance by configuring conditional access policies that are applied to the access package, meeting all requirements with minimal administrative effort through automation.

Exam trap

The trap here is that candidates may confuse Privileged Identity Management (PIM) with entitlement management, thinking PIM's time-limited role activation can be applied to application access, but PIM is for Azure AD roles and Azure resource roles, not for granting external user access to applications with conditional access enforcement.

How to eliminate wrong answers

Option B is wrong because manually creating guest accounts and setting a calendar reminder is not automated, requires ongoing administrative effort, and does not enforce MFA or device compliance policies. Option C is wrong because using a dynamic group with a scheduled script to remove membership after 90 days is not a native, automated solution; dynamic groups are based on user attributes, not time-based expiration, and scripting adds complexity and potential failure points. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) is designed for just-in-time privileged role activation, not for granting time-limited access to applications for external partners, and it does not natively enforce MFA or device compliance for application access.

135
MCQ · easy

Your organization uses Microsoft Azure and has a subscription with multiple resource groups. You need to ensure that only users in the Finance department can access storage accounts in the 'Finance' resource group. The solution must use role-based access control (RBAC). What should you assign?

A. Assign the Contributor role to the Finance users at the management group scope
B. Assign the Storage Blob Data Reader role to the Finance users at the Finance resource group scope
C. Assign the Reader role to the Finance users at the subscription scope
D. Assign the Storage Account Contributor role to the Finance users at each storage account scope
Answer: B

This assignment grants read access to blob data in all storage accounts within the Finance resource group.

Why this answer

Option B is correct because assigning the Storage Blob Data Reader role at the Finance resource group scope grants Finance users read access to blob data within all storage accounts in that resource group, using RBAC. This meets the requirement of restricting access to only the Finance department while leveraging Azure RBAC's built-in data plane role for storage.

Exam trap

The trap here is that candidates often confuse management plane roles (like Contributor or Storage Account Contributor) with data plane roles (like Storage Blob Data Reader), mistakenly thinking Contributor grants data access, when in fact it only grants management access unless combined with a data plane role.

How to eliminate wrong answers

Option A is wrong because assigning the Contributor role at the management group scope would grant full management access to all resources across multiple subscriptions, far exceeding the requirement to restrict access to only storage accounts in the Finance resource group. Option C is wrong because the Reader role at the subscription scope provides read-only access to all resources in the subscription, including non-Finance resource groups, violating the principle of least privilege. Option D is wrong because assigning the Storage Account Contributor role at each storage account scope grants management access to the storage account itself (e.g., configuration, networking) but not necessarily data access (e.g., blobs), and it requires individual assignments per account, which is less efficient than a single resource group scope assignment.

136
Multi-Select · hard

An enterprise wants just-in-time elevation for Azure administrators and periodic validation that privileged users still require access. Which two Microsoft Entra features should you recommend? (Choose 2.)

Select 2 answers
A. Microsoft Entra Privileged Identity Management
B. Microsoft Entra access reviews
C. Microsoft Entra Domain Services
D. Azure Policy guest configuration
Answers: A, B

PIM supports eligible assignments, approvals, MFA, and time-bound activation.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) elevation by allowing time-bound and approval-based activation of privileged roles, such as Global Administrator. This ensures administrators only gain elevated permissions when needed and for a limited duration, directly addressing the requirement for JIT elevation.

Exam trap

The trap here is confusing Microsoft Entra Domain Services (a legacy domain join service) with identity governance features, or assuming Azure Policy guest configuration can manage user access reviews instead of VM configuration compliance.

137
MCQ · easy

A company uses Microsoft Entra ID. They want to automatically review and remove guest accounts that have not signed in for 90 days. They also need to generate reports for auditors. Which Microsoft Entra ID feature should they use?

A. Identity Protection
B. Access Reviews
C. Privileged Identity Management
D. Conditional Access
Answer: B

Access Reviews allow periodic review of guest access, automated removal based on criteria like no sign-in activity, and generate audit reports.

Why this answer

Access Reviews in Microsoft Entra ID allow administrators to create recurring reviews of guest users' access. By configuring a review with a 'days since last sign-in' condition (e.g., 90 days), Entra ID automatically flags and can remove guest accounts that have not authenticated within that period. The review process also generates detailed audit logs and reports suitable for auditor compliance, directly meeting the stated requirements.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews because both involve 'reviewing' access, but PIM is strictly for privileged roles, not for reviewing inactive guest accounts.

How to eliminate wrong answers

Option A is wrong because Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not provide scheduled, automated access reviews or removal of inactive guest accounts. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation and approval workflows for administrators, not on reviewing or removing standard guest user accounts based on inactivity. Option D is wrong because Conditional Access enforces policies during sign-in (e.g., requiring MFA, blocking locations) but cannot perform scheduled reviews or automatically remove guest accounts that have not signed in for a specific period.

138
MCQ · easy

Your company plans to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from multiple Azure resources and on-premises servers. Which data connector should you use for Windows servers on-premises?

A. Azure Monitor Agent
B. Log Analytics agent
C. Microsoft Defender for Cloud agent
D. Azure Arc agent
Answer: A

AMA is the current agent for collecting logs and forwarding to Sentinel.

Why this answer

The Azure Monitor Agent (AMA) is the correct choice because it is the current, recommended data collection agent for Microsoft Sentinel, replacing the legacy Log Analytics agent. It supports collecting security logs from Windows servers on-premises via the Windows Security Events via AMA connector, which uses data collection rules (DCRs) for flexible, scalable log ingestion. AMA is optimized for Sentinel's SIEM requirements and provides better performance, security, and manageability than its predecessor.

Exam trap

The trap here is that candidates often confuse the Azure Monitor Agent with the Log Analytics agent, assuming the older agent is still the primary choice for Sentinel, when in fact Microsoft has deprecated the Log Analytics agent and now mandates the Azure Monitor Agent for all new deployments.

How to eliminate wrong answers

Option B (Log Analytics agent) is wrong because it is the legacy agent that Microsoft is deprecating in favor of the Azure Monitor Agent; it lacks support for newer Sentinel features and data collection rules. Option C (Microsoft Defender for Cloud agent) is wrong because it is designed for vulnerability assessment and security posture monitoring, not for general SIEM log ingestion into Sentinel; it does not collect Windows Security Event logs directly. Option D (Azure Arc agent) is wrong because it is used for managing on-premises servers as Azure Arc-enabled resources (e.g., policy, extensions), but it does not natively collect and forward security logs to Sentinel; you still need the Azure Monitor Agent for log ingestion.

139
MCQ · medium

A company uses Microsoft Entra ID and wants to automate the lifecycle management of user accounts in their SaaS applications, such as Salesforce and ServiceNow. The solution should automatically create, update, and deactivate accounts when users join, move, or leave the organization. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra ID Provisioning
B. Microsoft Entra ID Connect
C. Microsoft Entra ID Application Proxy
D. Microsoft Entra ID Entitlement Management
Answer: A

Microsoft Entra ID Provisioning automates user account creation, update, and deactivation in SaaS applications via SCIM or built-in connectors.

Why this answer

Microsoft Entra ID Provisioning (specifically, HR-driven provisioning) automates the creation, update, and deactivation of user accounts in SaaS applications like Salesforce and ServiceNow based on changes in the organization's HR system or directory. It uses the SCIM (System for Cross-domain Identity Management) protocol to synchronize identity lifecycle events, ensuring accounts are automatically created when users join, updated when they move, and deactivated when they leave.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Connect (which syncs to Entra ID) with provisioning to external SaaS apps, or they mistakenly think Entitlement Management handles account creation when it only manages access rights, not identity lifecycle.

How to eliminate wrong answers

Option B (Microsoft Entra ID Connect) is wrong because it is designed for synchronizing on-premises Active Directory objects to Microsoft Entra ID, not for provisioning user accounts into third-party SaaS applications. Option C (Microsoft Entra ID Application Proxy) is wrong because it provides secure remote access to on-premises web applications via reverse proxy, not lifecycle management of user accounts. Option D (Microsoft Entra ID Entitlement Management) is wrong because it manages access packages and approval workflows for resource access, not the automated creation, update, and deactivation of user accounts in SaaS apps.

140
MCQ · medium

Refer to the exhibit. You run this PowerShell script in an Azure subscription. The script executes successfully. What is the outcome?

A. All existing tags are replaced with 'Environment'='Unknown'.
B. All resources without tags get the tag 'Environment' with value 'Unknown'.
C. All resources in the subscription get the tag 'Environment' with value 'Unknown'.
D. The script fails because Update-AzTag does not support merge.
Answer: B

The script filters resources with no tags and adds the tag via merge.

Why this answer

The `Update-AzTag` cmdlet with the `-Operation Merge` parameter merges the specified tags into existing resource tags without removing any existing tags. When a resource already has tags, only the specified tag is added or updated; when a resource has no tags, the specified tag is applied. This matches option B: all resources without tags get the tag 'Environment' with value 'Unknown'.

Exam trap

The trap here is that candidates often assume `Update-AzTag` with Merge behaves like a full replacement (Option A) or applies to all resources (Option C), when in fact Merge only adds or updates the specified tags and only targets resources that match the resource ID pipeline input — in this case, resources without tags due to the `Where-Object` filter.

How to eliminate wrong answers

Option A is wrong because `-Operation Merge` does not replace existing tags; it only adds or updates the specified tags, leaving all other existing tags intact. Option C is wrong because the script targets only resources without tags, not all resources in the subscription; resources that already have tags are not affected unless they lack the 'Environment' tag. Option D is wrong because `Update-AzTag` does support the `Merge` operation; the script executes successfully, proving the operation is valid.

141
MCQ · easy

Refer to the exhibit. You are creating a role assignment in Azure. The role definition ID is for the Contributor role. What is the effect of this assignment?

A. The principal can manage all resources in resource group RG1.
B. The principal can read all resources in resource group RG1.
C. The principal can manage all resources in the subscription.
D. The principal can manage access to resource group RG1.
Answer: A

Contributor role at RG scope grants full management of that RG.

Why this answer

The Contributor role in Azure provides full management access to all resources within the assigned scope, but it cannot grant access to other users (role assignments). Since the scope is resource group RG1, the principal can manage all resources in that resource group, including creating, deleting, and modifying them, but cannot manage access to the resource group itself.

Exam trap

The trap here is that candidates often confuse the Contributor role with the Owner role, mistakenly thinking Contributor can manage access (role assignments), or they overlook the scope and assume the assignment applies to the entire subscription.

How to eliminate wrong answers

Option B is wrong because the Contributor role includes write and delete permissions, not just read; the Reader role provides read-only access. Option C is wrong because the scope is explicitly resource group RG1, not the subscription; assigning the Contributor role at the resource group scope limits management to that resource group only. Option D is wrong because managing access (role assignments) requires the Owner role or a custom role with Microsoft.Authorization/roleAssignments/write permission, which the Contributor role does not include.

142
MCQ · easy

A company uses Microsoft Entra ID. They need to ensure that users who access sensitive cloud applications from untrusted networks (e.g., public Wi-Fi) are prompted for multi-factor authentication (MFA). Which Microsoft Entra ID feature should they configure?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Microsoft Entra ID B2C
Answer: A

Conditional Access policies evaluate conditions like network location and can require MFA when accessing from untrusted networks.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define conditions (e.g., network location, device state) under which access to cloud applications is granted. By configuring a policy that targets sensitive applications and requires MFA when the user's IP address is from an untrusted network (such as public Wi-Fi), the company can enforce MFA only when the risk condition is met, without affecting access from trusted corporate networks.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA with Conditional Access's location-based MFA, but Identity Protection alone cannot enforce MFA based solely on network location—it requires a Conditional Access policy to act on the risk signal.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can trigger MFA via risk-based Conditional Access, but it is not the feature that directly configures network-location-based MFA prompts; it requires integration with Conditional Access. Option C (Privileged Identity Management) is wrong because it manages just-in-time privileged role activation and approval workflows, not network-based access controls for all users. Option D (Microsoft Entra ID B2C) is wrong because it is a customer-facing identity service for external users (e.g., social logins) and does not apply to internal corporate users accessing sensitive cloud apps.

143
MCQ · medium

Refer to the exhibit. You create this Conditional Access policy in Microsoft Entra ID. What is the result?

A. Only administrators are prompted for MFA.
B. All users are prompted for MFA when accessing any application from a browser or mobile app.
C. External users are prompted for MFA.
D. Access is blocked for all users.
Answer: B

The policy requires MFA for all users and all apps for browser and mobile clients.

Why this answer

The exhibit shows a Conditional Access policy that applies to 'All users' and targets 'All cloud apps' with the grant control set to 'Require multi-factor authentication'. This configuration forces every user, including administrators and external users, to complete MFA when accessing any cloud application from any platform (browser or mobile app). Option B correctly states this universal MFA requirement.

Exam trap

The trap here is that candidates often assume a policy targeting 'All users' only applies to internal users or that 'All cloud apps' excludes certain Microsoft services, but in reality both scopes are comprehensive and include external users and every registered application.

How to eliminate wrong answers

Option A is wrong because the policy targets 'All users', not just administrators, so administrators are not the only group prompted for MFA. Option C is wrong because while external users are included under 'All users', the policy also applies to internal users, so the result is not limited to external users. Option D is wrong because the grant control is set to 'Require multi-factor authentication', not 'Block access', so access is not blocked; it is allowed after MFA is satisfied.

144
MCQ · easy

Your company is implementing a monitoring solution for Azure virtual machines. You need to collect performance counters and log events from the VMs and send them to a centralized Log Analytics workspace. Which agent should you install on the VMs?

A. Azure Monitor Agent
B. Log Analytics agent (MMA)
C. Diagnostics Extension
D. Dependency Agent
Answer: A

AMA is the modern agent for collecting performance and event data to Log Analytics.

Why this answer

Azure Monitor Agent (AMA) is the current recommended agent for collecting performance counters and log events from Azure VMs and sending them to a Log Analytics workspace. It replaces the legacy Log Analytics agent (MMA) and offers centralized management via data collection rules (DCRs), improved security, and support for both Windows and Linux VMs. The AMA uses the Azure Monitor service pipeline and supports multi-homing to multiple workspaces natively.

Exam trap

The trap here is that candidates often confuse the legacy Log Analytics agent (MMA) as the correct choice because it was the standard for years, but Azure Monitor Agent is the modern replacement explicitly tested in the AZ-305 exam as the recommended solution for centralized log and performance collection.

How to eliminate wrong answers

Option B (Log Analytics agent, MMA) is wrong because it is the legacy agent, retired in August 2024 in favor of Azure Monitor Agent; it has no data collection rules (collection settings live on the workspace rather than in a centrally managed rule), and it authenticates with a workspace ID and key instead of a managed identity. Option C (Diagnostics Extension) is wrong because the Azure Diagnostics extension collects guest OS metrics and logs and sends them to an Azure Storage account or Event Hubs, not to a Log Analytics workspace; boot diagnostics is a separate VM feature and is not collected by this extension. Option D (Dependency Agent) is wrong because it collects process and network connection data for the VM Insights Map feature (formerly Service Map); it runs alongside AMA and collects no performance counters or event logs of its own.
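Below is an added example, not code from the original page, showing what the centrally managed configuration described above looks like in practice: a Bicep template that creates a data collection rule for Azure Monitor Agent collecting performance counters and filtered Windows event logs into one Log Analytics workspace, and associates the rule with a VM. It assumes the workspace and the VM already exist and that AMA is installed on the VM; the resource names, counter list and XPath filters are illustrative choices.

```bicep
// Added example, not code from the original page: a Bicep template that creates an
// Azure Monitor data collection rule (DCR) for Azure Monitor Agent and associates it
// with one Windows VM. Assumed: the Log Analytics workspace and the VM already exist
// and AMA is installed on the VM (for a fleet, the built-in AMA policy initiative
// installs the agent and creates the association). Names, counters and XPath
// filters are illustrative.

@description('Resource ID of the existing central Log Analytics workspace (assumed)')
param workspaceResourceId string

@description('Name of an existing Windows VM in this resource group (assumed)')
param vmName string

@description('Region for the DCR (same region as the VMs)')
param location string = resourceGroup().location

resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' = {
  name: 'dcr-windows-perf-events'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      // Performance counters, sampled every 60 seconds, land in the Perf table
      performanceCounters: [
        {
          name: 'perfCounters'
          streams: [ 'Microsoft-Perf' ]
          samplingFrequencyInSeconds: 60
          counterSpecifiers: [
            '\\Processor(_Total)\\% Processor Time'
            '\\Memory\\Available Bytes'
            '\\LogicalDisk(_Total)\\% Free Space'
          ]
        }
      ]
      // Windows event logs, filtered by XPath at the agent so noise never leaves
      // the VM; matching events land in the Event table
      windowsEventLogs: [
        {
          name: 'eventLogs'
          streams: [ 'Microsoft-Event' ]
          xPathQueries: [
            'Application!*[System[(Level=1 or Level=2)]]' // critical and error only
            'System!*[System[(Level=1 or Level=2)]]'
            'Security!*[System[(EventID=4625)]]' // failed logons only
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          name: 'centralWorkspace'
          workspaceResourceId: workspaceResourceId
        }
      ]
    }
    // Each stream is routed to the workspace; a second logAnalytics entry
    // referenced here would multi-home the same data to another workspace
    dataFlows: [
      {
        streams: [ 'Microsoft-Perf' ]
        destinations: [ 'centralWorkspace' ]
      }
      {
        streams: [ 'Microsoft-Event' ]
        destinations: [ 'centralWorkspace' ]
      }
    ]
  }
}

resource vm 'Microsoft.Compute/virtualMachines@2023-09-01' existing = {
  name: vmName
}

// Binding the DCR to the VM is what tells the agent on that VM what to collect
resource dcrAssociation 'Microsoft.Insights/dataCollectionRuleAssociations@2022-06-01' = {
  name: 'dcra-${vmName}'
  scope: vm
  properties: {
    dataCollectionRuleId: dcr.id
  }
}

output dataCollectionRuleId string = dcr.id
```

Deploy it with `az deployment group create -g <resource-group> -f dcr.bicep -p workspaceResourceId=<workspace-id> vmName=<vm>`. The XPath filters are the cost control: the agent drops non-matching events before upload, so only critical/error events and failed logons are billed as ingested data.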

145
MCQeasy

Your company is deploying Microsoft Entra ID Governance and needs to ensure that guest users' access to internal applications expires after 90 days. Which feature should you configure?

A.Privileged Identity Management (PIM)
B.Access reviews
C.Conditional Access policies
D.Entitlement management
AnswerD

Entitlement management allows creating access packages with a specified expiration duration for guest users.

Why this answer

Entitlement management in Microsoft Entra ID Governance lets you create access packages that govern guest user access to internal applications. Each access package has one or more assignment policies, and a policy's expiration setting (for example, 'Number of days' set to 90) gives every assignment a fixed lifetime; when it elapses the assignment is removed automatically and, if the guest holds no other assignments, the guest account itself can be blocked and deleted, all without manual intervention.

Exam trap

The trap here is that candidates reach for Access reviews because reviews can also remove guest access, but a review is a recurring recertification whose outcome depends on the reviewer's decision (or on the 'if reviewers don't respond' setting), not a fixed lifetime. Entitlement management's assignment-policy expiration is the automated, policy-driven 90-day expiry the question explicitly requires.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time activation of privileged roles (and, with PIM for Groups, time-bound group membership), not for managing the expiration of guest user access to applications. Option B is wrong because Access reviews provide periodic attestation of access; results can be applied automatically, but removal depends on the review outcome, not on a fixed duration such as 90 days. Option C is wrong because Conditional Access policies enforce real-time access controls based on conditions (e.g., location, device state); they cannot expire or remove an access assignment after a set period.

146
MCQeasy

A company uses Microsoft Entra ID P2. They want to automatically block sign-ins from malicious IP addresses and require users to perform multi-factor authentication (MFA) when signing in from untrusted locations. Which Microsoft Entra ID feature should they use?

A.Conditional Access policies
B.Identity Protection
C.Privileged Identity Management
D.Access Reviews
AnswerB

Identity Protection provides risk detections (like malicious IPs) and risk-based conditional access policies to auto-block or require MFA.

Why this answer

Identity Protection (option B) is the correct feature because it uses machine learning and heuristics to classify sign-ins by risk, using detections such as 'Malicious IP address', 'Anonymous IP address', 'Atypical travel' and 'Unfamiliar sign-in properties'. Its risk-based policies, configured today as Conditional Access policies with the sign-in risk condition, can block access above a chosen risk level and require MFA at lower levels; combined with named locations in Conditional Access, sign-ins from untrusted locations can be made to require MFA. Identity Protection is the only option that supplies the risk signal the question needs, so it is the feature to choose even though Conditional Access is the enforcement point.

Exam trap

The trap here is that candidates often confuse Conditional Access (the policy engine) with the risk detection source, forgetting that Identity Protection provides the risk signals (like malicious IPs) that Conditional Access then enforces.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies enforce access controls based on conditions like location or device state; named locations can block a static list of IP ranges, but Conditional Access does not detect malicious IPs on its own and relies on Identity Protection for the sign-in risk signal. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not sign-in risk detection or MFA enforcement from untrusted locations. Option D is wrong because Access Reviews are used to audit and recertify group memberships, role assignments or access packages periodically, not to block sign-ins or enforce MFA based on real-time risk.

147
MCQhard

Refer to the exhibit. You deploy this Azure Monitor scheduled query rule to alert when CPU usage exceeds 90% for sustained periods. However, alerts are not firing even when the condition is met. What is the most likely cause?

A.The KQL query syntax is incorrect and returns no results.
B.The action group is not configured with a valid email address.
C.The evaluation frequency is too short compared to the window size.
D.The threshold of 5 with 'Count' aggregation requires more than 5 data points above 90% in the window, which may not be happening.
AnswerD

The alert condition is too strict; it requires >5 occurrences in 15 minutes.

Why this answer

Option D is correct because the alert rule uses the 'Count' aggregation with a threshold of 5, so the measured value is the number of rows the query returns in the evaluation window (each row being a sample above 90% CPU), and the rule fires only when that number is greater than 5. If sustained high CPU produces 5 or fewer such rows in the window (for example, a counter sampled every 5 minutes yields at most 3 samples in 15 minutes), the condition is never met and the alert never fires. This is a common misconfiguration: the count threshold is set without checking how many data points the sampling interval can actually produce in the window.

Exam trap

Microsoft often tests the misconception that any sustained high metric value will trigger an alert, ignoring how the 'Count' aggregation and threshold value interact with the number of data points in the evaluation window.

How to eliminate wrong answers

Option A is wrong because the query is validated when the rule is saved, so a syntactically broken query would not have deployed; the question states the rule is deployed and running. A valid query that returns too few rows is a data problem, which is what option D describes. Option B is wrong because the action group only determines who is notified; the alert still fires and changes state even if the action group's email address is invalid. Option C is wrong because the only constraint is that the evaluation frequency must not exceed the window size; a frequency shorter than the window just means overlapping evaluations, which makes firing more likely, not less.
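As an added example (the exhibit itself is not reproduced on this page, and this is not the page's own code), the two Bicep scheduled query rules below show the count-based condition the question describes next to a corrected rule that compares the average counter value instead. The 'Count' threshold of 5 and the 15-minute window follow the question text; the evaluation frequency, the 5-minute sampling interval assumed in the comments, and all names and resource IDs are assumptions.

```bicep
// Added example, not the exhibit from the original page: two Azure Monitor scheduled
// query rules in Bicep. Assumed: the Log Analytics workspace and an action group
// already exist and are passed in by resource ID; the CPU counter is sampled every
// 5 minutes; evaluation frequency and names are illustrative.

param workspaceResourceId string
param actionGroupId string
param location string = resourceGroup().location

// Every row returned is one CPU sample above 90%. With a 5-minute sampling interval a
// 15-minute window holds at most 3 rows, so 'Count > 5' is never satisfied.
var cpuRowsOver90 = '''
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
| where CounterValue > 90
'''

resource countRule 'Microsoft.Insights/scheduledQueryRules@2023-03-15-preview' = {
  name: 'cpu-over-90-count'
  location: location
  properties: {
    displayName: 'CPU over 90% (count-based, never fires at 5-minute sampling)'
    severity: 2
    enabled: true
    scopes: [ workspaceResourceId ]
    evaluationFrequency: 'PT5M'
    windowSize: 'PT15M'
    criteria: {
      allOf: [
        {
          query: cpuRowsOver90
          timeAggregation: 'Count' // measured value = number of rows in the window
          operator: 'GreaterThan'
          threshold: 5 // needs more than 5 rows, i.e. more samples than exist
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    actions: { actionGroups: [ actionGroupId ] }
  }
}

// Corrected rule: return all samples and let the rule average CounterValue over the
// window, so "sustained above 90%" no longer depends on how many samples exist.
resource averageRule 'Microsoft.Insights/scheduledQueryRules@2023-03-15-preview' = {
  name: 'cpu-over-90-average'
  location: location
  properties: {
    displayName: 'CPU over 90% (15-minute average per computer)'
    severity: 2
    enabled: true
    scopes: [ workspaceResourceId ]
    evaluationFrequency: 'PT5M'
    windowSize: 'PT15M'
    criteria: {
      allOf: [
        {
          query: '''
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total"
| project TimeGenerated, Computer, CounterValue
'''
          metricMeasureColumn: 'CounterValue' // column the rule aggregates
          timeAggregation: 'Average'
          operator: 'GreaterThan'
          threshold: 90
          dimensions: [ { name: 'Computer', operator: 'Include', values: [ '*' ] } ] // one alert per VM
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    actions: { actionGroups: [ actionGroupId ] }
  }
}
```

Before trusting any count-based log alert, run the rule's query over the same window in Log Analytics and compare the row count with the threshold; if the maximum possible number of rows in the window is at or below the threshold, the rule can never fire.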

148
MCQmedium

You are designing a governance strategy for Azure resources. Your organization has multiple departments, each with its own set of Azure subscriptions. You need to enforce consistent policies across all subscriptions, such as allowed resource locations and required tags, while allowing departments to manage their own resources within those constraints. Which Azure service should you use?

A.Azure Blueprints
B.Azure Policy
C.Azure Management Groups
D.Azure Role-Based Access Control (RBAC)
AnswerB

Azure Policy enforces rules on resources at scale.

Why this answer

Azure Policy is the correct service because it enforces organizational standards and compliance rules across all Azure resources, such as allowed locations and required tags, at scale. It applies policies to management groups, subscriptions, or resource groups, ensuring consistent governance while allowing departments to manage their own resources within those constraints. Unlike Azure Blueprints, which deploys a full environment template, Azure Policy focuses solely on rule enforcement and remediation.

Exam trap

The trap here is confusing Azure Policy with Azure Blueprints, as both involve governance, but Blueprints packages a one-time deployment of artifacts (templates, role assignments, policy assignments) while Policy provides ongoing rule enforcement and compliance auditing. Blueprints is also deprecated and scheduled for retirement in July 2026 in favor of template specs and deployment stacks, so it will not be the intended answer for an ongoing-governance requirement.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used to deploy a repeatable set of Azure resources and policies as a package (e.g., ARM templates, RBAC assignments), but it does not enforce ongoing compliance or prevent non-compliant resources from being created after deployment. Option C is wrong because Azure Management Groups provide a hierarchical structure for organizing subscriptions and applying policies at scale, but they are not the service that enforces rules; they are the container for policy assignment. Option D is wrong because Azure Role-Based Access Control (RBAC) manages who can perform actions on resources (authorization), not what resource configurations are allowed (compliance); RBAC cannot enforce tag requirements or restrict resource locations.

149
MCQmedium

You are designing a governance strategy for a new Azure subscription. The security team requires that all resources must have a 'CostCenter' tag and an 'Environment' tag. Which Azure policy effect should you use to automatically apply the tags to new resources?

A.audit
B.modify
C.deny
D.deployIfNotExists
AnswerB

modify can automatically add or replace tags during resource creation or update.

Why this answer

The 'modify' effect is correct because it changes the resource request itself: when a resource is created or updated, the policy engine adds the specified tags (or, with the addOrReplace operation, overwrites them) before the resource is written, so the resource is compliant from its first write and no separate deployment is needed. Resources that already existed before the assignment are only changed when a remediation task is run. Because modify writes to resources, the policy assignment needs a managed identity that holds the roles listed in the definition's roleDefinitionIds.

Exam trap

The trap here is the 'deployIfNotExists' versus 'modify' distinction. Both act through a managed identity, but deployIfNotExists runs a separate ARM template deployment after the resource already exists (for new resources roughly 15 minutes after creation, and for pre-existing resources only through a remediation task), whereas modify alters the request inline as the resource is created or updated, which is what 'automatically apply the tags to new resources' describes.

How to eliminate wrong answers

Option A is wrong because 'audit' only records the missing tags as non-compliance in the compliance results and changes nothing. Option C is wrong because 'deny' rejects the request when the tags are missing, so the resource is never created; it enforces the rule but does not apply the tags. Option D is wrong because 'deployIfNotExists' is built for deploying related resources (diagnostic settings, extensions) with a template after the resource exists; it acts with a delay rather than inline, pre-existing resources need a remediation task, and setting tags is not its purpose, whereas 'modify' is the effect designed for inline tag and property changes.
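The following Bicep template is an added example, not code from the original page, of the modify effect applied to the two tags the question names: a custom policy definition, a subscription-scope assignment with a system-assigned identity, and the role assignment that identity needs. The default tag values, resource names and the choice of the built-in Contributor role are assumptions; a narrower built-in role that can write tags would also satisfy roleDefinitionIds.

```bicep
// Added example, not code from the original page: Azure Policy 'modify' effect that
// adds CostCenter and Environment tags inline on create/update. Assumed: deployed at
// subscription scope; default tag values are placeholders; the assignment identity is
// granted the built-in Contributor role so that modify can write tags.
targetScope = 'subscription'

@description('Default CostCenter tag value (assumed placeholder)')
param costCenter string = 'CC-0000'

@description('Default Environment tag value (assumed placeholder)')
param environment string = 'dev'

param location string = deployment().location

// Built-in Contributor role (well-known ID); any role able to write tags would do
var contributorRoleGuid = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
var contributorRoleId = '/providers/Microsoft.Authorization/roleDefinitions/${contributorRoleGuid}'

resource addTags 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'add-costcenter-environment-tags'
  properties: {
    displayName: 'Add CostCenter and Environment tags when missing'
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support tags
    parameters: {
      costCenter: { type: 'String' }
      environment: { type: 'String' }
    }
    policyRule: {
      if: {
        anyOf: [
          { field: 'tags[\'CostCenter\']', exists: 'false' }
          { field: 'tags[\'Environment\']', exists: 'false' }
        ]
      }
      then: {
        effect: 'modify'
        details: {
          roleDefinitionIds: [ contributorRoleId ]
          operations: [
            // 'add' leaves an existing value untouched; 'addOrReplace' would overwrite it
            { operation: 'add', field: 'tags[\'CostCenter\']', value: '[parameters(\'costCenter\')]' }
            { operation: 'add', field: 'tags[\'Environment\']', value: '[parameters(\'environment\')]' }
          ]
        }
      }
    }
  }
}

// The assignment needs an identity because modify writes to the resource request
resource assignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'add-required-tags'
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    displayName: 'Add required tags (modify)'
    policyDefinitionId: addTags.id
    parameters: {
      costCenter: { value: costCenter }
      environment: { value: environment }
    }
  }
}

// Grant the assignment identity the role named in roleDefinitionIds
resource identityRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(subscription().id, assignment.name, contributorRoleGuid)
  properties: {
    principalId: assignment.identity.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleGuid)
    principalType: 'ServicePrincipal'
  }
}
```

Deploy with `az deployment sub create -l <region> -f tags.bicep`. New and updated resources get the tags inline; resources that existed before the assignment stay non-compliant until a remediation task (`az policy remediation create`) is run against the assignment.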

150
Multi-Selectmedium

Your organization uses Azure Monitor to collect metrics from Azure resources. You need to create a custom metric alert that triggers when the average CPU usage of a specific virtual machine exceeds 80% for 10 minutes. Which TWO components are required? (Choose two.)

Select 2 answers
A.Metric alert rule
B.Automation runbook
C.Action group
D.Log Analytics workspace
E.Diagnostic setting
AnswersA, C

The metric alert rule defines the resource, metric, condition (avg CPU > 80%), and evaluation frequency.

Why this answer

Option A is correct because the metric alert rule is the object that holds the target VM, the Percentage CPU metric, the Average aggregation, the > 80 threshold, the 10-minute aggregation granularity (window) and the evaluation frequency. Option C is correct because an action group defines what happens when the rule fires: who is notified (email, SMS, push, voice) and any automated response (webhook, Logic App, Automation runbook). Without one the alert changes state but nobody is told.

How to eliminate wrong answers

Option B is wrong because an Automation runbook is optional; if automated remediation is wanted it is triggered from the action group, it is not a prerequisite for the alert. Option D is wrong because platform metrics such as Percentage CPU are emitted to the Azure Monitor metrics store automatically; a Log Analytics workspace is only involved if you build a log (scheduled query) alert instead. Option E is wrong because a diagnostic setting routes platform logs and metrics to other destinations (workspace, storage account, Event Hubs); a metric alert evaluates the metrics store directly and needs no diagnostic setting.
