CCNA Secure identity and access Questions

55 of 130 questions · Page 2/2 · Secure identity and access · Answers revealed

76 · Multi-Select · easy

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

Select 2 answers
A. Certificate-based authentication (CBA)
B. Security questions
C. Smart card with PIN
D. OAuth 2.0 authorization code flow
E. SMS-based one-time passcode
Answers: A, E

Supported for federated domains.

Why this answer

Certificate-based authentication (CBA) is a supported authentication method in Microsoft Entra ID that allows users to authenticate using X.509 certificates issued by a trusted Certificate Authority (CA). This method is commonly used for passwordless authentication, especially in hybrid environments where smart cards or device certificates are deployed. Entra ID validates the certificate chain and maps the certificate to a user object, enabling secure sign-in without a password.

Exam trap

The trap here is that candidates often confuse authentication methods with authorization protocols (like OAuth 2.0) or confuse legacy on-premises methods (like security questions) with cloud-supported methods in Entra ID, leading them to select options that are not actual authentication methods in the Microsoft Entra ID context.

77 · MCQ · medium

Your company deploys Microsoft Sentinel for security operations. You need to configure just-in-time (JIT) access for Azure VMs. Which Azure security feature should you integrate with Sentinel?

A. Microsoft Defender for Cloud
B. Azure Policy
C. Azure Firewall
D. Microsoft Entra Privileged Identity Management
Answer: A

Defender for Cloud includes JIT VM access that integrates with Sentinel.

Why this answer

Microsoft Defender for Cloud provides the just-in-time (JIT) VM access capability, which can be integrated with Microsoft Sentinel to enable automated threat response. When a security incident is detected in Sentinel, a playbook can trigger Defender for Cloud to lock down or open specific ports (e.g., RDP 3389, SSH 22) for a defined time window, reducing the attack surface. This integration relies on Defender for Cloud's JIT policy applied at the subscription or VM level, not on external network controls or identity governance.

Exam trap

The trap here is that candidates confuse just-in-time network access (JIT VM access) with just-in-time privileged role activation (PIM), because both use the term 'just-in-time' but operate at completely different layers—network vs. identity.

How to eliminate wrong answers

Option B (Azure Policy) is wrong because Azure Policy enforces compliance rules (e.g., requiring JIT to be enabled) but does not itself grant or manage time-bound network access; it is a governance tool, not an access control mechanism. Option C (Azure Firewall) is wrong because Azure Firewall is a managed network firewall that filters traffic at the perimeter, but JIT access is a VM-level network security group (NSG) feature that dynamically modifies NSG rules, not a firewall rule. Option D (Microsoft Entra Privileged Identity Management) is wrong because PIM manages just-in-time privileged role activation for Azure AD roles and Azure resource roles (e.g., Contributor), not network-level access to VM ports; it controls who can administer resources, not how traffic reaches the VM.

78 · MCQ · medium

Your organization uses Microsoft Entra ID and wants to provide external partners with access to a specific SharePoint Online site. You need to ensure that partners authenticate using their own corporate credentials (SAML/WS-Fed) and that access is automatically revoked when the partner's account is disabled. Which solution should you use?

A. Azure AD B2C
B. Microsoft Entra B2B collaboration with cross-tenant access settings
C. Direct federation
D. SharePoint external sharing
Answer: B

B2B with cross-tenant access settings enables partners to use their own credentials and automatic revocation.

Why this answer

Microsoft Entra B2B collaboration with cross-tenant access settings is the correct solution because it allows external partners to authenticate using their own corporate identity provider via SAML/WS-Fed, and it automatically revokes access when the partner's account is disabled in their home tenant. This is achieved through inbound trust settings that honor the partner tenant's user lifecycle, ensuring that access tokens are invalidated when the external user account is disabled or deleted.

Exam trap

The trap here is that candidates often confuse Azure AD B2C with B2B collaboration, assuming B2C is for any external user, but B2C is specifically for customer identities, not partner federation with automatic lifecycle revocation.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing identity management with social or local accounts, not for B2B partner scenarios requiring SAML/WS-Fed federation with corporate credentials. Option C is wrong because direct federation is a legacy configuration that requires manual setup of federation trusts and does not automatically revoke access when a partner's account is disabled; it lacks the automated lifecycle management provided by cross-tenant access settings. Option D is wrong because SharePoint external sharing only controls sharing links and guest invitations at the site level, not the authentication method or automatic revocation based on the partner's account status.

79 · Multi-Select · medium

Your organization uses Microsoft Entra ID. You need to recommend solutions to reduce the risk of privileged role abuse. Which TWO actions should you recommend? (Choose two.)

Select 2 answers
A. Assign privileged roles permanently to reduce friction.
B. Configure access reviews for privileged roles to run quarterly.
C. Disable sign-in logs for privileged users to reduce noise.
D. Use Privileged Identity Management (PIM) to require approval for role activation.
E. Require all users to use MFA for all applications.
Answers: B, D

Access reviews ensure role assignments are still necessary.

Why this answer

Option D is correct because PIM provides just-in-time access and approval workflows. Option B is correct because access reviews can periodically verify that role assignments are still needed. Option A is wrong because permanent role assignment increases risk.

Option E is wrong because requiring MFA for all users does not target privileged roles. Option C is wrong because disabling sign-in logs reduces visibility.

80 · Multi-Select · hard

Which TWO of the following are required to implement a successful Just-In-Time (JIT) access strategy using Microsoft Entra Privileged Identity Management (PIM) for Azure resources?

Select 2 answers
A. Enable Azure Multi-Factor Authentication for all users in the tenant
B. Create custom RBAC roles for the JIT access
C. Configure role settings to specify activation duration and require approval if needed
D. Assign users as eligible for the roles they need to activate
E. Assign users as permanently active for the roles they need
Answers: C, D

Role settings define the JIT parameters such as maximum activation duration and approval requirements.

Why this answer

Option C is correct because configuring role settings in Microsoft Entra PIM, such as activation duration and requiring approval, is essential to control how and when eligible users activate their JIT access. These settings enforce security policies like time-bound activation and multi-step approval, which are core to a successful JIT strategy.

Exam trap

The trap here is that candidates often confuse enabling MFA tenant-wide (Option A) with PIM's ability to require MFA at activation time, which is a separate setting within the role activation policy, not a prerequisite.

81 · Multi-Select · hard

Which THREE Microsoft Entra ID roles can be assigned to a user to manage Microsoft Defender XDR (formerly Microsoft 365 Defender) incidents? (Choose three.)

Select 3 answers
A. Exchange Administrator
B. Security Administrator
C. Global Reader
D. Security Operator
E. Global Administrator
Answers: B, D, E

Security Administrator can manage security policies and incidents.

Why this answer

The Security Administrator role (Option B) can manage Microsoft Defender XDR incidents because it grants full access to security features, including the ability to view, investigate, and respond to incidents in the Microsoft 365 Defender portal. This role is designed for users who need to manage security policies and incidents without having full administrative control over the tenant.

Exam trap

The trap here is that candidates often confuse the Security Reader role with the Security Operator role, or assume that Global Reader (which can view security settings) is sufficient to manage incidents, but only roles with write permissions like Security Administrator, Security Operator, or Global Administrator can actually manage Defender XDR incidents.

82 · MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to implement a solution that automatically detects and remediates identity risks such as leaked credentials and impossible travel. The solution must use built-in Microsoft Entra capabilities without additional licensing beyond Microsoft Entra ID P2. What should you configure?

A. Enable Privileged Identity Management (PIM) for role activation.
B. Create Conditional Access policies requiring MFA for all users.
C. Set up Access Reviews for guest users.
D. Configure Identity Protection policies for sign-in risk and user risk.
Answer: D

Identity Protection detects risks like leaked credentials and impossible travel, and can auto-remediate.

Why this answer

Option D is correct because Identity Protection is a Microsoft Entra ID P2 feature that detects and remediates identity risks automatically. Option B is wrong because Conditional Access policies enforce access decisions but do not detect risks. Option A is wrong because Privileged Identity Management manages privileged roles, not risk detection.

Option C is wrong because Access Reviews are for attesting access, not risk detection.

83 · MCQ · easy

You need to ensure that external users who are invited to your Microsoft Entra ID tenant via B2B collaboration can only access a specific SaaS application. What should you configure?

A. Configure SharePoint Online external sharing settings.
B. Create a Conditional Access policy targeting 'All cloud apps' and include guest users.
C. Create a Conditional Access policy targeting the SaaS application and apply it to 'Guest or external users'.
D. Use Microsoft Entra application proxy.
Answer: C

Restricts access to the specific app for external users.

Why this answer

Option C is correct because a Conditional Access policy can be scoped to a specific SaaS application and applied to 'Guest or external users'. This ensures that only invited B2B collaboration users are subject to the access control for that application, while all other users and apps remain unaffected. The policy enforces authentication and authorization rules exclusively for the targeted SaaS app and guest identity type.

Exam trap

The trap here is that candidates often confuse broad Conditional Access policies (targeting 'All cloud apps') with application-specific policies, mistakenly thinking that including guest users in a blanket policy achieves the same restriction, when in fact it would block or require MFA for guest users across all apps, not just the target SaaS application.

How to eliminate wrong answers

Option A is wrong because SharePoint Online external sharing settings control sharing of documents and sites, not access to a specific SaaS application; they operate at the SharePoint level, not at the Entra ID application layer. Option B is wrong because targeting 'All cloud apps' would apply the policy to every application in the tenant, including Microsoft services and other SaaS apps, which is overly broad and does not restrict access to only the specific SaaS application. Option D is wrong because Microsoft Entra application proxy is used to publish on-premises web applications externally, not to control access for B2B guest users to a SaaS application; it does not provide granular access restriction per application for external identities.

84 · MCQ · medium

Refer to the exhibit. You are analyzing a Conditional Access policy JSON. The policy requires MFA for Office 365 applications. However, users report that they are still able to access Office 365 without MFA. What is the most likely reason?

A. The policy excludes some Office 365 apps
B. The 'grantControls' section is empty
C. The 'authenticationStrength' property is not a valid Conditional Access policy property
D. The policy does not include all users
Answer: C

The correct property is 'grantControls' with 'builtInControls'.

Why this answer

The 'authenticationStrength' property is not a valid property in a Conditional Access policy JSON schema. Conditional Access policies use 'grantControls' with 'builtInControls' (e.g., 'mfa') to enforce MFA. An unrecognized property like 'authenticationStrength' would be ignored by Azure AD, causing the policy to not enforce MFA as intended.

Exam trap

The trap here is that candidates assume any property in a JSON snippet is valid, but Azure AD silently ignores unrecognized properties, so the policy does not enforce MFA despite appearing correctly configured.

How to eliminate wrong answers

Option A is wrong because excluding some Office 365 apps would still require MFA for the included apps, not allow all Office 365 access without MFA. Option B is wrong because an empty 'grantControls' section would cause the policy to fail validation or not apply, but the JSON shown does not have an empty 'grantControls'; the issue is the invalid property. Option D is wrong because not including all users would only exempt those specific users, but the policy would still enforce MFA for included users; the reported behavior is that all users can bypass MFA, indicating a policy-wide failure.

85 · Multi-Select · medium

Which TWO of the following are valid configurations for Microsoft Entra ID Conditional Access policies?

Select 2 answers
A. Include all users and exclude specific groups
B. Force password change on next sign-in
C. Target a specific cloud application
D. Block access for users without MFA registered
E. Assign licenses to users based on location
Answers: A, C

Valid assignment.

Why this answer

Option A is correct because Conditional Access policies allow you to include all users as a baseline and then exclude specific groups (e.g., break-glass emergency accounts) to ensure critical access is never blocked. Option C is correct because you can target a specific cloud application (e.g., Microsoft Azure Management, SharePoint Online) to apply granular access controls only to that app, leaving other apps unaffected.

Exam trap

The trap here is that candidates confuse user risk remediation actions (like forcing a password change) with Conditional Access grant controls, or mistakenly think that Conditional Access can directly enforce MFA registration or license assignment, which are separate administrative functions.

86 · MCQ · medium

Your company uses Microsoft Entra ID with a hybrid identity model. You need to implement a solution that allows you to block legacy authentication attempts while still allowing modern authentication protocols. What should you use?

A. Create a Conditional Access policy to block legacy authentication
B. Enable Security defaults
C. Use Identity Protection to detect legacy authentication
D. Configure MFA for all users
Answer: A

Conditional Access can block legacy authentication while allowing modern authentication protocols.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to explicitly block legacy authentication protocols (such as POP3, IMAP, SMTP, and basic auth) while permitting modern authentication (OAuth 2.0, OpenID Connect). By targeting the 'Client apps' condition and selecting 'Exchange ActiveSync clients' and 'Other clients', you can block all legacy auth attempts without affecting modern protocol traffic. This is the precise, granular control required for a hybrid identity model.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based detection with the ability to block legacy authentication, or assume that enabling MFA alone will prevent legacy auth, when in fact legacy clients can still authenticate with just a password if the protocol is not explicitly blocked.

How to eliminate wrong answers

Option B is wrong because Security defaults enforce a blanket set of security baselines (including blocking legacy authentication for all users) but cannot be customized; they would block legacy auth for all users without the ability to selectively allow modern protocols or exclude specific accounts. Option C is wrong because Identity Protection detects and responds to risky sign-ins (e.g., leaked credentials, anonymous IP addresses) but does not block legacy authentication protocols; it is a risk-based detection tool, not a protocol-level enforcement mechanism. Option D is wrong because configuring MFA for all users forces multifactor authentication but does not inherently block legacy authentication; legacy clients that do not support MFA would still be able to authenticate using basic auth unless explicitly blocked.

87 · Multi-Select · easy

Which TWO of the following are valid methods to authenticate users in Microsoft Entra ID?

Select 2 answers
A. SMS text message one-time passcode
B. Certificate-based authentication
C. Password hash synchronization
D. Facebook account federation
E. Hardware OTP tokens
Answers: B, C

Certificate-based authentication is supported for smart card and certificate-based logins.

Why this answer

Certificate-based authentication (CBA) is a valid method in Microsoft Entra ID that allows users to authenticate using X.509 certificates issued by a trusted public key infrastructure (PKI). This method is commonly used for smart card or device-based authentication, and it supports both user and device scenarios without requiring passwords.

Exam trap

The trap here is that candidates often confuse multi-factor authentication methods (like SMS OTP or hardware tokens) with primary authentication methods, leading them to incorrectly select options that are only valid as secondary factors.

88 · MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users accessing sensitive data from unmanaged devices are required to use a compliant device. What should you configure?

A. Configure a device registration policy
B. Configure a Conditional Access policy that requires that the device be marked as compliant
C. Configure an Identity Protection policy for user risk
D. Configure a Conditional Access policy that requires multi-factor authentication
Answer: B

This enforces device compliance for access to sensitive data.

Why this answer

Option B is correct because Conditional Access policies can enforce device compliance requirements. Option D is incorrect because MFA alone does not enforce device compliance. Option C is incorrect because Identity Protection focuses on risk, not device state.

Option A is incorrect because device registration does not enforce compliance checks.

89 · MCQ · hard

A company uses Microsoft Entra ID and has an application registered that exposes scopes. An external partner organization needs to authenticate and access a specific scope. The partner's tenant is not federated. What is the most secure way to provide access without creating user accounts?

A. Set the application to be multitenant and allow any user to sign in
B. Create a service principal and share the client secret
C. Create guest users in the tenant and assign licenses
D. Configure an enterprise application with 'Users and groups' assignment and set 'Assignment required?' to Yes
Answer: D

This allows external users to authenticate without dedicated user accounts.

Why this answer

The correct answer is D: configure an enterprise application with 'Users and groups' assignment and set 'Assignment required?' to Yes. This allows the partner to authenticate via their own credentials without creating user accounts. Option C is wrong because it creates guest users.

Option B is wrong because sharing the client secret bypasses access control. Option A is wrong because it exposes the app to all users.

90 · Multi-Select · medium

Which THREE of the following are valid methods to secure service principals in Microsoft Entra ID?

Select 3 answers
A. Use certificate-based credentials instead of client secrets
B. Assign the service principal to the Global Administrator role to monitor its activity
C. Configure Conditional Access for workload identities to restrict sign-in conditions
D. Enable Azure Multi-Factor Authentication for the service principal sign-in
E. Use Managed Identities for Azure resources to avoid managing credentials
Answers: A, C, E

Certificates provide stronger security than client secrets.

Why this answer

A, C, and E are correct. Option A is correct because certificate-based credentials are more secure than client secrets. Option E is correct because a managed identity is an identity for Azure resources that removes the need to manage credentials; it is not a matter of assigning roles to a service principal. Option B is wrong because assigning a highly privileged role such as Global Administrator to a service principal is not a way to secure it.

Option D is wrong because enabling MFA for service principals is not supported; service principals are non-interactive. Option C is correct because Conditional Access for workload identities can restrict service principal access based on conditions.

91 · MCQ · medium

You manage a Microsoft Entra ID tenant for a multinational company. Users in the European office report that they cannot access the company's custom line-of-business application during peak hours, while users in the US office have no issues. The application uses OAuth 2.0 authentication with Conditional Access policies applied. What is the most likely cause?

A. The application's service principal has been accidentally disabled in the European tenant location.
B. The Conditional Access policy requires compliant devices, and European devices are taking longer to report compliance during peak hours.
C. The Conditional Access policy requires multi-factor authentication for all users, and the MFA session token expired for European users.
D. The token lifetime policy for the application is set too low, causing European users to reauthenticate more frequently.
Answer: B

Device compliance checks can be delayed due to network load, affecting access.

Why this answer

Option B is correct because users in different regions may experience different authentication latency if the Conditional Access policy is configured to require compliant devices, and the device compliance evaluation may take longer during peak hours due to network congestion. Option C is wrong because MFA timeout is typically uniform per policy. Option D is wrong because token lifetime policies are applied globally.

Option A is wrong because a service principal being disabled, like session revocation, is not triggered by peak hours.

92 · MCQ · easy

Your organization wants to ensure that users accessing Office 365 from outside the corporate network must use MFA. What is the most efficient way to enforce this?

A. Enable MFA for all users in Microsoft Entra ID.
B. Create a Conditional Access policy for all cloud apps with location condition.
C. Use Conditional Access with device compliance condition.
D. Create a Conditional Access policy for Office 365 with location condition and require MFA.
Answer: D

Efficiently applies MFA only for external access.

Why this answer

Option D is correct because it specifically targets Office 365 cloud apps and uses the location condition to restrict MFA enforcement to access from outside the corporate network. This is the most efficient approach as it applies only to the relevant application and network location, minimizing user friction while meeting the requirement exactly.

Exam trap

The trap here is that candidates often choose a broad policy (Option B) thinking it covers all scenarios, but the question specifically asks for Office 365, so the most efficient solution targets only that app to avoid unnecessary MFA prompts on other cloud services.

How to eliminate wrong answers

Option A is wrong because enabling MFA for all users globally forces MFA on every sign-in, including from inside the corporate network, which is overly broad and inefficient. Option B is wrong because creating a Conditional Access policy for all cloud apps with a location condition would enforce MFA on every cloud app (e.g., Azure Portal, Dynamics 365), not just Office 365, which is unnecessary and may disrupt non-Office 365 workflows. Option C is wrong because using a device compliance condition enforces MFA based on device health rather than network location, failing to address the specific requirement of enforcing MFA only for external access.

93 · MCQ · medium

You are the security administrator for a company that is integrating a third-party SaaS application (AppA) with Microsoft Entra ID for single sign-on (SSO). The application requires the following permissions: read all users, read all groups, and sign in users. The security team is concerned about over-privileged applications. They require that:
- The application must not be able to read users or groups without an admin's explicit consent.
- Users should be able to sign in to the application without admin consent for basic profile access.
- Admin consent must be granted only for the minimal permissions required.
- You must be able to review and audit all permissions granted to applications.
What should you do?

A. In Microsoft Entra ID, configure user consent settings to require admin consent for permissions classified as 'high risk' (e.g., User.Read.All, Group.Read.All). Allow user consent for low-risk permissions. Grant admin consent for the required Graph permissions.
B. Allow user consent for all permissions. Grant admin consent for Graph permissions.
C. Block all user consent and require admin consent for all permissions. Grant admin consent for all required permissions.
D. Block all OAuth 2.0 applications and use SAML-based SSO instead.
Answer: A

This meets requirements by allowing user consent for basic profile and requiring admin consent for high-risk permissions.

Why this answer

Option A is correct because you can configure user consent settings to require admin consent for high-risk permissions (User.Read.All, Group.Read.All) while allowing user consent for low-risk permissions like profile access. Admin consent must be granted for Graph permissions. Option C is wrong because blocking all user consent would prevent users from signing in for basic profile access.

Option B is wrong because allowing all user consent would allow users to consent to high-risk permissions. Option D is wrong because blocking all OAuth apps is too restrictive.

94 · MCQ · hard

Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?

A. Privileged Identity Management (PIM) with approval workflow
B. Conditional Access with session controls
C. Continuous Access Evaluation (CAE)
D. Identity Protection with sign-in risk policy
Answer: C

Provides real-time token validation and policy enforcement.

Why this answer

Continuous Access Evaluation (CAE) is the correct feature because it enforces real-time access revocation based on critical events such as user behavior changes (e.g., account disablement, password change) and device posture shifts (e.g., device non-compliance). Unlike periodic token validation, CAE uses a near-real-time event-driven model via the Microsoft Entra ID event service and OAuth 2.0 token claims to immediately block access to sensitive applications when risk is detected.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls (which are applied only at initial sign-in) with Continuous Access Evaluation (which provides real-time, event-driven enforcement throughout the session), leading them to choose Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) with approval workflow manages just-in-time privileged role activation and requires manual approval; it does not evaluate user behavior or device posture in real-time for every access request. Option B is wrong because Conditional Access with session controls enforces policies at initial authentication and can apply session restrictions (e.g., app-enforced restrictions), but it does not provide continuous real-time evaluation after token issuance; it relies on token lifetime and does not react to mid-session changes in user behavior or device posture. Option D is wrong because Identity Protection with sign-in risk policy evaluates risk only at sign-in time based on historical signals and machine learning models; it does not continuously monitor user behavior or device posture during an active session.

95 · Multi-Select · easy

Which THREE of the following are recommended practices for securing administrative accounts in Microsoft Entra ID?

Select 3 answers
A. Use separate administrative accounts for day-to-day administration
B. Require multi-factor authentication (MFA) for all administrative accounts via Conditional Access
C. Create break-glass accounts that are excluded from MFA policies
D. Register all administrative accounts for self-service password reset (SSPR)
E. Assign Global Administrator role permanently to all IT staff
Answers: A, B, C

Separate accounts limit exposure of privileged credentials.

Why this answer

A, B, and C are correct. Option C is correct because break-glass accounts should be excluded from MFA to ensure access during emergencies. Option A is correct because using dedicated admin accounts reduces risk.

Option D is wrong because registering all admins for self-service password reset is not a security practice for admin accounts. Option E is wrong because permanent assignment defeats JIT. Option B is correct because Conditional Access should require MFA for admins.

96 · Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Entra ID Protection?

Select 3 answers
A. Enforce device compliance via Intune
B. Manage FIDO2 security keys
C. Configure risk-based conditional access policies
D. Detect leaked credentials
E. Identify sign-ins from anonymous IP addresses (e.g., Tor)
Answers: C, D, E

Integrates with Conditional Access to enforce risk-based policies.

Why this answer

Microsoft Entra ID Protection is a security service that detects identity-based risks and automates remediation. It specifically identifies sign-ins from anonymous IP addresses (e.g., Tor) by analyzing the IP address against known proxy and VPN lists, and it detects leaked credentials by cross-referencing user credentials against publicly available breach databases. These risk detections can then be used to configure risk-based Conditional Access policies, such as requiring multi-factor authentication when a sign-in risk level is medium or high.

Exam trap

The trap here is that candidates confuse the management of authentication methods (like FIDO2 keys) with the risk detection and automated remediation capabilities of Entra ID Protection, which are separate functional areas within Microsoft Entra ID.

97 · MCQ · hard

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM) to manage roles. You need to ensure that when a user activates a role, the activation is automatically approved only if the user's manager approves within 30 minutes. If the manager does not respond, the activation is denied. What configuration should you implement?

A. Enable just-in-time access for the role and configure a group approval with a 30-minute timeout.
B. Configure the role settings to require approval, set the maximum activation duration to 30 minutes, and add the user's manager as an approver.
C. Create an approval workflow in Microsoft Entra ID that assigns the manager as the approver and set a timeout of 30 minutes.
D. Configure the role settings to require approval and set the approval timeout to 0 minutes.
Answer: B

This ensures the manager must approve within the activation window, or the request expires.

Why this answer

Option B is correct because in Microsoft Entra ID PIM, role settings allow you to require approval and specify approvers, including the user's manager via the 'Manager as approver' option. The maximum activation duration setting controls how long the role is active after approval, whereas the approval timeout (which defaults to 1 hour) is adjusted via the 'Approval timeout' setting in the role settings. The question's requirement for a 30-minute limit on the approval response itself is therefore met by setting the 'Approval timeout' to 30 minutes, not by changing the activation duration. The correct configuration is to require approval, add the manager as an approver, and set the approval timeout to 30 minutes, which matches the described behavior.

Exam trap

The trap here is confusing the 'Maximum activation duration' (how long the role is active after approval) with the 'Approval timeout' (how long the approver has to respond), leading candidates to incorrectly set the activation duration to 30 minutes instead of the approval timeout.

How to eliminate wrong answers

Option A is wrong because enabling just-in-time access and configuring a group approval with a 30-minute timeout does not specifically assign the user's manager as the approver; group approval requires a predefined group, not dynamic manager assignment. Option C is wrong because creating an approval workflow in Microsoft Entra ID is not a native PIM feature; PIM uses role settings for approval, not separate workflows, and the timeout must be configured in the role settings, not in a workflow. Option D is wrong because setting the approval timeout to 0 minutes would cause the approval request to expire immediately, not wait 30 minutes for the manager's response, and it does not specify the manager as the approver.

98
MCQ · hard

You work for a software development company that uses GitHub Enterprise and Microsoft Entra ID for identity management. Developers need to access Azure resources from their CI/CD pipelines. You need to configure secure authentication for these service principals used in pipelines. The requirements are:

- No client secrets should be used because they can be leaked.
- The authentication method must be automatically rotated.
- The service principal must have access only to a specific resource group.
- You need to monitor and alert if the service principal is used outside of the expected geographic region.

Which of the following is the most appropriate solution?

A. Create a service principal with a certificate-based credential. Assign the service principal the Contributor role at the resource group scope. Use a custom script to rotate the certificate monthly.
B. Use a user-assigned managed identity and configure PIM to require approval for each pipeline run. Assign the identity the Contributor role at the resource group scope.
C. Use a system-assigned managed identity for the Azure resource running the pipeline. Assign the managed identity the Contributor role at the resource group scope. Configure Conditional Access for workload identities to block sign-ins from unexpected geographic regions.
D. Create a service principal and use OAuth 2.0 client credentials grant with a client secret stored in Azure Key Vault. Assign the service principal the Contributor role at the resource group scope. Use Key Vault access policies to control secret access.
Answer: C

Managed identities provide automatic credential rotation and no secrets. Conditional Access for workload identities can enforce location-based policies.

Why this answer

Option C is correct. Managed identities for Azure resources eliminate secrets and are automatically rotated. They can be scoped to a resource group via RBAC.

Conditional Access for workload identities can restrict access based on location. Option A is wrong because certificate-based authentication still requires managing certificates. Option D is wrong because OAuth 2.0 with client credentials uses client secrets.

Option B is wrong because PIM is for user identities, not workload identities.

99
MCQ · medium

Your company uses Microsoft Entra ID and Microsoft Sentinel. You need to detect when a user account is created outside of normal business hours (9 AM - 5 PM local time) and automatically suspend the account. What should you use?

A. Configure a session policy in Microsoft Defender for Cloud Apps
B. Configure an access review in Privileged Identity Management
C. Create an analytics rule in Microsoft Sentinel that triggers on user creation events and runs a playbook to disable the account
D. Configure a risk detection policy in Microsoft Entra ID Identity Protection
Answer: C

Sentinel can detect and respond to user creation events outside business hours.

Why this answer

Option C is correct because Microsoft Sentinel analytics rules can be configured to trigger on specific log events (such as user creation from Azure Active Directory audit logs) and then execute a playbook (an automated workflow in Azure Logic Apps) to perform actions like disabling the account. This directly meets the requirement to detect user creation outside business hours and automatically suspend the account.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel's analytics rules with Microsoft Entra ID Identity Protection policies, but Identity Protection cannot detect user creation events or automate account suspension based on time-based conditions.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps session policies control real-time access behavior (e.g., blocking downloads) but cannot trigger on user creation events or automate account suspension. Option B is wrong because Privileged Identity Management access reviews are periodic attestation processes for privileged roles, not real-time detection or automated suspension of newly created user accounts. Option D is wrong because Microsoft Entra ID Identity Protection risk detection policies focus on sign-in and user risk (e.g., leaked credentials, impossible travel) and do not detect user creation events or support automated account suspension based on creation time.

100
MCQ · medium

You are designing a secure access solution for an Azure App Service web application. The application uses Microsoft Entra ID for authentication. You need to ensure that only users from specific partner organizations can access the app. Which configuration should you use?

A. Use a custom domain for the app
B. Configure the app to accept tokens from the partner tenants as external identity providers
C. Block all external users
D. Require multi-factor authentication for all users
Answer: B

This enables B2B collaboration with partner tenants.

Why this answer

Option B is correct because Azure App Service can be configured to accept tokens from multiple Microsoft Entra ID tenants as external identity providers. This allows users from specific partner organizations to authenticate using their own Entra ID tenant, while the app validates the tokens and grants access only to those partner tenants you explicitly trust.

Exam trap

The trap here is that candidates often confuse 'external identity providers' with 'blocking external users' or 'MFA', not realizing that the correct approach is to explicitly allow specific partner tenants as identity providers rather than applying a blanket security policy.

How to eliminate wrong answers

Option A is wrong because using a custom domain for the app only changes the app's URL and does not control which identity providers or tenants can authenticate users. Option C is wrong because blocking all external users would prevent access from partner organizations entirely, which contradicts the requirement to allow specific partner users. Option D is wrong because requiring multi-factor authentication for all users enhances security but does not restrict access to specific partner tenants; it applies to all authenticated users regardless of their origin.

101
MCQ · easy

Your organization uses Microsoft Entra ID. The security team wants to ensure that users cannot reuse the last five passwords. Which feature should you configure?

A. Password expiration policy
B. Multifactor authentication
C. Password Protection
D. Self-service password reset
Answer: A

Password expiration policy can set password history to remember last 5 passwords.

Why this answer

Option A is correct because password expiration policy can enforce password history to prevent reuse. Option D is wrong because SSPR is for self-reset. Option C is wrong because Password Protection blocks weak passwords.

Option B is wrong because MFA adds a second factor.

102
MCQ · medium

Refer to the exhibit. A user's sign-in to Azure Portal failed MFA. The risk level is medium due to leaked credentials. Conditional Access was not applied. What is the most likely reason for MFA failure?

A. The user's credentials were compromised, leading to a failed MFA attempt possibly due to incorrect code.
B. The user's password was leaked, and the sign-in was blocked by a risk-based policy.
C. The user did not have MFA registered, so the MFA attempt failed.
D. Conditional Access policy required MFA but was not applied due to licensing issue.
Answer: A

Leaked credentials indicate compromise; MFA failure could be due to user not having MFA set up correctly or token issue.

Why this answer

The user had leaked credentials (leakedCredentials risk event), which indicates their password was compromised. Even though MFA was required, the attempt failed. The MFA failure is most likely because the user did not complete MFA successfully, not because MFA was not configured.

Conditional Access not applied (ConditionalAccessStatus: notApplied) means no Conditional Access policy enforced MFA; the MFA requirement therefore came from per-user MFA rather than a risk-based policy, which also rules out the sign-in having been blocked by a risk policy. The leaked credentials risk event indicates the user's credentials are compromised, and the MFA failure could stem from the user not having MFA registered correctly or from a token issue.

The most likely sequence is that MFA was required per user and the user attempted MFA but failed (e.g., entered an invalid code).

Given the risk event, the most probable cause is that the user's credentials were compromised and the MFA failure is due to user error or a token issue.

103
MCQ · medium

Your company has a Microsoft Entra ID tenant and uses Azure AD Application Proxy to publish on-premises web apps. Users report that they are prompted for their password every time they access the app, even though they selected 'Keep me signed in'. You need to improve the sign-in experience without compromising security. What should you configure?

A. Configure conditional access policies to require device compliance
B. Enable Seamless Single Sign-On (SSO) for the domain
C. Enable B2B collaboration for the app
D. Set 'Session lifetime' to 'Permanent' in sign-in frequency
Answer: B

Allows automatic sign-in for domain-joined devices.

Why this answer

Seamless Single Sign-On (SSO) for the domain integrates with Azure AD Application Proxy to automatically authenticate users against on-premises Active Directory without prompting for credentials. This eliminates repeated password prompts while maintaining security by leveraging Kerberos delegation and the user's existing domain session.

Exam trap

The trap here is that candidates often confuse session lifetime settings (Option D) with SSO functionality, thinking that making a session 'permanent' will stop password prompts, when in fact it only extends the token lifetime without addressing the underlying lack of automatic authentication.

How to eliminate wrong answers

Option A is wrong because requiring device compliance via Conditional Access does not address the repeated password prompt; it enforces security posture but does not provide SSO to eliminate credential re-entry. Option C is wrong because B2B collaboration is designed for external guest users, not for improving the sign-in experience of internal users accessing published apps. Option D is wrong because setting 'Session lifetime' to 'Permanent' in sign-in frequency would reduce security by never re-prompting for credentials, and it does not enable the underlying SSO mechanism needed to avoid the password prompt.

104
MCQ · medium

You are troubleshooting a sign-in issue. A user reports that they are repeatedly prompted for authentication when accessing a cloud app, even though they already authenticated earlier in the day. You check the Conditional Access policy and see that 'Session control - Sign-in frequency' is set to 1 hour. What is the most likely cause?

A. The sign-in frequency setting forces reauthentication after 1 hour
B. The browser is blocking persistent cookies
C. Token lifetime policy overrides the sign-in frequency
D. The user is considered high risk by Identity Protection
Answer: A

Sign-in frequency requires reauthentication after the specified time.

Why this answer

Option A is correct. A sign-in frequency of 1 hour will prompt reauthentication every hour, causing the repeated prompts. Option C is wrong because token lifetime settings are separate.

Option B is wrong because session persistence does not affect reauthentication frequency. Option D is wrong because risk policies are not configured.

105
MCQ · easy

Users report that they are prompted for MFA every time they sign in, even on trusted devices. You need to reduce the frequency of MFA prompts while maintaining security. What should you configure?

A. Set the 'Number of days before reauthentication' to 0.
B. Disable MFA for trusted locations.
C. Enable the 'Remember MFA for trusted devices' setting in MFA settings.
D. Adjust the sign-in session lifetime in Conditional Access.
Answer: C

This setting caches MFA on trusted devices for a configurable duration, reducing prompts.

Why this answer

Option C is correct because enabling 'Remember MFA for trusted devices' allows users to bypass MFA prompts for a configurable number of days on devices the user marks as trusted. This reduces the frequency of MFA prompts while maintaining security, as the trust is tied to a persistent token stored on the device. The setting is configured in the Azure AD MFA service settings, not in Conditional Access policies.

Exam trap

The trap here is that candidates often confuse session lifetime settings in Conditional Access (which control token expiry) with the MFA remember setting, leading them to choose Option D, but only the MFA remember setting directly reduces MFA prompts on trusted devices without compromising security.

How to eliminate wrong answers

Option A is wrong because setting 'Number of days before reauthentication' to 0 would force reauthentication every time, increasing MFA prompts, not reducing them. Option B is wrong because disabling MFA for trusted locations would bypass MFA entirely from those locations, which weakens security and does not reduce prompts on trusted devices specifically. Option D is wrong because adjusting the sign-in session lifetime in Conditional Access controls how long a session token is valid before requiring reauthentication, but it does not directly persist MFA trust across sessions; it may still prompt for MFA on each new session if no MFA remember setting is enabled.

106
MCQ · hard

Your organization uses Microsoft Intune for mobile device management. You need to implement a conditional access policy that only allows access to corporate email from devices that are enrolled in Intune and compliant with security policies. However, the policy is not working for some users who report that they cannot access email even though their devices are compliant. You discover that the users have multiple devices and are signing in from a device that is not enrolled. What should you do?

A. Enroll all devices in Intune
B. Remove the conditional access policy
C. Use app protection policies instead
D. Ensure users sign in only from compliant devices
Answer: D

This resolves the issue by enforcing device compliance during sign-in.

Why this answer

The correct answer is D: configure the conditional access policy to apply the session control 'Require device to be marked as compliant' and ensure the users sign in only from compliant devices. Users with multiple devices may inadvertently sign in from a non-compliant device. Option B (Remove the conditional access policy) would remove protection.

Option A (Enroll all devices) may not be practical. Option C (Use app protection policies) addresses app-level protection but not device-level compliance.

107
MCQ · medium

Your company uses Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with company policies can access corporate resources. You have configured compliance policies in Intune. What additional step is required to enforce access control based on device compliance?

A. Create a Conditional Access policy that requires device to be marked as compliant
B. Enable certificate-based authentication for all devices
C. Deploy device configuration profiles to all devices
D. Configure app protection policies in Microsoft Defender for Cloud Apps
Answer: A

Conditional Access evaluates device compliance and allows or blocks access to corporate resources.

Why this answer

Option A is correct because Conditional Access policies in Entra ID enforce access based on device compliance status. Option C is wrong because device configuration profiles apply settings but do not enforce access. Option D is wrong because app protection policies manage data within apps.

Option B is wrong because certificates are for authentication, not compliance enforcement.

108
MCQ · easy

You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?

A. Include 'All cloud apps' and set 'Block access'
B. Include 'Select apps' and choose all apps except admin
C. Include 'All cloud apps' and exclude 'Microsoft Entra ID Administration'
D. Include 'All cloud apps' and exclude 'Office 365'
Answer: C

Excludes the admin portal from blocking.

Why this answer

Option C is correct because the requirement is to block access from untrusted locations for all cloud apps except Microsoft Entra ID Administration. In Conditional Access, you include 'All cloud apps' to cover every app, then explicitly exclude 'Microsoft Entra ID Administration' to exempt it from the block. This ensures the policy applies broadly while honoring the exclusion.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra ID Administration' with 'Office 365' or think they must manually select all apps, missing the efficient 'All cloud apps' plus exclusion pattern.

How to eliminate wrong answers

Option A is wrong because including 'All cloud apps' and setting 'Block access' would block all cloud apps, including Microsoft Entra ID Administration, which violates the requirement to exclude it. Option B is wrong because 'Select apps' requires manually picking each app, which is impractical for 'all cloud apps except one' and does not dynamically cover future apps. Option D is wrong because excluding 'Office 365' does not match the requirement to exclude 'Microsoft Entra ID Administration'; Office 365 is a different app set and would incorrectly block the admin portal.

109
MCQ · easy

You need to grant a user the ability to reset passwords for all users in the finance department. The finance department users are in a specific organizational unit (OU) in on-premises Active Directory, which syncs to Microsoft Entra ID. What is the most secure way to delegate this?

A. Add the user to the Password Administrator role
B. Create an administrative unit containing the finance users and assign the Helpdesk Administrator role scoped to that unit
C. Assign the User Access Administrator role to the user
D. Assign the Global Administrator role to the user
Answer: B

Administrative units allow scoped delegation of roles like Helpdesk Administrator.

Why this answer

Option B is correct because it uses Administrative Units (AUs) in Microsoft Entra ID to scope the Helpdesk Administrator role to only the finance department users. This provides the least-privilege delegation for password reset, as the user can only reset passwords for the specific synced users in that AU, not all users in the tenant. The Helpdesk Administrator role includes the 'Reset password' permission, and scoping it to an AU ensures the delegated user cannot affect users outside the finance OU.

Exam trap

The trap here is that candidates often assume the Password Administrator role is the most secure because it is specifically named for password resets, but they overlook the need for scoping via Administrative Units to restrict the delegation to only the finance department users.

How to eliminate wrong answers

Option A is wrong because the Password Administrator role can reset passwords for all users in the tenant, including non-finance users, which violates the principle of least privilege and is not scoped to the finance department. Option C is wrong because the User Access Administrator role is designed to manage user access to Azure resources (e.g., assigning RBAC roles), not to reset passwords, and it does not include the password reset permission. Option D is wrong because the Global Administrator role provides full, unrestricted access to all Entra ID settings and resources, which is far too permissive for the simple task of resetting passwords for a subset of users.

110
MCQ · medium

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You want to detect and block sign-ins from non-compliant devices to a critical SaaS application. The solution must work for both managed (Microsoft Intune enrolled) and unmanaged devices. What should you use?

A. Deploy Microsoft Entra application proxy and require pre-authentication.
B. Use Conditional Access with device compliance condition and session control via Defender for Cloud Apps.
C. Configure Intune compliance policies and require compliant device in Conditional Access.
D. Enable Microsoft Entra ID Protection and set sign-in risk policy to block medium and above.
Answer: B

Device compliance covers managed devices; Defender for Cloud Apps session control can block unmanaged devices.

Why this answer

Option B is correct because it combines Conditional Access with a device compliance condition to evaluate device state for both managed (Intune-enrolled) and unmanaged devices, and then uses session control via Defender for Cloud Apps to block sign-ins from non-compliant devices. This approach works for unmanaged devices by leveraging device compliance signals from Intune or third-party MDM, and the session control enforces real-time blocking at the app level.

Exam trap

The trap here is that candidates often think Intune compliance policies alone (Option C) can cover unmanaged devices, but they forget that unmanaged devices cannot be evaluated for compliance without a session-level control like Defender for Cloud Apps.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra application proxy is designed for secure remote access to on-premises apps, not for detecting or blocking sign-ins based on device compliance, and pre-authentication alone does not evaluate device state. Option C is wrong because configuring Intune compliance policies and requiring a compliant device in Conditional Access only works for managed (Intune-enrolled) devices; it cannot enforce compliance on unmanaged devices, which is a requirement in the question. Option D is wrong because Microsoft Entra ID Protection sign-in risk policy focuses on user and sign-in risk (e.g., anonymous IP, leaked credentials), not on device compliance, so it cannot block non-compliant devices.

111
MCQ · hard

Refer to the exhibit. You run the PowerShell cmdlet Get-AzureADPolicy for a tenant. Based on the output, what is the access token lifetime for this policy?

A. 24 hours
B. 1 hour
C. 6 hours
D. 12 hours
Answer: B

AccessTokenLifetime is set to 01:00:00, which is 1 hour.

Why this answer

The output of Get-AzureADPolicy shows a policy definition with 'TokenLifetime' set to '1.00:00:00', which represents 1 day. However, the question asks for the access token lifetime. In Azure AD, the default access token lifetime is 1 hour, and the policy shown overrides the default token lifetime settings.

The policy definition includes a 'TokenLifetime' of 1 day, but access tokens have a separate configurable lifetime, and the default access token lifetime is 1 hour unless explicitly overridden by a policy that targets access tokens. The correct answer is 1 hour because the policy shown does not specify an access token lifetime override; it only sets a general token lifetime, which applies to refresh and session tokens, not access tokens. Therefore, the access token lifetime remains the default of 1 hour.

Exam trap

The trap here is that candidates see 'TokenLifetime' set to 1 day in the policy output and incorrectly assume it applies to access tokens, but Azure AD's default access token lifetime remains 1 hour unless explicitly overridden with the 'AccessTokenLifetime' property.

How to eliminate wrong answers

Option A is wrong because 24 hours is the default lifetime for refresh tokens, not access tokens, and the policy's 'TokenLifetime' of 1 day applies to refresh/session tokens, not access tokens. Option C is wrong because 6 hours is not a default or commonly configured access token lifetime in Azure AD; the default is 1 hour. Option D is wrong because 12 hours is not the default access token lifetime; it could be a custom value but is not indicated by the policy output, which shows a 1-day token lifetime for other token types.

112
MCQ · medium

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access Exchange Online. The solution must require users to reauthenticate every 12 hours. What should you configure?

A. Create a Conditional Access policy that requires MFA for Exchange Online and set sign-in frequency to 12 hours.
B. Create a Conditional Access policy that grants access to Exchange Online only if the device is compliant, and set session sign-in frequency to 12 hours.
C. Create an app protection policy for Exchange Online that requires device compliance and sets sign-in frequency.
D. Configure a device compliance policy for all devices and enable 'Reauthenticate every 12 hours' in the compliance policy.
Answer: B

This enforces both device compliance and reauthentication frequency.

Why this answer

Option B is correct because a Conditional Access policy can enforce device compliance as a grant control for Exchange Online, ensuring only compliant devices can access the service. Setting the session sign-in frequency to 12 hours forces users to reauthenticate at that interval, meeting the requirement without requiring MFA. This combines device compliance enforcement with session lifetime control in a single policy.

Exam trap

The trap here is that candidates confuse device compliance policies with Conditional Access session controls, assuming sign-in frequency can be set directly in a compliance policy, when it is actually a separate Conditional Access setting.

How to eliminate wrong answers

Option A is wrong because requiring MFA does not enforce device compliance; it only adds an authentication factor, so non-compliant devices could still access Exchange Online. Option C is wrong because app protection policies (MAM) manage data protection within apps, not device-level compliance, and they do not support a sign-in frequency setting. Option D is wrong because a device compliance policy itself does not include a 'Reauthenticate every 12 hours' setting; sign-in frequency is a Conditional Access session control, not a compliance policy setting.

113
MCQ · easy

You are the identity security engineer for a multinational company that uses Microsoft Entra ID. The company has recently experienced a security breach where an attacker compromised a non-administrator user account and then used that account to enumerate all users in the tenant. The attacker then attempted to brute-force passwords for high-privilege accounts. To prevent such attacks, management requires the following:

- Users with administrative roles must use phishing-resistant MFA.
- Any sign-in from a risky IP address must be blocked.
- Users must not be able to enumerate directory information via the Graph API unless they have a specific role.
- The solution should be implemented using built-in Microsoft Entra ID features.

What should you configure?

A. Enable Security defaults and configure Identity Protection user risk policy to block high-risk users.
B. Configure Conditional Access policy with authentication strength for admins requiring phishing-resistant MFA. Configure Identity Protection sign-in risk policy to block risky sign-ins. Restrict access to the Graph API by requiring a specific role assignment.
C. Configure Conditional Access policy for admins to require phishing-resistant MFA. Use PIM to require approval. Enable Identity Protection sign-in risk policy.
D. Configure PIM for all admin roles. Create access reviews for all users. Enable Identity Protection to detect risky sign-ins.
Answer: B

Authentication strength enforces phishing-resistant MFA. Sign-in risk policy blocks risky IPs. Restricting Graph API access prevents unauthorized enumeration.

Why this answer

Option B is correct. Phishing-resistant MFA can be enforced via Conditional Access with authentication strength. Sign-in risk policies in Identity Protection can block sign-ins from risky IPs.

To prevent directory enumeration, you can restrict access to the Graph API using Conditional Access or application permissions. Option A is wrong because Security defaults enforce MFA but do not block all enumeration. Option C is wrong because PIM does not block enumeration.

Option D is wrong because access reviews do not block enumeration.

114
MCQ · hard

Your company is implementing a zero-trust security model. You need to ensure that all access to cloud applications is continuously verified based on user identity, device health, and location. Which combination of Microsoft security solutions should you use?

A. Microsoft Sentinel and Azure Policy
B. Microsoft Entra ID Protection and Privileged Identity Management
C. Azure Active Directory Domain Services and Azure Firewall
D. Microsoft Entra ID Conditional Access, Microsoft Intune, and Microsoft Defender for Cloud Apps
Answer: D

This combination provides identity, device, and cloud app verification for zero trust.

Why this answer

Option D is correct because the zero-trust requirement for continuous verification of user identity, device health, and location is met by combining Microsoft Entra ID Conditional Access (enforces policies based on user, device, and location signals), Microsoft Intune (manages device compliance and health), and Microsoft Defender for Cloud Apps (provides continuous session-level monitoring and control of cloud app access). This trio delivers the real-time, policy-driven access checks that zero trust demands.

Exam trap

The trap here is that candidates often pick Option B (Identity Protection + PIM) because they associate identity protection with zero trust, but they miss the critical need for device health verification (Intune) and continuous session monitoring (Defender for Cloud Apps) that are explicitly required by the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR for threat detection and response, not an access control solution, and Azure Policy enforces resource compliance at the Azure infrastructure layer, not user/device/location-based access to cloud apps. Option B is wrong because Microsoft Entra ID Protection focuses on risk-based detection and remediation of compromised identities, and Privileged Identity Management (PIM) manages just-in-time privileged role activation; neither continuously verifies device health or location for all cloud app access. Option C is wrong because Azure Active Directory Domain Services provides managed domain services (e.g., LDAP, Kerberos) for legacy apps, not modern conditional access, and Azure Firewall is a network-layer firewall that cannot evaluate user identity, device health, or application-level signals.

115
MCQhard

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to implement a solution that detects password changes on-premises and forces re-authentication for active sessions within minutes. Which feature should you enable?

A.Azure AD Connect Health
B.Password Writeback with password change notification
C.Azure AD Domain Services
D.Seamless SSO
AnswerB

Synchronizes password changes and can trigger re-authentication via Conditional Access.

Why this answer

Option B is marked correct. In a hybrid tenant with password hash synchronization, an on-premises password change reaches Microsoft Entra ID within about two minutes; Password Writeback completes the loop in the other direction by writing cloud-initiated changes and resets back to on-premises AD. Treated as a notification event, the change lets Conditional Access (and continuous access evaluation, for apps that support it) revoke existing sessions, so users holding stale tokens must re-authenticate with the new password instead of riding out the normal token lifetime.

Exam trap

The trap here is that candidates often confuse Password Writeback with Seamless SSO, thinking that SSO handles password changes, when in fact Seamless SSO only provides silent authentication and does not detect or propagate password changes to force re-authentication.

How to eliminate wrong answers

Option A is wrong because Azure AD Connect Health monitors the health of the synchronization infrastructure but does not detect password changes or force re-authentication. Option C is wrong because Azure AD Domain Services provides managed domain services (e.g., LDAP, Kerberos) but does not handle password change detection or session re-authentication from on-premises. Option D is wrong because Seamless SSO provides automatic sign-in for users on domain-joined devices but does not detect password changes or force re-authentication for active sessions.

116
MCQmedium

Refer to the exhibit. You are creating a custom role in Microsoft Entra ID. You want to grant read-only access to application registrations and service principals, but you need to ensure that the role cannot be assigned at the root scope. What change is required?

A.Change assignableScopes to ["/tenant-id"]
B.Add microsoft.directory/applications/allProperties/read to actions.
C.Modify the roleName to include 'Read-Only'.
D.Add dataActions for application data.
AnswerA

Restricts assignable scopes to a specific tenant, preventing root scope assignment.

Why this answer

Option A is correct in intent: the assignableScopes property determines where a role can be assigned, and a definition whose list contains "/" (the root) can be assigned tenant-wide. Replacing "/" with a narrower scope is the fix. Read literally, "/tenant-id" is not a valid scope string. Azure RBAC assignableScopes take management group, subscription, resource group or resource IDs (for example /subscriptions/<id>), and Microsoft Entra directory roles do not carry assignableScopes at all; their scope is set per assignment through directoryScopeId, where "/" means the whole tenant and "/administrativeUnits/<id>" or "/<appObjectId>" restricts the assignment. Either way the mechanism the question tests is the same: the scope list or scope ID, not the permission list, decides whether the role can land at the root.

Exam trap

The trap here is that candidates often confuse assignableScopes with permissions, thinking that modifying the actions or dataActions will control where the role can be assigned, when in fact only the assignableScopes property determines the assignment scope.

How to eliminate wrong answers

Option B is wrong because adding microsoft.directory/applications/allProperties/read to actions would grant read access to all properties of applications, but it does not address the requirement to prevent assignment at the root scope; it only modifies permissions. Option C is wrong because modifying the roleName to include 'Read-Only' is purely cosmetic and has no effect on the assignable scopes or the ability to assign the role at the root scope. Option D is wrong because dataActions are used for data plane permissions (e.g., reading application data), not for controlling the scope of role assignment; they do not affect where the role can be assigned.
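The scoping point above, as an added example that is not part of the question bank: a Microsoft Graph PowerShell script that builds the read-only app registration role as an Entra custom directory role, refuses to assign it at the tenant root, and assigns it scoped to one application object instead. The object IDs are placeholders; run without -Apply to exercise the scope check offline, and with -Apply (after Connect-MgGraph) to create the definition and assignment.

```powershell
# Added example (not from the question bank). Builds an Entra ID custom directory role that
# can only read app registrations and service principals, then assigns it scoped to a single
# application object instead of the tenant root. IDs below are placeholders.
#
# Entra directory roles take their scope from the assignment (directoryScopeId), not from an
# assignableScopes list as Azure RBAC roles do. "/" means the whole tenant; a narrower scope
# such as "/<appObjectId>" or "/administrativeUnits/<id>" keeps the role off the root.
param([switch]$Apply)   # omit -Apply to validate offline; -Apply calls Microsoft Graph

$appObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: object ID of the app registration
$principalId = '22222222-2222-2222-2222-222222222222'   # placeholder: user or group receiving the role

$roleDefinition = @{
    displayName     = 'App Registration Reader'
    description     = 'Read-only access to application and service principal objects'
    isEnabled       = $true
    rolePermissions = @(
        @{ allowedResourceActions = @(
            'microsoft.directory/applications/allProperties/read',
            'microsoft.directory/servicePrincipals/allProperties/read'
        ) }
    )
}

$assignment = @{
    principalId      = $principalId
    roleDefinitionId = '<set after the definition is created>'
    directoryScopeId = "/$appObjectId"     # NOT "/", which would make it tenant-wide
}

function Test-TenantWideAssignment {
    param([Parameter(Mandatory)][hashtable]$Assignment)
    # Returns $true when the assignment would land at the tenant root.
    return ($Assignment.directoryScopeId -eq '/')
}

if (Test-TenantWideAssignment $assignment) {
    throw "Refusing to create a tenant-wide assignment for $($roleDefinition.displayName)"
}
"Scope check passed: $($assignment.directoryScopeId)"

if ($Apply) {
    Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'
    $created = Invoke-MgGraphRequest -Method POST -Uri '/v1.0/roleManagement/directory/roleDefinitions' -Body $roleDefinition
    $assignment.roleDefinitionId = $created.id
    Invoke-MgGraphRequest -Method POST -Uri '/v1.0/roleManagement/directory/roleAssignments' -Body $assignment
}
```

The check is deliberately on the assignment rather than the definition, because that is where Entra records scope; an Azure RBAC custom role JSON would get the equivalent check on its assignableScopes array (reject "/").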

117
MCQeasy

You need to ensure that when a user's role in Microsoft Entra ID is changed (e.g., from User to Global Administrator), the change is approved by a manager before it takes effect. Additionally, you need to enforce just-in-time (JIT) access for that role. What should you use?

A.Configure Microsoft Entra Privileged Identity Management (PIM) for the role with approval required and JIT activation.
B.Use Microsoft Entra access reviews to review role assignments monthly.
C.Create a Conditional Access policy requiring manager approval for role assignment.
D.Assign the role via Azure RBAC with a custom role.
AnswerA

PIM provides JIT access and approval workflows for role assignments.

Why this answer

Option A is correct: PIM makes the Global Administrator assignment eligible rather than permanent, so the user must activate it (just-in-time), and the role's activation settings can require a designated approver, such as the manager, to approve before the activation takes effect. Option C is wrong because Conditional Access evaluates sign-ins (it can require an authentication context for PIM activation) but has no approval workflow. Option B is wrong because access reviews are periodic attestation of existing assignments, not just-in-time activation.

Option D is wrong because Azure RBAC custom roles scope Azure resources, not Microsoft Entra directory roles such as Global Administrator.

118
MCQhard

Your company has Microsoft Entra ID and uses Azure Bastion for secure VM access. You need to ensure that only administrators with PIM-activated roles can access the Bastion host. What should you configure?

A.Configure Azure Bastion with just-in-time access
B.Use a Conditional Access policy to require privileged access for the Azure Bastion application
C.Assign the Bastion Reader role to administrators
D.Configure network security groups to restrict access to Bastion
AnswerB

Conditional Access on the Azure management sign-in, combined with PIM-eligible role assignments, gates who can reach Bastion.

Why this answer

Option B is marked correct. Azure Bastion has no Conditional Access integration of its own; the sign-in that matters is the Azure portal / Azure Resource Manager sign-in, which Conditional Access covers through the Microsoft Azure Management cloud app. Pairing that policy with PIM-eligible rather than permanent RBAC assignments on the Bastion resource means only administrators who have activated their role hold the permission to connect. Option A is incorrect because Bastion offers no just-in-time feature of its own; JIT VM access is a Defender for Cloud control on VM network rules. Option C is incorrect because a standing Bastion Reader assignment grants access permanently and never requires activation.

Option D is incorrect because network security groups filter by source address and port and cannot tell an activated role from an unactivated one.

119
MCQmedium

Your organization uses Microsoft Entra ID. You need to ensure that users accessing internal applications from unmanaged devices are required to use Microsoft Edge with specific security configurations. Which Conditional Access control should you use?

A.Grant control: Require device to be marked as compliant
B.Grant control: Require trusted location
C.Grant control: Require approved client app
D.Session control: Use app enforced restrictions
AnswerD

App enforced restrictions can enforce Microsoft Edge with cloud-managed security.

Why this answer

Option D is correct because the 'Use app enforced restrictions' session control in Conditional Access allows you to require that users access internal applications using Microsoft Edge with specific security configurations (such as preventing copy/paste or downloads) when coming from unmanaged devices. This control works by sending a device claim to the application, which then enforces the restrictions at the app level, rather than relying on device compliance or location.

Exam trap

The trap here is that candidates often confuse 'Require approved client app' (which targets mobile app protection) with browser-based restrictions, or assume that device compliance or location controls can enforce browser-specific security configurations on unmanaged devices.

How to eliminate wrong answers

Option A is wrong because 'Require device to be marked as compliant' requires the device to be enrolled in Microsoft Intune and meet compliance policies, which is not applicable to unmanaged devices that are not enrolled. Option B is wrong because 'Require trusted location' relies on IP address ranges defined as trusted locations, which does not enforce browser-specific security configurations on unmanaged devices. Option C is wrong because 'Require approved client app' is used to restrict access to specific mobile applications (like Outlook or Teams) that support Intune app protection policies, not to enforce browser security settings on desktop browsers like Microsoft Edge.

120
MCQeasy

Refer to the exhibit. You run the command and see the output. What does the UserType 'Member' indicate?

A.The user is a service principal
B.The user is a guest user
C.The user is an administrator
D.The user is a member of the tenant
AnswerD

Member indicates an internal user.

Why this answer

UserType 'Member' means the account belongs to the organization, whether it was created directly in the tenant or synchronized from on-premises Active Directory. It is distinct from 'Guest', which marks an external identity invited through B2B collaboration. The cmdlet shown is Get-AzureADUser (from the retired Azure AD module) or its Microsoft Graph PowerShell replacement Get-MgUser; UserType is a plain property of the user object, and an administrator can change it (for example converting a guest to a member), so it describes the account's relationship to the tenant, not its permissions.

Exam trap

The trap here is that candidates confuse the UserType property with the user's role or administrative status, when in fact UserType only distinguishes between native tenant members and external B2B guests, not their permissions or directory roles.

How to eliminate wrong answers

Option A is wrong because a service principal is represented by a ServicePrincipal object, not a User object, and its UserType would not be 'Member'; service principals have their own object type and are not users. Option B is wrong because a guest user has UserType = 'Guest', not 'Member'; the 'Member' value explicitly indicates the user is not a guest. Option C is wrong because being an administrator is a role assignment, not a user type; a user can be a Member and have no admin roles, or be a Guest and have admin roles, so UserType does not indicate administrative status.

121
MCQhard

Your organization has a Microsoft Entra ID tenant with 50,000 users. You are designing a solution to automatically revoke access for users who have not signed in for 90 days. The solution must be cost-effective and use built-in Microsoft Entra ID features. What should you do?

A.Create a Power Automate flow that triggers monthly to check sign-in logs and disable inactive users.
B.Use Microsoft Entra Connect to synchronize a 'disable' attribute from on-premises and set it for inactive users.
C.Configure the 'User sign-in frequency' setting in the 'User feature' settings to automatically remove users inactive for 90 days.
D.Write a PowerShell script using Microsoft Graph API to check last sign-in times and disable users.
AnswerD

Graph exposes each user's signInActivity (last interactive and non-interactive sign-in); a script over that data is the built-in, no-extra-license route.

Why this answer

Option D is correct. Microsoft Entra ID has no 'User sign-in frequency' setting under User features. The built-in data for inactivity is the signInActivity property on the Graph user resource, which records the last interactive and last non-interactive sign-in (reading it requires a Microsoft Entra ID P1 or P2 license and the AuditLog.Read.All permission). A scheduled PowerShell or Graph script that compares those timestamps with a 90-day threshold and disables the matching accounts uses only built-in data and no additional product license, which is what cost-effectiveness means at 50,000 users.

Exam trap

The trap is the invented setting in option C: candidates who expect a toggle to exist pick it. Conditional Access does have a sign-in frequency session control, but it limits how long a session lasts before re-authentication and never disables accounts.

How to eliminate wrong answers

Option A is wrong because Power Automate needs its own per-user or per-flow licensing and is a less direct way to read the same Graph data. Option B is wrong because Microsoft Entra Connect flows attributes from on-premises AD to the cloud; nothing on premises knows about cloud sign-in activity, so someone would still have to compute inactivity and stamp the attribute. Option C is wrong because no such setting exists; the 'User features' settings control preview feature experiences for users, not account inactivity.
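The inactivity check described above, and the Member/Guest distinction from question 120, as an added example that is not part of the question bank. It is a Microsoft Graph PowerShell script: the selection logic runs against constructed sample users so it can be exercised offline, and -Apply switches it to the live Get-MgUser / Update-MgUser calls (the permission scopes and the 90-day threshold are the assumptions). It treats a non-interactive sign-in (token refresh by a client) as activity, and falls back to the creation date for accounts that have never signed in so new accounts are not swept up.

```powershell
# Added example (not from the question bank). Finds enabled accounts with no interactive or
# non-interactive sign-in for N days using the signInActivity data Entra ID records, and
# optionally disables them. Sample users below are constructed; -Apply runs the live query.
# Reading signInActivity needs AuditLog.Read.All plus User.Read.All and a P1/P2 tenant.
param([int]$InactiveDays = 90, [switch]$Apply)

function Get-InactiveUser {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [int]$Days = 90,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $cutoff = $Now.AddDays(-$Days)
    foreach ($u in $Users) {
        if (-not $u.AccountEnabled) { continue }      # already disabled, nothing to do
        $act = $u.SignInActivity
        # Most recent of interactive and non-interactive sign-in: an account that only
        # refreshes tokens is still in use.
        $last = @($act.LastSignInDateTime, $act.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
        # Never signed in: fall back to creation time so brand-new accounts are kept.
        if (-not $last) { $last = $u.CreatedDateTime }
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                UserType          = $u.UserType      # Member vs Guest (question 120)
                LastActivity      = $last
                IdleDays          = [int]($Now - $last).TotalDays
            }
        }
    }
}

# Constructed sample data, frozen at a fixed "now" so the results are reproducible.
$sampleNow = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
function Get-SampleDate($DaysAgo) { if ($null -eq $DaysAgo) { $null } else { $sampleNow.AddDays(-$DaysAgo) } }
function New-SampleUser($Upn, $Type, $Enabled, $CreatedDaysAgo, $LastDaysAgo, $LastNonInteractiveDaysAgo) {
    [pscustomobject]@{
        UserPrincipalName = $Upn
        UserType          = $Type
        AccountEnabled    = $Enabled
        CreatedDateTime   = $sampleNow.AddDays(-$CreatedDaysAgo)
        SignInActivity    = [pscustomobject]@{
            LastSignInDateTime               = Get-SampleDate $LastDaysAgo
            LastNonInteractiveSignInDateTime = Get-SampleDate $LastNonInteractiveDaysAgo
        }
    }
}
$sampleUsers = @(
    New-SampleUser 'alice@contoso.com' 'Member' $true  400 3     1       # active
    New-SampleUser 'bob@contoso.com'   'Member' $true  400 120   10      # only token refreshes: still in use
    New-SampleUser 'carol@partner.com' 'Guest'  $true  400 200   $null   # inactive guest -> reported
    New-SampleUser 'dave@contoso.com'  'Member' $true  20  $null $null   # new, never signed in -> kept
    New-SampleUser 'erin@contoso.com'  'Member' $true  300 $null $null   # stale, never signed in -> reported
    New-SampleUser 'frank@contoso.com' 'Member' $false 400 500   $null   # already disabled -> skipped
)

$now   = if ($Apply) { (Get-Date).ToUniversalTime() } else { $sampleNow }
$users = if ($Apply) {
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.ReadWrite.All'
    Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled, CreatedDateTime, SignInActivity
} else { $sampleUsers }

$inactive = @(Get-InactiveUser -Users $users -Days $InactiveDays -Now $now)
$inactive | Format-Table -AutoSize     # sample data reports carol (200 days) and erin (300 days)

if ($Apply) {
    foreach ($u in $inactive) {
        # Disable rather than delete: reversible, and the object keeps its group and role history.
        Update-MgUser -UserId $u.UserPrincipalName -AccountEnabled:$false
    }
}
```

Guests show up with their UserType so they can be handed a different threshold or a removal step instead of a disable; the 90-day figure is the question's, not a product default.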

122
MCQmedium

Your organization, Fabrikam, uses Microsoft Entra ID and has recently deployed Microsoft Copilot for Azure to assist administrators with troubleshooting. You need to ensure that access to Copilot for Azure is restricted to a specific group of security administrators and that all interactions are logged for compliance. You have created a security group named 'Copilot-Admins' and assigned it the appropriate role. However, you notice that users outside this group can still access Copilot for Azure. Additionally, you need to ensure that all Copilot interactions are stored in a Log Analytics workspace for analysis. What should you do?

A.Configure PIM to require approval for Copilot access
B.Create a Conditional Access policy that requires the user to be a member of 'Copilot-Admins' and enable diagnostic settings for Copilot to send logs to Log Analytics
C.Use Azure Policy to deny access to Copilot for users not in the group
D.Assign the 'Copilot-Admins' group the 'Reader' role to the Copilot service
AnswerB

This ensures only the group can access and logs are sent to Log Analytics.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID can enforce access controls based on group membership, ensuring only members of 'Copilot-Admins' can access Copilot for Azure. Additionally, diagnostic settings for Copilot can be configured to stream all interaction logs to a Log Analytics workspace, meeting the compliance requirement for logging and analysis.

Exam trap

The trap here is confusing Azure Policy (which governs resource compliance) with Conditional Access (which governs user authentication and access), leading candidates to incorrectly choose Azure Policy for access restriction.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) manages just-in-time role activation and approval workflows for privileged roles, not direct access control to a service like Copilot for Azure; it does not restrict initial access or log interactions. Option C is wrong because Azure Policy is used to enforce compliance rules on Azure resources (e.g., resource configurations, tagging), not to control user access to a service like Copilot; access control is handled by Entra ID Conditional Access or RBAC, not Azure Policy. Option D is wrong because assigning the 'Reader' role to the Copilot service would grant read-only permissions to the service itself (if such a scope existed), but it does not restrict who can access Copilot for Azure; the issue is about access control, not permissions within the service.

123
MCQhard

Your company uses Microsoft Entra ID with a custom domain. You need to implement a solution that allows users to sign in using their social identity providers (e.g., Google, Facebook) but still enforce your organization's MFA policies. What should you configure?

A.Configure federation with the social IdP in Microsoft Entra ID.
B.Use Microsoft Entra B2B collaboration and invite users with their social accounts.
C.Configure Custom Authentication Extension to federate with social IdPs and apply Conditional Access policy requiring MFA.
D.Enable self-service password reset (SSPR) with identity verification.
AnswerC

Custom Authentication Extension allows integration with social IdPs; Conditional Access enforces MFA.

Why this answer

Option C is marked correct: the intended design is a Custom Authentication Extension that hands sign-in to the social provider, with a Conditional Access policy that then requires MFA. Option A is wrong because federation in Microsoft Entra ID targets SAML 2.0 and WS-Fed identity providers, not consumer providers such as Google or Facebook. Option B is wrong because B2B collaboration is for external guests, not for the organization's own users.

Option D is wrong because self-service password reset handles password recovery and offers no social sign-in.

124
MCQeasy

Your organization uses Microsoft Entra ID and has deployed Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud applications based on user behavior and device health. Which feature should you use?

A.Microsoft Purview Information Protection
B.Conditional Access App Control
C.Cloud App Discovery
D.OAuth app policies
AnswerB

This feature provides real-time session monitoring and control based on user behavior and device health.

Why this answer

Option B is correct because Conditional Access App Control in Defender for Cloud Apps proxies the session and applies session-level monitoring and control (for example blocking downloads or copy/paste) using the user, device and risk conditions passed from Conditional Access. Option C is wrong because Cloud App Discovery only inventories shadow IT from firewall and proxy logs. Option D is wrong because OAuth app policies govern the permissions third-party apps have been granted in the tenant.

Option A is wrong because Purview Information Protection classifies and labels data.

125
MCQmedium

Refer to the exhibit. You are reviewing the external collaboration settings for your Microsoft Entra ID tenant. Based on the exhibit, which of the following statements is true about the current configuration?

A.Only administrators can invite external users.
B.B2B direct connect is enabled for Teams external access.
C.Users with email-verified accounts can join the organization automatically.
D.External users will receive a one-time passcode via email when they are invited.
AnswerD

'enableB2BEmailOneTimePasscode' is true, so guests can use email OTP.

Why this answer

Option D is correct because enableB2BEmailOneTimePasscode is true, so a guest whose email address has no Microsoft Entra, Microsoft account or Google identity behind it authenticates at redemption with a one-time passcode sent to that address. Option A is wrong because allowInvitationsFrom is set to 'adminsAndGuestInviters', so users holding the Guest Inviter role can invite as well as administrators. Option B is wrong because enableB2BDirectConnect is false, so Teams shared channels with external organizations are not enabled.

Option C is wrong because allowEmailVerifiedUsersToJoinOrganization is false, so self-service sign-up with a verified email address is off.

126
MCQhard

Your organization has Microsoft Entra ID and uses Microsoft Copilot for Microsoft 365. You need to ensure that Copilot interactions are logged and accessible for security investigations. What should you configure?

A.Configure Microsoft Sentinel to collect Copilot logs via the Office 365 connector
B.Enable diagnostic settings in Azure Monitor to collect Copilot logs
C.Ensure that auditing is enabled in Microsoft Purview to capture Copilot interactions
D.Deploy Microsoft Defender for Cloud Apps to monitor Copilot usage
AnswerC

Copilot interactions are audited in Purview.

Why this answer

Option C is correct because Microsoft Copilot for Microsoft 365 interactions are audited through the Microsoft Purview audit log. Enabling auditing in Purview captures detailed records of Copilot prompts and responses, which are then accessible for security investigations via the Purview compliance portal or through the Office 365 Management Activity API. This is the designated mechanism for logging Copilot activity, as Copilot interactions are considered Microsoft 365 workload events.

Exam trap

The trap here is that candidates often assume Copilot logs are collected via Azure Monitor or Microsoft Sentinel connectors by default, when in reality Copilot auditing is a Microsoft Purview feature that must be explicitly enabled and is not automatically routed to Azure monitoring tools.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel's Office 365 connector ingests logs from the Office 365 Management Activity API, but it does not natively collect Copilot-specific interaction logs; Copilot logs require Purview auditing to be enabled first, and even then, Sentinel can only consume them if Purview auditing is already active. Option B is wrong because Azure Monitor diagnostic settings are used to collect telemetry from Azure resources (e.g., VMs, App Services), not from Microsoft 365 workloads like Copilot; Copilot logs are not emitted to Azure Monitor. Option D is wrong because Microsoft Defender for Cloud Apps focuses on shadow IT discovery and session-level monitoring for SaaS apps, not on capturing detailed Copilot prompt/response audit logs; it can use Purview audit logs as a source but does not replace the need for Purview auditing.

127
MCQeasy

Your organization is using Microsoft Entra ID Conditional Access to enforce MFA for all external users. A partner company reports that their users are prompted for MFA every time they access your resources, even though they already authenticated in their home tenant. What should you configure to reduce repeated prompts?

A.Modify the external user’s home tenant conditional access policy
B.Set sign-in frequency to 0 (zero) for the conditional access policy
C.Configure session control to use persistent browser session
D.Configure MFA lifetime settings via cross-tenant access settings
AnswerD

Inbound trust in cross-tenant access settings lets your tenant accept the MFA claim issued by the partner's home tenant, so a user who already satisfied MFA there is not prompted again.

Why this answer

Option D is correct. By default a Conditional Access policy that requires MFA ignores the MFA an external user completed in their home tenant and makes them register and satisfy MFA in yours. Cross-tenant access settings (inbound trust, either in the default settings or per partner organization) can mark MFA claims from the external tenant as trusted, so the existing claim satisfies your policy and the repeated prompts stop. Option A is wrong because the partner's home-tenant policy is outside your control and, without inbound trust, your policy would not honor its result anyway.

Option B is wrong because sign-in frequency controls how often a session must re-authenticate (zero is not a valid value) and does not change whose MFA claim is accepted. Option C is wrong because a persistent browser session only keeps the session cookie across browser restarts; it does not affect MFA evaluation for external users.
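The inbound trust change described above, as an added example that is not part of the question bank: a Microsoft Graph PowerShell procedure that trusts MFA claims from one partner tenant via the cross-tenant access policy REST resources. The partner tenant ID is a placeholder and the script assumes an account holding Policy.ReadWrite.CrossTenantAccess; it runs against the tenant, not offline.

```powershell
# Added example (not from the question bank). Makes your tenant accept MFA claims issued by
# a partner's home tenant so their users are not re-prompted by your MFA policy.
# The partner tenant ID is a placeholder; the caller needs Policy.ReadWrite.CrossTenantAccess.
$partnerTenantId = '33333333-3333-3333-3333-333333333333'   # placeholder

Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'

# Trust only what you need: MFA yes; device claims stay off unless agreed with the partner,
# because accepting them lets the partner's device state satisfy your compliance controls.
$inboundTrust = @{
    isMfaAccepted                       = $true
    isCompliantDeviceAccepted           = $false
    isHybridAzureADJoinedDeviceAccepted = $false
}

# Per-partner setting: PATCH the partner entry if it exists, otherwise create it.
$partnerUri = "/v1.0/policies/crossTenantAccessPolicy/partners/$partnerTenantId"
try {
    Invoke-MgGraphRequest -Method GET -Uri $partnerUri | Out-Null
    Invoke-MgGraphRequest -Method PATCH -Uri $partnerUri -Body @{ inboundTrust = $inboundTrust }
} catch {
    Invoke-MgGraphRequest -Method POST -Uri '/v1.0/policies/crossTenantAccessPolicy/partners' `
        -Body @{ tenantId = $partnerTenantId; inboundTrust = $inboundTrust }
}

# Verify: isMfaAccepted should now read True for this partner.
(Invoke-MgGraphRequest -Method GET -Uri $partnerUri).inboundTrust

# Tenant-wide alternative (applies to every external Entra tenant, so decide deliberately):
# Invoke-MgGraphRequest -Method PATCH -Uri '/v1.0/policies/crossTenantAccessPolicy/default' `
#     -Body @{ inboundTrust = $inboundTrust }
```

Scoping the trust to the one partner keeps the default inbound settings unchanged for every other external tenant, which is the least-privilege choice when only one partner has reported the problem.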

128
MCQhard

You are troubleshooting an issue where users are unable to access a sensitive application protected by a Conditional Access policy. The policy requires MFA from trusted locations, but users are reporting that they are prompted for MFA even when connecting from the corporate office, which is defined as a trusted location. What is the most likely cause?

A.The corporate office's public IP address is not correctly defined in the trusted location
B.The policy is configured to require MFA for all locations regardless of trust
C.The policy is set to 'Require MFA' instead of 'Require MFA from trusted locations'
D.Users are not assigned to the policy
AnswerA

The location might have changed or been misconfigured.

Why this answer

Option A is correct because the most likely cause is that the corporate office's public IP address is not correctly defined in the trusted location. Conditional Access policies evaluate location based on named locations configured in Azure AD, which must include the exact public IP ranges (CIDR notation) of the trusted network. If the IP address is missing, misconfigured, or the user's outbound IP differs (e.g., due to a VPN or proxy), the policy treats the location as untrusted and enforces MFA.

Exam trap

The trap here is that candidates may assume the policy is misconfigured to require MFA for all locations (Option B) or that the policy type is wrong (Option C), but the real issue is a misalignment between the actual public IP and the defined trusted location, which is a common oversight in real-world deployments.

How to eliminate wrong answers

Option B is wrong because if the policy were configured to require MFA for all locations regardless of trust, users would be prompted for MFA everywhere, not just from the corporate office, and the question specifies the issue is only from the corporate office. Option C is wrong because the policy setting 'Require MFA' versus 'Require MFA from trusted locations' is not a distinct toggle; Conditional Access policies use grant controls like 'Require multi-factor authentication' combined with a condition for locations, so this option misrepresents the configuration. Option D is wrong because if users were not assigned to the policy, they would not be prompted for MFA at all, contradicting the reported behavior.
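The first check a practitioner runs for the situation above, as an added example that is not part of the question bank: take the egress IP reported in the sign-in log and test it against the IPv4 ranges of the named location. The office ranges and sign-in entries below are constructed (with one user deliberately outside the /28 the admin defined); the live lookups against Get-MgIdentityConditionalAccessNamedLocation and Get-MgAuditLogSignIn are shown in comments. IPv6 ranges would need the same mask logic on 128-bit addresses and are out of scope here.

```powershell
# Added example (not from the question bank). Checks whether the egress IP seen in a sign-in
# log entry falls inside the IPv4 ranges of a named location; that mismatch is the usual
# reason a "trusted" office still gets MFA prompts. Ranges and sign-ins below are constructed.

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Address" }
    # GetAddressBytes returns network (big-endian) order; int64 avoids signed overflow.
    return [int64]$bytes[0] * 16777216 + [int64]$bytes[1] * 65536 + [int64]$bytes[2] * 256 + [int64]$bytes[3]
}

function Test-IpInCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }            # a bare address in a named location is a /32
    $prefix = [int]$prefix
    $mask = if ($prefix -eq 0) { 0 } else { ([int64]4294967295 -shl (32 - $prefix)) -band 4294967295 }
    return ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Test-TrustedLocation {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string[]]$Ranges)
    foreach ($r in $Ranges) { if (Test-IpInCidr -Ip $Ip -Cidr $r) { return $true } }
    return $false
}

# Constructed named location: the ranges the admin believes cover the office egress.
$officeRanges = @('203.0.113.0/28', '198.51.100.7')

# Constructed sign-in log entries (IpAddress as Entra sign-in logs report it).
$signIns = @(
    [pscustomobject]@{ User = 'alice@contoso.com'; IpAddress = '203.0.113.9';  MfaPrompted = $false }
    [pscustomobject]@{ User = 'bob@contoso.com';   IpAddress = '203.0.113.40'; MfaPrompted = $true }   # /28 ends at .15
    [pscustomobject]@{ User = 'carol@contoso.com'; IpAddress = '198.51.100.7'; MfaPrompted = $false }
)

foreach ($s in $signIns) {
    $trusted = Test-TrustedLocation -Ip $s.IpAddress -Ranges $officeRanges
    '{0,-20} {1,-15} trusted={2,-5} mfaPrompted={3}' -f $s.User, $s.IpAddress, $trusted, $s.MfaPrompted
}
# bob's egress (.40) is outside 203.0.113.0/28, so the policy treats him as off-network.

# Live equivalents (Policy.Read.All and AuditLog.Read.All):
#   $loc    = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Corporate office'"
#   $ranges = $loc.AdditionalProperties.ipRanges.cidrAddress
#   $last   = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'bob@contoso.com'" -Top 5
#   $last | ForEach-Object { Test-TrustedLocation -Ip $_.IPAddress -Ranges $ranges }
```

When the check comes back false for an address the office really does use, the named location is the thing to fix (a second ISP circuit, a new NAT pool or a proxy egress is the usual culprit); when it comes back true, look at the policy's location condition and exclusions instead.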

129
MCQeasy

Your organization has Microsoft Entra ID P2 licenses. You want to automatically detect and respond to compromised identities by requiring MFA when a sign-in risk is medium or above. Which policy should you configure?

A.Enable self-service password reset
B.Configure a Conditional Access policy with sign-in risk condition
C.Configure an Identity Protection user risk policy to require MFA
D.Configure an Identity Protection sign-in risk policy
AnswerB

A Conditional Access policy with the sign-in risk condition set to Medium and High and the grant control 'Require multifactor authentication' remediates risky sign-ins in real time.

Why this answer

Option B is correct. The requirement is keyed to sign-in risk (the probability that this particular authentication is not the account owner), so the policy must evaluate the sign-in risk signal; in Conditional Access that is the Sign-in risk condition, set to Medium and High, with Require multifactor authentication as the grant control. Option D describes the same enforcement configured through the legacy Identity Protection sign-in risk policy page; it works, but Microsoft's guidance is to build risk policies in Conditional Access, where they combine with other conditions and report in the sign-in logs. Option C is wrong because a user risk policy reacts to user risk (evidence the credentials themselves are compromised, such as leaked credentials) and its remediation is a secure password change, not MFA on a risky sign-in.

Option A is wrong because self-service password reset is a recovery feature and takes no action on risk.

130
Multi-Selectmedium

Your company uses Microsoft Entra ID (P2 licensed) and requires that all user logins from untrusted networks be blocked unless the user's device is marked as compliant by Microsoft Intune. You need to implement this requirement. Which TWO components should you use together to achieve this? (Choose two.)

Select 2 answers
A.Privileged Identity Management (PIM)
B.Microsoft Entra Identity Protection
C.Conditional Access policy with device compliance condition
D.Microsoft Intune Device Compliance policy
E.Microsoft Entra Access Reviews
AnswersC, D

Conditional Access can block access from untrusted networks if device is not compliant.

Why this answer

Correct: C (Conditional Access) and D (Intune device compliance policy). The Conditional Access policy targets all users, uses the Locations condition to exclude trusted locations (so it applies only from untrusted networks) and grants access only when the device is marked as compliant; the Intune compliance policy defines what compliant means and reports that state to Entra ID.

Option B is wrong because Identity Protection scores risk but does not evaluate device compliance. Option A is wrong because PIM governs privileged role activation. Option E is wrong because access reviews attest to existing access after the fact.
