1,000 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.
This is exactly what you see during practice — question, options, and a full explanation after you answer.
A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for…Read full explanation
A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?
Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the appr…Read full explanation
A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?
Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authenticat…Read full explanation
Answer at your own pace. Explanation and domain tag shown immediately after each answer.
Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.
Full explanations on every question
Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.
Domain score breakdown
After each session see your score by exam domain so you know exactly where to focus study time.
100% free, forever
No subscription, no trial, no email wall. Start a session in under 10 seconds.
Exam-style questions
Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.