CCNA Secure Identity Access Questions

75 of 130 questions · Page 1/2 · Secure Identity Access topic · Answers revealed

1
MCQ · medium

Refer to the exhibit. A Conditional Access policy is configured to block legacy authentication for Office 365. However, users are still able to access Exchange Online using Outlook (modern authentication). What is the most likely reason?

A. The policy only blocks legacy protocols, not modern authentication
B. The policy does not include Exchange Online
C. The policy does not apply to all users
D. The policy is not enabled
Answer: A

A legacy-authentication block targets the 'Exchange ActiveSync clients' and 'Other clients' client app types; modern authentication clients fall under neither.

Why this answer

The Conditional Access policy is configured to block legacy authentication, which targets protocols like POP3, IMAP, SMTP, and Exchange ActiveSync that do not support modern authentication. Modern authentication (used by Outlook with OAuth 2.0) is not affected by this policy, so users can still access Exchange Online via Outlook. The policy explicitly allows modern authentication flows, making option A correct.

Exam trap

The trap here is that candidates assume 'block legacy authentication' means blocking all older clients, but it specifically targets authentication protocols, not client applications, so modern authentication clients like Outlook (with OAuth) are still allowed.

How to eliminate wrong answers

Option B is wrong because the policy is scoped to Office 365 cloud apps, which includes Exchange Online by default. Option C is wrong because the question does not indicate any user exclusion; even if it applied to all users, the policy would still not block modern authentication. Option D is wrong because if the policy were not enabled, it would not block any authentication at all, but the question states the policy is configured and users are still accessing via modern authentication, implying the policy is active but not blocking the intended traffic.

2
Multi-Select · hard

Which TWO features are available in Microsoft Entra ID Privileged Identity Management (PIM) for managing Azure AD roles? (Choose two.)

Select 2 answers
A. Self-service password reset
B. Just-in-time activation
D. Automatic role assignment based on group membership
E. Approval workflow for role activation
Answers: B, E

JIT activation allows temporary privileged access.

Why this answer

Just-in-time activation is a core feature of Microsoft Entra ID PIM that allows users to request temporary, time-bound assignments to privileged Azure AD roles, reducing standing access and the associated security risk. Approval workflow for role activation is the second core feature: the role settings can name approvers who must accept an activation request, optionally together with a justification, ticket information, and multi-factor authentication, before the role becomes active, so privileged access is granted only when needed and under controlled conditions.

Exam trap

The trap here is that candidates often treat adjacent Entra ID features (MFA enforcement, self-service password reset, group-based assignment) as PIM capabilities because PIM integrates with them, when PIM's own capabilities are eligible assignments with just-in-time activation and approval workflows for role activation.

3
MCQ · easy

Your organization uses Microsoft Entra ID and needs to implement a policy that blocks all sign-ins from countries that are not approved. What should you configure?

A. Enable multi-factor authentication for all users
B. Create a Conditional Access policy with a location condition set to block
C. Review sign-in logs and manually block IPs
D. Configure an Identity Protection risk policy
Answer: B

Location condition allows blocking by country.

Why this answer

A Conditional Access policy in Microsoft Entra ID evaluates named locations, which are defined by IP ranges or by country/region. Create a named location containing the approved countries, then build a policy whose location condition includes 'Any location' and excludes that named location, with the grant control set to 'Block access'. Sign-ins from every other country are blocked by policy, without manual intervention.

Exam trap

The trap here is that candidates often confuse location-based blocking with risk-based policies or MFA, assuming that adding authentication factors or reviewing logs can achieve geographic restrictions, but only a Conditional Access policy with a location condition provides a direct, automated block based on country.

How to eliminate wrong answers

Option A is wrong because enabling multi-factor authentication (MFA) for all users does not block sign-ins based on location; it only adds an additional verification step, which does not prevent access from unapproved countries. Option C is wrong because manually reviewing sign-in logs and blocking IPs is not scalable, does not cover dynamic IP ranges, and is not a policy-based solution; it also fails to address the requirement for a continuous, automated block. Option D is wrong because an Identity Protection risk policy focuses on detecting and responding to risky user behavior (e.g., leaked credentials, anonymous IP addresses) rather than enforcing static geographic restrictions based on country.

4
MCQ · hard

Refer to the exhibit. A Microsoft Entra ID Conditional Access policy is defined as shown. You observe that the policy is blocking all users from accessing email via Exchange ActiveSync, but users can still access email via Outlook for iOS. What is the most likely reason?

A. The policy is not assigned to any locations
B. The policy does not include all applications
C. The policy does not include all users
D. Outlook for iOS uses a client app type not blocked by the policy
Answer: D

Outlook for iOS uses modern authentication (mobileAppsAndDesktopClients), not the legacy types blocked.

Why this answer

The policy blocks the 'Exchange ActiveSync clients' client app type, which covers native mail apps that speak the EAS protocol with basic authentication. Outlook for iOS uses modern authentication (OAuth 2.0) and is classified under 'Mobile apps and desktop clients', not EAS, so the policy's client app condition does not match it and access is allowed.

Exam trap

The trap here is that candidates assume 'Exchange ActiveSync' blocks all mobile email access, but Microsoft Entra ID distinguishes between legacy EAS protocol and modern authentication clients, so Outlook for iOS bypasses the EAS-specific block.

How to eliminate wrong answers

Option A is wrong because location assignment is not required for a policy to block access; if no locations are specified, the policy applies to all locations by default. Option B is wrong because the exhibit shows the policy targets 'Office 365 Exchange Online' as the cloud app, which includes email; the issue is not about missing applications but about the client app type filter. Option C is wrong because the policy is blocking all users (as stated in the observation), so user assignment is not the limiting factor; the policy applies to all users, but the client app type condition exempts Outlook for iOS.

5
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Entra ID Protection?

Select 2 answers
A. Conditional Access session controls
B. Sign-in risk policy
C. User risk policy
D. Access reviews
E. Role-based access control (RBAC)
Answers: B, C

Sign-in risk policy automates response to risky sign-ins.

Why this answer

Microsoft Entra ID Protection provides two risk-based policies: a sign-in risk policy (Option B) and a user risk policy (Option C). The sign-in risk policy evaluates the likelihood that an authentication request is not legitimate based on real-time signals such as anonymous IP addresses, atypical travel, or malware-linked IPs, and can automatically block or require multi-factor authentication (MFA). The user risk policy assesses the probability that a user's credentials have been compromised, based on events like leaked credentials or suspicious activity, and can force a password reset or block sign-in.

Exam trap

The trap here is that candidates often confuse the risk-based policies of Entra ID Protection (sign-in risk and user risk) with Conditional Access session controls or other Entra ID features like Access Reviews and RBAC, because all are part of the broader Entra ID suite but serve distinct functions.

6
MCQ · medium

Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?

A. Use an Azure Automation runbook to disable users after 90 days
B. Enable 'Inactive users' policy in Identity Protection
C. Configure an access review with 'Auto-apply results' enabled
D. Create a dynamic group based on sign-in activity
Answer: C

Automatically removes users after review.

Why this answer

Option C is correct because configuring an access review with 'Auto-apply results' enabled in Microsoft Entra ID Governance allows you to automatically remove guest users who have not signed in for 90 days from the critical application's access. The access review can be set to evaluate sign-in activity and, upon completion, automatically apply the results (e.g., remove access) without manual intervention, fulfilling the requirement for automated removal.

Exam trap

The trap here is that candidates often confuse Identity Protection's 'Inactive users' policy (which focuses on risk detection) with access reviews (which focus on governance and automated removal based on inactivity), leading them to select Option B instead of C.

How to eliminate wrong answers

Option A is wrong because Azure Automation runbooks are not designed to natively evaluate Entra ID sign-in activity or automatically remove access based on inactivity; they require custom scripting and lack the built-in governance policies for access reviews. Option B is wrong because the 'Inactive users' policy in Identity Protection is used to detect and remediate risky sign-ins, not to automatically remove access based on a 90-day inactivity period for guest users. Option D is wrong because dynamic groups based on sign-in activity cannot directly remove access; they can only manage group membership, and removing a user from a group does not automatically revoke application access unless the application is configured to use that group for access control, which is not the described scenario.
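The 90-day inactivity rule in this question, and the interactive versus non-interactive distinction that question 22 later turns on, are both decided by the signInActivity fields that Microsoft Graph returns on user objects (lastSignInDateTime for interactive sign-ins, lastNonInteractiveSignInDateTime for token refreshes and other sign-ins that happen without the person). The Python below is an added example for this page, not Microsoft code; its user records are constructed in the shape of a Graph GET /users?$select=...,signInActivity response, the account names are placeholders, and the "today" value is fixed so the sample runs offline. It shows why an inactivity review should count only interactive sign-ins by default, and how a never-signed-in account is handled.

```python
"""Evaluate Microsoft Graph signInActivity data against an inactivity policy.

Added example; the records below are constructed in the shape of
GET /users?$select=userPrincipalName,userType,createdDateTime,signInActivity
(reading signInActivity needs AuditLog.Read.All and an Entra ID P1/P2 licence).
"""
from datetime import datetime, timedelta, timezone
from typing import Optional


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """Graph returns ISO 8601 UTC timestamps with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def last_sign_in(user: dict, interactive_only: bool = True) -> Optional[datetime]:
    """Most recent sign-in. By default only interactive sign-ins count, because
    non-interactive ones (token refreshes by cached clients) occur without the person."""
    act = user.get("signInActivity") or {}
    stamps = [_parse(act.get("lastSignInDateTime"))]
    if not interactive_only:
        stamps.append(_parse(act.get("lastNonInteractiveSignInDateTime")))
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def is_inactive(user: dict, as_of: datetime, days: int = 90,
                interactive_only: bool = True) -> bool:
    last = last_sign_in(user, interactive_only)
    if last is None:
        # Never signed in: measure from account creation so a fresh invite is not swept at once.
        created = _parse(user.get("createdDateTime"))
        return created is None or as_of - created >= timedelta(days=days)
    return as_of - last >= timedelta(days=days)


def inactive_guests(users, as_of, days=90, interactive_only=True):
    """UPNs of guest accounts an automated review would remove, in a stable order."""
    return sorted(u["userPrincipalName"] for u in users
                  if u.get("userType") == "Guest"
                  and is_inactive(u, as_of, days, interactive_only))


AS_OF = datetime(2024, 12, 15, tzinfo=timezone.utc)   # fixed "today" for the sample data

# Constructed sample records (placeholder accounts, not a real tenant).
USERS = [
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2023-05-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-08-01T10:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-12-10T03:00:00Z"}},
    {"userPrincipalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2024-02-15T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-11-20T16:30:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-12-14T07:00:00Z"}},
    {"userPrincipalName": "carol_never.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest", "createdDateTime": "2024-06-01T12:00:00Z"},   # invited, never signed in
    {"userPrincipalName": "dave@contoso.com", "userType": "Member",
     "createdDateTime": "2022-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-01T08:00:00Z"}},  # member, not in scope
    # The question 22 scenario: interactive on December 1, non-interactive on December 5.
    {"userPrincipalName": "erin@contoso.com", "userType": "Member",
     "createdDateTime": "2021-09-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-12-01T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2024-12-05T12:00:00Z"}},
]

if __name__ == "__main__":
    print("inactive guests (interactive only):", inactive_guests(USERS, AS_OF))
    print("inactive guests (any sign-in):     ", inactive_guests(USERS, AS_OF, interactive_only=False))
```

With interactive-only counting, alice is removed even though a cached client refreshed her token on December 10, and carol is removed because she never redeemed her invitation; counting any sign-in would keep alice, which is the weaker reading of "inactive". Under a 30-day policy the question 22 user is not inactive either way: the last interactive sign-in is fourteen days old.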

7
MCQ · medium

You are the security administrator for a company that uses Microsoft Entra ID. You need to configure a Conditional Access policy that applies to all users except the emergency break-glass accounts. The policy must require multi-factor authentication (MFA) when accessing the Azure portal from a location that is not trusted. What should you include in the policy?

A. Include all users, exclude break-glass accounts, require MFA for Azure portal, and use 'Locations' condition to specify untrusted locations
B. Include all users, require MFA for Azure portal, and exclude all administrators
C. Include break-glass accounts, require MFA for Azure portal, and block access from untrusted locations
D. Include all users, require MFA for Azure portal, and exclude break-glass accounts
Answer: A

This correctly includes all users except break-glass accounts and uses the location condition to require MFA only from untrusted locations.

Why this answer

Option A is correct because it includes all users, excludes the emergency break-glass accounts to ensure they remain accessible during outages, requires MFA for the Azure portal, and uses the 'Locations' condition to target untrusted locations. This configuration aligns with the requirement to enforce MFA only when accessing Azure portal from untrusted locations, while preserving access for break-glass accounts.

Exam trap

The trap here is that candidates often forget to include the 'Locations' condition to scope the MFA requirement to untrusted locations, leading them to choose Option D which requires MFA for all Azure portal access, not just from untrusted locations.

How to eliminate wrong answers

Option B is wrong because it excludes all administrators, which is too broad and would leave administrative accounts unprotected from untrusted locations, violating the requirement to apply the policy to all users except break-glass accounts. Option C is wrong because it includes break-glass accounts, which should be excluded to maintain their availability during emergencies, and it blocks access from untrusted locations instead of requiring MFA, which is overly restrictive. Option D is wrong because it lacks the 'Locations' condition to specify untrusted locations, so the policy would require MFA for all Azure portal access regardless of location, not just from untrusted locations.
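The Conditional Access scenarios in questions 1, 3, 4 and 7 all come down to how a policy's user, application, client app type and location conditions combine, and whether the grant control is a block or an MFA requirement. The Python evaluator below is an added example for this page, not Microsoft code: it takes policy dictionaries in the shape of the Graph conditionalAccessPolicy resource (constructed here, with placeholder identifiers for the break-glass account, the Azure portal application and the approved-countries named location; "Office365", "All" and "AllTrusted" are the real Graph values) and shows that a legacy-authentication block ignores a modern-authentication client, that an exclusion of the break-glass account wins over an include of all users, and that excluding trusted locations suppresses the MFA requirement from the office.

```python
"""Offline evaluator for Microsoft Entra Conditional Access policy objects.

Added example. The policies follow the field names of the Graph
conditionalAccessPolicy resource but are constructed here, not exported
from a tenant; application and named-location IDs are placeholders.
"""
from dataclasses import dataclass
from typing import Optional

ALL = "All"                 # Graph value: every user / application / location
ALL_TRUSTED = "AllTrusted"  # Graph value: every named location marked trusted
LEGACY_CLIENT_APP_TYPES = ("exchangeActiveSync", "other")

# Placeholder identifiers (assumed for the example, not real tenant values).
BREAK_GLASS = "breakglass-1"
AZURE_PORTAL_APP = "azure-portal-app-id"
APPROVED_COUNTRIES_LOC = "named-location-approved-countries"


@dataclass
class SignIn:
    user_id: str
    app_id: str
    client_app_type: str                 # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    location_id: Optional[str] = None    # named location the source IP fell into, if any
    trusted_location: bool = False       # that named location is marked trusted


def _users_match(cond, s):
    users = cond.get("users", {})
    if s.user_id in users.get("excludeUsers", []):
        return False  # exclusions always win; this is how break-glass accounts are carved out
    inc = users.get("includeUsers", [])
    return ALL in inc or s.user_id in inc


def _apps_match(cond, s):
    inc = cond.get("applications", {}).get("includeApplications", [])
    return ALL in inc or s.app_id in inc


def _client_app_matches(cond, s):
    types = cond.get("clientAppTypes", ["all"])
    return "all" in types or s.client_app_type in types


def _location_matches(cond, s):
    loc = cond.get("locations")
    if loc is None:
        return True  # no location condition: the policy applies from everywhere
    inc, exc = loc.get("includeLocations", []), loc.get("excludeLocations", [])
    if (ALL_TRUSTED in exc and s.trusted_location) or s.location_id in exc:
        return False
    if ALL in inc or (ALL_TRUSTED in inc and s.trusted_location):
        return True
    return s.location_id in inc


def evaluate(policy, s):
    """Return 'block', 'mfa', or None when the policy does not apply to this sign-in."""
    if policy.get("state") != "enabled":
        return None
    c = policy["conditions"]
    if not (_users_match(c, s) and _apps_match(c, s)
            and _client_app_matches(c, s) and _location_matches(c, s)):
        return None
    controls = policy["grantControls"]["builtInControls"]
    if "block" in controls:
        return "block"
    return "mfa" if "mfa" in controls else None


def evaluate_all(policies, s):
    """Combine policies the way the service does: any block wins, then any MFA requirement."""
    results = {evaluate(p, s) for p in policies}
    if "block" in results:
        return "block"
    return "mfa" if "mfa" in results else None


def _policy(name, conditions, control):
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": [control]}}


# Questions 1 and 4: block legacy authentication for Office 365.
BLOCK_LEGACY_AUTH = _policy("Block legacy authentication", {
    "users": {"includeUsers": [ALL]},
    "applications": {"includeApplications": ["Office365"]},
    "clientAppTypes": list(LEGACY_CLIENT_APP_TYPES),
}, "block")

# Question 3: block every location except the named location holding the approved countries.
BLOCK_UNAPPROVED_COUNTRIES = _policy("Block unapproved countries", {
    "users": {"includeUsers": [ALL]},
    "applications": {"includeApplications": [ALL]},
    "locations": {"includeLocations": [ALL], "excludeLocations": [APPROVED_COUNTRIES_LOC]},
}, "block")

# Question 7: MFA for the Azure portal from untrusted locations, break-glass account excluded.
MFA_PORTAL_UNTRUSTED = _policy("MFA for Azure portal from untrusted locations", {
    "users": {"includeUsers": [ALL], "excludeUsers": [BREAK_GLASS]},
    "applications": {"includeApplications": [AZURE_PORTAL_APP]},
    "locations": {"includeLocations": [ALL], "excludeLocations": [ALL_TRUSTED]},
}, "mfa")

POLICIES = [BLOCK_LEGACY_AUTH, BLOCK_UNAPPROVED_COUNTRIES, MFA_PORTAL_UNTRUSTED]

if __name__ == "__main__":
    print(evaluate(BLOCK_LEGACY_AUTH, SignIn("u1", "Office365", "mobileAppsAndDesktopClients")))
    print(evaluate_all(POLICIES, SignIn(BREAK_GLASS, AZURE_PORTAL_APP, "browser",
                                        location_id=APPROVED_COUNTRIES_LOC)))
```

The evaluator is deliberately a subset (no device, platform, or risk conditions, no session controls), but the ordering it encodes matches the exam answers: an excluded user never reaches the grant controls, a policy without a location condition applies from everywhere, and a client app type that is not in the policy's list is simply not in scope, which is why Outlook with OAuth sails past a legacy-authentication block.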

8
MCQ · easy

You need to assign the 'Security Administrator' role in Microsoft Entra ID to a user named User1. The role assignment must be eligible, and User1 must provide a justification when activating the role. What should you use?

A. Direct role assignment in Azure AD roles and administrators
B. Privileged Identity Management (PIM)
C. Global Administrator role with custom activation policy
D. User Administrator role with access reviews
Answer: B

PIM supports eligible roles with activation justification.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID is the only service that supports time-bound, eligible role assignments with activation justification. By configuring a PIM policy for the Security Administrator role, you can require User1 to provide a business justification before the role is activated for a specified duration.

Exam trap

The trap here is that candidates confuse direct role assignment (which is permanent and active) with PIM's eligible assignment (which is time-bound and requires activation), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because direct role assignment in Azure AD roles and administrators makes the role permanently active, not eligible, and does not enforce activation justification. Option C is wrong because the Global Administrator role cannot be assigned with a custom activation policy; activation policies are configured per role in PIM, not via a separate role assignment. Option D is wrong because the User Administrator role does not control activation justification for other roles; it manages user attributes and group memberships, not PIM activation policies.

9
MCQ · easy

Your organization uses Microsoft Entra ID. You need to ensure that users can reset their own passwords without contacting IT. Which feature should you enable?

A. Identity Protection
B. Self-service password reset (SSPR)
C. Multifactor authentication
D. Password Protection
Answer: B

SSPR allows users to reset their own passwords.

Why this answer

Self-service password reset (SSPR) is the correct feature because it allows users to reset their own passwords without IT intervention. SSPR integrates with Microsoft Entra ID and can be configured to require verification methods such as email, phone, or security questions before allowing a password change. This directly meets the requirement of enabling users to reset passwords independently.

Exam trap

The trap here is that candidates often confuse Multifactor Authentication (MFA) with SSPR, thinking MFA alone allows password resets, when in fact MFA is only a verification step within SSPR and does not provide the self-service reset functionality itself.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based conditional access and detection tool that identifies potential vulnerabilities and suspicious sign-ins, but it does not provide password reset capabilities. Option C is wrong because Multifactor Authentication (MFA) adds an extra layer of security during sign-in but does not enable self-service password changes; it can be used as a verification method within SSPR but is not the feature itself. Option D is wrong because Password Protection is a feature that blocks weak or compromised passwords from being used in the directory, but it does not allow users to reset their own passwords.

10
MCQ · easy

Your organization uses Microsoft Entra ID to manage identities. You need to ensure that users can reset their own passwords without help desk intervention, but they must register for self-service password reset (SSPR) first. Which configuration is required?

A. Configure Microsoft Entra Password Protection
B. Enable Privileged Identity Management for SSPR
C. Enable SSPR and set the registration campaign to require registration at next sign-in
D. Enable combined registration for SSPR and Microsoft Entra ID Protection
Answer: C

Requiring registration at sign-in ensures users register before they need SSPR.

Why this answer

Option C is correct. SSPR only works for users who have already registered authentication methods, so enabling SSPR and requiring registration at the next sign-in guarantees that every user registers before they ever need a reset. Option A is wrong because Password Protection bans weak and custom-banned passwords; it has nothing to do with registration or resets.

Option B is wrong because PIM manages eligible assignments of privileged roles, not SSPR. Option D is wrong because combined registration merges the MFA and SSPR registration experiences into one flow but by itself does not require anyone to register.

11
Multi-Select · medium

Which TWO actions should you take to implement a zero-trust identity model using Microsoft Entra ID? (Choose two.)

Select 2 answers
A. Configure password expiration policies to force frequent changes
B. Enable password hash synchronization to Azure AD
C. Configure Privileged Identity Management to require approval for role activation
D. Assign permanent Global Administrator roles to IT staff
E. Implement Conditional Access policies that require MFA and device compliance
Answers: C, E

Enforces just-in-time access.

Why this answer

Options C and E are correct. E is correct because Conditional Access policies that require MFA and a compliant device are the core of a zero-trust identity model: every request is verified explicitly against identity and device health. C is correct because PIM with approval on activation enforces just-in-time access and removes standing privilege.

A is incorrect because forcing frequent password changes verifies neither identity nor device state and tends to produce weaker, predictable passwords. B is incorrect because password hash synchronization on its own only enables cloud authentication; it enforces no policy. D is incorrect because permanent Global Administrator assignments are exactly the standing privilege zero trust removes.

12
Multi-Select · medium

Your organization uses Microsoft Entra ID and wants to implement a secure passwordless authentication strategy. Which TWO solutions can be used natively in Microsoft Entra ID for passwordless sign-in?

Select 2 answers
A. FIDO2 security keys
B. Microsoft Authenticator app with OTP
C. Third-party password managers
D. Windows Hello for Business
E. Duo Security push notifications
Answers: A, D

Supported natively for passwordless sign-in.

Why this answer

FIDO2 security keys are a native passwordless authentication method in Microsoft Entra ID, leveraging the WebAuthn standard to provide phishing-resistant, hardware-based credential verification. They eliminate passwords entirely by using public-key cryptography, where the private key never leaves the device, ensuring strong security against credential theft. Windows Hello for Business is the second native method: it unlocks a device-bound key (protected by the TPM where one is present) with a PIN or biometric gesture and authenticates to Entra ID with that key rather than with a password.

Exam trap

The trap here is that candidates confuse multi-factor authentication methods (like OTP or push notifications) with true passwordless authentication, which requires eliminating the password as a primary factor entirely, not just adding a second factor.

13
Multi-Select · easy

Your company wants to implement a least-privilege model for administrative roles in Microsoft Entra ID. Which TWO features should you use?

Select 2 answers
A. Azure RBAC roles
B. Custom roles in Microsoft Entra ID
C. Conditional Access policies
D. Microsoft Entra B2B external identities
E. Privileged Identity Management (PIM)
Answers: B, E

Allows defining roles with specific permissions.

Why this answer

Custom roles in Microsoft Entra ID allow you to define roles with precisely the permissions needed for specific administrative tasks, enabling a least-privilege model by granting only the required actions on specific resources. Privileged Identity Management (PIM) complements this by providing just-in-time (JIT) activation, time-bound assignments, and approval workflows for those custom roles, ensuring that elevated privileges are only used when necessary and are automatically revoked.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (which manage Azure resources) with Microsoft Entra ID roles (which manage directory objects), leading them to incorrectly select Azure RBAC roles as a feature for Entra ID least-privilege administration.

14
MCQ · hard

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to ensure that all privileged role activations are approved by a manager and require a ticket number. What should you configure in PIM?

A. Role settings for the privileged role
B. Audit history
C. Alerts
D. Access reviews
Answer: A

Role settings allow you to require approval and justification.

Why this answer

Option A is correct because the role settings for a PIM role are where you require approval (and name the approvers), justification, ticket information, and MFA on activation. Option B is wrong because audit history is a log of past activations and assignments. Option C is wrong because alerts only notify you of conditions such as a role being assigned outside PIM.

Option D is wrong because access reviews periodically recertify who holds a role; they do not control activation.

15
MCQ · easy

You are troubleshooting why a user cannot sign in to a custom line-of-business application that is federated with Microsoft Entra ID. The user reports that they are repeatedly prompted for credentials and then receive an error. The application is configured for SAML-based SSO. What is the most likely cause?

A. The user's browser cookies are disabled
B. The application is not registered in the app gallery
C. The SAML certificate has expired or the configuration has a mismatch
D. The user does not have a license for Microsoft Entra ID
Answer: C

Common SAML SSO issue.

Why this answer

When a SAML-based SSO application repeatedly prompts for credentials and then fails, the most common cause is an expired or misconfigured SAML signing certificate. The certificate is used by Microsoft Entra ID to sign SAML assertions; if it has expired, or if the thumbprint, audience URI, or reply URL in the Entra ID configuration does not match what the application expects, the application will reject the assertion and force re-authentication or display an error.

Exam trap

The trap here is that candidates often confuse a SAML certificate expiration/mismatch with a licensing issue or browser configuration problem, but the repeated credential prompt followed by an error is the hallmark of a failed SAML assertion validation, not a missing license or disabled cookies.

How to eliminate wrong answers

Option A is wrong because disabled browser cookies would cause session persistence problems and repeated prompts, but not a SAML assertion validation failure with a specific error; the symptom described is characteristic of a token trust issue, not a cookie storage issue. Option B is wrong because an application does not need to be in the Microsoft Entra ID app gallery to work with SAML SSO; custom line-of-business applications can be added as non-gallery applications and behave identically. Option D is wrong because a user license is not what makes SAML federation work; the free tier of Entra ID supports SAML-based SSO to enterprise applications, and the error is unrelated to license assignment.

16
MCQ · medium

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication method that reduces password-related risks. The solution must support users signing in from unmanaged devices without installing any software. Which authentication method should you prioritize?

A. Windows Hello for Business
B. Certificate-based authentication (CBA)
C. FIDO2 security keys
D. Passwordless phone sign-in (Microsoft Authenticator)
Answer: D

Works from unmanaged devices; nothing is installed on the device the user signs in from.

Why this answer

Passwordless phone sign-in with Microsoft Authenticator is correct because nothing has to be installed on the device the user signs in from: the credential lives in the Authenticator app on the user's own phone, and the browser session on the unmanaged device only displays a number that the user matches in the app. The password is removed from the flow entirely, replaced by a biometric or PIN gesture on the phone that unlocks a key held on that phone, so the method works from any browser on any device, managed or not.

Exam trap

The trap here is that candidates often choose FIDO2 security keys (Option C) because they are strongly phishing-resistant, but they overlook the 'without installing any software' requirement on the signing-in device: a FIDO2 key must be physically present at that device and the platform and browser must support it, whereas phone sign-in uses a device the user already owns and touches nothing on the target machine.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business requires Windows 10/11 devices that are either joined to Entra ID or hybrid-joined, and it does not support unmanaged devices without domain join or registration. Option B is wrong because certificate-based authentication (CBA) requires certificates to be provisioned to the device, which typically involves device management (e.g., Intune) or manual installation, and it does not work on unmanaged devices without software or certificate enrollment. Option C is wrong because FIDO2 security keys require a physical USB or NFC key to be plugged into the signing-in device, which is not a 'no software' solution but rather a hardware dependency, and unmanaged devices may not support the necessary drivers or protocols.

17
MCQ · hard

You executed the PowerShell script shown in the exhibit. What is the result?

A. All users are removed from the Global Administrator role
B. All users are added to the Global Administrator role
C. No users are added because of an error
D. Only users with the Global Administrator role are listed
Answer: B

The script iterates over all users and adds them to the Global Administrator role.

Why this answer

Option B is correct. The script iterates over all users with the @contoso.com suffix and adds each one to the Global Administrator role, a serious security risk because every account then holds standing tenant-wide privilege. Option A is wrong because the script adds role members; it removes none.

Option C is wrong because the script runs without error and the additions succeed. Option D is wrong because the script neither filters on nor lists current role members; it assigns the role.

18
MCQ · hard

Your company uses Microsoft Entra ID with a third-party identity provider (IdP) for federation. Users report that sometimes they are unable to sign in even though the IdP is healthy. You suspect the issue is related to token signing certificate rotation. What should you do to resolve this proactively?

A. Download the new certificate from the IdP and upload it to Microsoft Entra ID manually.
B. Configure automatic certificate rollover in Microsoft Entra ID by enabling 'Federation certificate management' and using Graph API to sync changes.
C. Set up alerts for sign-in failures and manually update the certificate when alerted.
D. Switch to pass-through authentication to bypass federation.
Answer: B

Automation ensures that certificate changes are propagated without manual intervention.

Why this answer

Option B is correct because Microsoft Entra ID supports automatic certificate rollover for federated domains when the third-party IdP publishes updated token-signing certificates via a federation metadata endpoint. By enabling 'Federation certificate management' and using the Microsoft Graph API to sync changes, Entra ID can automatically detect and apply new certificates before the old ones expire, preventing sign-in disruptions without manual intervention.

Exam trap

The trap here is that candidates often assume manual certificate upload (Option A) is the only reliable method, overlooking Entra ID's built-in automatic rollover capability that leverages the federation metadata endpoint for proactive, zero-touch certificate management.

How to eliminate wrong answers

Option A is wrong because manually downloading and uploading the new certificate is reactive and error-prone; it does not proactively prevent outages and contradicts the goal of automated certificate rotation. Option C is wrong because setting up alerts for sign-in failures and manually updating the certificate is a reactive approach that still allows users to experience downtime before the manual update occurs. Option D is wrong because switching to pass-through authentication bypasses federation entirely, which is an architectural change that may not be desired or feasible, and does not address the root cause of certificate rotation issues.

19
MCQ · medium

You are a security administrator for a healthcare organization that uses Microsoft Entra ID and Microsoft 365. The organization must comply with HIPAA regulations, which require that access to protected health information (PHI) is logged and monitored. You need to configure access reviews for all users who have access to SharePoint Online sites containing PHI. The reviews must occur quarterly and be assigned to the respective site owners. Additionally, you need to ensure that inactive guest accounts are automatically removed after 90 days of inactivity. Which actions should you take?

A. Enable Microsoft Entra ID Protection to automatically block guest accounts after 90 days of inactivity. Create manual access reviews for each site using PowerShell.
B. Use Microsoft Purview to create an auto-labeling policy for PHI data. Assign site owners as reviewers and manually remove inactive guests.
C. Create an access review for the security group containing users with access to PHI sites. Assign reviewers as group owners (site owners). Set frequency to quarterly. Configure external collaboration settings to automatically remove guest accounts that have not signed in for 90 days.
D. Create a PIM access review for the SharePoint administrator role. Set frequency to quarterly. Configure Microsoft Entra ID to automatically delete guest accounts after 90 days of inactivity.
Answer: C

Access reviews for groups allow site owners to review access. Inactive guest removal is configured in external settings.

Why this answer

Option C is correct because an access review can target the security group that grants access to the PHI sites, assign the group (site) owners as reviewers, and recur quarterly, and the inactive-guest cleanup described in the option is configured once and then runs without manual steps. Option A is wrong because Identity Protection detects risky sign-ins and risky users; it performs neither access reviews nor inactivity cleanup.

Option B is wrong because Purview auto-labeling classifies the PHI data but does not review who has access to it, and manually removing guests is neither automated nor scalable. Option D is wrong because PIM access reviews cover privileged roles such as SharePoint Administrator, not the general population of users with access to the sites.

20
Multi-Select · medium

Which TWO of the following are methods to enforce MFA in Microsoft Entra ID?

Select 2 answers
A. Identity Protection user risk policy
B. Password Protection
C. Security defaults
D. Conditional Access policy
E. Self-service password reset
Answers: C, D

Security defaults enforce MFA for all users.

Why this answer

Security defaults (Option C) is a method to enforce MFA because it automatically enables MFA for all users in a tenant, along with other baseline security policies, without requiring additional configuration. Conditional Access policy (Option D) is a method to enforce MFA because it allows granular, policy-driven MFA requirements based on conditions such as user, location, device state, or risk level, using the Microsoft Entra ID Conditional Access engine.

Exam trap

The trap here is that candidates often confuse Identity Protection user risk policy (Option A) as a direct MFA enforcement method, but it only detects risk and requires a Conditional Access policy to actually enforce MFA as a control.

21
MCQ · hard

Your organization uses Microsoft Entra ID to manage access for employees and partners. You need to implement a solution that allows partners to self-service request access to specific applications, with approval from their manager, and access expires after 30 days. Which feature should you use?

A. Entitlement Management access packages
B. Azure AD B2B collaboration
C. Privileged Identity Management (PIM)
D. Conditional Access with session restrictions
Answer: A

Provides self-service access with approval and expiration.

Why this answer

Entitlement Management access packages are designed to allow external partners to request access to specific applications through a self-service portal. The feature supports approval workflows (e.g., manager approval) and automatically enforces time-bound access, such as a 30-day expiration. This directly matches the requirement for partner self-service with approval and expiration.

Exam trap

The trap here is that candidates often confuse Azure AD B2B collaboration (which handles identity provisioning) with Entitlement Management (which handles the full lifecycle of access requests, approvals, and expiration), leading them to pick B2B collaboration as the answer.

How to eliminate wrong answers

Option B (Azure AD B2B collaboration) is wrong because it only provides the mechanism to invite external users into the tenant and assign them access, but it does not include built-in self-service request workflows, approval processes, or automatic expiration policies. Option C (Privileged Identity Management (PIM)) is wrong because it is focused on just-in-time privileged role activation for administrators and does not handle self-service access requests for non-privileged applications or partner scenarios. Option D (Conditional Access with session restrictions) is wrong because it enforces access policies (e.g., session timeouts) on already authenticated users, but it does not provide any self-service request, approval, or expiration lifecycle management for partner access.

22
MCQhard

Refer to the exhibit. You are reviewing user sign-in activity using Microsoft Graph API. The user has not performed an interactive sign-in since December 1, but had a non-interactive sign-in on December 5. You need to determine if the user should be considered inactive for a policy that defines inactivity as no interactive sign-in for 30 days. Today is December 15. What should you do?

A.Check if the user has any sign-in in the last 30 days; since there is a non-interactive sign-in, the user is active.
B.Use the lastNonInteractiveSignInDateTime as the last sign-in time, so the user is not inactive.
C.Use the lastSignInDateTime of December 1, which is only 14 days ago, so the user is not inactive.
D.The user is inactive because the account is enabled but there is no interactive sign-in in the last 30 days.
AnswerC

The policy uses interactive sign-ins, and 14 days < 30 days.

Why this answer

Option C is correct because the policy defines inactivity as no interactive sign-in for 30 days. The user's last interactive sign-in was on December 1, which is only 14 days ago as of December 15, so the user is not inactive. Microsoft Graph API's lastSignInDateTime property specifically tracks interactive sign-ins, while non-interactive sign-ins are tracked separately via lastNonInteractiveSignInDateTime and do not reset the interactive inactivity timer.

Exam trap

The trap here is that candidates confuse 'any sign-in' with 'interactive sign-in' and incorrectly assume non-interactive sign-ins reset the inactivity timer, when the policy explicitly specifies only interactive sign-ins count.

How to eliminate wrong answers

Option A is wrong because the policy explicitly defines inactivity based on interactive sign-ins, not any sign-in; non-interactive sign-ins (e.g., token refreshes, service-to-service calls) do not count toward the interactive inactivity threshold. Option B is wrong because lastNonInteractiveSignInDateTime is irrelevant for a policy that only considers interactive sign-ins; using it would incorrectly treat the user as active when they have not performed an interactive sign-in for 30 days. Option D is wrong because the user is not inactive—the last interactive sign-in was only 14 days ago, which is within the 30-day window, so the account being enabled does not change the inactivity status.

23
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. What is the effect of this policy?

A.The policy requires all guest users to use MFA and a compliant device to access Office 365.
B.The policy requires service provider guest users accessing Office 365 to either use MFA or have a compliant device.
C.The policy requires all users accessing Office 365 to use MFA and a compliant device.
D.The policy blocks all external users from accessing Office 365.
AnswerB

The guestOrExternalUserTypes is set to ServiceProvider, and grant controls use OR.

Why this answer

The policy targets 'Guest users' and 'Service provider guest users' specifically, not all users. It applies to the Office 365 cloud app and grants access only if the user satisfies either the MFA requirement or the compliant device requirement (using an OR condition). Option B correctly identifies that service provider guest users must meet one of the two controls to access Office 365.

Exam trap

The trap here is that candidates often misread the grant control logic as 'require all' (AND) when the policy explicitly uses 'require one of the selected controls' (OR), leading them to choose an option that incorrectly mandates both conditions.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that both MFA and a compliant device are required (AND condition), but the policy uses an OR condition (require one of the selected controls). Option C is wrong because the policy targets only guest users and service provider guest users, not all users. Option D is wrong because the policy does not block access; it grants access conditionally based on MFA or compliant device.

24
MCQmedium

You are designing a privileged access strategy for Microsoft Entra ID. Your organization requires that all users who are assigned to the Global Administrator role must perform a privileged elevation only when needed, and the elevation must be approved by a security officer. Which feature should you implement?

A.Microsoft Entra Identity Governance – Privileged Identity Management
B.Azure AD administrative units
C.Conditional Access with session control
D.Microsoft Entra ID protection risk policies
AnswerA

PIM enables JIT activation with approval workflows.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged elevation for roles like Global Administrator, requiring approval from designated approvers (e.g., a security officer) before activation. This directly meets the requirement of elevation only when needed with approval, as PIM manages time-bound role assignments and approval workflows.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls sign-in access) with PIM (which controls role activation), leading them to select Option C because they think session controls can enforce approval for elevation, but Conditional Access cannot manage role activation workflows.

How to eliminate wrong answers

Option B is wrong because Azure AD administrative units restrict administrative scope to specific organizational units (e.g., departments) but do not provide JIT elevation or approval workflows for role activation. Option C is wrong because Conditional Access with session control enforces policies during sign-in (e.g., requiring MFA or device compliance) but cannot control role activation or require approval for elevation. Option D is wrong because Microsoft Entra ID Protection risk policies detect and respond to user or sign-in risks (e.g., blocking risky sign-ins) but do not manage privileged role elevation or approval processes.

25
MCQhard

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Security. You need to ensure that Copilot's access to security data is governed by the principle of least privilege and that usage is auditable. What should you implement?

A.Use Conditional Access policies to restrict Copilot access based on location and device compliance.
B.Implement Microsoft Purview for data governance and assign custom RBAC roles in Copilot for Security.
C.Enable Microsoft Entra ID Protection to detect risky usage of Copilot.
D.Assign the Copilot roles via Privileged Identity Management (PIM) with approval workflows.
AnswerB

Purview provides auditing and labeling; custom RBAC roles enforce least privilege within Copilot.

Why this answer

Option B is correct because Microsoft Purview provides the data governance framework needed to classify, label, and control access to security data, while custom RBAC roles in Copilot for Security allow granular permissions that enforce least privilege. This combination ensures that Copilot only accesses data necessary for its function and that all access is auditable through Purview's audit logs.

Exam trap

The trap here is that candidates often confuse identity-level controls (Conditional Access, PIM) with data-level governance, assuming that restricting who can access Copilot is sufficient, when the question specifically requires governing Copilot's access to security data itself.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control authentication and access to applications based on conditions like location or device compliance, but they do not govern Copilot's internal access to security data or provide the granular data-level permissions required for least privilege. Option C is wrong because Microsoft Entra ID Protection detects and responds to identity-based risks (e.g., compromised credentials) but does not govern or audit Copilot's access to security data; it focuses on user risk, not data governance. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time elevation of privileged roles with approval workflows, but it does not address data governance or the principle of least privilege for Copilot's access to security data; PIM is for role activation, not data-level permissions.

26
MCQeasy

Your organization uses Microsoft Entra ID for identity management. You need to prevent users from using their work accounts to access corporate resources from untrusted locations unless they have registered their devices. Which conditional access policy setting should you configure?

A.Grant access, require approved client app
B.Grant access, require device to be marked as compliant
C.Block access
D.Grant access, require multi-factor authentication
AnswerB

This ensures only compliant devices from untrusted locations can access resources.

Why this answer

Option B is correct because the 'Grant access, require device to be marked as compliant' condition ensures that only devices meeting your organization's compliance policies (e.g., BitLocker enabled, antivirus running, OS patch level) can access corporate resources. When combined with a location condition (e.g., 'All trusted locations' or 'All locations' with an exclusion for trusted IPs), this setting effectively blocks access from untrusted locations unless the device is compliant, which implies it has been registered and managed in Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse 'Require multi-factor authentication' (Option D) as the solution for location-based access control, but MFA does not enforce device registration or compliance, which is the specific requirement in this scenario.

How to eliminate wrong answers

Option A is wrong because 'Require approved client app' controls which applications can be used (e.g., Microsoft Outlook, Teams) but does not enforce device registration or compliance; a user could still access from an unmanaged device using an approved app. Option C is wrong because 'Block access' is an all-or-nothing control that would prevent access from all locations, including trusted ones, unless carefully scoped; it does not provide the conditional requirement of device registration. Option D is wrong because 'Require multi-factor authentication' only adds an authentication factor (e.g., phone call, app notification) but does not verify the device's registration or compliance status; a user could authenticate from an untrusted, unregistered device.

27
Multi-Selecthard

Which THREE of the following are required to configure Microsoft Entra ID self-service password reset (SSPR)?

Select 3 answers
A.Microsoft Entra ID P1 or P2 license
B.Microsoft Entra ID Premium P2 license
C.Password writeback must be enabled
D.Users must register for authentication methods
E.SSPR must be enabled in the tenant
AnswersA, D, E

SSPR requires a P1 or P2 license.

Why this answer

Microsoft Entra ID self-service password reset (SSPR) requires a Microsoft Entra ID P1 or P2 license because the SSPR feature is a premium capability that is not available in the Free or Office 365 app-only licenses. Without at least a P1 license, the tenant cannot enable or use SSPR for users. The P2 license adds additional protections like Identity Protection but is not strictly required for basic SSPR functionality.

Exam trap

The trap here is that candidates often assume password writeback is always required for SSPR, but it is only necessary when integrating with on-premises Active Directory; for cloud-only users, SSPR works without it.

28
MCQeasy

You need to ensure that external users who are invited to collaborate via Microsoft Entra B2B can only access the applications assigned to them. Which configuration should you use?

A.Require guest users to register for MFA before accessing any applications.
B.Create a Conditional Access policy that applies to guest users and targets the specific applications.
C.Configure cross-tenant access settings to block all applications except those assigned.
D.Configure SharePoint external sharing settings to limit application access.
AnswerB

Conditional Access can restrict guest access to specific apps.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID can be scoped to guest/external users and specific applications, allowing you to enforce access controls such as requiring MFA or blocking access for unapproved apps. This directly meets the requirement to restrict B2B guest users to only the applications assigned to them, without affecting other sign-in behaviors or tenant-wide settings.

Exam trap

The trap here is that candidates confuse cross-tenant access settings (which manage trust and sharing at the tenant level) with per-application access control, leading them to choose Option C even though it cannot enforce app-specific restrictions for individual guest users.

How to eliminate wrong answers

Option A is wrong because requiring MFA for guest users does not restrict which applications they can access; it only adds an authentication step, not an authorization boundary. Option C is wrong because cross-tenant access settings control inbound/outbound trust and application access at the tenant level, not per-user or per-application assignment; blocking all except assigned apps would require granular app-level controls that cross-tenant settings do not provide. Option D is wrong because SharePoint external sharing settings only govern sharing of SharePoint and OneDrive content, not access to other Azure AD-integrated applications, and do not enforce application-level assignment restrictions.

29
MCQeasy

You are implementing Microsoft Entra ID Protection. You need to detect and respond to risky user behaviors such as leaked credentials and anonymous IP address usage. Which feature should you enable?

A.Privileged Identity Management
B.Conditional Access policies
C.Risk policies
D.Identity Governance
AnswerC

Risk policies in Identity Protection detect and respond to risky behaviors like leaked credentials.

Why this answer

The correct answer is C: Risk policies. Microsoft Entra ID Protection provides risk policies (user risk and sign-in risk) that automatically detect and respond to risky behaviors. Option D (Identity Governance) manages access reviews and entitlement management. Option A (Privileged Identity Management) manages just-in-time access for privileged roles. Option B (Conditional Access policies) can use risk signals but does not detect them.

30
MCQeasy

You need to ensure that only approved iOS devices can access corporate email. Which Microsoft Intune policy should you configure?

A.Enrollment restriction
B.Device configuration policy
C.App protection policy
D.Device compliance policy
AnswerD

Device compliance policies enforce rules like requiring approved iOS devices.

Why this answer

The correct answer is D: Device compliance policy. This policy defines the rules for device health, including jailbreak detection, that a device must satisfy to be marked compliant. Option C is wrong because app protection policies manage data within apps, not device-level access. Option B is wrong because configuration policies push settings. Option A is wrong because enrollment restrictions limit which devices can enroll, whereas compliance ensures ongoing access.

31
Multi-Selectmedium

Which TWO actions should you perform to implement Microsoft Entra ID Password Protection for an on-premises Active Directory environment? (Choose two.)

Select 2 answers
A.Install the Azure AD Password Protection DC agent on each domain controller
B.Enable password protection for the domain in the Azure portal
C.Enable password hash synchronization
D.Install Azure AD Connect
E.Configure password writeback
AnswersA, B

The DC agent is required to enforce password policies on-premises.

Why this answer

The correct answers are A and B. Password Protection requires installing the DC agent on each domain controller and enabling password protection for the domain. Option D (Install Azure AD Connect) is needed for sync but not specifically for Password Protection. Option E (Configure password writeback) is for self-service password reset. Option C (Enable password hash synchronization) is for Azure AD, not on-premises enforcement.

32
MCQhard

You are designing a Microsoft Entra ID tenant for a multinational organization. The security team requires that all administrative users must use phishing-resistant MFA. Administrators are located in different regions and may use different devices. Which MFA method should you enforce?

A.FIDO2 security keys
B.SMS-based verification
C.Phone call verification
D.Microsoft Authenticator with OTP
AnswerA

FIDO2 security keys provide phishing-resistant authentication.

Why this answer

FIDO2 security keys are the only option that provides phishing-resistant MFA, as they use public-key cryptography and are bound to a specific web origin, preventing credential theft via man-in-the-middle attacks. This satisfies the security team's requirement for all administrative users, regardless of region or device, because FIDO2 keys are hardware-based and interoperable across platforms.

Exam trap

The trap here is that candidates often confuse 'multi-factor authentication' with 'phishing-resistant MFA', and select Microsoft Authenticator with OTP because it is a common MFA method, but it does not protect against real-time phishing attacks where the OTP is captured and replayed.

How to eliminate wrong answers

Option B is wrong because SMS-based verification is vulnerable to SIM-swapping and phishing attacks, and is not considered phishing-resistant. Option C is wrong because phone call verification relies on the PSTN network, which can be intercepted or spoofed, and does not provide phishing resistance. Option D is wrong because Microsoft Authenticator with OTP (time-based one-time password) is susceptible to phishing if the user is tricked into entering the OTP on a fake site, and it does not meet the phishing-resistant requirement.

33
MCQmedium

Your company uses Microsoft Entra ID and Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with your security policies can access corporate email. You configure a Conditional Access policy targeting Exchange Online. Which grant control should you use?

A.Require multifactor authentication
B.Require device to be marked as compliant
C.Block access
D.Require hybrid Azure AD joined device
AnswerB

This grant control checks device compliance status from Intune.

Why this answer

Option B is correct because 'Require device to be marked as compliant' ensures that only compliant devices can access. Option A is wrong because 'Require multifactor authentication' does not check device compliance. Option D is wrong because 'Require hybrid Azure AD joined device' is for domain-joined devices. Option C is wrong because 'Block access' is too restrictive.

34
Multi-Selectmedium

A company plans to implement a Zero Trust identity strategy using Microsoft Entra ID. Which TWO actions should be taken to enforce least-privilege access for administrative roles?

Select 2 answers
A.Configure Privileged Identity Management (PIM) to require approval for role activation
B.Implement Conditional Access policies requiring MFA for all administrative roles
C.Enable legacy authentication for administrative accounts
D.Set guest user permissions to the same level as employees
E.Assign permanent Global Administrator roles to all IT staff
AnswersA, B

PIM enables just-in-time access with approval, enforcing least-privilege.

Why this answer

Options A and B are correct. Using Privileged Identity Management (PIM) for just-in-time access and enabling Conditional Access policies to require MFA for administrative roles align with Zero Trust least-privilege principles. Option E is wrong because permanent role assignment contradicts just-in-time access. Option C is wrong because legacy authentication is less secure. Option D is wrong because guest users are not the focus.

35
MCQhard

Refer to the exhibit. You are reviewing a custom Microsoft Entra role for an application developer. A developer reports that they cannot register an application even though they have the 'applications/create' permission. What is the most likely cause?

A.The developer is not a Global Administrator.
B.The developer does not have permission to consent to application permissions.
C.The role needs to be assigned at the root scope.
D.The role is not assigned to the developer.
AnswerB

Creating an app registration often requires consent capability; the role lacks consent-related actions.

Why this answer

To register applications, the user must also be able to consent to grant permissions. The 'microsoft.directory/applications/create' action allows creating app registrations, but the user may lack the necessary consent permissions (e.g., 'microsoft.directory/applications/update', which includes consent management); alternatively, the user might need to be a Global Administrator to consent to permissions. Although the role definition includes create, update, and delete, so creation itself should succeed, the developer also needs to consent to the application's permissions. The most likely cause is that the developer does not have the 'Consent to applications' permission, which is a separate action that the exhibit does not include.

36
Multi-Selectmedium

Which THREE conditions can be used in a Microsoft Entra ID Conditional Access policy to control access based on sign-in risk? (Choose three.)

Select 3 answers
A.All
B.Low
C.None
D.Medium
E.High
AnswersB, D, E

Low sign-in risk is a valid condition.

Why this answer

Options B, D, and E are correct because Microsoft Entra ID Conditional Access policies allow you to configure sign-in risk as a condition, and Low, Medium, and High are the three available risk levels that can be used to trigger access controls. Sign-in risk is calculated by Microsoft's identity protection service based on real-time signals such as anonymous IP addresses, atypical travel, or leaked credentials, and you can require multi-factor authentication or block access when the risk level meets or exceeds the selected threshold.

Exam trap

The trap here is that candidates may confuse the 'sign-in risk' condition with the 'user risk' condition (which also uses Low, Medium, High) or mistakenly think 'All' or 'None' are valid risk levels, when in fact only Low, Medium, and High are the specific conditions that can be selected to control access based on sign-in risk.

37
MCQhard

You are managing a Microsoft Entra ID tenant with external collaboration enabled. You need to restrict external user access to only the groups and applications they are explicitly granted. You also want to prevent external users from seeing other external users in the tenant directory. Which settings should you configure?

A.Set 'Guest user access restrictions' to 'Guest users have limited access...' and configure 'External collaboration settings' to restrict external user visibility
B.Use Microsoft Entra entitlement management to create access packages for external users
C.Configure cross-tenant access settings to block all external collaboration
D.Set 'Guest user access restrictions' to 'Guest users have same access as members'
AnswerA

This limits guest users to only objects they are assigned and prevents them from seeing other external users.

Why this answer

Option A is correct because collaboration restrictions limit external user visibility to the groups and apps they are assigned, and external users can be prevented from seeing other users. Option D is wrong because that guest user access restrictions setting controls permissions, not visibility. Option C is wrong because cross-tenant access settings are for inbound/outbound trust. Option B is wrong because entitlement management is for access packages.

38
MCQmedium

You have configured the Conditional Access policy shown in the exhibit. Users report that they can still access Exchange Online using legacy authentication protocols. What is the most likely reason?

A.The policy should use 'Require MFA' instead of 'Block'
B.The policy does not include the correct client app types
C.The policy state is set to reporting mode
D.The policy should include 'mobileAppsAndDesktopClients' instead
AnswerC

Reporting mode does not enforce the block.

Why this answer

Option C is correct. The policy state is 'enabledForReportingButNotEnforced', meaning it only reports without blocking. Option B is wrong because legacy authentication is already included in the client app types. Option D is wrong because other clients are already included. Option A is wrong because the policy is a valid block policy.

39
MCQmedium

Your organization uses Microsoft Entra ID. You need to manage access to a line-of-business application that supports SAML 2.0. The application should be integrated as an enterprise application in Entra ID. What steps must you take?

A.Configure user consent settings for the application
B.Register the application in App Registrations and configure SAML
C.Create a new enterprise application as a non-gallery app, configure SAML, assign users, and test
D.Add the application from the Azure AD gallery
AnswerC

This is the standard process for custom SAML apps.

Why this answer

Option C is correct because to integrate a line-of-business application that supports SAML 2.0 as an enterprise application in Microsoft Entra ID, you must create a new enterprise application using the 'Non-gallery application' option, configure SAML-based sign-on with the application's metadata, assign users or groups, and test the integration. This process allows you to define custom SAML attributes and claims specific to the application, which is necessary for non-gallery apps that are not pre-integrated.

Exam trap

The trap here is that candidates confuse App Registrations (used for OAuth/OpenID Connect) with Enterprise applications (used for SAML and gallery apps), leading them to choose Option B instead of correctly selecting the non-gallery enterprise application creation path.

How to eliminate wrong answers

Option A is wrong because configuring user consent settings controls whether users can consent to permissions for applications, but it does not create or integrate the enterprise application itself; consent settings are a separate administrative control. Option B is wrong because registering the application in App Registrations creates a service principal for custom-developed apps, but enterprise applications for SAML integration are created directly under 'Enterprise applications' in the portal, not via App Registrations; App Registrations is for OAuth/OpenID Connect apps, not SAML. Option D is wrong because adding the application from the Azure AD gallery is only possible if the application is pre-integrated and listed in the gallery; for a custom line-of-business application that supports SAML 2.0 but is not in the gallery, you must use the non-gallery option.

40
MCQhard

Your organization uses Microsoft Entra ID and requires that all accesses to sensitive applications be approved by the application owner. You need to implement a solution where users can request access to these applications, and the request is automatically routed to the owner for approval. What should you configure?

A.Microsoft Entra roles and administrative units
B.Entitlement management access packages
C.Privileged Identity Management for groups
D.Cross-tenant access settings
AnswerB

Access packages can require custom approvals from specified approvers.

Why this answer

Option B is correct. Microsoft Entra entitlement management allows you to create access packages requiring approval from the application owner. Option C is wrong because it is for role activation. Option A is wrong because it is for administrative roles. Option D is wrong because it is for external collaboration.

41
MCQhard

You are a security engineer for a company that uses Microsoft Entra ID. You need to implement a solution that automatically blocks sign-ins from users detected as compromised credentials. The solution should work in real-time and require no manual intervention. What should you use?

A.Azure AD Identity Protection weekly digest
B.Conditional Access policy with sign-in risk policy
C.Microsoft Defender for Cloud Apps session policy
D.User risk policy in Microsoft Entra ID Protection
AnswerD

User risk policy automatically blocks users with high risk due to compromised credentials.

Why this answer

Option D is correct. Microsoft Entra ID Protection automatically detects and blocks compromised credentials using user risk policies. Option A is wrong because the weekly digest is a reporting tool and is not real-time. Options B and C are wrong because neither is specific to compromised credentials.

42
MCQhard

Refer to the exhibit. You are reviewing the output of the Get-AzureADGroup PowerShell cmdlet. You need to create a Conditional Access policy that dynamically includes users based on their department attribute set to 'Finance'. Which group should you use in the policy?

A.All Users
B.Sales Team
C.Administrators
D.Finance Team
AnswerD

This group is static; you can use it to assign access, but for dynamic inclusion based on department you should create a dynamic group with the rule user.department -eq 'Finance'. Of the given groups, however, only this one is finance-related.

Why this answer

Option D is correct because the 'Finance Team' group is a dynamic group configured with a membership rule that automatically includes users whose department attribute equals 'Finance'. Conditional Access policies can target dynamic groups, and using this group ensures that only users with the 'Finance' department attribute are included in the policy without manual updates.

Exam trap

The trap here is that candidates may assume any group can be used for dynamic inclusion, but only a dynamic group with the correct membership rule (e.g., department equals 'Finance') will automatically include users based on the attribute, whereas static groups like 'Sales Team' or 'Administrators' require manual membership changes.

How to eliminate wrong answers

Option A is wrong because 'All Users' would include every user in the tenant, not just those with the 'Finance' department attribute, which violates the requirement for dynamic inclusion based on department. Option B is wrong because 'Sales Team' is a static group that contains users from the Sales department, not Finance, so it would not include the intended users. Option C is wrong because 'Administrators' is a role-based group that includes privileged users, not users filtered by the 'Finance' department attribute.

43
MCQeasy

You need to grant a group of users the ability to read Microsoft Entra ID sign-in logs in the Azure portal. Which role should you assign?

A.Security Reader
B.Reports Reader
C.Global Reader
D.Global Administrator
AnswerB

Reports Reader can read sign-in logs.

Why this answer

The Reports Reader role is specifically designed to grant read-only access to monitoring data, including Microsoft Entra ID sign-in logs and audit logs, without granting broader read permissions to the entire directory. This role is the least-privileged option that directly meets the requirement to read sign-in logs in the Azure portal.

Exam trap

The trap here is that candidates often confuse the Security Reader role (which covers security center and security policies) with the Reports Reader role (which specifically covers sign-in and audit logs), leading them to choose Security Reader because it sounds security-focused.

How to eliminate wrong answers

Option A is wrong because the Security Reader role provides read access to security-related data (e.g., security policies, security alerts) but does not include read access to sign-in logs or audit logs. Option C is wrong because the Global Reader role grants read access to all directory resources, which is overly permissive and not the least-privileged role for reading only sign-in logs. Option D is wrong because the Global Administrator role has full administrative access to all directory features, including the ability to modify settings and manage users, which far exceeds the required read-only access to sign-in logs.

44
Multi-Selecthard

You are designing a security baseline for Microsoft Entra ID. Which THREE settings are recommended by Microsoft as part of the identity security baseline?

Select 3 answers
A.Enable risk-based Conditional Access policies
B.Allow self-service group management for all users
C.Set sign-in session timeout to 8 hours
D.Enable MFA for all Global Administrators
E.Block legacy authentication protocols
AnswersA, D, E

Automatically respond to risky sign-ins and users.

Why this answer

Option A is correct because risk-based Conditional Access policies are a core recommendation in the Microsoft identity security baseline. These policies automatically respond to detected user or sign-in risks (e.g., anonymous IP, leaked credentials) by requiring MFA or blocking access, aligning with the Zero Trust principle of continuous verification. Microsoft explicitly includes risk-based policies in its security baseline to proactively mitigate identity threats.

Exam trap

The trap here is that candidates often confuse Microsoft's general best practices (like self-service group management) with the specific, hardened settings in the identity security baseline, which prioritizes risk-based controls and blocking legacy protocols over convenience features.

45
MCQmedium

Refer to the exhibit. You are configuring an Entitlement Management access package. The policy allows any existing user to request access without approval, and access expires after 30 days. However, security requirements dictate that all access to Finance applications must be reviewed by the finance team manager every quarter. What should you add to the policy?

A.Add a connected organization for external users
B.Set 'isApprovalRequiredForAdd' to true
C.Set 'durationInDays' to 90
D.Enable access reviews and assign the finance team manager as reviewer
AnswerD

Adds periodic review as required.

Why this answer

Option D is correct because the security requirement mandates quarterly reviews by the finance team manager, which is exactly what an access review does in Entitlement Management. Access reviews allow you to require periodic attestation of access by a designated reviewer, ensuring ongoing compliance even though the initial request does not require approval. The policy already sets a 30-day expiration, but a quarterly review adds a separate recurring governance check that overrides the shorter duration for compliance purposes.

Exam trap

The trap here is that candidates confuse 'approval at request time' with 'periodic review after access is granted' — the question explicitly says no approval is needed for the initial request, so adding approval (Option B) is incorrect, but the quarterly review (Option D) is a separate governance control that satisfies the security requirement without changing the request flow.

How to eliminate wrong answers

Option A is wrong because a connected organization is used to allow external users from a specific partner or tenant to request access; the scenario specifies 'any existing user' (internal users), so external user configuration is irrelevant. Option B is wrong because setting 'isApprovalRequiredForAdd' to true would require approval at the time of request, but the question explicitly states the policy allows access without approval; adding approval would contradict the requirement. Option C is wrong because setting 'durationInDays' to 90 would extend the access expiration to 90 days, but the requirement is to keep the 30-day expiration and add a quarterly review; changing the duration does not enforce periodic review by the finance team manager.

46
MCQhard

Refer to the exhibit. A user is eligible for a role in PIM. When they activate the role, how long will the activation last?

A.8 hours
B.1 hour
C.24 hours
D.Indefinite
AnswerA

PT8H means 8 hours.

Why this answer

In Azure AD Privileged Identity Management (PIM), the default maximum activation duration for an eligible role is 8 hours. This is configurable by administrators, but the question refers to the standard default setting. When a user activates a role, the activation lasts for this predefined period unless a different duration is explicitly set in the role settings.

Exam trap

The trap here is that candidates may confuse the default activation duration with the default assignment duration (which is permanent by default) or assume the activation lasts indefinitely until deactivated, but PIM always enforces a finite, configurable time limit.

How to eliminate wrong answers

Option B (1 hour) is wrong because while PIM allows activation durations as low as 1 hour, the default maximum is 8 hours, not 1 hour. Option C (24 hours) is wrong because 24 hours is not the default; it is a possible custom value but exceeds the standard default of 8 hours. Option D (Indefinite) is wrong because PIM activations always have a finite duration; indefinite activation would defeat the purpose of just-in-time privileged access and is not supported by default.

47
Multi-Selecthard

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication strategy that satisfies the following requirements:
- Users must not be able to bypass security verification using alternate authentication methods.
- Passwordless authentication should be used where possible.
- Legacy authentication protocols must be blocked.
Which THREE actions should you take? (Choose three.)

Select 3 answers
A.Create a Conditional Access policy to block legacy authentication protocols.
B.Configure per-user MFA to require verification.
C.Enable FIDO2 security keys as an authentication method and configure passwordless sign-in.
D.Enable the 'Security defaults' feature in Microsoft Entra ID.
E.Disable SMS and voice call authentication methods in Microsoft Entra ID.
AnswersA, C, E

Blocks insecure protocols like POP, IMAP, SMTP.

Why this answer

Option A is correct because a Conditional Access policy can explicitly block legacy authentication protocols (such as POP3, IMAP, SMTP, and older Office clients) by targeting 'Exchange ActiveSync' and 'Other clients' in the client apps condition. This prevents users from bypassing modern authentication requirements and ensures that only modern authentication flows (e.g., OAuth 2.0) are allowed, which is a key requirement to block legacy protocols.

Exam trap

The trap here is that candidates often assume Security defaults is the simplest way to block legacy authentication and enforce MFA, but they overlook that Security defaults cannot be customized to selectively enable FIDO2 or disable specific methods, making it incompatible with the requirement for passwordless authentication and granular control.

48
MCQeasy

Refer to the exhibit. You are reviewing a Conditional Access policy JSON definition. What is the MOST likely result of this policy?

A.Users with low sign-in risk accessing Office 365 from trusted locations will be blocked.
B.Only external guest users accessing Office 365 from any location will be blocked.
C.All users accessing Office 365 from trusted locations will be required to perform MFA.
D.All users accessing Office 365 from trusted locations will be blocked.
AnswerD

The policy blocks access from trusted locations for Office 365 apps.

Why this answer

Option D is correct: the policy targets Office 365 applications and blocks access from trusted locations, which is the opposite of typical security requirements. Option A is wrong because low sign-in risk is not a condition here. Option B is wrong because external identities are not explicitly included; the policy applies to 'All' users. Option C is wrong because the policy blocks access, not requires MFA.

49
MCQeasy

You are configuring Microsoft Entra ID Connect to synchronize on-premises Active Directory identities to the cloud. You need to ensure that password hashes are synchronized to enable Microsoft Entra ID Password Protection and Identity Protection. Which option should you enable?

A.Pass-through authentication
B.Federation with AD FS
C.Password hash synchronization
D.Azure AD Connect Health
AnswerC

PHS syncs password hashes for Identity Protection and Password Protection.

Why this answer

Password hash synchronization (PHS) is the correct option because it is the specific feature that synchronizes password hashes from on-premises Active Directory to Microsoft Entra ID. This enables Microsoft Entra ID Password Protection (which blocks weak passwords by comparing against a global banned password list) and Identity Protection (which detects leaked credentials by comparing synchronized hashes against known compromised password databases). Without PHS, these cloud-based security features have no access to the on-premises password hashes.

Exam trap

The trap here is that candidates often confuse Pass-through authentication with Password hash synchronization, assuming that any password validation method that touches on-premises AD will automatically provide hash data for cloud security features, but only PHS actually stores the hashes in Microsoft Entra ID.

How to eliminate wrong answers

Option A is wrong because Pass-through authentication validates passwords directly against on-premises AD without storing password hashes in the cloud, so it does not provide the hash data needed for Password Protection or Identity Protection. Option B is wrong because Federation with AD FS relies on on-premises authentication and does not synchronize password hashes to Microsoft Entra ID, making it incompatible with cloud-only password analysis features. Option D is wrong because Azure AD Connect Health is a monitoring and diagnostics tool for the synchronization infrastructure, not a mechanism for synchronizing password hashes.

50
Multi-Selectmedium

Your organization uses Microsoft Entra ID and has a hybrid identity with Microsoft Entra Connect. You need to ensure that all user password changes and resets are synchronized to the cloud within 30 minutes. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Configure federation with AD FS.
B.Set the Azure AD Connect synchronization frequency to 30 minutes.
C.Enable password writeback in Microsoft Entra Connect.
D.Enable Azure AD Connect Health to monitor synchronization.
E.Configure pass-through authentication for user sign-ins.
AnswersB, C

This ensures password changes are synced every 30 minutes.

Why this answer

Option B is correct because the Azure AD Connect synchronization frequency can be configured to run every 30 minutes (the minimum supported interval) to ensure password changes and resets are synchronized to the cloud within that timeframe. Option C is correct because enabling password writeback in Microsoft Entra Connect allows password changes and resets initiated in the cloud to be written back to the on-premises directory, ensuring bidirectional synchronization within the 30-minute window.

Exam trap

The trap here is that candidates often confuse password writeback (which writes cloud changes to on-premises) with password hash synchronization (which syncs on-premises changes to the cloud), but both are required for bidirectional password sync within the specified time window.

51
MCQeasy

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?

A.One-time passcode (OTP)
B.Microsoft Authenticator app
C.FIDO2 security keys
D.Certificate-based authentication
AnswerA

Built-in feature sending passcode via SMS or email.

Why this answer

Option A is correct because the one-time passcode (OTP) authentication method in Microsoft Entra ID allows users to sign in with a temporary code sent via SMS to their mobile device, requiring no additional app or software installation. This method is specifically designed for scenarios where users cannot or should not install the Microsoft Authenticator app, such as for guest users or in bring-your-own-device (BYOD) environments. The OTP is generated by Entra ID and delivered over the mobile network, satisfying the requirement of no extra software.

Exam trap

The trap here is that candidates often confuse the 'one-time passcode' option with the Microsoft Authenticator app's push notification or time-based code feature, but the question explicitly requires no additional app installation, making the SMS-based OTP the only correct choice.

How to eliminate wrong answers

Option B is wrong because the Microsoft Authenticator app requires installation of a mobile application on the user's device, which contradicts the requirement of 'without requiring any additional app or software installation.' Option C is wrong because FIDO2 security keys are hardware-based devices that must be physically plugged in or used via NFC, and they require additional software (browser support and platform attestation) to function, not meeting the no-software-installation condition. Option D is wrong because certificate-based authentication requires digital certificates to be provisioned and installed on the user's device, which involves software (certificate store, enrollment) and is not a simple one-time passcode delivered via SMS.

52
MCQmedium

Refer to the exhibit. You are configuring a PIM role setting for an Azure AD role. The exhibit shows the activation settings. A user activates the role and provides a justification. An approver from the Security Team does not see any pending requests. What is the most likely reason?

A.The role is permanently assigned
B.The activation duration is set to 0 days
C.The user did not provide a justification
D.The user is a member of the approver group
AnswerD

If the user is in the Security Team, they cannot self-approve; the request may be hidden.

Why this answer

Option D is correct because the user who activated the role is a member of the approver group. In Azure AD Privileged Identity Management (PIM), when a user is both the requester and a member of the approver group, the approval request is automatically approved and does not appear as a pending request for other approvers. This self-approval behavior prevents the request from being visible in the pending requests queue.

Exam trap

The trap here is that candidates assume the issue is with the activation settings or justification, but the real cause is the self-approval behavior when the user is a member of the approver group, which automatically completes the request without leaving a pending item.

How to eliminate wrong answers

Option A is wrong because a permanently assigned role does not require activation at all, so there would be no pending request to see. Option B is wrong because the activation duration cannot be set to 0 days; the minimum activation duration in PIM is 30 minutes (0.5 hours), and a 0-day setting would be invalid. Option C is wrong because the user did provide a justification, as stated in the question, so the absence of justification is not the reason the approver sees no pending requests.

53
MCQmedium

You executed the PowerShell script shown in the exhibit to set a token lifetime policy for an application. What is the effect on users accessing the application?

A.Session tokens expire after 1 hour
B.The policy applies to all applications in the tenant
C.Access tokens expire after 2 hours
D.Users are forced to reauthenticate every hour
AnswerC

The policy sets AccessTokenLifetime to 2 hours.

Why this answer

The PowerShell script sets an access token lifetime of 2 hours via the `New-AzureADPolicy` cmdlet with `TokenLifetimePolicy` type. This policy is then assigned to a specific service principal (application) using `Add-AzureADServicePrincipalPolicy`. Therefore, for users accessing that application, access tokens will expire after 2 hours, requiring a new token to be obtained once the lifetime is exceeded.

Exam trap

The trap here is that candidates confuse access token lifetime with session token lifetime or assume the policy applies tenant-wide, when in fact the `Add-AzureADServicePrincipalPolicy` cmdlet binds it to a specific application.

How to eliminate wrong answers

Option A is wrong because session tokens are not configured in this script; the `TokenLifetimePolicy` specifically controls access token lifetime, not session token lifetime, and the value set is 2 hours, not 1 hour. Option B is wrong because the policy is assigned to a single service principal via `Add-AzureADServicePrincipalPolicy`, making it application-specific, not tenant-wide. Option D is wrong because the policy does not force reauthentication; it only sets the access token lifetime to 2 hours, meaning users may still have a valid session token that allows silent token refresh without reauthentication.

54
Multi-Selecteasy

Which TWO of the following are valid authentication methods in Microsoft Entra ID?

Select 2 answers
A.Temporary Access Pass
B.App registration
C.FIDO2 security key
D.Managed identity
E.Azure AD Connect
AnswersA, C

Temporary Access Pass is a time-limited password used for onboarding.

Why this answer

Temporary Access Pass (TAP) is a valid authentication method in Microsoft Entra ID that allows users to register passwordless methods (like FIDO2 or Microsoft Authenticator) by providing a time-limited passcode. It is designed for scenarios where users have forgotten their credentials or need to onboard new devices without a password. TAP is configured via the Authentication methods policy in Entra ID and supports both one-time use and configurable lifetimes.

Exam trap

The trap here is that candidates confuse identity infrastructure tools (like Azure AD Connect) or workload identities (like Managed identities) with user authentication methods, leading them to select options that are related to identity but not valid for user sign-in.

55
MCQeasy

An organization requires that all Azure SQL Database connections from non-corporate networks must be blocked unless initiated through Azure Bastion. Which Microsoft Entra ID Conditional Access policy setting should be configured?

A.Block access
B.Require sign-in frequency
C.Require multifactor authentication (MFA)
D.Require device to be marked as compliant
AnswerA

Block access combined with a network location policy can block all access from non-corporate networks.

Why this answer

Option A is correct because the requirement is to block all Azure SQL Database connections from non-corporate networks unless they go through Azure Bastion. In Microsoft Entra ID Conditional Access, the 'Block access' control explicitly denies authentication requests that match the policy conditions. By configuring a policy that targets the Azure SQL Database application and includes conditions for non-corporate network locations, the 'Block access' grant effectively enforces the restriction, allowing only connections routed through Azure Bastion (which originates from a corporate network or a trusted IP).

Exam trap

The trap here is that candidates often confuse network-based access control with authentication or device compliance controls, mistakenly selecting 'Require multifactor authentication' or 'Require device to be marked as compliant' instead of the explicit 'Block access' grant that directly enforces the network restriction.

How to eliminate wrong answers

Option B is wrong because 'Require sign-in frequency' controls how often users must re-authenticate, not whether access is permitted from specific networks; it does not block connections from non-corporate networks. Option C is wrong because 'Require multifactor authentication (MFA)' adds an additional authentication factor but does not prevent access from non-corporate networks; users could still connect from those networks after completing MFA. Option D is wrong because 'Require device to be marked as compliant' enforces device health policies but does not restrict access based on network location; a compliant device on a non-corporate network would still be allowed.

56
MCQmedium

Your company uses Microsoft Entra ID with P2 licenses. You need to implement a policy that automatically revokes access for users who are detected as high risk by Microsoft Entra ID Protection. The policy must allow users to self-remediate by performing MFA. What should you configure?

A.Enable the 'Require password change' user risk policy in ID Protection.
B.Create a Conditional Access policy that requires MFA for users with high user risk.
C.Configure a sign-in risk policy in Microsoft Entra ID Protection to require MFA.
D.Configure a user risk policy in Microsoft Entra ID Protection to block access.
AnswerB

Allows high-risk users to satisfy MFA and regain access, while blocking if they fail MFA.

Why this answer

A Conditional Access policy with the 'Require multifactor authentication' grant and a 'High' user risk condition allows users to self-remediate via MFA while blocking access if high risk is detected and MFA is not completed. Option A is wrong because a user risk policy in ID Protection triggers automatic remediation or a block, not user self-remediation. Option C is wrong because a sign-in risk policy focuses on sign-in risk, not user risk. Option D is wrong because it blocks access without self-remediation.

57
Multi-Selecthard

Which THREE of the following can be used to provide just-in-time (JIT) privileged access to Azure resources?

Select 3 answers
A.Conditional Access
B.Privileged Access Groups (PAG)
C.Azure Bastion with just-in-time access
D.Microsoft Entra Privileged Identity Management (PIM)
E.Azure RBAC role assignment
AnswersB, C, D

PAG allows JIT membership.

Why this answer

Privileged Access Groups (PAG) allow you to manage just-in-time (JIT) access by assigning users to a group that has time-bound, activated roles. When a user activates their membership in a PAG via Microsoft Entra Privileged Identity Management (PIM), they receive the necessary permissions for a specified duration, providing JIT privileged access to Azure resources.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access conditions) with just-in-time elevation, or think that any RBAC assignment can be made JIT, when in fact only PIM-based activation (including PAG) provides the time-bound, approval-based elevation required for JIT privileged access.

58
MCQhard

Your organization uses Microsoft Entra ID and has several applications registered. You need to ensure that only specific applications can call a particular web API. The web API is also registered in Microsoft Entra ID. What should you configure?

A.Configure an app role assignment policy for the web API.
B.Set a token lifetime policy on the web API to accept tokens only from approved client applications.
C.Create a Conditional Access policy targeting the web API and require that the client application is managed.
D.In the web API's application registration, configure the 'expose an API' blade to define scopes, and then pre-authorize the specific client applications in the web API's manifest.
AnswerD

Pre-authorization allows the API to accept tokens from specified client apps.

Why this answer

Option D is correct because pre-authorizing specific client applications in the web API's manifest (via the 'expose an API' blade) explicitly grants those clients permission to call the API without requiring user consent. This ensures that only the listed applications can acquire tokens for the API, as the API's application registration defines the scopes and pre-authorizations that control access.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control user access) with application-level permission restrictions, leading them to select Option C, even though Conditional Access cannot filter which client applications can call an API.

How to eliminate wrong answers

Option A is wrong because an app role assignment policy controls which users or groups can be assigned to app roles, not which client applications can call the API. Option B is wrong because token lifetime policies control the lifespan of tokens (e.g., access or refresh tokens), not which client applications are allowed to call the API. Option C is wrong because Conditional Access policies control user access conditions (e.g., device compliance, location) and cannot restrict which client applications can call an API; they apply to users and sign-in risk, not to application-level permissions.

59
MCQmedium

You are designing a privileged identity management strategy for Microsoft Entra ID. You need to ensure that eligible role assignments require approval from a designated group before activation. What configuration is required?

A.Configure the role as eligible and set activation duration
B.Configure a Conditional Access policy with approval control
C.In PIM, configure the role settings to require approval and specify an approver group
D.Create an access review for the role
AnswerC

This enables approval workflow for activation.

Why this answer

Option C is correct because Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure role settings to require approval for activation. By specifying an approver group, you ensure that eligible role assignments cannot be activated without explicit approval from designated members, enforcing a just-in-time (JIT) access control model.

Exam trap

The trap here is that candidates often confuse Conditional Access approval controls (used for session policies) with PIM role activation approval, which is a separate configuration within the role settings in Privileged Identity Management.

How to eliminate wrong answers

Option A is wrong because configuring the role as eligible and setting activation duration only defines the eligibility and time limit for activation, but does not enforce an approval workflow. Option B is wrong because Conditional Access policies with approval control are used for session or sign-in risk scenarios, not for PIM role activation approval. Option D is wrong because creating an access review for the role is a periodic review mechanism to confirm ongoing access, not a real-time approval gate for activation.

60
MCQhard

A company uses Microsoft Entra ID and has a custom application that authenticates via OAuth 2.0 device authorization grant. The app recently started receiving 'access_denied' errors for some users. The errors occur only for users who have Conditional Access policies applied. What change should be made to fix the issue while maintaining security?

A.Require MFA for the application instead of device compliance
B.Disable Conditional Access for the affected users
C.Change the application to use authorization code grant flow
D.Configure the Conditional Access policy to exclude the custom application's service principal from requiring device compliance
AnswerD

Device authorization grant flow does not support device compliance, so exclusion resolves the error.

Why this answer

The correct answer is D: configure the Conditional Access policy to exclude the custom application's service principal from requiring device compliance. The device authorization grant flow does not support device compliance, causing the error. Option A is wrong because MFA can work with device code flow. Option B is wrong because disabling Conditional Access is not secure. Option C is wrong because the error is not due to the authentication method.

61
MCQeasy

You are a security engineer for a company that uses Microsoft Entra ID. You need to ensure that all users accessing the company's Salesforce application from unmanaged devices are prompted for multi-factor authentication (MFA) every time. What should you configure?

A.Enable per-user MFA for all users in the Salesforce application.
B.Create a Conditional Access policy that targets the Salesforce application, apply to all users, include 'All device platforms' with 'Device state' filter for 'Unmanaged', and grant access requiring MFA with session control 'Sign-in frequency - Every time'.
C.Configure device compliance policy to require MFA on non-compliant devices.
D.Configure MFA registration policy to require all users to register MFA.
AnswerB

This enforces MFA on every sign-in for unmanaged devices.

Why this answer

Option B is correct because a Conditional Access policy with a 'Device state' filter for 'Unmanaged' and 'Sign-in frequency - Every time' session control forces MFA prompts on every access attempt from unmanaged devices. This meets the requirement to prompt MFA every time for users accessing Salesforce from unmanaged devices, without affecting managed devices or requiring per-user MFA.

Exam trap

The trap here is that candidates often confuse per-user MFA (Option A) with Conditional Access MFA, not realizing that per-user MFA cannot target specific applications or device states, and that 'Sign-in frequency' is a session control, not a grant control.

How to eliminate wrong answers

Option A is wrong because per-user MFA applies MFA to all sign-ins for the user, regardless of device state or application, and does not provide the granularity to target only unmanaged devices or enforce 'every time' frequency. Option C is wrong because device compliance policies evaluate device health (e.g., encryption, OS version) but do not directly trigger MFA prompts; they can block or grant access but cannot enforce 'Sign-in frequency - Every time' as a session control. Option D is wrong because the MFA registration policy only ensures users have registered MFA methods; it does not enforce MFA prompts during sign-in, nor does it target specific applications or device states.

62
MCQeasy

You are a security administrator for a financial institution. You need to implement a solution that allows users to authenticate using biometrics and prevents password-based attacks. Which Microsoft Entra ID feature should you enable?

A.Microsoft Entra ID Protection
B.Passwordless authentication (FIDO2 or Windows Hello for Business)
C.Password hash synchronization
AnswerB

Passwordless methods eliminate passwords entirely and support biometric authentication.

Why this answer

Option B is correct because passwordless authentication methods like FIDO2 security keys or Windows Hello for Business eliminate passwords and support biometrics. Option A is wrong because Identity Protection detects risks but does not eliminate passwords. Option C is wrong because password hash sync still uses passwords. MFA alone would also be insufficient because it requires something you know (a password) and something you have, but still relies on passwords.

63
MCQhard

You are implementing a B2B collaboration solution in Microsoft Entra ID. You need to ensure that external users from a partner tenant can access your internal applications, but they must use MFA from their home tenant. The partner tenant does not support MFA. What should you do?

A.Configure a Conditional Access policy targeting external users that requires MFA
B.Configure cross-tenant access settings to trust MFA from the partner tenant
C.Use Microsoft Entra ID Governance to enforce MFA
D.Disable MFA for external users
AnswerA

You can enforce MFA directly for external users if their home tenant does not support MFA.

Why this answer

Option A is correct because you can configure a Conditional Access policy that targets external users (guest users) and requires MFA. Since the partner tenant does not support MFA, you cannot rely on cross-tenant trust; instead, you enforce MFA directly in your tenant using Microsoft Entra ID's own MFA capabilities. This ensures external users must complete MFA using your tenant's authentication methods, even if their home tenant lacks MFA support.

Exam trap

The trap here is that candidates often assume cross-tenant trust (Option B) is the only way to handle MFA for external users, but when the partner tenant lacks MFA, you must enforce MFA directly in your own tenant using Conditional Access.

How to eliminate wrong answers

Option B is wrong because cross-tenant trust for MFA requires the partner tenant to support and enforce MFA; since the partner tenant does not support MFA, trusting their MFA claims is impossible. Option C is wrong because Microsoft Entra ID Governance focuses on identity lifecycle, access reviews, and entitlement management, not on enforcing MFA for external users in a Conditional Access context. Option D is wrong because disabling MFA for external users would weaken security and violate the requirement that external users must use MFA.

64
MCQhard

A company is implementing Privileged Identity Management (PIM) in Microsoft Entra ID for Azure resources. The security team wants to ensure that all privileged role activations require approval and are logged. They also want to require Azure MFA during activation. However, they notice that some users are able to activate roles without approval. What is the most likely cause?

A.Users have permanent eligible assignments that bypass approval
B.The audit log is not enabled for PIM
C.Users are assigned the role directly instead of through eligibility
D.The role settings for approval are not configured at the resource scope, and the users are using inherited settings from a management group
AnswerD

Role settings can be configured at different scopes (management group, subscription, resource group). If the approval requirement is not set at the specific scope, inherited settings may not require approval.

Why this answer

Option D is correct because PIM role settings for Azure resources can be configured at the management group, subscription, or resource group scope. If approval is required only at the subscription scope but users activate roles at a resource group scope that inherits from a management group where approval is not configured, the activation will proceed without approval. This is a common misconfiguration where the approval requirement is not applied at the correct scope.

Exam trap

The trap here is that candidates assume PIM role settings are applied globally or uniformly across all scopes, but Azure resource PIM settings are scoped and inherited, so a missing approval configuration at a higher scope (like a management group) can silently bypass approval requirements at lower scopes.

How to eliminate wrong answers

Option A is wrong because permanent eligible assignments still require activation and are subject to the role settings (including approval) configured for that role; there is no concept of 'bypassing approval' for eligible assignments. Option B is wrong because the audit log being disabled would prevent logging of activations, but it does not affect whether approval is required during activation. Option C is wrong because if users are assigned the role directly (permanent active assignment), they do not need to activate at all, so they would not see an activation approval prompt; however, the question states users are 'able to activate roles without approval,' implying they are using activation, which means they have eligible assignments, not direct assignments.

65
MCQhard

You are a security architect for Contoso, a global financial services company with 10,000 employees. Contoso uses Microsoft Entra ID (P2 licensed), Microsoft Intune, and Microsoft Defender for Cloud Apps. All corporate devices are enrolled in Intune and marked as compliant. The company is adopting Microsoft Copilot for Microsoft 365 to boost productivity. The security team requires that access to Copilot for Microsoft 365 be restricted to users who have completed the required training (confirmed by HR system). Additionally, any access to Copilot from unmanaged devices must be blocked. You need to design an access control solution that meets these requirements with minimal administrative overhead and without custom code. Which action should you take?

A.Create a dynamic group in Microsoft Entra ID based on the department attribute and assign the Copilot license to that group.
B.Create an access package in Microsoft Entra ID Governance that includes the Copilot for Microsoft 365 app, with a policy requiring a custom extension to verify training completion via the HR system, and configure Conditional Access to allow access only from compliant devices.
C.Use Microsoft Entra Identity Protection to create a risk policy that blocks access if the user's training is incomplete.
D.Configure Privileged Identity Management (PIM) for the Copilot for Microsoft 365 application, requiring approval for activation.
AnswerB

Access packages can manage user access with policies, and Conditional Access can enforce device compliance.

Why this answer

Option B is correct: use Microsoft Entra ID Governance with access packages. An access package policy can require a custom extension that verifies training completion against the HR system, and the accompanying Conditional Access policy restricts access to compliant (managed) devices, so both requirements are met without custom code. Option D is wrong because PIM is for privileged roles, not for user access to applications.

Option A is wrong because dynamic groups only determine group membership; they do not enforce device compliance or check training status. Option C is wrong because Identity Protection does not evaluate HR-based attributes or device compliance in a single policy.

66
MCQhard

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user accounts and enable self-service password reset (SSPR) for cloud users. You have set up Microsoft Entra Connect Sync. Which additional configuration is required to allow password writeback for SSPR?

A.Enable password writeback in Microsoft Entra Connect and assign Azure AD Premium licenses
B.Configure pass-through authentication
C.Enable password hash synchronization
D.Install the Azure AD Password Protection proxy
AnswerA

Writeback requires Premium licenses and enabling the feature.

Why this answer

Option A is correct because password writeback requires an Azure AD Premium license and the writeback feature enabled in Microsoft Entra Connect. Option C is incorrect because password hash synchronization alone does not enable writeback. Option B is incorrect because pass-through authentication is not required for writeback.

Option D is incorrect because Password Protection is a separate feature.

67
MCQmedium

Your company uses Microsoft Entra ID and has Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud apps based on user behavior. Which feature should you use?

A.Conditional Access for Cloud Apps (session control)
B.Information Protection (DLP)
C.Cloud Discovery
D.Application Proxy
AnswerA

Session control allows real-time monitoring and control of user actions.

Why this answer

Option A is correct because session control in Conditional Access for Cloud Apps enables real-time monitoring and control of user actions. Option D is wrong because Application Proxy publishes on-premises apps. Option B is wrong because DLP protects data, not user behaviour.

Option C is wrong because Cloud Discovery identifies shadow IT.

68
MCQhard

You are the security engineer for Contoso, a multinational company with 50,000 users in Microsoft Entra ID Premium P2. The company has a strict security policy requiring that all administrative actions be performed using just-in-time (JIT) access with approval, and that all privileged role activations be audited. Additionally, you need to ensure that Global Administrators are required to use phishing-resistant MFA (e.g., FIDO2 security keys) when activating their role. You have already configured Privileged Identity Management (PIM) for Azure AD roles. However, during a recent audit, you discovered that several Global Administrators were able to activate their role using only a text message (SMS) for MFA, violating the policy. You need to enforce the use of phishing-resistant MFA for all privileged role activations. What should you do?

A.Create a Conditional Access policy that targets all cloud apps and requires authentication strength 'Phishing-resistant MFA'
B.In PIM, configure the role settings to require Azure MFA and set the authentication method to FIDO2
C.Create a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' app and requires authentication strength 'Phishing-resistant MFA'
D.Configure authentication methods policy to allow only FIDO2 security keys for all users
AnswerC

This policy enforces FIDO2 specifically for PIM activation.

Why this answer

Option C is correct because Privileged Identity Management (PIM) role activation is triggered by signing in to the Azure AD Privileged Identity Management application (the PIM blade or API). By creating a Conditional Access policy that targets this specific app and requires the 'Phishing-resistant MFA' authentication strength, you enforce FIDO2 or Windows Hello for Business during the activation step, regardless of the user's baseline MFA method. This directly addresses the audit finding that Global Administrators were using SMS to activate their roles.

Exam trap

The trap here is that candidates mistakenly think PIM role settings can enforce a specific MFA method (like FIDO2) directly, when in reality PIM only requires MFA generically and the method is controlled by Conditional Access policies targeting the PIM application.

How to eliminate wrong answers

Option A is wrong because targeting all cloud apps would apply the phishing-resistant MFA requirement to every application access, not just PIM role activations, which is overly broad and could block legitimate non-privileged access. Option B is wrong because PIM role settings only offer a toggle to 'Require Azure MFA' on activation; they do not allow you to specify a particular authentication method like FIDO2—that granularity is handled by Conditional Access authentication strengths. Option D is wrong because restricting the authentication methods policy to only FIDO2 for all users would prevent users from using other allowed methods (e.g., Microsoft Authenticator) for everyday sign-ins, causing widespread disruption and violating the principle of least privilege for non-administrative tasks.

69
MCQeasy

Your company uses Microsoft Entra ID. You need to block sign-ins from countries where your company does not operate. Which approach should you use?

A.Configure MFA for all users
B.Create a Conditional Access policy to block access from those countries
C.Use Identity Protection user risk policy
D.Add those countries as Named locations
AnswerB

Conditional Access can block sign-ins from specific locations.

Why this answer

Option B is correct because Conditional Access policies can block sign-ins by geographic location. Option A is wrong because MFA does not block by location. Option D is wrong because named locations are only building blocks used by Conditional Access policies; defining them on their own does not block anything.

Option C is wrong because Identity Protection detects risky sign-ins but does not block by country.

70
MCQhard

Your company uses Microsoft Entra ID with hybrid identity. You have a custom line-of-business application that uses SAML 2.0 for authentication. The application is registered in Microsoft Entra ID as an enterprise application. Users report that they are prompted for credentials twice when accessing the app from a domain-joined Windows 10 device. You need to prevent the second prompt. What should you do?

A.Configure the application to include a domain hint (whr parameter) in the SAML request.
B.Create a Conditional Access policy requiring device compliance.
C.Enable Seamless Single Sign-On (SSO) for all users.
D.Implement Password Hash Sync (PHS) for the directory.
AnswerA

A domain hint directs authentication to the on-premises domain, enabling Seamless SSO and eliminating the second prompt.

Why this answer

Option A is correct because the double prompt for SAML apps on domain-joined devices typically occurs when Kerberos authentication to the application's domain fails or when the app expects a different authentication method. Including a domain hint (whr parameter) in the SAML request tells Microsoft Entra ID to use the on-premises domain for authentication, enabling Seamless SSO and avoiding the second prompt. Option C is wrong because Seamless SSO alone may not fix the SAML app issue without a domain hint.

Option D is wrong because Password Hash Sync is unrelated to the SAML authentication flow. Option B is wrong because Conditional Access policies do not affect the number of prompts.

71
MCQmedium

Refer to the exhibit. You are creating a custom Azure RBAC role for a security analyst. The role as shown allows read access to storage accounts. The analyst reports that they cannot read the contents of a blob container in a storage account. Why is this?

A.The role is not assigned to the analyst's user account.
B.The role does not include dataActions to read blob data.
C.The assignable scope is incorrect; it should be at the resource group level.
D.The storage account does not exist in the specified subscription.
AnswerB

Management plane actions do not allow data plane access.

Why this answer

The custom RBAC role only includes read permissions for the storage account's control plane (e.g., listing keys, reading properties) but lacks the necessary dataActions to read blob data. To read blob container contents, the role must include 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' under dataActions, which governs access to the data plane. Without this, the analyst can see the storage account but cannot access the blobs within it.

Exam trap

The trap here is that candidates often assume that 'read' access to a storage account automatically grants read access to its data, but Azure RBAC requires explicit dataActions for data plane operations, a distinction that is frequently tested on the AZ-500 exam.

How to eliminate wrong answers

Option A is wrong because the question states the role is created and assigned, so the issue is not a missing assignment but a missing permission. Option C is wrong because the assignable scope (subscription) is broader than the resource group level and does not prevent reading blob data; the problem is the lack of dataActions, not the scope. Option D is wrong because the storage account exists in the specified subscription (the analyst can see it), and the error is about reading blob contents, not account existence.

72
Multi-Selecthard

Which THREE components are part of Microsoft Entra Conditional Access? (Choose three.)

Select 3 answers
A.Multi-factor authentication service settings
B.Conditions (sign-in risk, device state, location)
C.Access controls (grant, block, session controls)
D.Role assignments
E.Assignments (users, groups, workload identities)
AnswersB, C, E

Conditions define when the policy applies.

Why this answer

Microsoft Entra Conditional Access is a policy-based engine that evaluates signals to enforce access decisions. The three core components are Assignments (who the policy applies to, such as users, groups, or workload identities), Conditions (the signals evaluated, like sign-in risk, device state, or location), and Access Controls (the enforcement actions, such as grant or block access, and session controls). These three elements form the complete structure of a Conditional Access policy.

Exam trap

The trap here is that candidates often confuse the 'Assignments' component (users/groups/workload identities) with Azure RBAC role assignments, but Conditional Access Assignments define who the policy applies to, not what permissions they have.

73
MCQmedium

Refer to the exhibit. A custom role definition is created with the JSON above. A user assigned this role in the Prod resource group attempts to restart a VM but receives an authorization error. What is the most likely cause?

A.The assignable scope should include the subscription
B.The role definition includes 'restart' but not 'start'
C.The role definition lacks the 'Microsoft.Compute/virtualMachines/read' action
D.The user is not assigned the role at the correct scope
AnswerC

The read action is required to perform start/restart operations.

Why this answer

The correct answer is C: the role definition is missing the 'Microsoft.Compute/virtualMachines/read' action. Without read, the user cannot see or interact with the VM, so the restart attempt fails with an authorization error. Option A is wrong because the assignable scope is correct.

Option D is wrong because the user is assigned the role at the Prod resource group, which is the correct scope. Option B is wrong because the role is not missing the restart action.
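The control-plane versus data-plane distinction in Q71 and the missing read action in Q73 both come down to how Azure RBAC matches a requested operation against a role definition's Actions and DataActions. The script below is an added example, not part of this question bank and not Microsoft's authorization code: it applies the wildcard, NotActions and scope-inheritance rules to constructed role definitions shaped like a custom role JSON, and reports which operations a workflow needs that the role does not grant. The role names, subscription ID and resource IDs are constructed; the operation strings are the real resource provider operation names.

```python
"""Check what an Azure RBAC role definition actually grants.

Added example (not from the question bank, not Microsoft's code). It models
the matching rules Azure RBAC applies to a custom role: 'Actions'/'NotActions'
cover the control plane (ARM operations), 'DataActions'/'NotDataActions'
cover the data plane, '*' is a wildcard, names are case-insensitive, and a
NotAction only subtracts from what Actions granted. Role names, the
subscription ID and resource IDs are constructed for illustration.
"""
from __future__ import annotations

import re

# Control-plane operations (Actions) never satisfy a data-plane request
# (DataActions) and vice versa: this is the distinction behind Q71 and Q73.
CONTROL_PLANE = ("Actions", "NotActions")
DATA_PLANE = ("DataActions", "NotDataActions")


def operation_matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters, including '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_plane: bool) -> bool:
    """True if the role grants `operation` on the requested plane."""
    allow_key, deny_key = DATA_PLANE if data_plane else CONTROL_PLANE
    granted = any(operation_matches(p, operation) for p in role.get(allow_key, []))
    excluded = any(operation_matches(p, operation) for p in role.get(deny_key, []))
    return granted and not excluded


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment at a scope applies to that scope and everything beneath it."""
    parent = assignment_scope.lower().rstrip("/")
    child = resource_id.lower().rstrip("/")
    return child == parent or child.startswith(parent + "/")


def missing_operations(role: dict, required: list[tuple[str, bool]]) -> list[str]:
    """Return the required (operation, is_data_plane) entries the role does not grant."""
    return [op for op, is_data in required if not role_permits(role, op, is_data)]


# --- Constructed role definitions in the shape of a custom role JSON ---------
STORAGE_CONTROL_PLANE_READER = {
    "Name": "Storage Control Plane Reader (constructed)",
    "Actions": [
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
    ],
    "NotActions": [],
    "DataActions": [],          # nothing here: blob contents stay unreadable (Q71)
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
}

STORAGE_BLOB_READER_FIXED = dict(
    STORAGE_CONTROL_PLANE_READER,
    Name="Storage Blob Reader (constructed, with dataActions)",
    DataActions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
)

VM_RESTARTER_BROKEN = {
    "Name": "VM Restarter (constructed, missing read)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Prod"],
}

VM_RESTARTER_FIXED = dict(
    VM_RESTARTER_BROKEN,
    Name="VM Restarter (constructed, with read)",
    Actions=VM_RESTARTER_BROKEN["Actions"] + ["Microsoft.Compute/virtualMachines/read"],
)

# What each workflow needs: the portal reads the resource to display it and
# then issues the operation; reading blob content is a data-plane call.
READ_BLOB_CONTENT = [
    ("Microsoft.Storage/storageAccounts/read", False),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True),
]
RESTART_VM_FROM_PORTAL = [
    ("Microsoft.Compute/virtualMachines/read", False),
    ("Microsoft.Compute/virtualMachines/restart/action", False),
]


if __name__ == "__main__":
    for role, workflow in [
        (STORAGE_CONTROL_PLANE_READER, READ_BLOB_CONTENT),
        (STORAGE_BLOB_READER_FIXED, READ_BLOB_CONTENT),
        (VM_RESTARTER_BROKEN, RESTART_VM_FROM_PORTAL),
        (VM_RESTARTER_FIXED, RESTART_VM_FROM_PORTAL),
    ]:
        gaps = missing_operations(role, workflow)
        print(f"{role['Name']}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Running the script shows the two broken roles each missing exactly one operation (the blob data read in the first case, the VM read in the second) and the fixed roles passing. The same `role_permits` check also handles wildcard grants narrowed by NotActions, which is how built-in roles such as Reader are expressed.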

74
Multi-Selectmedium

Which TWO methods can be used to protect privileged accounts in Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Enable external identities for guest users
B.Enable self-service password reset for all users
C.Register all devices with Azure AD
D.Create a Conditional Access policy that requires MFA for privileged roles
E.Configure Privileged Identity Management for just-in-time access
AnswersD, E

MFA adds protection for privileged accounts.

Why this answer

Option D is correct because requiring MFA for privileged roles via a Conditional Access policy adds a critical layer of security, ensuring that even if credentials are compromised, an attacker cannot authenticate without the second factor. This directly mitigates the risk of credential theft for high-privilege accounts. Option E is correct because Privileged Identity Management (PIM) provides just-in-time (JIT) access, reducing the attack surface by granting administrative roles only when needed and for a limited duration, with approval workflows and auditing.

Exam trap

The trap here is that candidates often confuse general security best practices (like SSPR or device registration) with specific privileged account protection mechanisms, overlooking that only MFA enforcement for privileged roles and JIT access via PIM directly reduce the standing privileges and credential exposure of high-value accounts.

75
MCQhard

You are the security architect for a large enterprise that uses Microsoft Entra ID with 50,000 users. The company recently adopted a cloud-first strategy and is migrating on-premises applications to Azure. You need to design a secure identity and access solution that meets the following requirements:
- All access to cloud applications must be authenticated using modern authentication protocols.
- Legacy authentication protocols (such as POP3, IMAP4, SMTP, and basic authentication) must be blocked.
- Users must be required to use multi-factor authentication (MFA) when accessing any application from outside the corporate network.
- Administrative access to Azure resources must be time-bound and require approval.
- The solution must minimize user friction for internal users on the corporate network.
- All sign-in risks must be detected and automatically remediated.
You have deployed Microsoft Entra ID P2 licensing and configured Microsoft Defender for Cloud Apps. Which of the following is the most appropriate combination of actions to meet all requirements?

A.Enable Security defaults for all users and configure risk-based Conditional Access policies for admin roles. Use PIM for time-bound access.
B.Configure device compliance policies in Intune and require compliant devices for access. Use PIM with time-bound roles but without approval. Enable Identity Protection for risk detection.
C.Create a Conditional Access policy to require MFA for all cloud apps and allow legacy authentication for non-interactive service accounts. Use PIM without approval for admin roles.
D.Create a Conditional Access policy to block legacy authentication and require MFA for all users when accessing from outside the corporate network. Exclude trusted locations from MFA. Use PIM with approval for admin roles. Enable Identity Protection for risk detection and automatic remediation.
AnswerD

This meets all requirements: blocks legacy auth, requires MFA for external access, uses trusted locations to minimize friction for internal users, PIM with approval for time-bound admin access, and Identity Protection for risk remediation.

Why this answer

Option D is correct because it addresses all requirements: the Conditional Access policies block legacy authentication, require MFA from outside the corporate network, and exclude trusted locations so internal users are not prompted. PIM with approval provides time-bound admin access. Identity Protection detects and remediates sign-in risks.

Option A is wrong because Security defaults would block legacy auth but enforce MFA globally, causing friction for internal users. Option C is wrong because allowing legacy auth for some accounts violates the requirement to block all legacy auth. Option B is wrong because device compliance does not block legacy auth, and PIM without approval does not meet the approval requirement.
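The policy design chosen in Q75, the PIM-scoped phishing-resistant policy from Q68, and the three policy components from Q72 can all be seen working together in a small evaluator. The script below is an added example, not part of this question bank and not Microsoft's Conditional Access engine: each policy carries assignments (users, apps), conditions (client app type, trusted location) and an access control (block, or grant with a required authentication strength), and a sign-in is evaluated against the whole set. Policy names, group names, user names, IP addresses, the trusted range, and the mapping of completed methods to strengths are constructed for this example; the strength names follow the built-in Entra authentication strengths.

```python
"""Evaluate a sign-in against a small set of Conditional Access policies.

Added example, not from the question bank and not Microsoft's evaluation
engine. Each policy carries assignments (users, apps), conditions (client
app type, location) and an access control (block, or grant with a required
authentication strength). Policy names, groups, users, IP addresses, the
trusted range and the method-to-strength mapping are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Client app types that Conditional Access treats as legacy authentication.
LEGACY_CLIENT_APPS = frozenset({"exchange_activesync", "pop3", "imap4", "smtp", "other_clients"})

# Authentication strengths, weakest to strongest (ranking is this example's own).
STRENGTH_RANK = {"none": 0, "mfa": 1, "passwordless_mfa": 2, "phishing_resistant_mfa": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset | str          # "all", or the groups/roles the policy targets
    apps: frozenset | str           # "all", or app display names
    client_apps: frozenset | None   # None = any client app type
    exclude_trusted_locations: bool
    control: str                    # "block" or "grant"
    required_strength: str = "none"


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    client_app: str
    ip: str
    auth_methods: frozenset         # methods the user completed in this sign-in


def achieved_strength(methods: frozenset) -> str:
    """Classify the completed methods into the strongest strength they satisfy."""
    if methods & {"fido2", "windows_hello_for_business"}:
        return "phishing_resistant_mfa"
    if "authenticator_passwordless" in methods:
        return "passwordless_mfa"
    if "password" in methods and methods & {"sms", "voice", "authenticator_push", "totp"}:
        return "mfa"
    return "none"


def is_trusted(ip: str, trusted_networks: list[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in trusted_networks)


def policy_applies(policy: Policy, signin: SignIn, trusted_networks: list[str]) -> bool:
    """Assignments and conditions together decide whether a policy is in scope."""
    if policy.users != "all" and not (policy.users & signin.groups):
        return False
    if policy.apps != "all" and signin.app not in policy.apps:
        return False
    if policy.client_apps is not None and signin.client_app not in policy.client_apps:
        return False
    if policy.exclude_trusted_locations and is_trusted(signin.ip, trusted_networks):
        return False
    return True


def evaluate(policies, signin: SignIn, trusted_networks: list[str]):
    """Return (decision, matched policy names). A block always wins; otherwise the
    strongest required strength across the matched grant policies must be met."""
    matched = [p for p in policies if policy_applies(p, signin, trusted_networks)]
    blocking = [p.name for p in matched if p.control == "block"]
    if blocking:
        return "block", blocking
    required = max((p.required_strength for p in matched), key=STRENGTH_RANK.get, default="none")
    if STRENGTH_RANK[achieved_strength(signin.auth_methods)] >= STRENGTH_RANK[required]:
        return "allow", [p.name for p in matched]
    return f"require:{required}", [p.name for p in matched]


# --- Constructed policy set: the Q75 design plus the Q68 PIM policy -----------
TRUSTED_NETWORKS = ["203.0.113.0/24"]   # constructed corporate egress range
POLICIES = [
    Policy("CA01 Block legacy authentication", "all", "all", LEGACY_CLIENT_APPS, False, "block"),
    Policy("CA02 Require MFA outside the corporate network", "all", "all", None, True, "grant", "mfa"),
    Policy("CA03 Phishing-resistant MFA for PIM activation",
           frozenset({"Global Administrator"}),            # directory role modelled as a group
           frozenset({"Azure AD Privileged Identity Management"}),
           None, False, "grant", "phishing_resistant_mfa"),
]


if __name__ == "__main__":
    office, remote = "203.0.113.10", "198.51.100.7"
    for s in [
        SignIn("alice", frozenset({"Finance"}), "Exchange Online", "browser", office, frozenset({"password"})),
        SignIn("alice", frozenset({"Finance"}), "Exchange Online", "browser", remote, frozenset({"password"})),
        SignIn("alice", frozenset({"Finance"}), "Exchange Online", "imap4", remote, frozenset({"password"})),
        SignIn("bob", frozenset({"Global Administrator"}), "Azure AD Privileged Identity Management",
               "browser", office, frozenset({"password", "sms"})),
        SignIn("bob", frozenset({"Global Administrator"}), "Azure AD Privileged Identity Management",
               "browser", office, frozenset({"fido2"})),
    ]:
        print(s.user, s.client_app, s.ip, "->", evaluate(POLICIES, s, TRUSTED_NETWORKS))
```

The five constructed sign-ins reproduce the outcomes the questions describe: the office user with a modern client is allowed without a prompt, the same user from outside is asked for MFA, an IMAP client is blocked regardless of location, and the Global Administrator activating through the PIM app is refused with SMS but allowed with a FIDO2 key, because the PIM-scoped policy demands the phishing-resistant strength even though the baseline MFA policy is satisfied.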
