AZ-500 · topic practice

Secure identity and access practice questions

Practise Secure identity and access questions for the Microsoft Azure Security Engineer Associate (AZ-500) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Secure identity and access

What the exam tests

What to know about Secure identity and access

Secure identity and access questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Secure identity and access exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Secure identity and access questions

20 questions · select your answer, then reveal the explanation

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using a one-time passcode sent to their mobile device, without requiring any additional app or software installation. Which authentication method should you enable?

Your company has a Microsoft Entra ID tenant and uses Azure AD Application Proxy to publish on-premises web apps. Users report that they are prompted for their password every time they access the app, even though they selected 'Keep me signed in'. You need to improve the sign-in experience without compromising security. What should you configure?

Your organization is implementing a zero-trust security model using Microsoft Entra ID. You need to ensure that all access requests to sensitive applications are evaluated in real-time based on user behavior and device posture before granting access. Which Microsoft Entra ID feature should you use?

You are configuring a conditional access policy to block access from untrusted locations. The policy should apply to all cloud apps except Microsoft Entra ID Administration. How should you configure the policy?

Your company uses Microsoft Entra ID Governance features for access reviews. You need to ensure that guest users who do not sign in for 90 days are automatically removed from access to a critical application. The removal should happen without manual intervention. What should you configure?

Your organization uses Microsoft Entra ID to manage access for employees and partners. You need to implement a solution that allows partners to self-service request access to specific applications, with approval from their manager, and access expires after 30 days. Which feature should you use?

You are troubleshooting why a user cannot sign in to a custom line-of-business application that is federated with Microsoft Entra ID. The user reports that they are repeatedly prompted for credentials and then receive an error. The application is configured for SAML-based SSO. What is the most likely cause?

Your company has a Microsoft Entra ID tenant with 10,000 users. You need to implement a secure authentication method that reduces password-related risks. The solution must support users signing in from unmanaged devices without installing any software. Which authentication method should you prioritize?

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to implement a solution that detects password changes on-premises and forces re-authentication for active sessions within minutes. Which feature should you enable?

Which TWO of the following are valid configurations for Microsoft Entra ID Conditional Access policies?

Which THREE of the following are capabilities of Microsoft Entra ID Protection?

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

Refer to the exhibit. You are analyzing a Conditional Access policy JSON. The policy requires MFA for Office 365 applications. However, users report that they are still able to access Office 365 without MFA. What is the most likely reason?

Exhibit

{
  "tenantId": "contoso.onmicrosoft.com",
  "authenticationStrength": {
    "allowedAuthMethods": ["password", "mfa"],
    "requireMfa": true
  },
  "conditions": {
    "applications": {
      "includeApplications": ["Office365"]
    },
    "users": {
      "includeUsers": ["all"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa"],
    "termsOfUse": [],
    "customAuthenticationFactors": []
  }
}

Refer to the exhibit. You are reviewing the output of the Get-AzureADGroup PowerShell cmdlet. You need to create a Conditional Access policy that dynamically includes users based on their department attribute set to 'Finance'. Which group should you use in the policy?

Exhibit

Get-AzureADGroup -Top 5 | ConvertTo-Json
[
  {
    "ObjectId": "11111111-1111-1111-1111-111111111111",
    "DisplayName": "All Users",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "22222222-2222-2222-2222-222222222222",
    "DisplayName": "Administrators",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": ["DynamicMembership"]
  },
  {
    "ObjectId": "33333333-3333-3333-3333-333333333333",
    "DisplayName": "External Users",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "44444444-4444-4444-4444-444444444444",
    "DisplayName": "Finance Team",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": []
  },
  {
    "ObjectId": "55555555-5555-5555-5555-555555555555",
    "DisplayName": "Sales Team",
    "SecurityEnabled": true,
    "MailEnabled": false,
    "GroupTypes": ["DynamicMembership"]
  }
]

Refer to the exhibit. You are configuring an Entitlement Management access package. The policy allows any existing user to request access without approval, and access expires after 30 days. However, security requirements dictate that all access to Finance applications must be reviewed by the finance team manager every quarter. What should you add to the policy?

Exhibit

{
  "properties": {
    "displayName": "Finance App Access Package",
    "description": "Access to Finance applications for employees",
    "resources": [
      {
        "originId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "type": "Application"
      }
    ],
    "assignmentPolicies": [
      {
        "accessPackageId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "accessReviewSettings": null,
        "durationInDays": 30,
        "expirationRequired": true,
        "isAccessReviewEnabled": false,
        "isApprovalRequiredForAdd": false,
        "isApprovalRequiredForRemove": false,
        "requestorSettings": {
          "scopeType": "AllExistingDirectorySubjects"
        }
      }
    ]
  }
}

Your organization uses Microsoft Entra ID for identity management. You need to prevent users from using their work accounts to access corporate resources from untrusted locations unless they have registered their devices. Which conditional access policy setting should you configure?

You are implementing Microsoft Entra ID Protection. You need to detect and respond to risky user behaviors such as leaked credentials and anonymous IP address usage. Which feature should you enable?

Your company deploys Microsoft Sentinel for security operations. You need to configure just-in-time (JIT) access for Azure VMs. Which Azure security feature should you integrate with Sentinel?

You are designing a secure access solution for an Azure App Service web application. The application uses Microsoft Entra ID for authentication. You need to ensure that only users from specific partner organizations can access the app. Which configuration should you use?

Your organization uses Microsoft Intune for mobile device management. You need to implement a conditional access policy that only allows access to corporate email from devices that are enrolled in Intune and compliant with security policies. However, the policy is not working for some users who report that they cannot access email even though their devices are compliant. You discover that the users have multiple devices and are signing in from a device that is not enrolled. What should you do?

Frequently asked questions

What does the AZ-500 exam test about Secure identity and access?
Secure identity and access questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Secure identity and access questions in a focused session?
Yes — the session launcher on this page draws every question from the Secure identity and access domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-500 topics?
Use the topic links above to move to related areas, or go back to the AZ-500 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-500 exam covers. They are not copied from any real exam or dump site.