CCNA Implement and manage Microsoft Entra identity and access Questions

75 of 166 questions · Page 1/3 · Implement and manage Microsoft Entra identity and access · Answers revealed

1
Multi-Select · hard

You are deploying Microsoft Entra ID Governance. Which THREE capabilities should you include to meet compliance requirements for access recertification and lifecycle management?

Select 3 answers
A. Identity Protection
B. Access Reviews
C. B2B Collaboration
D. Lifecycle Workflows
E. Entitlement Management
Answers: B, D, E

Access Reviews allow periodic recertification of access.

Why this answer

Access Reviews (B) are a core capability of Microsoft Entra ID Governance that directly enables compliance-driven access recertification. They allow administrators to create recurring reviews of group memberships, application assignments, and privileged roles, ensuring that only authorized users retain access. This satisfies regulatory requirements like SOX, GDPR, or HIPAA by providing attestation workflows and audit trails.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access with governance recertification, or assume B2B Collaboration covers lifecycle management, when in fact only Access Reviews, Lifecycle Workflows, and Entitlement Management directly address compliance-driven access recertification and lifecycle automation.

2
MCQ · medium

Your company is implementing a Zero Trust security model. You need to ensure that all user access requests to corporate resources are verified continuously, not just at the initial sign-in. Which Microsoft Entra ID feature should you use?

A. Continuous Access Evaluation (CAE)
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Verified ID
Answer: A

CAE evaluates access in real-time and can revoke tokens when conditions change.

Why this answer

Continuous Access Evaluation (CAE) is the correct choice because it enforces real-time token validation and policy enforcement for every access request, not just at initial authentication. CAE works by having critical events (e.g., user disablement, IP address change, or risk elevation) trigger a revocation message to the resource provider, which then immediately blocks access—even if the token is still valid. This aligns directly with the Zero Trust principle of 'verify explicitly and continuously' rather than relying on a one-time sign-in.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access policies with continuous enforcement, but Identity Protection only triggers a block at sign-in or via a conditional access policy check, not mid-session for every subsequent request.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Protection) is wrong because it focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not provide continuous, real-time access enforcement for every resource request—it is a risk-detection and remediation tool, not a session-level enforcement mechanism. Option C (Microsoft Entra Privileged Identity Management) is wrong because it manages just-in-time privileged role activation and approval workflows, not continuous verification of all user access requests; it addresses privilege escalation, not ongoing access validation. Option D (Microsoft Entra Verified ID) is wrong because it is a decentralized identity solution for verifying credentials (e.g., employment or education claims) via verifiable credentials, not a mechanism for continuously evaluating access tokens or enforcing policy at runtime.

3
Multi-Select · hard

Which THREE are features of Microsoft Entra ID Governance? (Choose three.)

Select 3 answers
A. Password protection
B. Entitlement management
C. Conditional access policies
D. Access reviews
E. Privileged Identity Management (PIM)
Answers: B, D, E

Entitlement management is governance.

Why this answer

Options B, D, and E are correct. Option C is wrong because conditional access is a separate feature. Option A is wrong because password protection is part of Identity Protection.

4
MCQ · easy

You are troubleshooting a user who cannot sign in to Microsoft Teams. Sign-in logs show error code 53003 with additional details 'Blocked by Conditional Access'. The user is a member of a group that is excluded from the Conditional Access policy. What is the most likely cause?

A. The Conditional Access policy is in Report-only mode.
B. The user's group membership has not yet been updated in the token.
C. The user's device is not compliant.
D. The user is a member of an included group via nested group membership.
Answer: D

Nested groups can cause policy application despite exclusion.

Why this answer

The error indicates a Conditional Access block. If the user is excluded, either the policy was recently changed and has not yet propagated, or the user is also a member of an included group. The most common cause is that the user is a member of an included group indirectly via a nested group, and Conditional Access policies evaluate transitive membership.

So even if the user is directly excluded, if they are in an included group via nesting, the policy applies.
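
A check for this trap, as an added example using the Microsoft Graph PowerShell SDK (not code from the question bank): it lists which of a policy's included and excluded groups a user reaches, and whether each is reached directly or through a nested group. The user principal name and policy id are placeholders.

```powershell
# Added example, not from the question bank. Requires the Microsoft.Graph PowerShell SDK.
# Placeholders: replace the UPN and policy id with values from your tenant.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All'

function Get-CaGroupExposure {
    param(
        [Parameter(Mandatory)] [string] $UserUpn,
        [Parameter(Mandatory)] [string] $PolicyId
    )

    $policy  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $include = @($policy.Conditions.Users.IncludeGroups)
    $exclude = @($policy.Conditions.Users.ExcludeGroups)

    # Direct memberships only (what an admin sees on the user's "Groups" blade).
    $direct = @(Get-MgUserMemberOf -UserId $UserUpn -All | Select-Object -ExpandProperty Id)
    # Transitive memberships resolve nested groups, which is how the policy engine evaluates scope.
    $transitive = @(Get-MgUserTransitiveMemberOf -UserId $UserUpn -All | Select-Object -ExpandProperty Id)

    foreach ($gid in $transitive) {
        $scope = $null
        if ($exclude -contains $gid)     { $scope = 'excluded' }
        elseif ($include -contains $gid) { $scope = 'included' }
        if (-not $scope) { continue }    # group is not referenced by this policy

        $group = Get-MgGroup -GroupId $gid -Property Id, DisplayName
        [pscustomobject]@{
            Group       = $group.DisplayName
            GroupId     = $gid
            PolicyScope = $scope
            Membership  = if ($direct -contains $gid) { 'direct' } else { 'nested' }
        }
    }
}

# A row with PolicyScope 'included' and Membership 'nested' is the path the question describes.
Get-CaGroupExposure -UserUpn 'user@contoso.example' -PolicyId '<policy-id>' | Format-Table -AutoSize
```

Policies that target All users rather than groups show no 'included' row here, so check the policy's user assignment as well.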

5
MCQ · medium

Refer to the exhibit. You need to ensure that users accessing Exchange Online from unmanaged devices are blocked. What should you modify in the policy?

A. Remove the MFA control
B. Add the 'approvedClientApp' grant control with OR
C. Add a session control for app protection policies
D. Change the operator from OR to AND
Answer: D

AND requires both MFA and compliant device, blocking unmanaged devices.

Why this answer

The exhibit shows a conditional access policy with two grant controls: 'Require multi-factor authentication' and 'Require device to be marked as compliant', connected by OR. With OR, users can satisfy either control, so unmanaged devices can still authenticate via MFA alone. Changing the operator to AND forces both MFA and device compliance, blocking access from unmanaged devices that cannot be compliant.

Exam trap

The trap here is that candidates overlook the OR operator and assume both controls are already required, not realizing that OR creates an alternative path that allows unmanaged devices to authenticate with just MFA.

How to eliminate wrong answers

Option A is wrong because removing the MFA control would leave only the device compliance requirement, which still blocks unmanaged devices but weakens security by removing MFA for managed devices. Option B is wrong because adding 'approvedClientApp' with OR would introduce another alternative path, making it even easier for unmanaged devices to bypass the block. Option C is wrong because session controls for app protection policies apply after access is granted (to restrict data exfiltration), not to block initial access from unmanaged devices.
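
The weak and corrected grant controls side by side, as an added example using the Microsoft Graph PowerShell SDK (not code from the exhibit or the question bank); it also audits the tenant for other policies with the same OR gap. The policy id and break-glass group id are placeholders, and the Exchange Online application ID is the well-known first-party value.

```powershell
# Added example, not from the exhibit or the question bank. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Well-known first-party application ID of Exchange Online.
$exchangeOnlineAppId = '00000002-0000-0ff1-ce00-000000000000'

# Weak shape, as in the exhibit: OR lets an unmanaged device in with MFA alone.
$weakGrant = @{
    operator        = 'OR'
    builtInControls = @('mfa', 'compliantDevice')
}

# Corrected shape: AND requires MFA and a compliant device on every sign-in.
$hardenedGrant = @{
    operator        = 'AND'
    builtInControls = @('mfa', 'compliantDevice')
}

function Find-OrBetweenMfaAndCompliance {
    # Audit helper: every policy whose grant controls combine 'mfa' and
    # 'compliantDevice' with OR, i.e. the same gap the question describes.
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $g = $_.GrantControls
        $g -and $g.Operator -eq $weakGrant.operator -and
        ($g.BuiltInControls -contains 'mfa') -and
        ($g.BuiltInControls -contains 'compliantDevice')
    } | Select-Object Id, DisplayName, State
}

# 1. Report policies that still have the OR gap.
Find-OrBetweenMfaAndCompliance | Format-Table -AutoSize

# 2. Fix the policy from the exhibit by changing only the operator (PATCH keeps the other settings).
$policyId = '<policy-id-from-exhibit>'   # placeholder
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policyId -BodyParameter @{
    grantControls = $hardenedGrant
}

# 3. A complete policy with the corrected grant, created in report-only mode so the
#    effect can be checked in sign-in logs before it is enforced.
$newPolicy = @{
    displayName   = 'EXO - require MFA AND compliant device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @('<break-glass-group-id>') }   # placeholder group
        applications = @{ includeApplications = @($exchangeOnlineAppId) }
    }
    grantControls = $hardenedGrant
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $newPolicy
```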

6
MCQ · easy

You need to allow external users from a specific partner organization to access a SharePoint Online site using their own Microsoft Entra ID credentials. Which feature should you configure?

A. Direct Federation
B. Self-service password reset
C. Microsoft Entra B2C
D. Microsoft Entra B2B collaboration
Answer: D

B2B allows external users to access apps with their own credentials.

Why this answer

Option D is correct because B2B collaboration allows external users to sign in with their own identities. Option C is wrong because B2C is for customer-facing apps. Option A is wrong because federation is for identity provider integration, not direct access.

Option B is wrong because self-service password reset is for internal users.

7
MCQ · hard

You are troubleshooting an issue where users from a partner organization cannot access a shared app in your Microsoft Entra ID tenant. The partner uses Microsoft Entra ID with a custom domain. You have configured cross-tenant access settings. Which setting is most likely misconfigured?

A. Outbound cross-tenant access settings for the partner's tenant ID
B. The app's user assignment and provisioning configuration
C. Default inbound cross-tenant access settings for the partner's tenant ID
D. The partner's inbound cross-tenant access settings for your tenant
Answer: C

Inbound settings determine if external users can access your apps.

Why this answer

The default inbound cross-tenant access settings control how external users from other tenants access your tenant's resources. Since the partner cannot access the shared app, the most likely misconfiguration is that the default inbound settings for the partner's tenant ID are set to block access, or the partner's tenant ID is not explicitly allowed in the inbound settings. This overrides any app-level permissions, as cross-tenant access settings act as a gate before user assignment is evaluated.

Exam trap

The trap here is that candidates often focus on app-level configuration (user assignment or provisioning) or confuse inbound/outbound directions, overlooking that cross-tenant access settings act as a mandatory first gate that must explicitly allow the partner's tenant ID before any app access can occur.

How to eliminate wrong answers

Option A is wrong because outbound cross-tenant access settings control how your users access resources in the partner's tenant, not how partner users access your app. Option B is wrong because user assignment and provisioning configuration are app-level settings that only apply after cross-tenant access is allowed; if inbound access is blocked, the app settings are irrelevant. Option D is wrong because the partner's inbound cross-tenant access settings control access to their own resources, not to your tenant's app; you configure settings for your tenant, not the partner's.

8
Multi-Select · easy

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Which TWO authentication methods are considered passwordless by Microsoft? (Choose two.)

Select 2 answers
A. Windows Hello for Business
B. Microsoft Authenticator with notification
C. Password Hash Synchronization
D. FIDO2 security keys
E. SMS-based one-time passcode
Answers: A, D

Windows Hello uses biometrics or PIN, passwordless.

Why this answer

Windows Hello for Business is a passwordless authentication method that uses biometric or PIN-based credentials tied to a user's device, leveraging asymmetric key pairs to authenticate against Microsoft Entra ID without transmitting a password. It satisfies Microsoft's definition of passwordless because the private key never leaves the device, and authentication is performed via a cryptographic challenge-response protocol.

Exam trap

The trap here is that Microsoft Authenticator with notification is often marketed as 'passwordless' in casual contexts, but Microsoft's official documentation strictly classifies it as a multi-factor authentication method, not a passwordless one, because it still requires a password as the first factor.

9
MCQ · easy

Your company uses Microsoft Entra ID and wants to use Microsoft's recommendation to protect against password spray attacks. Which feature should you enable?

A. Smart Lockout
B. Identity Protection
C. Password Hash Synchronization
D. Multifactor Authentication
Answer: A

Smart Lockout locks accounts after repeated failed attempts.

Why this answer

Smart Lockout is Microsoft's recommended feature to protect against password spray attacks because it intelligently locks out bad actors after a threshold of failed attempts while allowing legitimate users to continue. It uses adaptive logic to distinguish between real users and attackers by considering the sign-in pattern and IP address, making it the correct choice for this specific threat.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risky sign-ins) with the direct mitigation feature Smart Lockout, or they assume MFA alone is sufficient to stop password spray attacks, when in fact Smart Lockout is the specific Microsoft-recommended control for this attack vector.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it is a broader risk-detection and remediation service that identifies compromised identities and risky sign-ins, but it does not directly lock out attackers during a password spray attack; it relies on policies like Conditional Access to act on risks. Option C (Password Hash Synchronization) is wrong because it is a synchronization mechanism for password hashes from on-premises AD to Entra ID, not a security feature that mitigates password spray attacks. Option D (Multifactor Authentication) is wrong because while MFA adds a second layer of verification, it does not prevent the initial password spray attempts from being made, and Microsoft recommends Smart Lockout as the primary defense against this brute-force pattern.

10
Multi-Select · medium

Your company uses Microsoft Entra ID with hybrid identity. You need to ensure that when a user is disabled in on-premises Active Directory, the corresponding cloud user is also disabled. Which TWO configurations are required?

Select 2 answers
A. Password writeback
B. Privileged Identity Management
C. Group writeback
D. Microsoft Entra Connect with directory synchronization
E. Disable the on-premises user account
Answers: D, E

Entra Connect synchronizes user attributes including account status.

Why this answer

Directory synchronization (Microsoft Entra Connect) propagates changes, so disabling the on-premises user account synchronizes the disabled state to the cloud user. Option A is wrong because password writeback is for password changes. Option B is wrong because PIM is for privileged access.

Option C is wrong because group writeback is for cloud groups to on-premises. Cloud sync is an alternative to Connect, but Connect (Option D) is typically used.

11
MCQ · hard

Your company is deploying Microsoft Copilot for Microsoft 365. You need to ensure that only users who have completed a specific training course can use Copilot. What should you configure?

A. Use Terms of Use to require acceptance of training policy
B. Configure Authentication strengths to require training certificate
C. Create a Conditional Access policy that requires a custom attribute indicating training completion
D. Assign Copilot licenses only to users who completed training
Answer: C

Conditional Access can use custom security attributes to require a condition.

Why this answer

Option C is correct because a Conditional Access policy can evaluate a custom security attribute assigned to a user or group to enforce access controls. By requiring a custom attribute that indicates training completion, you can block or grant access to Copilot for Microsoft 365 based on that attribute. This approach integrates directly with Microsoft Entra ID's policy engine, allowing granular, attribute-based access control without relying on license assignment or user acceptance.

Exam trap

The trap here is that candidates often confuse license-based assignment (Option D) with attribute-based access control, assuming that simply not assigning a license is sufficient, but Microsoft Copilot for Microsoft 365 can still be accessed via trial or free features if not blocked by a Conditional Access policy; the exam tests your understanding that Conditional Access policies are the correct mechanism for enforcing granular, attribute-driven access restrictions.

How to eliminate wrong answers

Option A is wrong because Terms of Use (ToU) only require a user to accept a policy statement; they do not verify or enforce completion of a specific training course, nor can they evaluate dynamic attributes like training status. Option B is wrong because Authentication strengths control which authentication methods (e.g., FIDO2, certificate-based auth) are allowed during sign-in, not whether a user has completed training; a training certificate is not a standard authentication method and cannot be evaluated by Conditional Access as a condition. Option D is wrong because assigning Copilot licenses only to users who completed training is a manual, administrative approach that does not enforce ongoing compliance; a user could complete training, receive a license, and then later lose the training status without automatic revocation, and it does not integrate with Entra ID's policy engine for real-time enforcement.

12
Multi-Select · hard

Your company uses Microsoft Entra ID P2. You need to configure Identity Protection to automatically remediate high-risk users. Which THREE actions can you configure?

Select 3 answers
A. Require password change
B. Send email to user
C. Block sign-in
D. Require re-registration of MFA
E. Require multifactor authentication
Answers: A, C, E

Standard remediation for compromised users.

Why this answer

Option A (Require password change) is correct for high-risk users. Option C (Block sign-in) is correct as a remediation. Option E (Require multifactor authentication) is correct.

Option D (Require re-registration of MFA) is for MFA registration, not remediation. Option B (Send email to user) is a notification, not remediation.

13
MCQ · medium

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You need to configure a conditional access policy that blocks access from devices that are not compliant with your organization's device compliance policies, as defined by Microsoft Intune. Which assignment should you configure in the policy?

A. Grant > Require hybrid Azure AD joined device
B. Grant > Require multifactor authentication
C. Grant > Require device to be marked as compliant
D. Grant > Require approved client app
Answer: C

This enforces Intune device compliance.

Why this answer

Option C is correct because the 'Require device to be marked as compliant' grant control in a Conditional Access policy enforces access decisions based on the compliance status reported by Microsoft Intune. When a device is marked as non-compliant by Intune (e.g., missing required updates or having an unapproved app), the policy blocks access. This directly meets the requirement to block devices that do not meet the organization's device compliance policies.

Exam trap

The trap here is that candidates often confuse 'device compliance' with 'hybrid Azure AD join' or 'MFA', assuming any of those controls enforce device health, but only the 'Require device to be marked as compliant' grant directly uses Intune's compliance evaluation.

How to eliminate wrong answers

Option A is wrong because 'Require hybrid Azure AD joined device' controls access based on domain join status, not Intune compliance; a hybrid joined device could still be non-compliant with Intune policies. Option B is wrong because 'Require multifactor authentication' addresses identity verification, not device health or compliance; a non-compliant device can still satisfy MFA. Option D is wrong because 'Require approved client app' restricts access to specific applications (e.g., Outlook mobile) but does not evaluate the device's compliance with Intune policies.

14
MCQ · hard

Refer to the exhibit. You run this PowerShell script to disable high-risk users. However, some high-risk users remain enabled. What is the most likely reason?

A. The Set-AzureADUser cmdlet fails for disabled users
B. The script does not have permission to read risky users
C. High-risk users are protected by a Conditional Access policy
D. The Get-AzureADIdentityRiskyUser cmdlet does not support the -Filter parameter
Answer: D

The correct syntax is `Get-AzureADIdentityRiskyUser -Filter "riskLevel eq 'high'"` but the script filters by userPrincipalName first, then checks riskLevel, which might not work as expected because the filter might be invalid.

Why this answer

The Get-AzureADIdentityRiskyUser cmdlet does not support the -Filter parameter. This means the script's attempt to filter for high-risk users using -Filter "riskLevel eq high" will fail, returning no users or an error, so the subsequent Set-AzureADUser cmdlet never runs against the intended high-risk users, leaving them enabled.

Exam trap

Microsoft often tests the misconception that all Get-* cmdlets in Azure AD support the -Filter parameter, when in reality some cmdlets like Get-AzureADIdentityRiskyUser have limited or no filter support, leading candidates to overlook the need for client-side filtering.

How to eliminate wrong answers

Option A is wrong because Set-AzureADUser does not fail for disabled users; it can modify disabled users, and the issue is that the cmdlet never receives the target users. Option B is wrong because the script would need permission to read risky users (e.g., IdentityRiskyUser.Read.All), but the error would be an access denied, not a silent failure to return users; the core problem is the unsupported filter. Option C is wrong because Conditional Access policies do not protect users from being modified by administrative scripts; they enforce access controls during sign-in, not against PowerShell cmdlets.
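
A client-side-filtered version of the remediation script, as an added example using the Microsoft Graph PowerShell SDK rather than the AzureAD module in the exhibit (not code from the question bank). It filters the risky-user list in PowerShell so the outcome does not depend on server-side filter support, and the excluded break-glass account is a placeholder.

```powershell
# Added example, not from the exhibit or the question bank. Requires the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users).
Connect-MgGraph -Scopes 'IdentityRiskyUser.Read.All', 'User.Read.All', 'User.EnableDisableAccount.All'

function Disable-HighRiskUser {
    param(
        [string[]] $ExcludeUpn = @(),   # emergency access accounts that must never be disabled
        [switch]   $WhatIf              # report what would happen without changing anything
    )

    # Pull every risky user, then filter on the client. The result no longer depends on
    # which properties a server-side -Filter accepts, which is the pitfall in the question.
    $high = Get-MgRiskyUser -All | Where-Object {
        $_.RiskLevel -eq 'high' -and $_.RiskState -in @('atRisk', 'confirmedCompromised')
    }

    foreach ($risky in $high) {
        # The riskyUser id is the user's object id.
        $user = Get-MgUser -UserId $risky.Id -Property Id, UserPrincipalName, AccountEnabled

        if ($ExcludeUpn -contains $user.UserPrincipalName) {
            Write-Warning "Skipping excluded account $($user.UserPrincipalName)"
            continue
        }
        if (-not $user.AccountEnabled) { continue }   # already disabled, nothing to do

        if ($WhatIf) {
            Write-Host "Would disable $($user.UserPrincipalName) (risk: $($risky.RiskLevel))"
            continue
        }

        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        [pscustomobject]@{
            User      = $user.UserPrincipalName
            RiskLevel = $risky.RiskLevel
            RiskState = $risky.RiskState
            Action    = 'disabled'
        }
    }
}

# Dry run first; drop -WhatIf to apply. The excluded UPN is a placeholder.
Disable-HighRiskUser -ExcludeUpn @('breakglass1@contoso.example') -WhatIf
```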

15
MCQ · medium

A company uses Microsoft Entra ID and has enabled self-service password reset (SSPR). Users are required to register for SSPR. Management wants to ensure that users from the HR department, who handle sensitive data, must use two methods for authentication during SSPR, while other users can use one method. What is the best way to achieve this?

A. Create a separate SSPR policy for the HR department using PowerShell
B. Use Microsoft Entra ID Governance to create an access package that requires two methods
C. Assign the HR users to a group and configure the SSPR policy for that group in the Entra admin center
D. This is not possible because SSPR authentication method requirements are tenant-wide
Answer: D

SSPR settings are global; you cannot enforce different numbers of methods per group. To achieve this, you would need separate tenants or use Conditional Access for MFA.

Why this answer

SSPR authentication method requirements in Microsoft Entra ID are configured at the tenant level, not per user or group. This means you cannot specify that one group of users must use two methods while others use one; the number of methods required applies uniformly to all users enabled for SSPR. Therefore, option D is correct because the requirement cannot be differentiated by department or group.

Exam trap

The trap here is that candidates assume group-based targeting for SSPR extends to authentication method requirements, when in reality group targeting only controls which users are enabled for SSPR, not the number of methods required, which is a tenant-wide setting.

How to eliminate wrong answers

Option A is wrong because PowerShell can be used to configure SSPR settings, but it cannot override the tenant-wide nature of authentication method requirements; any policy created would still apply to all users. Option B is wrong because Microsoft Entra ID Governance access packages manage resource access and entitlements, not SSPR authentication method requirements, which are a separate feature. Option C is wrong because while you can target SSPR to a group, the number of methods required is a tenant-wide setting and cannot be configured per group in the Entra admin center.

16
MCQ · hard

Your company has a Microsoft 365 tenant with Microsoft Entra ID. You are configuring Conditional Access policies to enforce multifactor authentication (MFA) for all users. However, you want to exclude break-glass emergency access accounts from MFA. What is the recommended best practice for managing these emergency access accounts?

A. Disable sign-in for the emergency access accounts until needed
B. Make the emergency access accounts cloud-only and enforce MFA
C. Configure the emergency access accounts with a long, complex password and exclude them from MFA policies
D. Assign FIDO2 security keys to the emergency access accounts
Answer: C

This ensures access during emergencies without MFA.

Why this answer

Option C is correct because Microsoft recommends that emergency access accounts be configured with a long, complex password and excluded from MFA policies to ensure access during outages. Option D is wrong because FIDO2 keys are not recommended for emergency accounts. Option B is wrong because, although emergency accounts should be cloud-only, enforcing MFA on them defeats the purpose of excluding them from MFA.

Option A is wrong because disabling sign-in for emergency accounts would prevent their use.

17
MCQ · hard

Your company uses Microsoft Entra ID and has a hybrid identity with PHS. You need to ensure that when an on-premises user account is disabled, the corresponding cloud user is also blocked from signing in within 5 minutes. What should you configure?

A. Deploy Azure AD Connect cloud sync
B. Enable password writeback
C. Configure Azure AD Connect to sync the 'userAccountControl' attribute
D. Configure Microsoft Entra Connect Sync to use filtered synchronization
Answer: A

Cloud sync can sync changes more frequently, down to 1 minute, meeting the 5-minute requirement.

Why this answer

Option A (Deploy Azure AD Connect cloud sync) is correct. The on-premises 'userAccountControl' attribute carries the 'ACCOUNTDISABLE' flag, and synchronizing it is what disables the cloud account; Azure AD Connect already syncs account control flags, but its sync cycle runs every 30 minutes by default, which does not meet the 5-minute requirement. Cloud sync can synchronize changes more frequently than 30 minutes, so it is the option that meets the requirement.

Option B (Enable password writeback) is wrong because password writeback handles password changes, not account disablement. Option C (Configure Azure AD Connect to sync the 'userAccountControl' attribute) is wrong because the attribute is already synchronized and the default 30-minute cycle is too slow. Option D (Configure Microsoft Entra Connect Sync to use filtered synchronization) does not help, because filtering which objects are synchronized does not change how quickly a change propagates.

18
MCQ · easy

A company uses Microsoft Entra ID for identity management. The security team wants to ensure that users cannot register applications in the tenant to prevent potential data leakage. Which setting should be configured?

A. Set the 'Admin consent requests' setting to 'Allow'
B. Enable the 'Admin consent workflow'
C. Set 'Users can register applications' to 'No' in User settings
D. Set 'Users can consent to apps accessing company data' to 'No'
Answer: C

This prevents users from registering applications.

Why this answer

Option C is correct because setting 'Users can register applications' to 'No' in the Microsoft Entra ID User settings explicitly prevents non-admin users from creating application registrations in the tenant. This directly addresses the security team's goal of blocking users from registering apps, which could otherwise expose tenant data through misconfigured or malicious applications.

Exam trap

The trap here is that candidates often confuse 'users registering applications' with 'users consenting to applications,' leading them to select Option D, which only controls consent, not the creation of the app registration itself.

How to eliminate wrong answers

Option A is wrong because 'Admin consent requests' setting controls whether users can request admin consent for applications, not whether users can register applications themselves. Option B is wrong because enabling the 'Admin consent workflow' allows users to request admin approval for app permissions, but does not block user-initiated app registration. Option D is wrong because setting 'Users can consent to apps accessing company data' to 'No' prevents users from granting permissions to apps, but does not prevent users from registering new applications in the tenant.

19
MCQ · easy

You are planning a migration from on-premises Active Directory to Microsoft Entra ID using cloud sync. You need to synchronize user passwords so that users can authenticate using their existing passwords. Which feature should you enable?

A. Pass-through Authentication
B. Password Hash Synchronization
C. Federation with AD FS
D. Seamless Single Sign-On
Answer: B

PHS syncs password hashes for cloud authentication.

Why this answer

Password Hash Synchronization (PHS) is the correct feature because it synchronizes the hash of a user's on-premises Active Directory password to Microsoft Entra ID, allowing users to authenticate with the same password without any additional on-premises infrastructure. Cloud sync specifically relies on PHS to replicate password hashes from AD to Entra ID, enabling seamless authentication for cloud-based services.

Exam trap

The trap here is that candidates often confuse Pass-Through Authentication with password synchronization, but PTA does not synchronize hashes—it only validates passwords in real time against on-premises AD, which is not the same as synchronizing passwords for cloud sync.

How to eliminate wrong answers

Option A is wrong because Pass-Through Authentication (PTA) validates passwords directly against on-premises AD without synchronizing password hashes, requiring agents and network connectivity, and does not meet the requirement of synchronizing passwords for cloud sync. Option C is wrong because Federation with AD FS relies on a federated trust and on-premises AD FS servers for authentication, not password synchronization, and adds complexity beyond cloud sync's scope. Option D is wrong because Seamless Single Sign-On (SSO) only provides automatic sign-in for domain-joined devices on corporate networks, but does not synchronize password hashes or enable password-based authentication from non-domain-joined devices.

20
MCQ · hard

A company uses Microsoft Entra ID with group-based licensing. You assign a license to a group, but some members do not receive the license. There are no error messages in the audit logs. What is the most likely cause?

A. Users have the license directly assigned
B. The group has more than 500 members
C. The group is a dynamic group
D. The product license is out of stock
Answer: A

Direct assignments conflict with group assignments.

Why this answer

When a user has a license directly assigned, group-based licensing skips that user because the direct assignment takes precedence. The group licensing engine detects the existing license and does not attempt to reassign it, so no error is logged. This is the most common cause of silent license assignment failures in Microsoft Entra ID.

Exam trap

The trap here is that candidates assume a missing license must be caused by an error or limitation, but Microsoft intentionally designs group-based licensing to silently skip users with direct assignments to avoid duplicate license conflicts.

How to eliminate wrong answers

Option B is wrong because group-based licensing supports groups with up to 500 members per licensing operation, and larger groups are processed in batches without silent failures. Option C is wrong because dynamic groups are fully supported for group-based licensing; the group type does not cause silent license assignment failures. Option D is wrong because Microsoft Entra ID does not have a concept of 'out of stock' for product licenses; license availability is managed at the tenant level and would generate an error if insufficient.

21
Multi-Select · medium

Which TWO of the following are valid conditions that can be used in a Microsoft Entra ID conditional access policy? (Choose two.)

Select 2 answers
A. Network location
B. Sign-in risk
C. Application sensitivity label
D. User risk
E. Device manufacturer
Answers: B, D

Valid condition in conditional access.

Why this answer

Sign-in risk (B) and user risk (D) are both valid conditions in Microsoft Entra ID Conditional Access policies. These risk levels are calculated by Microsoft Entra ID Protection using real-time signals such as anonymous IP addresses, atypical travel, or leaked credentials, and can be used to trigger policies like requiring multi-factor authentication or blocking access.

Exam trap

The trap here is that candidates may confuse 'Network location' with the valid 'Locations' condition, or assume that application sensitivity labels (which are part of Microsoft Purview) can be used directly in Conditional Access policies, when in fact they are not a supported condition.

22
Multi-Selectmedium

You are configuring Microsoft Entra ID for your organization. You need to enable passwordless authentication for users. Which TWO authentication methods are passwordless and supported by Microsoft Entra ID?

Select 2 answers
A.SMS-based one-time passcode (OTP)
B.Hardware OATH tokens
C.Microsoft Authenticator app
D.OAuth 2.0 device authorization grant
E.FIDO2 security keys
AnswersC, E

Supports passwordless phone sign-in.

Why this answer

The Microsoft Authenticator app supports passwordless authentication by allowing users to approve sign-in requests via a notification or a number match on their mobile device, eliminating the need for a password. FIDO2 security keys are also a passwordless method, using public-key cryptography to authenticate users without a password, and are fully supported by Microsoft Entra ID for both Azure AD joined and hybrid joined devices.

Exam trap

The trap here is that candidates often confuse multi-factor authentication methods (like SMS OTP or OATH tokens) with passwordless methods, but passwordless requires the primary authentication factor to be something you have or are, not something you know (a password), and both SMS OTP and OATH tokens still require a password as the first factor in most configurations.

23
MCQhard

Your company deploys Microsoft 365 Copilot. You need to enforce that Copilot responses are based only on data within the tenant, not external sources. Which setting should you configure?

A.Copilot's 'Responses' setting in the Microsoft 365 admin center
B.Sensitivity labels
C.Data Loss Prevention (DLP) policies
D.Microsoft Purview Compliance Manager
AnswerA

This setting restricts Copilot to tenant data.

Why this answer

The 'Responses' setting in the Microsoft 365 admin center controls whether Copilot can use data from external sources (such as the public web) or is restricted to your tenant's data. By configuring this setting to 'Only use data from your organization,' you enforce that Copilot responses are grounded solely in your Microsoft 365 tenant content (emails, documents, chats, etc.), preventing any reliance on external internet sources. This is the direct administrative toggle for Copilot's data grounding scope.

Exam trap

The trap here is that candidates often confuse data source control with data protection features like sensitivity labels or DLP, but the correct answer is the administrative toggle specifically designed for Copilot's grounding scope, not a security or compliance policy.

How to eliminate wrong answers

Option B is wrong because sensitivity labels classify and protect data based on sensitivity (e.g., confidential, general), but they do not control the data sources Copilot can query for generating responses. Option C is wrong because Data Loss Prevention (DLP) policies prevent accidental sharing of sensitive information but have no mechanism to restrict Copilot's grounding to tenant-only data. Option D is wrong because Microsoft Purview Compliance Manager provides compliance score and recommendations for regulatory standards, not a setting to limit Copilot's data source scope.

24
MCQhard

A company has Microsoft Entra ID P2 licenses. They need to implement a conditional access policy that requires multifactor authentication (MFA) when accessing the Microsoft Entra admin center from a non-compliant device. However, they want to allow access from compliant devices without MFA. What is the best approach?

A.Create one conditional access policy with a grant control that combines 'Require compliant device' and 'Require multifactor authentication' as a single control
B.Create one conditional access policy with grant controls set to 'Require one of the selected controls' and select both 'Require compliant device' and 'Require multifactor authentication'
C.Create two conditional access policies: one for compliant devices requiring only compliant device, and one for non-compliant devices requiring MFA and compliant device
D.Create one conditional access policy with grant controls set to 'Require all the selected controls' and select both 'Require compliant device' and 'Require multifactor authentication', and include all devices
AnswerC

This allows MFA only for non-compliant devices, and compliant devices can access without MFA.

Why this answer

Option C is correct because the requirement is to allow access from compliant devices without MFA while requiring MFA from non-compliant devices. This conditional logic cannot be achieved in a single policy with a single grant block because 'Require compliant device' and 'Require multifactor authentication' are both satisfied by compliant devices (which are already compliant), but you need to differentiate behavior based on device compliance state. By creating two policies—one targeting compliant devices with only 'Require compliant device' as a grant, and another targeting non-compliant devices with both 'Require compliant device' and 'Require multifactor authentication'—you can enforce different access requirements based on the device's compliance status.

Exam trap

The trap here is that candidates often think a single policy with 'Require one of the selected controls' can differentiate behavior based on device state, but in reality, a single policy applies the same grant logic to all matching devices, so you must use separate policies to enforce different requirements for compliant vs. non-compliant devices.

How to eliminate wrong answers

Option A is wrong because combining 'Require compliant device' and 'Require multifactor authentication' as a single control (using 'Require all the selected controls') would require both conditions to be met for all devices, meaning compliant devices would still be prompted for MFA, which violates the requirement to allow access without MFA from compliant devices. Option B is wrong because a single policy with grant controls set to 'Require one of the selected controls' applies the same grant logic to every device that matches the policy; it cannot vary its behaviour by device compliance state, so it does not enforce MFA specifically on non-compliant devices. Since the requirement is different behaviour for compliant and non-compliant devices, separate policies are needed. Option D is wrong because setting grant controls to 'Require all the selected controls' with both 'Require compliant device' and 'Require multifactor authentication' would require every device (including compliant ones) to satisfy both conditions, meaning compliant devices would still be forced to perform MFA, which contradicts the requirement to allow access from compliant devices without MFA.

25
MCQmedium

Your organization, Fabrikam Inc., uses Microsoft Entra ID with a hybrid identity configuration. You have 500 cloud-only users and 5,000 synced users from on-premises Active Directory. The company wants to implement a passwordless authentication strategy. The following requirements must be met: 1) All users must be able to sign in without a password on Windows 10/11 devices that are Microsoft Entra joined. 2) Users who are not assigned a mobile phone must be able to use a security key (FIDO2). 3) The solution must work for both cloud-only and synced users. 4) The passwordless method should require the lowest administrative overhead for enrollment. Which passwordless authentication method should you recommend?

A.Certificate-based authentication
B.Microsoft Authenticator app
C.FIDO2 security keys
D.Windows Hello for Business
AnswerD

Works on joined devices, supports all users, and can be deployed via policy.

Why this answer

Option D is correct because Windows Hello for Business works on Microsoft Entra joined devices, supports both cloud-only and synced users, and can be deployed with minimal enrollment effort. Option C is wrong because FIDO2 security keys require key distribution and enrollment. Option B is wrong because Microsoft Authenticator requires a mobile device. Option A is wrong because certificate-based authentication requires PKI infrastructure.

26
MCQmedium

Your company uses Microsoft Entra ID and has an application that requires users to consent to permissions. You want to allow users to consent to low-risk permissions but require admin approval for high-risk permissions. What should you configure?

A.Set user consent to 'Do not allow user consent'.
B.Set user consent to 'Allow user consent for apps'.
C.Configure the 'Admin consent settings' to allow user consent for low-risk permissions and require admin consent for high-risk permissions.
D.Create a Conditional Access policy that blocks high-risk consent.
AnswerC

This enables differentiated consent based on risk.

Why this answer

Option C is correct because Microsoft Entra ID's admin consent settings allow you to configure a policy that permits user consent for low-risk permissions (e.g., those with no admin-restricted scopes) while requiring admin approval for high-risk permissions (e.g., those requiring admin consent). This granular control is achieved through the 'Admin consent settings' blade, where you can enable 'Allow user consent for apps' and then define a permission classification policy to categorize permissions as low or high risk.

Exam trap

The trap here is that candidates often confuse the 'Admin consent settings' with the 'User consent settings' or 'Conditional Access policies', mistakenly thinking that blocking all user consent or using a Conditional Access policy can achieve granular permission-level control, when in fact only the permission classification combined with admin consent settings provides this capability.

How to eliminate wrong answers

Option A is wrong because setting user consent to 'Do not allow user consent' would block all user consent, including low-risk permissions, which contradicts the requirement to allow users to consent to low-risk permissions. Option B is wrong because setting user consent to 'Allow user consent for apps' would permit users to consent to all permissions, including high-risk ones, without requiring admin approval, which fails to meet the requirement for admin approval on high-risk permissions. Option D is wrong because Conditional Access policies cannot directly block high-risk consent; they can control access based on risk but not the consent process itself, which is managed through consent and permission settings.

27
MCQmedium

Your company has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the security administrator. You need to implement a solution that automatically detects and remediates identity risks. Requirements: - Risky sign-ins (e.g., from anonymous IP addresses) should be automatically blocked. - Users with confirmed compromised credentials should be forced to reset their password at next sign-in. - You need to receive alerts when high-risk events occur. - The solution must minimize false positives. Which Microsoft Entra ID features should you combine?

A.Set up Microsoft Entra Identity Governance access reviews and enable self-service password reset.
B.Configure Conditional Access policies to block sign-ins from anonymous IP addresses and require password reset for all users.
C.Enable Microsoft Entra Identity Protection, configure a sign-in risk policy to block high-risk sign-ins, and a user risk policy to require password reset for high-risk users. Set up alerts for risk events.
D.Deploy Microsoft Defender for Cloud Apps to detect risky sign-ins and configure session policies.
AnswerC

Identity Protection provides automated risk-based policies and alerts.

Why this answer

Option C is correct because it uses Identity Protection's risk policies for sign-in risk (block) and user risk (password reset), together with risk detection alerts. Option B (Conditional Access policies with generic conditions) does not use risk detection. Option A (Identity Governance access reviews) is about access reviews, not risk remediation. Option D (Defender for Cloud Apps) is primarily for cloud app discovery.

28
MCQhard

Your organization uses Microsoft Entra ID and has a hybrid identity setup with password hash synchronization. You need to ensure that when a user's on-premises Active Directory account is disabled, their Microsoft Entra ID account is also disabled within 30 minutes. What should you do?

A.Enable Azure AD Connect cloud sync.
B.Configure password hash synchronization to run every 30 minutes.
C.Configure Azure AD Connect to sync the 'userAccountControl' attribute and set the sync frequency to 30 minutes.
D.Enable password writeback.
AnswerC

By syncing the userAccountControl attribute and setting a short sync interval, account status changes are reflected quickly.

Why this answer

Option C is correct because, with password hash sync already enabled, you also need Azure AD Connect to synchronize account status changes (the userAccountControl attribute) at a short interval. Option A is wrong because cloud sync by itself does not change how account status is propagated. Option B is wrong because that only changes password synchronization behaviour, not account status. Option D is wrong because password writeback is for writing back password resets, not for syncing account status.

29
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Manage device compliance policies
B.Automate user access reviews
C.Configure single sign-on for SaaS apps
D.Delegate administrative roles
E.Manage entitlement management
AnswersB, E

Access reviews are a core governance feature.

Why this answer

Options B and E are correct. Option A is wrong because managing device compliance is an Intune function. Option C is wrong because configuring SSO is not a governance task. Option D is wrong because delegating administrative roles is not a primary governance feature.

30
MCQeasy

Your company uses Microsoft Entra ID and wants to enforce that all users register for MFA within 14 days of account creation. Which policy should you configure?

A.Authentication methods policy with 'Registration campaign' targeting users
B.Conditional access policy with 'Require multifactor authentication'
C.Microsoft Entra ID Protection sign-in risk policy
D.Microsoft Entra ID Protection user risk policy
AnswerA

The registration campaign forces users to register MFA within a set number of days.

Why this answer

Option A is correct because the Authentication methods policy in Microsoft Entra ID can be used to run a registration campaign that requires users to register for MFA within a specified timeframe. Option B is wrong because Conditional Access policies enforce MFA during sign-in, not registration. Option C is wrong because the Identity Protection sign-in risk policy addresses risk, not registration. Option D is wrong because the user risk policy is for risk-based remediation.

31
MCQhard

You are a Microsoft 365 administrator. Your organization uses Microsoft Entra ID and Microsoft Intune for device management. You need to ensure that only compliant devices can access corporate email via Microsoft Outlook on mobile devices. What should you configure?

A.Create a Conditional Access policy with 'Require device to be marked as compliant'
B.Deploy app protection policies (MAM) for Outlook
C.Enable Microsoft Entra device registration
D.Create a device compliance policy in Intune
AnswerA

This enforces that only compliant devices can access.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID can enforce 'Require device to be marked as compliant' as a grant control. This ensures that only devices meeting your Intune compliance policies (e.g., encryption, OS version, threat level) are allowed to access corporate email via Outlook on mobile devices. The policy evaluates device compliance status reported by Intune and blocks access if the device is non-compliant.

Exam trap

The trap here is that candidates often confuse device compliance policies (which define rules) with Conditional Access policies (which enforce access decisions), or they assume MAM policies alone can block non-compliant devices, but MAM does not evaluate device compliance status.

How to eliminate wrong answers

Option B is wrong because app protection policies (MAM) manage data protection at the app level (e.g., prevent copy-paste, require PIN) but do not enforce device-level compliance; they can be applied to unmanaged devices but do not check Intune compliance status. Option C is wrong because enabling Microsoft Entra device registration is a prerequisite for device-based Conditional Access but alone does not enforce compliance; it merely creates a device identity in Entra ID. Option D is wrong because a device compliance policy in Intune defines the compliance rules (e.g., require BitLocker, minimum OS) but does not enforce access control; it must be paired with a Conditional Access policy to block non-compliant devices.

32
MCQhard

Your organization uses Microsoft Entra ID Governance. You need to ensure that access reviews are automatically created for all guest users in the tenant and that reviews are sent to the guest users' managers for approval. You configure an access review policy. Which identity governance feature should you use?

A.Terms of Use
B.Entitlement Management
C.Access Reviews
D.Privileged Identity Management
AnswerB

Entitlement Management automates access reviews for guest users.

Why this answer

B is correct because Entitlement Management in Microsoft Entra ID Governance allows you to configure access review policies that automatically create reviews for guest users and assign them to the guest users' managers for approval. This feature integrates with access reviews to enforce governance over external identities, ensuring that guest access is periodically recertified by the appropriate authority.

Exam trap

The trap here is that candidates confuse the Access Reviews feature (which is the review execution engine) with the policy configuration layer (Entitlement Management) that actually automates the creation and assignment of reviews for guest users.

How to eliminate wrong answers

Option A is wrong because Terms of Use is a feature for presenting legal or policy documents to users before granting access, not for creating automated access reviews or routing them to managers. Option C is wrong because Access Reviews is the underlying mechanism for reviewing access, but it does not by itself automatically create reviews for all guest users or send them to managers; it requires configuration through Entitlement Management or another policy to define the scope and reviewer assignment. Option D is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged role activation and approval workflows for elevated roles, not on recurring access reviews for guest users or manager-based approvals.

33
MCQmedium

Your organization plans to use Microsoft Entra ID as the identity provider for a third-party SaaS application that supports SAML 2.0. You need to configure single sign-on (SSO) for the application. What should you create in Microsoft Entra ID?

A.An enterprise application with SAML-based sign-on
B.An Application Proxy connector group
C.A service principal for Microsoft Graph
D.An app registration with OpenID Connect
AnswerA

Enterprise applications support SAML 2.0 federation.

Why this answer

To configure SSO for a third-party SaaS application that supports SAML 2.0, you must create an enterprise application in Microsoft Entra ID and configure it with SAML-based sign-on. Enterprise applications are designed for integrating third-party applications, and SAML-based sign-on allows Entra ID to act as the identity provider, exchanging SAML assertions for authentication.

Exam trap

The trap here is that candidates often confuse app registrations (used for OIDC/OAuth apps) with enterprise applications (used for SAML-based SSO), leading them to choose Option D, even though SAML 2.0 requires the enterprise application gallery or custom enterprise app configuration.

How to eliminate wrong answers

Option B is wrong because an Application Proxy connector group is used for publishing on-premises applications to external users via reverse proxy, not for configuring SSO with a cloud-based SaaS application that supports SAML. Option C is wrong because a service principal for Microsoft Graph is used to grant permissions for programmatic access to Microsoft Graph APIs, not for configuring SAML-based SSO with a third-party SaaS app. Option D is wrong because an app registration with OpenID Connect is used for applications that use OIDC (an OAuth 2.0 extension) for authentication, not for SAML 2.0, which requires a different protocol and configuration in enterprise applications.

34
Multi-Selecteasy

Which TWO of the following are benefits of using Microsoft Entra ID Provisioning for cloud HR applications like Workday? (Choose two.)

Select 2 answers
A.Automatic license assignment
B.Support for attribute-based provisioning
C.Automatic password reset for new users
D.Automated user lifecycle management based on HR events
E.Automatic creation of user mailboxes in Exchange Online
AnswersB, D

Provisioning can map attributes from HR to Entra ID.

Why this answer

Option B is correct because Microsoft Entra ID Provisioning for cloud HR applications like Workday supports attribute-based provisioning, which allows mapping of HR attributes (e.g., department, location) to Entra ID user attributes using an expression-based mapping engine. This enables dynamic filtering and transformation of user data during synchronization, ensuring that only users meeting specific criteria (e.g., employment status) are provisioned.

Exam trap

The trap here is that candidates often confuse the capabilities of Entra ID Provisioning with those of Microsoft Identity Manager (MIM) or Exchange Online hybrid management, assuming provisioning handles tasks like license assignment or mailbox creation, which are separate downstream processes.

35
MCQmedium

An organization is implementing Microsoft Entra Verified ID for verifiable credentials. They want to issue credentials to employees that can be used to prove employment status to third parties. Which component must be created first?

A.A presentation request policy
B.A distributed ledger network
C.A credential manifest in the Microsoft Entra admin center
D.A decentralized identifier (DID) for the organization
AnswerC

The credential manifest defines the claims and rules for issuance.

Why this answer

The credential manifest defines the rules for issuing a verifiable credential, including the claims schema, display information, and issuance policies. In Microsoft Entra Verified ID, you must create the credential manifest in the Entra admin center before any credentials can be issued, as it serves as the template that governs the credential's structure and validation. Without a manifest, there is no definition for what the credential contains or how it should be presented.

Exam trap

The trap here is that candidates often confuse the order of setup steps, assuming the DID must be manually created first, when in fact the DID is automatically generated during the Verified ID service initialization, and the credential manifest is the first component that requires explicit user configuration in the admin center.

How to eliminate wrong answers

Option A is wrong because a presentation request policy is used by verifiers to request proof of a credential from a holder, not to define the credential itself; it is created after the credential manifest. Option B is wrong because Microsoft Entra Verified ID anchors DIDs on a distributed ledger (ION) that Microsoft operates; the organization does not create or manage a ledger network. Option D is wrong because the organization's decentralized identifier (DID) is generated automatically when the Verified ID service is set up in the Entra admin center, so it is not a separate manual creation step; the credential manifest is the first component the administrator explicitly creates after the DID is established.

36
MCQhard

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Microsoft Entra Connect Sync to synchronize user accounts. The security team requires that all cloud-only users must be blocked from syncing to on-premises AD. What should you do to meet this requirement?

A.Configure attribute mapping to filter out cloud-only users from writeback
B.Use the cloudFilter attribute to mark cloud-only users as false
C.Disable directory writeback in Microsoft Entra Connect Sync
D.Configure Selective Password Hash Sync to exclude cloud-only users
AnswerA

Attribute filtering can prevent cloud-only users from being written back.

Why this answer

Option A is correct because using attribute mapping to filter cloud-only users (e.g., by source anchor) prevents them from being written back. Option C is wrong because disabling directory writeback would block all writeback, not just cloud-only users. Option D is wrong because Selective Password Hash Sync only affects password sync. Option B is wrong because the cloudFilter attribute is for filtering objects from cloud to on-premises, not the other way.

37
MCQmedium

Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You are the Global Administrator. The security team reports that several users have been compromised due to weak passwords. You need to implement a solution that enforces strong password policies and blocks common passwords. The solution must also provide users with the ability to reset their own passwords securely if they forget them, without requiring help desk intervention. Additionally, you need to configure risk-based Conditional Access policies to block sign-ins from anonymous IP addresses and require MFA for high-risk sign-ins. You have the following options: A. Configure password protection in Microsoft Entra ID to enforce a custom banned password list and enable self-service password reset (SSPR) with MFA. Then create Conditional Access policies for sign-in risk and anonymous IP. B. Enable password hash sync and configure pass-through authentication. Create a Conditional Access policy to require MFA for all users. C. Implement Microsoft Entra ID Protection and enable MFA registration policy. Configure password expiration to 90 days. D. Use security defaults in Microsoft Entra ID and enable automatic password rollback. Which option should you choose?

A.Configure password protection with custom banned list, SSPR with MFA, and risk-based Conditional Access policies
B.Enable password hash sync, pass-through authentication, and require MFA for all
C.Implement Identity Protection, enable MFA registration policy, set password expiration to 90 days
D.Use security defaults and enable automatic password rollback
AnswerA

Meets all requirements.

Why this answer

Option A is correct because it covers all requirements: a custom banned password list, SSPR with MFA, and risk-based Conditional Access policies. Option B is wrong because it addresses neither common passwords nor SSPR. Option C is wrong because password expiration is not an effective control and it provides no SSPR. Option D is wrong because security defaults do not allow a custom banned password list or risk-based policies.

38
MCQeasy

You are configuring Microsoft Entra ID to allow external users from a partner organization to access a specific SharePoint Online site. You need to ensure that the external users authenticate using their own corporate credentials and are automatically invited when they first access the resource. What should you configure?

A.Microsoft Entra External ID (B2C)
B.Microsoft Entra B2B direct connect
C.Microsoft Entra entitlement management access packages
D.Microsoft Entra B2B collaboration with manual invitation
AnswerC

Access packages can automate invitations and enforce policies.

Why this answer

Option C is correct because Microsoft Entra entitlement management access packages allow you to create a policy that automatically sends an invitation to external users when they request access to a resource, such as a SharePoint Online site. This policy can be configured to require that external users authenticate using their own corporate credentials (via their home tenant) and be automatically added to the resource upon first access, without manual invitation. Entitlement management integrates with B2B collaboration under the hood, but adds the automation and approval workflows needed for this scenario.

Exam trap

The trap here is that candidates confuse Microsoft Entra B2B collaboration (which requires manual invitation) with entitlement management access packages (which automate the invitation and access lifecycle), or they incorrectly assume B2B direct connect can be used for SharePoint Online site access when it is actually limited to Teams Connect shared channels.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra External ID (B2C) is designed for consumer-facing identity management (social or local accounts), not for enabling partner organizations to use their own corporate credentials for resource access. Option B is wrong because Microsoft Entra B2B direct connect is used for establishing mutual trust between two tenants for real-time collaboration (e.g., Teams Connect shared channels), but it does not support automatic invitation or access package-based provisioning for SharePoint Online sites. Option D is wrong because Microsoft Entra B2B collaboration with manual invitation requires an admin to manually send an invitation email or CSV upload, which does not meet the requirement for automatic invitation when users first access the resource.

39
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You want to set up a policy that automatically suspends a user if they download more than 100 files from SharePoint Online within 10 minutes. Which type of policy should you create?

A. Session policy
B. Activity policy
C. File policy
D. App discovery policy
Answer: B

Activity policies can detect anomalies and trigger governance actions like user suspension.

Why this answer

An Activity policy in Microsoft Defender for Cloud Apps monitors user activities across connected apps and can trigger automated actions, such as suspending a user, when a specific threshold of downloads from SharePoint Online is exceeded within a defined time window. This policy type is designed to detect anomalous behavior patterns like mass file downloads, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse Activity policies with Session policies, mistakenly thinking session-level controls can enforce download limits, but session policies only act on real-time actions within a single session and cannot trigger user suspension based on aggregated activity history.

How to eliminate wrong answers

Option A is wrong because a Session policy controls real-time user actions during a session (e.g., blocking uploads or requiring authentication) but does not evaluate historical activity counts or trigger user suspension based on past downloads. Option C is wrong because a File policy focuses on scanning files for content, metadata, or sharing permissions, not on monitoring the volume of download activities by a user. Option D is wrong because an App discovery policy analyzes cloud app usage and shadow IT, not user-specific download thresholds within a single app like SharePoint Online.

40
MCQ · medium

Your organization uses Microsoft Entra ID and has a Conditional Access policy that requires MFA for all external users. However, guest users from a partner organization are being blocked when they try to access a SharePoint Online site. You need to ensure that guest users can access the site without being prompted for MFA if they have already satisfied MFA in their home tenant. What should you configure?

A. Disable MFA requirement for guest users in Conditional Access
B. Configure authentication methods policy to accept MFA from external identities
C. Enable the trust MFA for external users setting in cross-tenant access settings
D. Use B2B direct connect instead of B2B collaboration
Answer: C

This allows guest users to use MFA from their home tenant.

Why this answer

Option C is correct because the cross-tenant access settings in Microsoft Entra ID include a 'Trust MFA from external tenants' option. When enabled, this setting allows guest users who have already satisfied MFA in their home tenant to access resources in your tenant without being prompted for MFA again. This respects the partner's MFA claims and avoids redundant authentication, which directly resolves the blocking issue caused by the Conditional Access policy requiring MFA for all external users.

Exam trap

The trap here is that candidates often confuse the 'authentication methods policy' (which governs allowed MFA methods in your tenant) with the cross-tenant trust setting, leading them to choose Option B, when in fact the correct solution is to enable the trust setting in cross-tenant access settings.

How to eliminate wrong answers

Option A is wrong because disabling MFA for guest users in Conditional Access would remove the security requirement entirely, which violates the organization's policy and exposes resources to unauthenticated access. Option B is wrong because the authentication methods policy controls which methods are allowed for MFA in your tenant, not whether MFA claims from external identities are trusted; it does not accept or reject MFA from other tenants. Option D is wrong because B2B direct connect is designed for real-time, unmanaged collaboration (e.g., Teams shared channels) and does not support SharePoint Online site access via invitations; B2B collaboration is the correct model for granting guest users access to SharePoint sites.

41
Multi-Select · hard

Which THREE of the following are valid permissions in Microsoft Entra ID custom roles? (Choose three.)

Select 2 answers
A. microsoft.directory/applications/delete
B. microsoft.directory/applications/credentials/update
C. microsoft.directory/users/update
D. microsoft.directory/roles/assign
E. microsoft.directory/groups/members/update
Answers: A, C

Valid permission to delete applications.

Why this answer

Option A is correct because 'microsoft.directory/applications/delete' is a valid permission in Microsoft Entra ID custom roles. Custom roles allow granular permissions defined by the 'microsoft.directory' namespace, and deleting applications is a supported action under the 'applications' resource type.

Exam trap

The trap here is that candidates often confuse valid permission strings with invalid ones, such as assuming 'microsoft.directory/roles/assign' is valid when role assignment permissions actually fall under 'microsoft.directory/roleAssignments'.

42
MCQ · medium

Your organization uses Microsoft Entra ID P2 licenses. You need to configure a Conditional Access policy that requires phishing-resistant multifactor authentication (MFA) for all users accessing sensitive applications. Which authentication strength should you select in the policy?

A. Phishing-resistant MFA
B. Passwordless MFA
C. Multifactor authentication
D. No authentication strength
Answer: A

Phishing-resistant MFA requires FIDO2 or certificate-based authentication.

Why this answer

Option A is correct because the phishing-resistant MFA authentication strength requires certificate-based authentication or a FIDO2 security key. Option B is wrong because passwordless MFA with Microsoft Authenticator is not considered phishing-resistant. Option C is wrong because it is a weaker strength. Option D is wrong because it does not enforce phishing resistance.

43
Multi-Select · medium

Your organization is implementing a zero-trust security model. Which TWO Microsoft Entra ID features should you enable to enforce least-privilege access and continuous verification?

Select 2 answers
A. Conditional Access
B. Self-service password reset (SSPR)
C. Privileged Identity Management (PIM)
D. Application Proxy
E. Microsoft Entra Join
Answers: A, C

Conditional Access enforces policies based on signals for continuous verification.

Why this answer

Conditional Access enables continuous verification, and Privileged Identity Management enforces just-in-time access. Option B is wrong because SSPR is for password reset. Option D is wrong because Application Proxy is for remote access to on-premises applications. Option E is wrong because Microsoft Entra Join is a device identity method.

44
Multi-Select · medium

Your organization uses Microsoft Entra ID and wants to implement Identity Protection to detect risky users. Which THREE risk types can be detected by Identity Protection? (Choose three.)

Select 3 answers
A. Impossible travel
B. Password spray
C. Leaked credentials
D. Anonymous IP address
E. Malware
Answers: A, C, D

Detects sign-ins from distant locations in short time.

Why this answer

Impossible travel is a risk detection in Microsoft Entra ID Identity Protection that identifies sign-ins originating from geographically distant locations within a time frame that makes physical travel between them impossible. This detection uses the user's previous sign-in locations and the time between sign-ins to calculate the probability of a compromised account being used from a different region.

Exam trap

The trap here is that candidates confuse attack types (like password spray or malware) with the specific risk detection types that Identity Protection actually reports, leading them to select options that describe attack methods rather than the built-in risk detections.

45
Multi-Select · medium

Which TWO of the following are valid authentication methods in Microsoft Entra ID that can be used as part of a Conditional Access policy? (Select two.)

Select 2 answers
A. SMS sign-in
B. Password
C. Certificate-based authentication
D. Hardware OATH token
E. FIDO2 security key
Answers: B, C

Password is a valid authentication method in Conditional Access policies via authentication strength.

Why this answer

The correct answers are B and C. Password can be used as an authentication method in Conditional Access policies (e.g., require MFA). Certificate-based authentication is also a valid method.

SMS sign-in is not a method; it's for MFA. FIDO2 security key is a method, but the question says 'used as part of a Conditional Access policy'. Actually, Conditional Access can grant access based on an authentication strength that includes FIDO2. But the official list of authentication methods in Conditional Access includes password, certificate, and others.

Option D (Hardware OATH token) is also valid. The question says 'Select two', so the most common are B and C. However, I need to be precise: in Conditional Access, can you require 'Password' as an authentication method? Actually, you can require 'Multi-factor authentication' or 'Passwordless authentication'.

But the grant controls include 'Require multi-factor authentication', not individual methods. However, the authentication strength policy can include password. Given the exam, the typical correct answers are password and certificate.

Let me go with B and C.

46
MCQ · easy

You are implementing Microsoft Entra Verified ID to issue verifiable credentials to employees for proof of employment. Which component is required to issue and verify credentials?

A. Microsoft Entra ID P2 licenses for all users
B. A certificate from a public certificate authority (CA)
C. An Azure AD B2C tenant
D. A decentralized identifier (DID) and a trusted identity system
Answer: D

DIDs are fundamental to Verified ID.

Why this answer

Microsoft Entra Verified ID uses a decentralized identity model where each issuer and verifier has a unique decentralized identifier (DID) and a trusted identity system (such as a blockchain-based ION network or a web-based DID method) to publish and resolve DID documents. The DID and the trusted identity system are the core components required to cryptographically sign verifiable credentials and verify them without relying on a central authority, making option D correct.

Exam trap

The trap here is that candidates often assume a traditional PKI certificate or a premium license is required, but Microsoft Entra Verified ID relies on decentralized identifiers (DIDs) and a trusted identity system, not on CA-issued certificates or specific license tiers.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID P2 licenses provide advanced identity protection and governance features but are not a prerequisite for issuing or verifying verifiable credentials; Verified ID can work with any Azure AD tenant. Option B is wrong because a certificate from a public certificate authority (CA) is used for traditional PKI-based identity systems, but Verified ID uses DIDs and key pairs generated by the issuer, not a CA-issued certificate. Option C is wrong because Azure AD B2C is a customer identity and access management solution for external users, not a required component for Verified ID; Verified ID uses its own decentralized identity infrastructure.

47
Multi-Select · easy

Your organization uses Microsoft Entra ID. You need to enable users to securely share documents with external partners. Which TWO features should you use?

Select 2 answers
A. Microsoft Entra B2B collaboration
B. Azure AD B2C
C. Microsoft Purview Information Protection
D. Microsoft Entra entitlement management
E. Microsoft Defender for Cloud Apps
Answers: A, D

B2B collaboration enables external sharing.

Why this answer

Microsoft Entra B2B collaboration is correct because it allows you to securely share documents and collaborate with external partners by inviting them as guest users in your Entra ID tenant. This feature leverages existing identities (e.g., Microsoft, Google, or SAML/WS-Fed providers) without requiring external users to create new accounts, enabling controlled access to resources like SharePoint or Teams.

Exam trap

The trap here is confusing Azure AD B2C (customer-facing) with Microsoft Entra B2B collaboration (partner-facing), as both involve external users but serve fundamentally different scenarios—B2C is for consumer apps, while B2B is for enterprise collaboration.

48
Multi-Select · easy

Which TWO are prerequisites for implementing Microsoft Entra ID Identity Protection? (Choose two.)

Select 2 answers
A. Microsoft Entra ID P2 license
B. Microsoft Entra ID P1 license
C. Identity Protection administrator role assigned
D. Audit logs enabled for sign-in events
E. Self-service password reset configured
Answers: A, C

P2 includes Identity Protection.

Why this answer

Microsoft Entra ID Identity Protection requires a Microsoft Entra ID P2 license because it uses advanced risk detection and automated remediation capabilities (e.g., risk-based Conditional Access policies, user risk and sign-in risk policies) that are only available in the P2 tier. The P1 license provides basic Conditional Access but lacks the risk detection engine and adaptive policies that Identity Protection relies on.

Exam trap

The trap here is that candidates often confuse the licensing requirement for Identity Protection (P2) with the broader Conditional Access feature (P1), or assume that audit logs or SSPR are mandatory prerequisites when they are not directly required for Identity Protection's core functionality.

49
MCQ · easy

You run the Azure CLI command shown in the exhibit. What does the output represent?

A. The application ID for Microsoft Entra ID
B. The application ID for Exchange Online
C. The application ID for SharePoint Online
D. The application ID for Microsoft Graph
Answer: D

It is the standard app ID for Microsoft Graph.

Why this answer

The Azure CLI command `az ad sp show --id 00000003-0000-0000-c000-000000000000` retrieves the service principal for the Microsoft Graph API. The GUID `00000003-0000-0000-c000-000000000000` is the well-known application ID for Microsoft Graph in Microsoft Entra ID (formerly Azure AD). This ID is used to grant permissions and consent for Microsoft Graph API access.

Exam trap

The trap here is that candidates confuse the Microsoft Graph application ID with the SharePoint Online application ID because both start with `00000003`, but the middle segment differs (`-0000-0000-c000-` vs `-0000-0ff1-ce00-`), and Microsoft deliberately tests this subtle distinction.

How to eliminate wrong answers

Option A is wrong because the application ID for Microsoft Entra ID (the directory itself) is `00000001-0000-0000-c000-000000000000`, not the one shown. Option B is wrong because Exchange Online has its own application ID (`00000002-0000-0ff1-ce00-000000000000`), which is different from the GUID in the command. Option C is wrong because SharePoint Online uses application ID `00000003-0000-0ff1-ce00-000000000000`, not the Microsoft Graph ID `00000003-0000-0000-c000-000000000000`.

50
Multi-Select · hard

Which THREE are valid methods to protect against password spray attacks in Microsoft Entra ID? (Choose three.)

Select 3 answers
A. Enable password protection to block common passwords
B. Configure smart lockout to lock accounts after failed attempts
C. Enable Identity Protection to detect and remediate password spray
D. Require multi-factor authentication for all users
E. Use conditional access to block sign-ins from untrusted locations
Answers: A, C, E

Password protection blocks weak passwords.

Why this answer

Options A, C, and E are correct. Option D is wrong because MFA does not prevent password spray; it adds another factor. Option B is wrong because smart lockout locks accounts after failed attempts, but it is not a prevention method per se.

51
MCQ · hard

You are implementing Microsoft Entra Identity Protection. You need to configure automated responses to medium and high user risk. Which policy should you create?

A. Sign-in risk policy
B. Conditional Access policy with grant controls
C. MFA registration policy
D. User risk policy
Answer: D

User risk policy responds to user risk levels.

Why this answer

User risk policy in Microsoft Entra Identity Protection is specifically designed to automatically respond to user risk levels (low, medium, high) by triggering remediation actions such as requiring a password change or blocking sign-in. Since the question asks for automated responses to medium and high user risk, the correct policy is the User risk policy, which evaluates risk based on user behavior and leaked credentials.

Exam trap

The trap here is confusing User risk policy (which responds to user-level risk like compromised accounts) with Sign-in risk policy (which responds to session-level risk like suspicious sign-in attempts), leading candidates to incorrectly choose the sign-in risk policy for user risk remediation.

How to eliminate wrong answers

Option A is wrong because Sign-in risk policy responds to real-time sign-in risks (e.g., anonymous IP, atypical travel) rather than user risk levels. Option B is wrong because Conditional Access policy with grant controls is a broader policy that can enforce MFA or block access but is not specifically designed to automate responses to user risk from Identity Protection; it can integrate with risk policies but is not the primary policy for user risk remediation. Option C is wrong because MFA registration policy is used to enforce MFA registration for all users, not to respond to user risk levels.

52
Multi-Select · medium

Your company is implementing Microsoft Entra Conditional Access. You need to require multifactor authentication (MFA) for all users except those accessing from the corporate office. Which TWO components do you need?

Select 2 answers
A. Microsoft Intune compliance policies
B. Conditional Access policy configured with grant control requiring MFA and excluding Named Locations
C. Named Locations configuration
D. Microsoft Entra multifactor authentication registration policy
E. Microsoft Entra Identity Protection
Answers: B, C

The policy enforces MFA except from the corporate office.

Why this answer

To require MFA for all users except those accessing from the corporate office, you need a Conditional Access policy that grants access only if MFA is completed, and you must exclude the corporate office location. The 'Named Locations' configuration defines the corporate office IP ranges or trusted locations, and the Conditional Access policy uses that exclusion. Together, these two components enforce the requirement.

Exam trap

The trap here is that candidates often think a separate MFA registration policy (Option D) or Identity Protection (Option E) can handle location-based exclusions, but neither supports excluding Named Locations; only a Conditional Access policy with the 'Exclude' condition on Named Locations can achieve this.

53
MCQ · hard

Your organization, Contoso Ltd., has a Microsoft 365 E5 tenant with Microsoft Entra ID P2. You have 10,000 users and 500 applications. You are planning to implement a comprehensive identity security strategy. Your requirements are: 1. All users must use phishing-resistant MFA for accessing business-critical applications. 2. Users accessing sensitive HR data must be required to use a compliant device. 3. Any authentication attempt from an anonymous IP address or from a country where Contoso has no business operations must be blocked. 4. All external collaboration must be governed by access reviews that require sponsor approval. 5. You need to monitor and respond to identity risks in real time. You need to design a solution using Microsoft Entra ID features. Which combination of features should you implement?

A. Deploy Microsoft Entra ID authentication strengths for phishing-resistant MFA. Create Conditional Access policies requiring compliant device for HR apps and blocking anonymous IPs and non-business countries. Use Microsoft Entra Identity Protection for risk detection and automated response. Implement entitlement management with connected organizations and access reviews requiring sponsor approval.
B. Configure Conditional Access policies with MFA and trusted locations. Use Identity Protection for risk monitoring. Set up access reviews with group owner approval.
C. Enable security defaults for all users. Use Microsoft Defender for Cloud Apps to block anonymous IPs. Configure Azure AD access reviews for external users.
D. Use certificate-based authentication for all users. Create Conditional Access policies for device compliance. Set up identity protection. Use self-service access reviews for external users.
Answer: A

Meets all requirements.

Why this answer

Option A correctly addresses all requirements: phishing-resistant MFA (FIDO2/WHfB) via authentication strengths, compliant device via the Conditional Access device condition, location-based blocking via the Conditional Access location condition, external governance via entitlement management and access reviews, and risk monitoring via Identity Protection. Option B uses default MFA, which is not phishing-resistant. Option C lacks device compliance. Option D uses self-service access reviews instead of sponsor approval.

54
MCQ · hard

Your organization uses Microsoft Entra ID and has a custom role that grants 'microsoft.directory/applications/credentials/update' permission. A security audit reveals that a user assigned this role has modified credentials for an application. You need to prevent such actions while allowing other application updates. What should you do?

A. Assign the user the built-in Application Administrator role instead.
B. Enable multi-factor authentication for the user.
C. Remove the user from the custom role and assign them another role with fewer permissions.
D. Create a custom role that excludes the 'microsoft.directory/applications/credentials/update' permission and assign it to the user.
Answer: D

A custom role can be defined to exclude specific permissions.

Why this answer

The custom role currently includes the 'microsoft.directory/applications/credentials/update' permission, which allows modifying application credentials. To prevent credential updates while still permitting other application updates, you must create a new custom role that explicitly excludes this permission and assign it to the user. This approach preserves granular control without granting unnecessary privileges, unlike built-in roles that would either over-scope or under-scope permissions.

Exam trap

The trap here is that candidates may think removing the user from the custom role and assigning a different role (Option C) is the simplest fix, but that would likely revoke all application update permissions, failing the requirement to allow other updates.

How to eliminate wrong answers

Option A is wrong because assigning the built-in Application Administrator role grants broader permissions, including the ability to update credentials, which does not solve the problem. Option B is wrong because enabling multi-factor authentication enhances security but does not restrict the user's existing permissions to modify credentials. Option C is wrong because removing the user from the custom role and assigning another role with fewer permissions would likely remove all application update capabilities, which is too restrictive and does not allow other application updates.

55
Multi-Select · medium

Your organization uses Microsoft Entra ID. You need to implement a solution that allows users to sign in without a password using their smartphone. Which TWO authentication methods can be used?

Select 2 answers
A. Temporary Access Pass
B. Windows Hello for Business
C. Text message (SMS) verification code
D. Microsoft Authenticator app (phone sign-in)
E. FIDO2 security keys
Answers: D, E

Authenticator app supports passwordless sign-in.

Why this answer

The Microsoft Authenticator app supports phone sign-in, which allows users to authenticate by approving a notification or entering a number displayed on the screen, eliminating the need for a password. FIDO2 security keys enable passwordless authentication using hardware-based public/private key cryptography, meeting the requirement for smartphone-based sign-in when the key is connected via USB or NFC. Both methods are supported by Microsoft Entra ID for passwordless authentication.

Exam trap

The trap here is that candidates often confuse SMS verification codes (a multi-factor authentication method) with a primary passwordless authentication method, but SMS codes require a password first and are not passwordless.

56
MCQ · medium

Your company uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email in Microsoft 365. Which Microsoft Entra ID feature should you combine with Intune compliance policies?

A. Conditional Access
B. Microsoft Entra Application Proxy
C. Microsoft Entra Identity Protection
D. Microsoft Entra Privileged Identity Management
Answer: A

Conditional Access policies can check device compliance from Intune.

Why this answer

Conditional Access is the correct answer because it is the Microsoft Entra ID feature that enforces access controls based on signals such as device compliance. When combined with Intune compliance policies, Conditional Access can block or allow access to corporate email in Microsoft 365 based on whether the device is marked as compliant by Intune. This integration ensures that only devices meeting your organization's security requirements can access corporate resources.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based access) with Conditional Access (which enforces policies like device compliance), leading them to select Option C instead of A.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Application Proxy provides secure remote access to on-premises web applications, not device compliance enforcement for cloud services. Option C is wrong because Microsoft Entra Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs), but it does not evaluate device compliance status. Option D is wrong because Microsoft Entra Privileged Identity Management manages, controls, and monitors access to privileged roles in Microsoft Entra ID, not device compliance or access policies for corporate email.

57
MCQ · hard

You are reviewing the following Conditional Access policy JSON in Microsoft Entra ID. What does this policy do?

A. Requires MFA for all users accessing all apps from any client type
B. Blocks access for all users except Admin@contoso.com when accessing from mobile apps
C. Requires MFA for all users except Admin@contoso.com when accessing any app from mobile apps or desktop clients
D. Requires MFA for all users accessing all apps from any device
Answer: C

Matches the policy conditions and grant controls.

Why this answer

Option C is correct because the Conditional Access policy JSON targets all users except a specific group containing Admin@contoso.com, applies to all cloud apps, and requires MFA for the 'Browser' and 'Mobile apps and desktop clients' client app types. This effectively enforces MFA for all users except the excluded admin when accessing any app from either web browsers or native/mobile clients, as defined by the 'clientAppTypes' condition.

Exam trap

The trap here is that candidates often overlook the 'ExcludeUsers' array and assume the policy applies to all users, or they misinterpret 'clientAppTypes' as applying to all devices rather than specific client application types like browser and mobile/desktop apps.

How to eliminate wrong answers

Option A is wrong because the policy explicitly excludes a user (Admin@contoso.com) via the 'users' condition with an 'ExcludeUsers' array, so it does not require MFA for all users. Option B is wrong because the policy does not block access; it grants access with MFA, and it applies to both 'Mobile apps and desktop clients' and 'Browser' client types, not exclusively mobile apps. Option D is wrong because the policy does not apply to all devices; it applies to specific client app types (Browser and Mobile apps/desktop clients), and it excludes a specific user, so it is not universal for all users or all devices.

58
MCQ · hard

Your organization uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. You need to protect a custom SaaS application that uses SAML-based SSO. The application does not support Conditional Access. You want to enforce session controls such as blocking downloads of sensitive files. What should you implement?

A. Deploy Microsoft Defender for Cloud Apps Conditional Access App Control and route the application through Defender for Cloud Apps.
B. Implement a reverse proxy from a third-party vendor.
C. Create a custom application registration and set app roles.
D. Configure the application to use Microsoft Entra ID as the identity provider and enable Conditional Access policies.
Answer: A

App Control provides session-level controls.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps Conditional Access App Control acts as a reverse proxy that can enforce session policies—such as blocking downloads of sensitive files—on any SAML-based SaaS application, even if the application itself does not support Conditional Access. By routing the application's traffic through Defender for Cloud Apps, you can apply granular session controls at the proxy layer without modifying the application.

Exam trap

The trap here is that candidates often assume that enabling Entra ID as the identity provider and applying Conditional Access policies is sufficient, but they overlook that the application must support Conditional Access (i.e., be capable of enforcing the resulting controls) for those policies to work; when the app does not, a proxy-based solution like Defender for Cloud Apps App Control is required.

How to eliminate wrong answers

Option B is wrong because while a third-party reverse proxy could theoretically provide similar controls, the question specifically asks for a solution within the Microsoft ecosystem (Entra ID P2 and Defender for Cloud Apps), and Microsoft's own solution is the recommended and integrated approach. Option C is wrong because creating a custom application registration and setting app roles only manages authentication and authorization within Entra ID, but does not provide session-level controls like blocking file downloads. Option D is wrong because the application does not support Conditional Access, so configuring it to use Entra ID as the identity provider and enabling Conditional Access policies would have no effect—Conditional Access requires the application to be capable of interpreting and enforcing the resulting claims or tokens.

59
MCQ · hard

You are troubleshooting why a user cannot access a SharePoint Online site. The user is assigned a Conditional Access policy that requires compliant device, and the device is enrolled in Microsoft Intune but shows as non-compliant. What is the most likely cause?

A. The device is non-compliant due to missing security updates
B. The device is not enrolled in Microsoft Intune
C. The Conditional Access policy is not applied to SharePoint Online
D. The user does not have an Intune license
Answer: A

Non-compliance blocks access via Conditional Access.

Why this answer

Option A is correct because the device is enrolled but non-compliant, which triggers the Conditional Access block. Option B is wrong because the device is enrolled. Option C is wrong because the policy is correctly targeting SharePoint Online. Option D is wrong because the user is licensed.

60
MCQ · easy

You need to grant a vendor access to a specific SharePoint Online site for a limited time. The vendor does not have an account in your Microsoft Entra ID. What should you use?

A. Create a user account via Microsoft Entra Connect
B. Configure self-service sign-up user flow
C. Assign the vendor a guest user account with no expiration
D. Use Microsoft Entra B2B collaboration and set an expiration for the guest user
Answer: D

B2B collaboration invites external users and can set access expiration.

Why this answer

Microsoft Entra B2B collaboration allows you to invite external users (vendors) as guest users to access your organization's resources, including SharePoint Online sites, without requiring them to have an existing account in your tenant. You can configure an expiration policy for the guest user account to automatically remove access after a specified period, meeting the requirement for limited-time access.

Exam trap

The trap here is that candidates often confuse B2B collaboration with creating a new user account (Option A) or assume that self-service sign-up (Option B) is appropriate for a single vendor, when in fact B2B collaboration is the correct method for granting external users time-limited access without managing their identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used to synchronize on-premises Active Directory identities to Microsoft Entra ID, not to create accounts for external vendors who do not have an existing identity in your organization. Option B is wrong because self-service sign-up user flow is designed for customers or partners to create their own accounts in your tenant for app registration or B2C scenarios, not for granting a specific vendor access to a SharePoint site with controlled expiration. Option C is wrong because assigning a guest user account with no expiration does not meet the requirement for limited-time access; it would grant permanent access unless manually removed, which is not automated or policy-driven.

61 · MCQ · medium

Your organization uses Microsoft Entra ID and plans to deploy Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the conditional access policies you have configured for data access. What should you do?

A. Use Microsoft Defender for Cloud Apps session controls
B. Configure Privileged Identity Management (PIM) for Copilot roles
C. Enable Identity Protection for Copilot users
D. Apply sensitivity labels to data and configure conditional access policies to require labels
Answer: D

Copilot respects sensitivity labels for data access.

Why this answer

Option D is correct because Microsoft Copilot for Microsoft 365 respects conditional access policies only when those policies are configured to require sensitivity labels. Copilot uses Microsoft Purview Information Protection to enforce data access controls based on labels, ensuring that policies like location, device compliance, or sign-in risk are applied to Copilot interactions. Without label-based policies, Copilot may bypass standard conditional access conditions.

Exam trap

The trap here is that candidates assume standard conditional access policies (e.g., MFA, device compliance) automatically apply to Copilot, but Microsoft specifically requires sensitivity labels to be configured as a condition for Copilot to honor those policies.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps session controls are designed for monitoring and controlling user sessions in third-party SaaS apps, not for enforcing conditional access policies on Copilot for Microsoft 365. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time role activation and approval workflows for privileged roles, not the enforcement of conditional access policies on Copilot data access. Option C is wrong because Identity Protection detects and responds to sign-in risks and user risks, but it does not directly enforce conditional access policies on Copilot; it provides risk signals that conditional access policies can use, but the policies themselves must be configured to require sensitivity labels for Copilot to respect them.

62 · MCQ · hard

Your company uses Microsoft Entra ID and has enabled Microsoft Entra ID Protection. You notice that a user's sign-in was blocked due to a medium user risk. However, the user claims the sign-in was legitimate. What should you do to allow future sign-ins without lowering security?

A. Create a conditional access policy to bypass MFA for this user
B. Suppress the alert in Microsoft Defender XDR
C. Use the Microsoft Entra ID Protection reports to confirm the user as safe
D. Dismiss the risk in the Risky users report
Answer: C

Confirming safe resets the user's risk and allows sign-ins.

Why this answer

Option C is correct because when a user claims a blocked sign-in was legitimate, the proper action is to confirm the user as safe in the Microsoft Entra ID Protection reports. This action updates the risk state to 'confirmed safe', which resets the user's risk level and allows future sign-ins without lowering security. It also provides feedback to the risk detection algorithm to improve accuracy.

Exam trap

The trap here is confusing 'dismissing the risk' (which only closes the alert) with 'confirming the user as safe' (which actively resets the risk state and provides feedback), leading candidates to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because creating a conditional access policy to bypass MFA for this user would lower security by removing a critical authentication requirement, and it does not address the underlying risk detection. Option B is wrong because suppressing the alert in Microsoft Defender XDR only hides the notification; it does not resolve the risk state or prevent future blocks. Option D is wrong because dismissing the risk in the Risky users report simply closes the alert without confirming the sign-in as legitimate, which could allow the same risk to trigger again and does not provide feedback to the risk engine.

63 · MCQ · hard

Your organization uses Microsoft Entra ID with P2 licenses. You need to identify and remediate users who are at risk due to leaked credentials or anomalous sign-in activity. You want to automate the response to high-risk users by requiring a password change. Which feature should you use?

A. Microsoft Entra Identity Protection
B. Microsoft Defender for Cloud Apps
C. Microsoft Entra Identity Governance
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: A

Identity Protection detects risks and can enforce password change via conditional access.

Why this answer

Option B is correct because Identity Protection provides risk-based conditional access policies to automatically remediate high-risk users. Option A is wrong because Privileged Identity Management (PIM) manages privileged roles, not user risk. Option C is wrong because Identity Governance handles access reviews and entitlement management.

Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app security, not identity risk.

64 · Multi-Select · hard

Which THREE of the following are required to implement Microsoft Entra ID Identity Governance for access reviews? (Choose three.)

Select 3 answers
A. Microsoft Entra ID P1 license
B. The access review must be configured to apply results automatically
C. Microsoft Entra ID P2 license
D. Global Administrator or Identity Governance Administrator role
E. All users being reviewed must be guest users
Answers: B, C, D

Required for automatic remediation.

Why this answer

Option B is correct because for an access review to enforce its decisions (e.g., removing a user's access), the review must be configured to 'Apply results automatically'. Without this setting, the review only generates recommendations, and an administrator must manually apply the results. This automatic application is a required step to complete the identity governance lifecycle.

Exam trap

The trap here is that candidates often assume a P1 license is sufficient for access reviews, but Microsoft specifically requires P2 for the reviewer and the users under review, making P1 an incorrect choice.

65 · MCQ · medium

Your organization uses Microsoft Entra Connect Sync. You need to ensure that specific on-premises Active Directory groups are synchronized to Microsoft Entra ID. What should you configure?

A. Set the sync scope to 'Synchronize selected groups'
B. Configure attribute-based filtering in Microsoft Entra Connect
C. Create a security group in Microsoft Entra ID and add members
D. Use the Synchronization Service Manager to select groups
Answer: A

Microsoft Entra Connect supports filtering by groups.

Why this answer

Option A is correct because Microsoft Entra Connect Sync allows you to scope synchronization to specific groups by selecting 'Synchronize selected groups' in the Azure AD Connect configuration. This setting, available during installation or via the 'Customize synchronization options' task, restricts synchronization to only the on-premises Active Directory groups you explicitly choose, ensuring that only those groups are synced to Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse attribute-based filtering (Option B) with group-specific scoping, not realizing that attribute-based filtering applies to all object types and cannot be used to select individual groups for synchronization.

How to eliminate wrong answers

Option B is wrong because attribute-based filtering in Microsoft Entra Connect filters objects based on their attributes (e.g., department or country), not specifically for selecting which groups to synchronize; it is a broader filtering mechanism that can exclude objects but does not provide a group-specific selection. Option C is wrong because creating a security group in Microsoft Entra ID and adding members does not control which on-premises groups are synchronized; it creates a cloud-only group that is not linked to the on-premises synchronization process. Option D is wrong because the Synchronization Service Manager is used to manage synchronization operations (e.g., run profiles, connectors, and metaverse objects) but does not provide a configuration option to select specific groups for synchronization; group selection is done during the Azure AD Connect configuration wizard.

66 · MCQ · hard

You need to implement a solution that allows external partners to access specific SharePoint Online sites without creating guest user objects in Microsoft Entra ID. The partners will authenticate using their own identity provider. What should you use?

A. Microsoft Entra B2B collaboration with the partner's identity provider
B. Microsoft Entra B2B direct connect for SharePoint Online
C. Microsoft Entra External ID for the partner organization
D. SharePoint Online external sharing with one-time passcode authentication
Answer: D

One-time passcode authentication does not require guest user objects.

Why this answer

Option D is correct because SharePoint Online external sharing with one-time passcode authentication allows external partners to access SharePoint sites without creating guest user objects in Microsoft Entra ID. When the partner's identity provider is not federated with Entra ID, the one-time passcode feature sends a code to their email for authentication, bypassing the need for a guest account. This meets the requirement of no guest user objects while enabling access from an external identity provider.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (which always creates guest objects) with SharePoint external sharing features that can bypass guest object creation, leading them to select A or B instead of D.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration requires creating guest user objects in Microsoft Entra ID for each external partner, which directly contradicts the requirement to avoid guest objects. Option B is wrong because Microsoft Entra B2B direct connect for SharePoint Online is designed for cross-tenant access with mutual trust and still creates a B2B direct connect user object in the resource tenant, not meeting the 'no guest objects' condition. Option C is wrong because Microsoft Entra External ID is a customer-facing identity solution for external apps, not for granting access to SharePoint Online sites without guest objects; it also typically involves creating user objects in the external tenant.

67 · MCQ · medium

Your company uses Microsoft Entra ID. You need to restrict access to a critical application to only users who are in a specific security group and are signing in from a trusted location. You configure a conditional access policy with the following conditions: users (the security group), cloud apps (the critical application), conditions (locations: trusted IP ranges). However, users in the security group are still able to access the app from untrusted locations. What is the most likely reason?

A. The policy is configured as a block policy but is overridden by another policy
B. The cloud app is not correctly assigned to the policy
C. The policy uses session controls instead of grant controls
D. The policy is in report-only mode
Answer: D

Report-only mode does not enforce; it only logs.

Why this answer

When a Conditional Access policy is in report-only mode, it evaluates the conditions and logs the result but does not enforce any access controls (grant or block). This explains why users in the security group can still access the app from untrusted locations—the policy is not actively blocking or requiring MFA/location compliance. Report-only mode is commonly used for testing before enabling enforcement.

Exam trap

The trap here is that candidates often assume a Conditional Access policy automatically enforces its conditions once configured, overlooking the critical distinction between report-only mode (evaluation only) and on/enforce mode (evaluation + enforcement).

How to eliminate wrong answers

Option A is wrong because if the policy were a block policy, it would actively block access when conditions match; the issue here is that no enforcement occurs at all, not that another policy overrides it. Option B is wrong because the cloud app assignment is correctly configured per the scenario; if it were incorrect, the policy wouldn't apply to the app at all, but users are still accessing it, indicating the policy is not enforcing. Option C is wrong because session controls (e.g., sign-in frequency) do not prevent access from untrusted locations; only grant controls (e.g., require trusted location) can block or allow access based on location.

The core problem is that the policy is not enforcing any controls, which points to report-only mode.

68 · MCQ · easy

You are implementing Microsoft Entra Verified ID. Which identity verification method uses a decentralized identity standard?

A. Decentralized identifiers (DIDs)
B. SAML 2.0
C. OAuth 2.0
D. Federation with Azure AD
Answer: A

DIDs are the core of Verified ID.

Why this answer

Microsoft Entra Verified ID is built on open standards for decentralized identity, specifically using Decentralized Identifiers (DIDs) as defined by the W3C. DIDs enable verifiable, self-sovereign identity without relying on a central authority, which is the core requirement for a decentralized identity verification method. This allows users to control their own identifiers and present verifiable credentials that can be cryptographically verified.

Exam trap

The trap here is that candidates confuse decentralized identity with federation or token-based protocols (SAML, OAuth), which are centralized by design, and fail to recognize that DIDs are the specific W3C standard enabling self-sovereign identity in Verified ID.

How to eliminate wrong answers

Option B is wrong because SAML 2.0 is a centralized federation protocol that relies on a single identity provider (IdP) to assert identity, not a decentralized standard. Option C is wrong because OAuth 2.0 is an authorization framework for token-based access delegation, not an identity verification method or decentralized identity standard. Option D is wrong because federation with Azure AD is a centralized identity management approach that depends on a trusted authority (Azure AD) to manage identities, which contradicts the decentralized, user-controlled model of Verified ID.

69 · Multi-Select · hard

Which THREE of the following are required to configure Microsoft Entra ID Governance for automated user provisioning to a third-party SaaS application? (Select three.)

Select 3 answers
A. Assign the access package to a catalog
B. Create an access package in entitlement management
C. Set up Microsoft Entra Connect Sync for the application
D. Migrate from Azure AD Connect to Azure AD Connect cloud sync
E. Install and configure a provisioning agent in your on-premises environment
Answers: A, B, E

Catalogs organize access packages.

Why this answer

Option A is correct because access packages must be assigned to a catalog in Microsoft Entra ID Governance to define which resources (like the third-party SaaS application) are available for automated provisioning. The catalog acts as a container that groups related resources and access policies, enabling entitlement management to govern provisioning requests.

Exam trap

The trap here is that candidates confuse directory synchronization tools (like Entra Connect Sync or cloud sync) with the provisioning service used for SaaS applications, mistakenly thinking that syncing on-premises users is required for cloud app provisioning, when in fact the provisioning service works independently of the sync method.

70 · MCQ · medium

Your organization uses Microsoft Entra ID P2 licensing. You need to ensure that when a user's risk level is detected as 'high' by Identity Protection, the user is automatically required to perform a password change during their next sign-in. Which conditional access policy configuration should you use?

A. Assign 'Sign-in risk policy' with session control 'Sign-in frequency'
B. Assign 'User risk policy' with grant 'Require password change'
C. Assign 'User risk policy' with grant 'Require multifactor authentication'
D. Assign 'User risk policy' with grant 'Block access'
Answer: B

The 'Require password change' control forces the user to change their password.

Why this answer

Option B is correct because the 'Require password change' grant control is the specific control for high-risk users to change their password. Option A is wrong because 'Require multifactor authentication' does not force a password change. Option C is wrong because 'Require password change' is not a session control.

Option D is wrong because blocking sign-in does not allow a password change.

71 · MCQ · easy

Your organization uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts, such as Google or Facebook. Which identity solution should you configure?

A. External identities
B. Microsoft Entra B2B collaboration
C. Managed identities
D. Microsoft Entra Identity Protection
Answer: A

External identities support social identity providers like Google and Facebook.

Why this answer

External identities in Microsoft Entra ID allow you to configure identity providers such as Google and Facebook, enabling users to sign in with their existing social media accounts. This is achieved by setting up federation with OAuth 2.0 and OpenID Connect protocols, which is the correct solution for the scenario described.

Exam trap

The trap here is that candidates often confuse 'External identities' (which includes social identity providers) with 'B2B collaboration' (which is for guest users from other organizations), leading them to select B2B collaboration incorrectly.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2B collaboration is specifically for inviting external business partners (guests) from other Azure AD tenants or email domains, not for federating with social identity providers like Google or Facebook. Option C is wrong because managed identities are used to provide Azure resources with an automatically managed identity in Azure AD for authenticating to other Azure services, not for external user sign-in. Option D is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats, not a federation solution for social identity providers.

72 · Multi-Select · hard

Your organization uses Microsoft Entra ID and has a hybrid identity configuration with Active Directory Federation Services (AD FS). You are migrating to cloud authentication using Pass-through Authentication (PTA). Which TWO components are required for a PTA deployment?

Select 2 answers
A. Service Bus endpoints in Azure
B. Password Hash Synchronization agent
C. Azure AD Connect Health agent
D. Seamless Single Sign-On
E. Pass-through Authentication Agent
Answers: A, E

The PTA Agent uses Service Bus to communicate with Azure AD.

Why this answer

Pass-through Authentication (PTA) requires the PTA Agent to be installed on-premises to validate user passwords against Active Directory. It also uses Azure Service Bus endpoints to establish a secure, persistent connection between the on-premises agent and Microsoft Entra ID, enabling authentication requests to flow without storing passwords in the cloud.

Exam trap

The trap here is that candidates often confuse the required components for PTA with those for PHS or Seamless SSO, mistakenly including the Password Hash Synchronization agent or Seamless SSO as mandatory for PTA.

73 · Multi-Select · hard

You are designing a Microsoft Entra ID governance strategy. Which THREE features should you use to implement the principle of least privilege for administrative roles?

Select 3 answers
A. Microsoft Entra Lifecycle Workflows
B. Privileged Access Groups
C. Microsoft Entra Entitlement Management
D. Microsoft Entra Privileged Identity Management (PIM)
E. Microsoft Entra Access Reviews
Answers: B, D, E

Privileged Access Groups allow dynamic membership and PIM activation.

Why this answer

Privileged Access Groups (B) enable you to grant just-in-time or time-bound access to Azure AD roles and other resources by assigning users to a group that is eligible for role activation, directly supporting the principle of least privilege by limiting standing administrative access.

Exam trap

The trap here is that candidates often confuse Entitlement Management (which handles access packages for end users) with Privileged Access Groups (which specifically control administrative role activation), leading them to select Option C instead of B.

74 · MCQ · medium

Refer to the exhibit. You have a Conditional Access policy as shown. A Global Administrator reports that they are not prompted for MFA when accessing the Azure portal. Which is the most likely reason?

A. The Global Administrator role is not included in the policy.
B. The user is accessing from a trusted IP address.
C. The policy does not include the Azure portal as a target cloud app.
D. The policy is in Report-only mode.
Answer: C

The exhibit shows only 'Office 365 Exchange Online' and 'Microsoft Azure Management', and the Azure portal is accessed via 'Microsoft Azure Management'. However, if the policy does not include the correct app ID for the Azure portal, it may not apply. In practice, 'Microsoft Azure Management' covers the Azure portal.

Why this answer

The policy includes only the Exchange Online and Azure Management applications. The Azure portal is accessed via the Azure Management application, and the user's role is included. However, the most common issue is that the policy excludes the Azure portal app because it is listed as 'Microsoft Azure Management' but the actual app ID for the Azure portal might be different or not included.

In this exhibit, the Azure portal is accessed via the Azure Management application, so it should be covered. A more likely reason is that the policy does not include all necessary cloud apps, or that a break-glass account is excluded. But the best answer is that the policy applies only to Exchange Online and Azure Management; if the admin accesses the Azure portal via a different app (e.g., Azure CLI), they might not be prompted.

However, the typical mistake is that the policy does not include the correct app for the Azure portal. Given the options, the most plausible reason is that the Azure portal is not listed as a target cloud app.

75 · MCQ · medium

Your organization, Contoso, has a Microsoft Entra ID tenant with 50,000 users. You are implementing a zero-trust security model. The following requirements must be met:
1) All access to SaaS applications must be restricted based on user, device, and location.
2) Users accessing from unmanaged devices must only be allowed browser-based access and must accept terms of use.
3) The IT team must be able to grant temporary access to the Global Administrator role for up to 8 hours.
4) All external users must have their access reviewed every 6 months.
Which combination of Microsoft Entra features should you use?

A. Conditional access policies, entitlement management, Privileged Identity Management (PIM), and access reviews
B. Conditional access policies, Privileged Identity Management (PIM), access reviews, and terms of use
C. Conditional access policies, Microsoft Entra B2B, Privileged Identity Management (PIM), and access reviews
D. Conditional access policies, Identity Protection user risk policy, Privileged Identity Management (PIM), and access reviews
Answer: B

Conditional access enforces device/location/browser, terms of use for unmanaged devices, PIM for temporary admin, and access reviews for external users.

Why this answer

Option C is correct because it uses conditional access for granular controls, PIM for temporary admin, and access reviews for external users. Option A is wrong because Identity Protection is for risk, not access control. Option B is wrong because entitlement management is not for direct role assignments.

Option D is wrong because B2B is for inviting guests, not access control.
