CCNA Implement and manage Microsoft Entra identity and access Questions

16 of 166 questions · Page 3/3 · Implement and manage Microsoft Entra identity and access · Answers revealed

151 · MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their Google Workspace credentials without creating external identities. What should you configure?

A. Enable Microsoft Entra Verified ID for Google Workspace users
B. Configure Google as a social identity provider in Microsoft Entra External ID
C. Configure Microsoft Entra B2B collaboration with Google Workspace
D. Configure SAML/WS-Fed identity provider federation with Google Workspace
Answer: D

Microsoft Entra ID supports direct federation with Google Workspace as a SAML/WS-Fed identity provider.

Why this answer

Option D is correct because configuring SAML/WS-Fed identity provider federation with Google Workspace allows users to sign in using their Google Workspace credentials directly, without creating external identities. This federation establishes a trust relationship between Microsoft Entra ID and Google Workspace as an identity provider, enabling seamless authentication for users who already have Google accounts.

Exam trap

The trap here is that candidates often confuse social identity provider configuration (Option B) with enterprise federation, but social IdPs are designed for consumer scenarios and create external identities, whereas SAML/WS-Fed federation preserves the user's existing identity without creating new objects in the directory.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Verified ID is a decentralized identity solution using verifiable credentials, not designed for federating with Google Workspace for sign-in. Option B is wrong because configuring Google as a social identity provider in Microsoft Entra External ID is intended for consumer-facing applications and creates external identities, not for enterprise users with existing Google Workspace accounts. Option C is wrong because Microsoft Entra B2B collaboration creates external guest user objects in the directory, which contradicts the requirement to avoid creating external identities.

152 · MCQ · medium

An administrator runs the Azure CLI command shown in the exhibit. What is the result of this command?

A. A new application registration is created with requested permissions to Graph
B. An existing application registration is updated
C. The application is configured with single-tenant sign-in audience
D. An admin consent is granted for the Microsoft Graph permissions
Answer: A

The command creates a new app with required resource accesses to Graph.

Why this answer

The Azure CLI command `az ad app create --display-name 'MyApp' --required-resource-accesses '[{"resourceAppId":"00000003-0000-0000-c000-000000000000","resourceAccess":[{"id":"e1fe6dd8-ba31-4d61-89e7-88639da4923c","type":"Scope"}]}]'` creates a new application registration in Microsoft Entra ID. The `--required-resource-accesses` parameter specifies the Microsoft Graph (resourceAppId `00000003-0000-0000-c000-000000000000`) and the permission with ID `e1fe6dd8-ba31-4d61-89e7-88639da4923c` (which corresponds to the `User.Read` delegated permission). This registers the app with requested permissions to Microsoft Graph, but does not grant admin consent or configure sign-in audience.

Exam trap

The trap here is that candidates confuse requesting permissions (which happens during app registration) with granting admin consent (a separate administrative action), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because the `az ad app create` command always creates a new application registration; it does not update an existing one (use `az ad app update` for updates). Option C is wrong because the command does not include any parameter to set the sign-in audience (e.g., `--sign-in-audience`); by default, the audience is set to `AzureADMyOrg` (single-tenant), but the command itself does not configure it—the default applies. Option D is wrong because the command only requests permissions; admin consent requires a separate step, such as using `az ad app permission admin-consent` or the Microsoft Entra admin center.

153 · MCQ · hard

Your company, Alpine Ski House, uses Microsoft Entra ID P2. You have the following requirements: 1) Users in the Finance department must be required to use MFA when accessing the financial application, but only if they are not on the corporate network. 2) All users must be automatically blocked if Identity Protection detects their account as compromised (high user risk). 3) You need to ensure that the password change process after a high-risk detection does not allow users to reuse the last 5 passwords. 4) The solution must minimize false positives and allow users to self-remediate if they believe a risk detection is incorrect. Which configuration should you implement?

A. Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a sign-in risk policy to block high-risk users, and configure password protection to enforce password history
B. Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a user risk policy to block high-risk users with user feedback enabled, and configure password protection to enforce the last 5 password history
C. Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a user risk policy to block high-risk users, and enable user feedback for risk detections
D. Create a conditional access policy for Finance requiring MFA from non-corporate networks, create a user risk policy to require password change, and configure password protection to enforce password history
Answer: B

All requirements are met: MFA for Finance, block high-risk, user feedback, password history.

Why this answer

Option B is correct because it combines a conditional access policy requiring MFA for Finance from non-corporate networks, a user risk policy that blocks high-risk users with user feedback enabled, and password protection that enforces the last 5 password history. Option A is wrong because a sign-in risk policy addresses sign-in risk, not user risk. Option C is wrong because it lacks password history enforcement. Option D is wrong because it does not include user feedback for false positives.

154 · MCQ · easy

You need to configure self-service password reset (SSPR) for users in Microsoft Entra ID. Which license is required?

A. Microsoft 365 F3
B. Microsoft 365 E3
C. Microsoft Entra ID P1
D. Microsoft Entra ID Free
Answer: C

P1 includes SSPR.

Why this answer

Option C is correct because SSPR for cloud users requires Microsoft Entra ID P1 or P2. Option D is wrong because Free does not include SSPR. Option B is wrong because E3 includes P1. Option A is wrong because F3 includes P1.

155 · MCQ · medium

Refer to the exhibit. You manage an application registration in Microsoft Entra ID. The JSON shows the current state of the app's password credentials. The application is used by a daemon to acquire tokens. The certificate used for authentication expires on 2025-12-31. The application is currently using a client secret. The security policy requires rotating secrets every 6 months. What is the best course of action?

A. Switch the daemon to use certificate-based authentication and remove the secret
B. Do nothing; the secret does not expire until 2025-12-31
C. Create a new client secret, update the daemon to use the new secret, then delete the old secret
D. Extend the endDateTime of the existing secret to 2026-12-31
Answer: C

This rotates the secret properly.

Why this answer

Option C is correct because the security policy requires rotating secrets every 6 months, and the current secret's endDateTime is set to 2025-12-31, which exceeds that interval. Creating a new client secret, updating the daemon to use it, and then deleting the old secret ensures compliance with the rotation policy while maintaining uninterrupted token acquisition. This approach follows the least-privilege and secret rotation best practices for application credentials in Microsoft Entra ID.

Exam trap

Microsoft often tests the distinction between secret expiration and rotation policy, where candidates mistakenly think that a long expiration date satisfies security requirements, but rotation policies mandate periodic replacement regardless of the original expiration date.

How to eliminate wrong answers

Option A is wrong because the daemon is currently using a client secret, and switching to certificate-based authentication is not required by the policy; the policy only mandates rotating secrets every 6 months, not changing authentication methods. Option B is wrong because doing nothing violates the security policy that requires rotating secrets every 6 months, even though the current secret does not expire until 2025-12-31. Option D is wrong because extending the endDateTime of the existing secret does not rotate it; it merely prolongs the life of the same secret, which fails to meet the rotation requirement and increases security risk.

156 · Multi-Select · medium

Which TWO of the following are required to configure Microsoft Entra ID self-service password reset (SSPR) for cloud-only users? (Choose two.)

Select 2 answers
A. Microsoft Entra ID P1 or P2 license.
B. Azure AD Connect synchronization.
C. Users must be assigned a license.
D. A paid Microsoft 365 license.
E. Users must register for MFA.
Answers: C, D

Users need a license to use SSPR.

Why this answer

Option C is correct because each user must be assigned a Microsoft Entra ID license (such as P1 or P2) to be eligible for SSPR. Without a license assignment, the user cannot use the SSPR feature, even if the tenant has the required licenses available. Option D is correct because a paid Microsoft 365 license (e.g., Microsoft 365 Business Premium, E3, or E5) includes the necessary Microsoft Entra ID P1 or P2 functionality, which is required for SSPR.

Cloud-only users do not require Azure AD Connect or MFA registration for basic SSPR, though MFA is recommended for stronger security.

Exam trap

The trap here is that candidates often confuse 'having a license in the tenant' (Option A) with 'assigning the license to each user' (Option C), and they may incorrectly think MFA registration (Option E) is mandatory for SSPR, when it is only required if the administrator enforces it via policy.

157 · Multi-Select · easy

Your company uses Microsoft Entra ID for identity management. You are planning to implement Conditional Access policies. Which TWO components are required to create a Conditional Access policy?

Select 2 answers
A. MFA registration status
B. Identity Protection risk policies
C. Azure AD roles
D. Assignments (users, groups, cloud apps, conditions)
E. Access controls (grant or block, session controls)
Answers: D, E

Defines who and what the policy applies to.

Why this answer

A Conditional Access policy requires assignments (users/groups, cloud apps, conditions) and access controls (grant or block, session controls). Option D (assignments) and Option E (access controls) are the two main components. Option B (Identity Protection risk policies) is a separate service, not a required component. Option C (Azure AD roles) is not part of policy creation. Option A (MFA registration status) is a prerequisite but not a component of the policy.

158 · MCQ · medium

Your organization uses Microsoft Entra Conditional Access. You need to block access from countries where your company does not operate. The list of blocked countries changes frequently. What is the most efficient way to manage this?

A. Enable Microsoft Entra multifactor authentication for all users from blocked countries
B. Create a Conditional Access policy that blocks all locations except the allowed countries
C. Use IP ranges in Conditional Access to block specific country IPs
D. Create Named Locations for blocked countries and use them in Conditional Access
Answer: D

Named Locations can be easily updated with new countries.

Why this answer

Named Locations in Microsoft Entra Conditional Access allow you to define countries by IP ranges and then use those locations in a policy to block access. This is the most efficient approach because you can update the list of blocked countries in the Named Locations configuration without modifying the Conditional Access policy itself, which is ideal when the list changes frequently.

Exam trap

The trap here is that candidates often think using IP ranges directly in the policy (Option C) is more precise, but they overlook the administrative overhead of maintaining those ranges manually, whereas Named Locations with country selection provide a simpler and more scalable solution for frequently changing country lists.

How to eliminate wrong answers

Option A is wrong because enabling MFA for users from blocked countries does not block access; it only adds an authentication challenge, which is not a block action and does not meet the requirement to prevent access. Option B is wrong because creating a policy that blocks all locations except allowed countries is inefficient when the list of blocked countries changes frequently, as you would need to constantly update the allowed list, and it is easier to manage a list of blocked countries directly. Option C is wrong because using IP ranges in Conditional Access to block specific country IPs is impractical and inefficient; you would need to manually gather and maintain a list of all IP ranges for each blocked country, which is error-prone and does not leverage the built-in country-based location detection that Named Locations provide.

159 · MCQ · hard

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You are implementing Privileged Identity Management (PIM) to manage access to Azure AD roles. You need to ensure that when a user activates a privileged role, the activation request must be approved by their manager and must include a ticket number. What should you configure?

A. Create an access review for the role
B. Modify the role settings in PIM to require approval and justification with ticket number
C. Configure an access package in Entitlement Management
D. Use Conditional Access policy with session controls
Answer: B

PIM role settings allow approval requirement and ticket info.

Why this answer

Option B is correct because PIM role settings allow you to configure activation requirements, including requiring approval and mandating a justification field. By enabling 'Require approval to activate' and configuring the approver as the user's manager, and by setting 'Require ticket information on activation', you enforce that every activation request includes a ticket number and is routed to the manager for approval.

Exam trap

The trap here is that candidates confuse Entitlement Management access packages (which also support approval workflows) with PIM role settings, but only PIM role settings allow you to require a ticket number and specify the manager as the approver for Azure AD role activation.

How to eliminate wrong answers

Option A is wrong because access reviews are used for periodic recertification of role assignments, not for controlling the activation process itself. Option C is wrong because Entitlement Management access packages manage resource access through catalogs and policies, but they do not enforce manager approval and ticket number requirements for Azure AD role activation—that is a PIM role settings feature. Option D is wrong because Conditional Access policies control authentication and session behavior, not the approval workflow or justification requirements for PIM role activation.

160 · MCQ · hard

Your company has a Microsoft 365 E5 subscription and uses Microsoft Entra ID. You have configured Microsoft Entra Identity Governance. You need to create an access review for all guest users in the tenant to ensure their access is still required. The review should be recurring every 90 days and should auto-remove guests if they are not approved. What should you configure?

A. Configure a Conditional Access policy to block guests after 90 days
B. Create an access review for all guest users with a recurrence of 90 days and auto-apply results
C. Configure PIM settings for guest users
D. Create an access package in entitlement management for guest users
Answer: B

Access reviews support recurring reviews and auto-removal.

Why this answer

Option B is correct because creating an access review for all guest users with a recurrence of 90 days and auto-apply results directly meets the requirement: it reviews guest access every 90 days and automatically removes guests who are not approved. Access reviews in Microsoft Entra ID Governance allow you to scope reviews to guest users, set recurrence, and enable auto-apply to enforce removal without manual intervention.

Exam trap

The trap here is that candidates confuse Conditional Access policies (which block access but do not remove accounts) with access reviews (which can automatically remove guest accounts), or they mistakenly think PIM or access packages can perform tenant-wide recurring guest reviews with auto-removal.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy controls access conditions (e.g., blocking sign-ins after 90 days) but does not perform recurring reviews or automatically remove guest accounts; it only blocks authentication, leaving the guest object and its assignments intact. Option C is wrong because PIM (Privileged Identity Management) settings manage just-in-time privileged role activation and approval, not recurring access reviews for all guest users or auto-removal of unapproved guests. Option D is wrong because creating an access package in entitlement management manages resource access through requests and approvals, but it does not provide a recurring review cycle with auto-removal for all guest users; access packages are for specific resource catalogs, not tenant-wide guest review.

161 · MCQ · hard

Your organization uses Microsoft Entra ID Governance. You need to automate the removal of access when an employee leaves the company. The identity lifecycle should trigger access reviews and automatic deprovisioning. What should you configure?

A. Microsoft Entra Entitlement Management
B. Microsoft Entra Lifecycle Workflows
C. Microsoft Entra Access Reviews
D. Microsoft Entra Privileged Identity Management
Answer: B

Lifecycle Workflows automate the entire lifecycle, including deprovisioning.

Why this answer

Option B is correct because Lifecycle Workflows automate joiner, mover and leaver processes. Option A is wrong because Entitlement Management manages access packages. Option C is wrong because Access Reviews are manual unless automated by Lifecycle Workflows. Option D is wrong because PIM is for privileged roles.

162 · MCQ · medium

Your organization uses Microsoft Entra ID P2. You want to automatically remediate high-risk users by requiring them to change their password. However, you also want to allow users to self-remediate if they believe the risk detection is false positive. What should you implement?

A. User risk policy with 'Require password change' and enable user feedback
B. Sign-in risk policy with 'Require password change'
C. User risk policy with 'Block access' and enable user feedback
D. Sign-in risk policy with 'Require multifactor authentication'
Answer: A

Password change remediates high risk, and user feedback allows dismissing false positives.

Why this answer

Option A is correct because the user risk policy with 'Require password change' can include user feedback options like 'Dismiss risk' for false positives. Option C is wrong because blocking access does not allow self-remediation. Option D is wrong because MFA does not change the password. Option B is wrong because a sign-in risk policy addresses sign-in risk, not user risk.

163 · MCQ · easy

Your organization uses Microsoft Entra ID. You need to ensure that users cannot reuse their last 5 passwords when changing passwords. What should you configure?

A. Password protection policy - enforce password history.
B. Multi-factor authentication settings.
C. Account lockout threshold.
D. Smart lockout settings.
Answer: A

Password protection policy includes password history settings.

Why this answer

The password history policy in Microsoft Entra ID (formerly Azure AD) enforces the number of unique passwords a user must use before they can reuse an old password. By setting the password history value to 5, users cannot reuse any of their last 5 passwords when changing their password. This directly meets the requirement to prevent reuse of the last 5 passwords.

Exam trap

The trap here is that candidates often confuse password history (which prevents reuse) with password expiration or complexity settings, or they mistakenly think smart lockout or MFA can enforce password reuse rules.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication settings control additional verification methods (e.g., phone call, app notification) and do not manage password reuse history. Option C is wrong because account lockout threshold defines the number of failed sign-in attempts before an account is locked, not password reuse restrictions. Option D is wrong because smart lockout settings help block brute-force attacks by locking accounts after repeated failed attempts from unfamiliar locations, but they do not enforce password history or reuse rules.

164 · MCQ · hard

Your organization uses Microsoft Entra ID P2 and has enabled Microsoft Entra ID Protection. You need to generate a weekly report of users who are at risk due to anomalous sign-in activity and send it to the security team. What is the most efficient way to achieve this?

A. Use the Microsoft Entra admin center to export the risky sign-ins report every week
B. Configure a Microsoft Sentinel analytics rule to generate incidents for risky sign-ins
C. Create a custom workbook in Microsoft Entra ID and schedule it to run weekly
D. Write a PowerShell script that uses the Microsoft Graph API to retrieve risky sign-ins and send an email weekly
Answer: C

Workbooks in Microsoft Entra ID can be scheduled and shared with the security team.

Why this answer

Option C is correct because Microsoft Entra ID custom workbooks can be configured with a scheduled refresh, allowing you to automatically generate and deliver a weekly report of risky sign-ins without manual intervention or additional infrastructure. This leverages the built-in reporting and scheduling capabilities of Entra ID, making it the most efficient solution for a recurring report.

Exam trap

The trap here is that candidates often assume that any automated task requires PowerShell or external tools, overlooking the built-in scheduling capabilities of Entra ID workbooks, which are specifically designed for recurring report generation without additional scripting.

How to eliminate wrong answers

Option A is wrong because manually exporting the risky sign-ins report every week is not efficient; it requires human intervention and does not automate the delivery to the security team. Option B is wrong because Microsoft Sentinel analytics rules are designed for security incident detection and response, not for generating scheduled reports; using Sentinel for this purpose introduces unnecessary complexity and cost. Option D is wrong because writing a PowerShell script with Microsoft Graph API to retrieve risky sign-ins and send an email weekly is less efficient than using a built-in scheduled workbook, as it requires custom development, maintenance, and handling of authentication and scheduling logic.

165 · MCQ · medium

Refer to the exhibit. You have created a conditional access policy as shown. Users report that they can still access cloud apps from non-compliant devices. What is the most likely reason?

A. The policy does not exclude specific users
B. The policy does not include all cloud apps
C. The grant control operator is set to "OR" with only one control, which requires no controls to be satisfied
D. The policy uses session controls instead of grant controls
Answer: C

With OR and one control, the policy is satisfied even if the device is not compliant.

Why this answer

Option C is correct because the conditional access policy's grant control is set to 'OR' with only a single control selected (e.g., 'Require device to be marked as compliant'). When the operator is 'OR' and only one control is listed, the policy effectively requires that control to be satisfied. However, if the control is not enforced due to a misconfiguration or the device not being evaluated (e.g., the device platform is not specified), the 'OR' operator with a single control can be interpreted as granting access if any control is met—but since only one exists, it still must be met.

The most likely reason users can still access cloud apps from non-compliant devices is that the policy's grant control operator is set to 'OR' with only one control, which means the policy does not actually block access if the control is not satisfied; instead, it allows access because the 'OR' condition is technically satisfied by the absence of a second control to fail against. In practice, this configuration is a common misconfiguration that results in the policy being ineffective.

Exam trap

The trap here is that candidates assume a single grant control with 'OR' operator works the same as 'AND' operator, but Microsoft's logic treats 'OR' with one control as a pass-through if the control is not enforced, leading to unintended access.

How to eliminate wrong answers

Option A is wrong because excluding specific users is not required for a conditional access policy to block non-compliant devices; the policy can target all users and still enforce compliance. Option B is wrong because the policy does not need to include all cloud apps to block non-compliant devices; it can target specific apps and still enforce the grant control. Option D is wrong because session controls (e.g., 'Use app enforced restrictions') are used for session-level restrictions, not for blocking access based on device compliance; the issue here is with grant controls, not session controls.

166 · MCQ · easy

Your organization requires that all administrators use phishing-resistant authentication methods. Which Microsoft Entra ID authentication method meets this requirement?

A. SMS-based verification
B. Microsoft Authenticator push notification
C. Temporary Access Pass
D. FIDO2 security key
Answer: D

FIDO2 is phishing-resistant by design.

Why this answer

FIDO2 security keys are phishing-resistant because they use public key cryptography and cannot be phished. Option A is wrong because SMS is vulnerable to phishing. Option B is wrong because push notifications can be phished. Option C is wrong because a Temporary Access Pass is not a primary authentication method.
