MS-102 domain

Implement and manage identity and access in Microsoft Entra ID

Use this page to practise MS-102 questions on implementing and managing identity and access in Microsoft Entra ID. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

75 questions

Focused practice

Start an Implement and manage identity and access in Microsoft Entra ID session

All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.

What the exam tests

What to know about Implement and manage identity and access in Microsoft Entra ID

Implement and manage identity and access in Microsoft Entra ID questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Question index

All Implement and manage identity and access in Microsoft Entra ID questions (75)

Click any question to see the full explanation, or start a practice session above.

1

An organization has Microsoft Entra ID P2 licenses and wants to configure a Conditional Access policy to restrict access to Microsoft 365 services. Which of the following can be used as conditions in the policy? (Choose two that apply)

2

An organization with Microsoft Entra ID P2 licenses wants to require multi-factor authentication (MFA) for all users but allow them to register their authentication methods before being forced to use MFA. Which configuration should they implement?

3

An organization wants to enforce that all administrators use a phishing-resistant authentication method (e.g., FIDO2 security keys or Windows Hello for Business) when accessing Microsoft 365 admin portals. Which Microsoft Entra ID feature should be used?

4

An organization with Microsoft Entra ID P2 licenses needs to enforce that all users accessing the Azure portal must use FIDO2 security keys for multi-factor authentication. Which configuration should be implemented?

5

An organization wants to enable users to reset their own passwords using the Microsoft Authenticator app and to prevent reuse of the last five passwords. Which Microsoft Entra ID features should be configured?

6

A company wants to ensure that all new users register for multi-factor authentication (MFA) within 14 days of account creation. Which Microsoft Entra ID feature should be used?

7

An organization has multiple Microsoft Entra ID tenants and wants to allow partner users to access internal applications using their own corporate credentials. Which feature should be used to enable this?

8

An organization uses Microsoft Entra ID. They want to ensure that users cannot install browser extensions from the Microsoft Edge Add-ons store on managed devices. Which Microsoft Entra ID feature should they use to enforce this policy?

9

An organization uses Microsoft Entra ID P2 licenses. They want to implement a policy that forces users to perform multi-factor authentication (MFA) only when they sign in from an untrusted location. The trusted locations include the corporate office IP range. Which type of policy should they create?

10

An organization uses Microsoft Entra ID with Pass-through Authentication (PTA) and Seamless Single Sign-On (SSO). They notice that password changes in on-premises Active Directory are not reflecting immediately in Microsoft Entra ID for some users. What is the most likely cause?

11

A company uses Microsoft Entra ID with conditional access policies. They need to ensure that all external users who are invited via B2B collaboration must perform multi-factor authentication (MFA) when accessing the corporate SharePoint Online site. Which two configurations are required? (Choose two.)

12

An organization wants to allow users to sign in to Microsoft 365 using their on-premises Active Directory credentials but does not want to synchronize password hashes to the cloud. They also want to eliminate the need for users to re-enter their credentials when accessing cloud resources from domain-joined devices. Which combination of authentication methods should they implement?

13

Contoso uses Microsoft Entra ID P1 licenses and has a dedicated corporate office with static public IP addresses. The company wants to require MFA for all users, but exempt users when they connect from the corporate office. Which configuration should the administrator implement?

14

A company invites external partners as B2B guest users in Microsoft Entra ID. The partners' home tenants do not support MFA. The company wants to require MFA when guests access an internal application. What should the company configure?

15

A company uses Microsoft Entra ID with password hash synchronization. The security team wants to prevent users from setting passwords that include their username or common terms from a custom dictionary (e.g., company name, product names). Which feature should be configured?

16

A company uses Microsoft Entra ID P2 licenses. They want to ensure that all users are forced to use MFA when accessing a SaaS application from non-corporate networks. Corporate networks are identified by a set of IP ranges. Service accounts must be excluded from this requirement. Which policy should be created?

17

A company uses Microsoft Entra ID with Pass-through Authentication. The security team wants to block all sign-ins from countries that are not approved (e.g., high-risk regions). Which feature should they use?

18

A company has a hybrid identity with password hash synchronization. They want to ensure that any user whose account is disabled in on-premises Active Directory is automatically prevented from signing in to Microsoft 365. How can this be achieved?

19

An organization uses Microsoft Entra ID P2 licenses. They need to require multi-factor authentication (MFA) for all users accessing a critical financial application, but they must exclude a set of service accounts that are members of the 'Service Accounts' group. Which policy should they create?

20

A company uses Password Hash Synchronization (PHS) to synchronize identities to Microsoft Entra ID. They want to enable users to access Microsoft 365 applications from their domain-joined work devices without being prompted to re-enter their credentials. Which feature should they enable in addition to PHS?

21

A company uses Microsoft Entra ID P2 licenses. A security administrator needs to grant a user temporary elevation to the Global Administrator role for a specific task. The elevation should require approval from a designated group and be time-limited. Which Microsoft Entra feature should be configured?

22

A company (Contoso) frequently collaborates with a partner company (Fabrikam) via B2B collaboration. Contoso wants to require Fabrikam's guest users to perform MFA using Contoso's MFA policies, ignoring any MFA claims from the Fabrikam home tenant. However, Fabrikam's users already have MFA enabled in their home tenant. What should Contoso configure in their cross-tenant access settings?

23

A company wants to reduce help desk calls by allowing users to reset their own passwords securely. Users should be able to reset their passwords using a mobile phone number or email as verification. Which Microsoft Entra ID feature should be enabled?

24

A company uses Microsoft Entra ID P2 licenses. They want to create a Conditional Access policy that requires MFA for all users, but the policy should only be enforced when the sign-in risk is medium or higher. Additionally, they need to exclude a group named 'Emergency Access' from this policy. Which configuration is correct?

25

A company wants to allow users to reset their own forgotten passwords using a mobile app notification as the verification method. Which Microsoft Entra feature should be enabled and configured?

26

A company uses Microsoft Entra ID P2 licenses. They want to block all authentication attempts from an internal app that uses legacy authentication protocols (POP3, IMAP, SMTP) because these protocols cannot enforce multi-factor authentication. Which Conditional Access policy setting should be used?

27

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing a critical cloud application. However, they have a group of service accounts that cannot perform MFA and must be excluded. What is the recommended approach?

28

A company uses Microsoft Entra ID P2 licenses and wants to block all authentication attempts from an internal legacy application that uses POP3 and SMTP protocols. The application cannot be updated and must be blocked from accessing Exchange Online. Which Conditional Access policy setting should the administrator configure?

29

Contoso frequently collaborates with a partner company (Fabrikam) via B2B collaboration. Contoso uses Microsoft Entra ID P2 licenses and wants to require Fabrikam's guest users to authenticate using Contoso's MFA policies, ignoring any MFA claims from the Fabrikam home tenant. Fabrikam already has MFA enabled for its users. What configuration should Contoso make in their cross-tenant access settings?

30

A company uses Microsoft Entra ID P2 licenses. They want to require multi-factor authentication (MFA) for all users when accessing the Azure Management portal, but only from devices that are not marked as compliant. Additionally, a group named 'BreakGlass' must be excluded from this requirement. Which Conditional Access policy configuration should be applied?

31

A company uses Microsoft Entra ID P1 licenses. They want to allow access to a sensitive cloud application only from the company's trusted office IP ranges (10.0.0.0/24). However, the executive team (group "Execs") must be able to access the app from any location. Which Conditional Access policy configuration should the administrator use?

32

A company wants to enable self-service password reset (SSPR) for all users. Which two configurations are mandatory to allow users to reset their own passwords? (Choose two.)

33

A company wants to require MFA for all users when they access Office 365 from any network location that is not the company's trusted IP ranges. Which Conditional Access policy configuration should be applied?

34

A company uses Microsoft Entra ID P2 licenses and wants to enforce multi-factor authentication (MFA) for all users when accessing corporate applications. However, a small group of break-glass accounts must be excluded from MFA requirements to ensure emergency access. The administrator creates a Conditional Access policy targeting all users. Which configuration should be applied to achieve the exclusion?

35

A company uses Microsoft Entra ID P2 licenses and wants to implement just-in-time (JIT) privileged access for administrators. Security requirements state that Global Administrator role members must request approval and provide a business justification before their role activation expires after 4 hours. Which Microsoft Entra feature should be configured?

36

A company has an on-premises Active Directory environment and wants to sync user identities to Microsoft Entra ID while avoiding storing password hashes in the cloud. The company wants to provide seamless single sign-on (SSO) for domain-joined devices. Which authentication method should be chosen?

37

A junior administrator needs permission to view sign-in logs, audit logs, and security recommendations in the Microsoft Entra admin center, but must not be able to reset passwords, modify settings, or manage roles. Which built-in Microsoft Entra role should the administrator assign?

38

A company uses Microsoft Entra ID P2 licenses. The security team wants to automatically block sign-ins for users with high sign-in risk, but only when the sign-in originates from outside the corporate network. For sign-ins from the corporate network, they want to require a password change for medium sign-in risk. A group of emergency access accounts (break-glass) must be excluded from all policies. What should the administrator implement?

39

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'Emergency' must be excluded from MFA requirements. Which Conditional Access policy configuration should the administrator use?

40

A security administrator needs to implement a just-in-time (JIT) privileged access solution for the Global Administrator role. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should be configured?

41

A company uses Microsoft Entra ID P2 licenses. The security team wants to automatically require a password change for users with medium sign-in risk, but only when the sign-in originates from outside the corporate network. Users with high sign-in risk should be blocked entirely. A group of break-glass accounts must be excluded from all policies. Which feature should the administrator implement?

42

A company uses password hash synchronization with Microsoft Entra Connect. The security team wants to enable self-service password reset (SSPR) so that users can reset their own passwords, and the password changes must be written back to the on-premises Active Directory. Which additional configuration is required to achieve password writeback?

43

A company uses Microsoft Entra ID P2 licenses. The security team wants to require multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'BreakGlass' must be excluded from MFA requirements. Additionally, the company wants to block legacy authentication protocols. Which approach should the administrator use?

44

A company wants to implement just-in-time (JIT) privileged access for the Global Administrator role in Microsoft Entra ID. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should the administrator configure?

45

A company wants to block access to Exchange Online from devices that are not compliant with Intune compliance policies. Which Conditional Access grant control should be used?

46

An administrator who is not a Global Administrator needs to manage just-in-time privileged access to Azure resources using Microsoft Entra Privileged Identity Management (PIM). Which built-in role must be assigned to the administrator to allow PIM management for Azure resources?

47

A company wants to require that all users accessing a critical cloud application for the first time must accept a company terms of use before they are granted access. Which Conditional Access policy grant control should be added?

48

A company uses Microsoft Entra ID Governance to automate the lifecycle of user access. They want to automatically remove a user's group membership for a critical application 30 days after the user's employment end date is captured from the HR system. Which feature should be configured to meet this requirement?

49

A development team builds a background service that needs to read all users' calendars via Microsoft Graph without a signed-in user. The service will run on a server with a client secret. Which OAuth 2.0 grant flow should the application use?

50

A company uses Azure AD Identity Protection. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. Which policy should be configured?

51

A company wants to require that all users accessing a critical internal application must be on a compliant device (managed by Intune) and must have authenticated with multi-factor authentication in the last 30 minutes. Which Conditional Access configurations are needed?

52

An administrator needs to allow external users from a partner company to sign up for access to a SharePoint Online site using their own Azure AD accounts. Which configuration should the administrator enable?

53

A company uses Azure AD Identity Protection. The security administrator wants to block user sign-ins when the sign-in risk level is detected as 'High' for a custom SaaS application. Which Conditional Access policy configuration should the administrator use?

54

A company wants to implement just-in-time (JIT) privileged access for the Security Administrator role. Users must be able to activate the role with a business justification, and the activation must be approved by a designated group of approvers. The role activation should expire after 4 hours. Which Privileged Identity Management (PIM) configuration should the administrator modify?

55

A company uses Azure AD and SharePoint Online. They want to allow users from a partner organization (which also uses Azure AD) to access a specific SharePoint Online site using their existing partner credentials. The partner users should not require new accounts to be created. Which Azure AD feature should be configured?

56

A company uses Azure AD Identity Protection. The security team wants to automatically block users from signing in when the user risk level is 'High'. Which policy should they configure?

57

A company wants to automatically assign Microsoft 365 E5 licenses to all users in the Sales department. The department is identified by the department attribute in Microsoft Entra ID. The administrator needs to configure a method where licenses are assigned based on group membership, and the group membership is automatically updated based on user attributes. Which licensing approach should the administrator use?

58

A company wants to require approval for any activation of the Global Administrator role in Privileged Identity Management (PIM). The approvers are predefined as members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to meet these requirements?

59

A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator needs to ensure that users are required to register at least two authentication methods before they can use SSPR. Which configuration setting should the administrator modify?

60

A company uses Azure AD Conditional Access. The security team wants to require multi-factor authentication (MFA) for all users when accessing the Azure portal, except when they are connecting from the corporate network (which is defined as a trusted location). How should the Conditional Access policy be configured?

61

An organization wants to configure Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users register two authentication methods: one from the mobile app category (e.g., notification or code) and one from the phone call category (e.g., office phone or mobile phone). Which combination of methods should the administrator select in the SSPR settings?

62

A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users are required to register at least two authentication methods: one from the 'mobile app' category and one from the 'phone call' category. Which combination of methods should the administrator select in the SSPR registration settings?

63

A company wants to allow users to reset their own passwords without administrator intervention. They need to configure Self-Service Password Reset (SSPR) for all cloud-only users. Which Azure AD license is required for all users to enable SSPR?

64

Administrators want to enforce multi-factor authentication (MFA) for all users when accessing cloud applications from untrusted networks. They plan to use Azure AD Conditional Access with named locations. Which two components must be configured to meet this requirement? (Select two.)

65

The security team wants to require approval for any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM). The approvers must be members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify?

66

Contoso wants to require multi-factor authentication (MFA) for all users when accessing cloud applications from any network except the corporate headquarters (trusted IP range). They plan to use Azure AD Conditional Access. Which two components must be configured to achieve this requirement? (Select all that apply.)

67

The security team at Contoso wants to require that any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM) must be approved by members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to achieve this?

68

A company with Azure AD Premium P2 licenses wants to enforce that all activations of the Global Administrator role require approval from a designated security group. The activation must also require a business justification and expire after 4 hours. Which Azure AD feature should the administrator configure?

69

A company uses Azure AD Connect with password hash synchronization. They want to enable Azure AD Seamless Single Sign-On (SSO) for users accessing Microsoft 365 from domain-joined devices on the corporate network. Which configuration is required on the on-premises Active Directory?

70

A company uses hybrid identity with Azure AD Connect and password hash synchronization. They want to enable Self-Service Password Reset (SSPR) with password writeback so that users can reset their on-premises Active Directory passwords. Which Azure AD license is required?

71

A company uses Azure AD Privileged Identity Management (PIM) for role activation. They want to require that any activation of the Security Administrator role be approved by a designated group of approvers called 'Security Approvers'. Activations must include a ticket number and expire after 8 hours. Which PIM configuration should the administrator modify?

72

A company uses Azure AD Connect with password hash synchronization. They want to allow users to reset their on-premises Active Directory passwords from the cloud Self-Service Password Reset (SSPR) portal. Which additional configuration is required in Azure AD Connect?

73

A company uses Azure AD Privileged Identity Management (PIM) to manage role activations. They have an Azure AD Premium P2 license. The security team wants to require that any activation of the Exchange Administrator role must be approved by a specific group named 'Exchange Approvers'. Additionally, activations must require a ticket number and expire after 6 hours. Which PIM configuration should the administrator modify?

74

A company uses Azure AD Conditional Access to enforce MFA for all cloud apps. They have some users who are physically located in countries that are considered high-risk by the security team. The team wants to require device compliance (as defined by Intune) for sign-ins from those specific countries, while still requiring MFA from all other locations. How should the administrator configure the Conditional Access policy?

75

A company wants to use Azure AD Identity Protection features such as user risk policies and sign-in risk policies to automatically respond to risky behavior. Which Azure AD license is required to enable these capabilities?

Watch out for

Common Implement and manage identity and access in Microsoft Entra ID exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Frequently asked questions

What does the Implement and manage identity and access in Microsoft Entra ID domain cover on the MS-102 exam?
Implement and manage identity and access in Microsoft Entra ID questions test whether you can apply the concept in context, not just recognise a definition.

How many questions are in this domain?
This page lists all 75 Implement and manage identity and access in Microsoft Entra ID questions in the MS-102 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.

What is the best way to practise this domain?
Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.

Can I practise only Implement and manage identity and access in Microsoft Entra ID questions?
Yes. The session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.