CCNA Implement And Manage Identity And Access In Microsoft Entra Id Questions


1
MCQ · medium

A company uses Azure AD Identity Protection. The security administrator wants to block user sign-ins when the sign-in risk level is detected as 'High' for a custom SaaS application. Which Conditional Access policy configuration should the administrator use?

A. Create a Conditional Access policy with a grant control to require MFA when sign-in risk is high
B. Create a Conditional Access policy set to block access when sign-in risk is high
C. Configure a session control in Conditional Access to sign out users when risk is high
D. Enable Identity Protection risk policy to automatically block users
Answer: B

This directly blocks sign-ins with high risk, as required.

Why this answer

Option B is correct because the requirement is to block sign-ins when the sign-in risk level is 'High' for a custom SaaS application. In Microsoft Entra ID (formerly Azure AD), a Conditional Access policy scoped to that application under target resources can combine the sign-in risk condition set to High with the 'Block access' control, which denies the authentication request outright whenever the condition matches. 'Block access' is exclusive: it cannot be combined with grant controls such as MFA, so there is no path through once the policy applies. The sign-in risk condition needs Entra ID P2, and, as with any block policy, the emergency-access (break-glass) accounts should be excluded and the policy validated in report-only mode before it is enforced.

Exam trap

The trap here is that candidates often confuse Identity Protection risk policies with Conditional Access policies, or mistakenly think that requiring MFA is equivalent to blocking access when the requirement explicitly states 'block user sign-ins.'

How to eliminate wrong answers

Option A is wrong because requiring MFA when sign-in risk is high does not block access; it allows access after successful MFA, which does not meet the requirement to block sign-ins. Option C is wrong because Conditional Access session controls (sign-in frequency, persistent browser session, app-enforced restrictions, Defender for Cloud Apps control) act on a session after authentication has already succeeded; there is no 'sign out users when risk is high' session control, and none of the real ones refuses the authentication request itself. Option D is wrong because the Identity Protection sign-in risk and user risk policies are separate from Conditional Access (Microsoft now recommends expressing them as Conditional Access policies with risk conditions); the question asks specifically for a Conditional Access configuration.

2
MCQ · hard

An organization uses Microsoft Entra ID with Pass-through Authentication (PTA) and Seamless Single Sign-On (SSO). They notice that password changes in on-premises Active Directory are not reflecting immediately in Microsoft Entra ID for some users. What is the most likely cause?

A. The PTA agents are overloaded
B. The user's password change has not replicated to all domain controllers
C. The Seamless SSO feature is disabled
D. Microsoft Entra ID has a password hash sync delay
Answer: B

Replication latency between on-premises domain controllers can cause the PTA agent to query a DC that hasn't received the updated password yet.

Why this answer

In a Pass-through Authentication environment, passwords are validated by on-premises Active Directory: the PTA agent receives the encrypted credentials from Entra ID and checks them against a domain controller using the Windows logon API. A password change is written to the domain controller that processed it and then replicates to the others, so until replication completes an agent may validate against a domain controller that still holds the old password, and the new password is rejected while the old one is still accepted. The delay therefore lives in Active Directory replication, not in Entra ID.

Exam trap

The trap here is that candidates often assume PTA agents instantly reflect on-premises changes, overlooking the critical dependency on Active Directory replication latency across domain controllers.

How to eliminate wrong answers

Option A is wrong because PTA agents are stateless and forward authentication requests to on-premises AD; overloaded agents would cause authentication failures or timeouts, not a delay in reflecting password changes. Option C is wrong because Seamless SSO is a Kerberos-based feature that provides silent sign-on for domain-joined devices; disabling it does not affect how password changes are propagated to Microsoft Entra ID. Option D is wrong because password hash sync is not used in a PTA-only deployment; the delay described is not due to hash sync, as PTA relies on real-time validation against on-premises AD.
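The check a practitioner would run before blaming the PTA agents, added here as an example rather than material from the original question set: read the user's pwdLastSet from every writable domain controller and flag the ones that have not yet received the change. It assumes the ActiveDirectory RSAT module, read access to that attribute on each DC, and a placeholder account name.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory RSAT module and that the
# caller can read pwdLastSet on every domain controller. 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-PasswordReplicationStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Only writable DCs matter: an RODC never holds a password unless it is allowed to cache it.
    $dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

    $rows = foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet
            [pscustomobject]@{
                DomainController = $dc.HostName
                Reachable        = $true
                PwdLastSet       = [DateTime]::FromFileTimeUtc([int64]$u.pwdLastSet)
            }
        } catch {
            [pscustomobject]@{ DomainController = $dc.HostName; Reachable = $false; PwdLastSet = $null }
        }
    }

    # The newest pwdLastSet belongs to the DC that processed the change; anything older is still
    # waiting on replication, and a PTA agent validating against it rejects the new password.
    $newest = ($rows | Where-Object Reachable | Sort-Object PwdLastSet -Descending | Select-Object -First 1).PwdLastSet
    $rows | Select-Object DomainController, Reachable, PwdLastSet,
        @{ n = 'Stale'; e = { $_.Reachable -and $_.PwdLastSet -lt $newest } }
}

Get-PasswordReplicationStatus -SamAccountName 'jdoe' | Format-Table -AutoSize

# To push the change to a lagging DC and re-run the check:
#   repadmin /syncall <stale-dc-hostname> /AdeP
```

Within a site replication normally completes in seconds; between sites it follows the site link schedule, which is where the delay in the question usually comes from. A domain controller that rejects a password also retries it against the PDC emulator, which receives password changes immediately, so the symptom is often intermittent rather than a hard failure.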

3
MCQ · easy

A company wants to ensure that all new users register for multi-factor authentication (MFA) within 14 days of account creation. Which Microsoft Entra ID feature should be used?

A. MFA registration campaign
B. Conditional Access policy
C. Identity Protection
D. Access Reviews
Answer: A

MFA registration campaign allows admins to require users to register for MFA within a set timeframe.

Why this answer

The registration campaign, configured under Authentication methods in Microsoft Entra ID, drives enrollment of Microsoft Authenticator: targeted users are interrupted at sign-in and asked to set up the app, may postpone for a configurable number of days (0 to 14), and must complete registration once the snooze window is used up. Because it can be scoped to groups, pointing it at a group of new hires with a 14-day snooze window meets the company's requirement.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which enforce MFA at sign-in) with the registration campaign (which enforces the initial setup), leading them to select Conditional Access as the solution for a time-bound registration requirement.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies enforce MFA during sign-in but do not natively enforce a registration deadline for new users; a user who has not registered is simply prompted to do so at the first sign-in the policy catches. Option C is wrong because Identity Protection is about detecting and responding to risk; its legacy MFA registration policy can prompt users to register, but the group-targeted, snooze-based campaign with a defined window is the registration campaign feature. Option D is wrong because Access Reviews audit and recertify existing access assignments; they do not enforce MFA registration.

4
Multi-select · medium

Contoso wants to require multi-factor authentication (MFA) for all users when accessing cloud applications from any network except the corporate headquarters (trusted IP range). They plan to use Azure AD Conditional Access. Which two components must be configured to achieve this requirement? (Select all that apply.)

Select 2 answers
A. Conditional Access policy targeting all users and cloud apps, with conditions for locations
B. A named location defining the corporate headquarters' trusted IP ranges
C. An Identity Protection user risk policy
D. An MFA registration policy requiring users to register for MFA
Answers: A, B

This policy enforces MFA based on location conditions, which is necessary.

Why this answer

Option A is correct because a Conditional Access policy is what enforces MFA: it targets all users and all cloud apps, includes all locations in the locations condition and excludes 'All trusted locations', so the grant control (require MFA) fires only when access originates outside the trusted network. Option B is correct because Entra ID does not know what 'trusted' means on its own: the headquarters' public egress IP ranges must be defined as a named location and marked as trusted before the policy's location condition can refer to them. Both pieces are required; either one alone does nothing.

Exam trap

The trap here is that candidates often confuse the MFA registration policy (which only ensures users have registered MFA methods) with the Conditional Access policy that actually enforces MFA based on location conditions, leading them to incorrectly select Option D as a required component.

5
MCQ · medium

A company uses Password Hash Synchronization (PHS) to synchronize identities to Microsoft Entra ID. They want to enable users to access Microsoft 365 applications from their domain-joined work devices without being prompted to re-enter their credentials. Which feature should they enable in addition to PHS?

A. Seamless Single Sign-On
B. Pass-through Authentication
C. Azure AD Connect Health
D. Conditional Access
Answer: A

Seamless SSO enables silent sign-in for domain-joined devices when combined with PHS or PTA.

Why this answer

Seamless Single Sign-On (SSO) is the correct feature to enable alongside Password Hash Synchronization (PHS) because it lets users on domain-joined devices on the corporate network authenticate to Microsoft 365 applications without a credential prompt. Entra Connect creates a computer account (AZUREADSSOACC) in on-premises Active Directory and shares its Kerberos decryption key with Entra ID; at sign-in the client obtains a Kerberos ticket for that account's service principal from its domain controller and presents it to Entra ID, which decrypts the ticket with the shared key and signs the user in. Seamless SSO works with either PHS or PTA but replaces neither.

Exam trap

The trap here is that candidates often confuse Pass-through Authentication (PTA) with Seamless SSO, thinking PTA alone provides the same credential-free experience, but PTA only handles password validation without the automatic ticket-based sign-on that Seamless SSO provides.

How to eliminate wrong answers

Option B (Pass-through Authentication) is wrong because it validates passwords directly against on-premises Active Directory without using password hashes, and while it can also be combined with Seamless SSO, the question specifically asks for a feature to add to PHS to avoid credential prompts, not a replacement for PHS. Option C (Azure AD Connect Health) is wrong because it is a monitoring and diagnostics tool for the synchronization infrastructure, not an authentication feature that provides single sign-on. Option D (Conditional Access) is wrong because it is a policy-based access control mechanism that enforces conditions like device compliance or location, but it does not eliminate the need for users to re-enter credentials; it only controls access after authentication.

6
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) for role activation. They want to require that any activation of the Security Administrator role be approved by a designated group of approvers called 'Security Approvers'. Activations must include a ticket number and expire after 8 hours. Which PIM configuration should the administrator modify?

A. Role settings for Security Administrator
B. Role assignments for Security Administrator
C. Access reviews for Security Administrator
D. Alerts for Security Administrator
Answer: A

Role settings configure activation rules such as whether approval is required, justification, and max duration.

Why this answer

Option A is correct because Azure AD PIM role settings for a specific role, such as Security Administrator, control activation requirements including approval workflow, justification (ticket number), and maximum activation duration. By modifying the role settings, the administrator can require approval from the 'Security Approvers' group, mandate a ticket number, and set an 8-hour expiration.

Exam trap

The trap here is confusing role settings (which control activation policies) with role assignments (which control who can activate), leading candidates to mistakenly choose Option B when the question asks about activation requirements rather than eligibility.

How to eliminate wrong answers

Option B is wrong because role assignments define who is eligible or active for the role, not the activation policies like approval or duration. Option C is wrong because access reviews are periodic attestations of existing assignments, not a mechanism to configure activation requirements. Option D is wrong because alerts in PIM notify about suspicious activities or configuration changes, but do not control activation settings.

7
MCQ · medium

A company uses Microsoft Entra ID P2 licenses. The security team wants to require multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'BreakGlass' must be excluded from MFA requirements. Additionally, the company wants to block legacy authentication protocols. Which approach should the administrator use?

A. Create one Conditional Access policy for MFA (targeting all users, excluding BreakGlass, with location condition) and another policy to block legacy authentication (targeting all users, with client apps condition)
B. Create a single Conditional Access policy that grants access only if MFA is performed and block legacy client apps in the same policy
C. Enable Security defaults in Entra ID
D. Use baseline Conditional Access policies
Answer: A

Correct. Separate policies allow independent management and clear condition targeting.

Why this answer

Option A is correct because it separates the MFA requirement and legacy authentication block into two distinct Conditional Access policies, which is the recommended approach for granular control. The MFA policy targets all users except the BreakGlass group and uses the location condition to require MFA only from untrusted networks. The second policy blocks legacy authentication by targeting all users with the client apps condition set to 'Exchange ActiveSync clients' and 'Other clients', effectively preventing protocols like POP3, IMAP, and SMTP from bypassing modern authentication.

Exam trap

The trap here is that candidates assume a single Conditional Access policy can do both jobs. A policy has exactly one access decision: either 'Block access' or 'Grant access' with required controls such as MFA, never both. Its conditions (users, apps, locations, client apps) are combined with AND, so one policy expresses one rule. Requiring MFA for modern clients from untrusted locations and blocking legacy clients everywhere are two different rules and need two policies.

How to eliminate wrong answers

Option B is wrong because a single policy cannot both require MFA and block access; the access control is one selection. If it were set to block with the legacy client-app condition added, the locations and client-app conditions would be ANDed, so the policy would only block legacy clients from untrusted networks and would require MFA nowhere. Option C is wrong because Security defaults is a tenant-wide switch: it requires MFA for everyone (including the BreakGlass accounts), blocks legacy authentication, allows no group or location exclusions, and cannot be used alongside Conditional Access policies. Option D is wrong because baseline Conditional Access policies were retired in 2020 in favor of Security defaults and custom Conditional Access policies; they offered no group exclusions or location conditions.
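The two-policy design from questions 4 and 7 (question 17 below describes the same MFA policy) expressed with the Microsoft Graph PowerShell SDK, as an added example rather than material from the original page. It assumes the SDK is installed, the caller holds Conditional Access Administrator, a group named 'BreakGlass' exists, and 203.0.113.0/24 stands in for the headquarters' public egress range.

```powershell
# Added example, not from the original page. Assumes the Microsoft Graph PowerShell SDK, a caller
# with Conditional Access Administrator, an existing 'BreakGlass' group, and that 203.0.113.0/24 is
# a placeholder for the office's *public* egress range (Entra ID only ever sees the public source IP).
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass'"
if (-not $breakGlass) { throw "BreakGlass group not found; refusing to create a policy without the exclusion." }

# 1. Named location for the trusted headquarters range, marked as trusted so 'AllTrusted' covers it.
$hq = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate HQ'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

# 2. Require MFA from everywhere except trusted locations; break-glass accounts are excluded.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA-MFA-OutsideTrustedLocations'
    state       = 'enabledForReportingButNotEnforced'   # report-only first, 'enabled' once reviewed
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Block legacy authentication (Basic-auth clients such as POP/IMAP/SMTP AUTH and older Office builds).
#    Break-glass accounts are deliberately left in scope: they should never need legacy protocols.
$legacyBlock = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA-Block-LegacyAuth'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$hq, $mfaPolicy, $legacyBlock | Select-Object DisplayName, Id
```

Both policies start in report-only mode; review their outcomes under the Report-only tab of the sign-in logs before switching state to 'enabled'. Keeping the legacy-authentication block separate lets you later tighten the MFA policy (for example, add a device-compliance requirement) without touching the block.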

8
MCQ · hard

The security team at Contoso wants to require that any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM) must be approved by members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to achieve this?

A. The role settings for Global Administrator, on the Activation tab
B. The role settings for Global Administrator, on the Assignment tab
C. The role settings for Global Administrator, on the Notification tab
D. The role settings for Global Administrator, on the Alert tab
Answer: A

Activation settings control approval, justification, and duration for role activations.

Why this answer

Option A is correct because the Activation tab in the role settings for Global Administrator allows you to configure approval requirements, justification, and maximum activation duration. By setting 'Require approval to activate' to 'Enabled' and specifying the 'GA-Approvers' group as the approver, requiring a business justification, and setting the activation maximum duration to 4 hours, you meet all the stated requirements.

Exam trap

The trap here is that candidates often confuse the Assignment tab (which deals with role eligibility duration and permanent assignment) with the Activation tab (which controls the activation process including approval, justification, and maximum activation time).

How to eliminate wrong answers

Option B is wrong because the Assignment tab controls settings for eligible and active assignments (such as assignment duration and whether permanent assignment is allowed), not the activation process. Option C is wrong because the Notification tab configures email alerts for role activations, assignments, or alerts, but does not control approval, justification, or duration settings. Option D is wrong because the Alert tab manages security alerts and risk-based policies, not the activation approval workflow or duration.

9
MCQ · medium

A company wants to implement just-in-time (JIT) privileged access for the Global Administrator role in Microsoft Entra ID. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should the administrator configure?

A. Privileged Identity Management (PIM)
B. Identity Protection
C. Conditional Access
D. Access Reviews
Answer: A

Correct. PIM enables just-in-time activation with approval and time-bound assignments.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access by allowing users to activate roles like Global Administrator with a business justification, requiring approval from a designated group of approvers, and setting a configurable activation duration (e.g., 4 hours). This directly matches the company's requirements for time-bound, approved role activation.

Exam trap

The trap here is that candidates confuse PIM's JIT activation with Conditional Access policies, thinking that Conditional Access can enforce time-based access, but Conditional Access cannot manage role activation, approval workflows, or expiration of privileged roles.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity risks (e.g., compromised credentials, anomalous sign-ins) and does not provide JIT role activation or approval workflows. Option C (Conditional Access) is wrong because it enforces access policies based on conditions like location or device state, but it cannot manage role activation, approval, or expiration. Option D (Access Reviews) is wrong because it automates periodic recertification of group memberships or role assignments, not on-demand activation with approval and expiration.
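The activation rules from questions 6, 8 and 9 applied through the Microsoft Graph PowerShell SDK, added here as an example (it is not the page's own material). It assumes Entra ID P2, a caller holding Privileged Role Administrator, the approver groups exist, and the built-in role template IDs shown; confirm those IDs in your tenant with Get-MgRoleManagementDirectoryRoleDefinition. The rule bodies omit the optional 'target' member; include it if your SDK version rejects the patch.

```powershell
# Added example, not from the original page. Assumes Entra ID P2, Privileged Role Administrator,
# existing approver groups, and the built-in role template IDs used at the bottom.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory', 'Group.Read.All'

function Set-PimActivationRules {
    param(
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [Parameter(Mandatory)][string]$ApproverGroupName,
        [Parameter(Mandatory)][int]$MaxActivationHours,
        [switch]$RequireTicket
    )
    $group = Get-MgGroup -Filter "displayName eq '$ApproverGroupName'"
    if (-not $group) { throw "Approver group '$ApproverGroupName' not found" }

    # Each directory role has one policy at tenant scope ('/'); its rules are keyed by well-known IDs.
    $assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleDefinitionId'"
    $policyId = $assignment.PolicyId

    # Preserve whatever is already required at activation (often MultiFactorAuthentication) instead of
    # overwriting it: a PATCH replaces the whole enabledRules list.
    $existing = (Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment').AdditionalProperties['enabledRules']
    $enabled = @(@($existing) + 'Justification' + $(if ($RequireTicket) { 'Ticketing' } else { @() }) | Select-Object -Unique)

    $rules = @(
        @{  # maximum activation duration, ISO 8601
            id = 'Expiration_EndUser_Assignment'
            '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
            isExpirationRequired = $true
            maximumDuration = "PT${MaxActivationHours}H"
        },
        @{  # what the activating user must supply
            id = 'Enablement_EndUser_Assignment'
            '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
            enabledRules = $enabled
        },
        @{  # approval by members of the named group
            id = 'Approval_EndUser_Assignment'
            '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
            setting = @{
                isApprovalRequired = $true
                approvalStages = @(@{
                    approvalStageTimeOutInDays      = 1
                    isApproverJustificationRequired = $true
                    escalationTimeInMinutes         = 0
                    primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $group.Id })
                })
            }
        }
    )
    foreach ($rule in $rules) {
        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
            -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule | Out-Null
    }
    # Read back the three rules so the change can be checked.
    Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
        Where-Object Id -in $rules.id | Select-Object Id, AdditionalProperties
}

# Question 6: Security Administrator, approvers 'Security Approvers', ticket number, 8 hours.
Set-PimActivationRules -RoleDefinitionId '194ae4cb-b126-40b2-bd5b-6091b380977d' -ApproverGroupName 'Security Approvers' -MaxActivationHours 8 -RequireTicket
# Questions 8 and 9: Global Administrator, approvers 'GA-Approvers', justification, 4 hours.
Set-PimActivationRules -RoleDefinitionId '62e90394-69f5-4237-9190-012177145e10' -ApproverGroupName 'GA-Approvers' -MaxActivationHours 4
```

The rule IDs map onto the portal tabs: Expiration_EndUser_Assignment and Enablement_EndUser_Assignment are the Activation tab's duration and 'on activation, require' settings, and Approval_EndUser_Assignment is 'Require approval to activate'. Rules whose ID ends in _Admin_Assignment or _Admin_Eligibility belong to the Assignment tab.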

10
MCQ · hard

A company uses Microsoft Entra ID P2 licenses. They want to create a Conditional Access policy that requires MFA for all users, but the policy should only be enforced when the sign-in risk is medium or higher. Additionally, they need to exclude a group named 'Emergency Access' from this policy. Which configuration is correct?

A. Assign policy to 'All users', exclude 'Emergency Access' group, set 'Sign-in risk' condition to 'High and Medium'
B. Assign policy to 'All users', exclude 'Emergency Access' group, set 'User risk' condition to 'High and Medium'
C. Assign policy to 'Emergency Access' group, set 'Device state' condition to 'All device states'
D. Assign policy to 'All users', exclude 'Emergency Access' group, set 'Locations' condition to 'All trusted locations'
Answer: A

Correct. This configuration targets all users except emergency accounts and only applies when sign-in risk is medium or higher.

Why this answer

Option A is correct because it assigns the Conditional Access policy to 'All users' (ensuring universal coverage), excludes the 'Emergency Access' group (to prevent lockout of break-glass accounts), and sets the 'Sign-in risk' condition to 'High and Medium' — which matches the requirement to enforce MFA only when sign-in risk is medium or higher. Sign-in risk is the correct condition for real-time risk during authentication, while user risk tracks historical compromise likelihood.

Exam trap

The trap here is confusing 'Sign-in risk' with 'User risk' — candidates often pick Option B because both terms sound similar, but only sign-in risk applies to the current authentication session and matches the requirement for risk-based MFA enforcement during sign-in.

How to eliminate wrong answers

Option B is wrong because it uses 'User risk' instead of 'Sign-in risk'; user risk is an aggregate judgement that the account itself is probably compromised (for example, leaked credentials), not an assessment of the current sign-in, and its standard remediation is a secure password change rather than MFA. Option C is wrong because it assigns the policy to the 'Emergency Access' group rather than excluding it, which would force MFA on the break-glass accounts and defeat their purpose; the 'Device state' condition also has nothing to do with risk. Option D is wrong because a 'Locations' condition set to 'All trusted locations' makes the policy apply only to sign-ins from trusted networks; it ignores sign-in risk entirely and so does not meet the requirement.
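The risk-based policies from question 1 (block high sign-in risk for one application) and question 10 (MFA on medium or high sign-in risk for every app, break-glass group excluded), created with the Microsoft Graph PowerShell SDK. This is an added example, not material from the original page; it assumes the SDK is installed, the caller holds Conditional Access Administrator, the tenant has Entra ID P2, and the application ID and group name are placeholders.

```powershell
# Added example, not from the original page. Assumes the Microsoft Graph PowerShell SDK, Conditional
# Access Administrator, Entra ID P2 (risk conditions need it), and placeholder app ID / group name.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$saasAppId  = '00000000-0000-0000-0000-000000000000'   # placeholder: application (client) ID of the custom SaaS app
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access'"
if (-not $breakGlass) { throw "Break-glass group not found; refusing to create a policy without the exclusion." }

# Question 1: block high-risk sign-ins to one application. 'block' cannot be paired with grant controls.
$blockHighRisk = @{
    displayName = 'CA-Block-HighSignInRisk-CustomSaaS'
    state       = 'enabledForReportingButNotEnforced'   # stage in report-only, then set to 'enabled'
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications     = @{ includeApplications = @($saasAppId) }
        signInRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Question 10: require MFA on medium or high sign-in risk for every app, break-glass excluded.
# signInRiskLevels (this sign-in) is the condition wanted here, not userRiskLevels (the account).
$mfaOnRisk = @{
    displayName = 'CA-MFA-MediumHighSignInRisk-AllApps'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

foreach ($body in @($blockHighRisk, $mfaOnRisk)) {
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0}  state={1}  id={2}' -f $policy.DisplayName, $policy.State, $policy.Id
}

# Check: every policy that uses a sign-in risk condition, and whether it is enforced or still report-only.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.Conditions.SignInRiskLevels } |
    Select-Object DisplayName, State, @{ n = 'SignInRisk'; e = { $_.Conditions.SignInRiskLevels -join ',' } }
```

Run the check after any change: a risk policy left in report-only mode looks correct in the portal list but protects nothing, and a second policy that also matches high risk with 'mfa' is irrelevant once the block policy is enforced, since block always wins when several policies apply.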

11
Multi-select · medium

Your organization uses Microsoft Entra ID and wants to implement least-privilege administrative access for managing Microsoft 365 services. Which three of the following should you configure? (Choose three.)

Select 3 answers
A. Create custom administrative units (AUs) to delegate scoped administrative permissions
B. Assign Microsoft 365 built-in roles via Microsoft Entra ID role-based access control (RBAC)
C. Enable Microsoft Entra ID Privileged Identity Management (PIM) for eligible role activations
D. Implement Microsoft 365 Defender for Cloud Apps session policies for admins
E. Use Microsoft Entra ID Conditional Access to block all external access for admins
F. Configure Microsoft Intune to enforce mobile device management (MDM) for all admin devices
Answers: A, B, C

Why this answer

Options A, B, and C are correct. Creating administrative units (AUs) lets you delegate administrative permissions over a scoped subset of users, devices, or groups within a single Microsoft Entra ID tenant, so an administrator for one business unit cannot touch the rest. Assigning the Microsoft 365 built-in roles (Exchange Administrator, SharePoint Administrator, Teams Administrator and so on) through Microsoft Entra ID role-based access control grants the narrowest role that covers the task instead of Global Administrator. Enabling Privileged Identity Management (PIM) for eligible role activations means those roles are activated only when needed, with approval and a time limit, which removes standing privilege. Options D, E, and F are security controls around the administrator's session and device; they do not reduce the permissions the administrator holds.

Exam trap

The trap here is that candidates often confuse security controls (like Conditional Access or MDM) with identity and access management (IAM) role delegation, mistakenly thinking any security feature contributes to least-privilege administrative access, when only role-based scoping and just-in-time activation directly address it.

12
MCQ · medium

An organization with Microsoft Entra ID P2 licenses wants to require multi-factor authentication (MFA) for all users but allow them to register their authentication methods before being forced to use MFA. Which configuration should they implement?

A. Conditional Access policy with MFA grant and a registration campaign
B. Security defaults
C. Per-user MFA
D. Identity Protection user risk policy
Answer: A

The registration campaign prompts users to register MFA methods before the MFA requirement is enforced, meeting the scenario.

Why this answer

The registration campaign, configured under Authentication methods (separately from Conditional Access), interrupts users at sign-in to set up Microsoft Authenticator while allowing them to snooze for a set number of days, so the user base can be enrolled ahead of a Conditional Access policy that requires MFA. A common rollout is to run the campaign first, create the MFA policy in report-only mode, confirm registration coverage from the sign-in logs and the authentication methods activity report, and then switch the policy to enabled. Security defaults does give users 14 days to register, but it is a tenant-wide switch with no group, application, or location targeting and cannot coexist with Conditional Access policies, so it does not fit a P2 tenant that wants a controlled rollout.

Per-user MFA is the legacy per-account setting (Microsoft recommends migrating it to Conditional Access) and has no registration campaign. An Identity Protection user risk policy triggers remediation based on detected risk, not a blanket MFA requirement.
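Enabling the Authenticator registration campaign for a target group, as described in questions 3 and 12, through the Microsoft Graph PowerShell SDK. This is an added example, not material from the original page. It assumes the SDK is installed, the caller holds Authentication Policy Administrator, and the group name is a placeholder; the request body follows the authenticationMethodsPolicy resource, so confirm the property names against the Graph reference for your SDK version.

```powershell
# Added example, not from the original page. Assumes the Microsoft Graph PowerShell SDK,
# Authentication Policy Administrator, and a placeholder group name. Property names follow the
# authenticationMethodsPolicy resource; verify them against the Graph reference for your SDK version.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'Group.Read.All'

$newHires = Get-MgGroup -Filter "displayName eq 'New Hires'"
if (-not $newHires) { throw "Target group not found" }

Update-MgPolicyAuthenticationMethodPolicy -BodyParameter @{
    registrationEnforcement = @{
        authenticationMethodsRegistrationCampaign = @{
            state                = 'enabled'
            snoozeDurationInDays = 14        # users may postpone for up to 14 days, then must register
            includeTargets       = @(@{
                targetType                   = 'group'
                id                           = $newHires.Id
                targetedAuthenticationMethod = 'microsoftAuthenticator'
            })
            excludeTargets       = @()
        }
    }
}

# Check the result. A state of 'default' means Microsoft-managed (the campaign runs), not 'off'.
(Get-MgPolicyAuthenticationMethodPolicy).RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign |
    Select-Object State, SnoozeDurationInDays, @{ n = 'Targets'; e = { $_.IncludeTargets.Id -join ',' } }
```

The campaign only nudges users toward Microsoft Authenticator; it does not enroll other methods and it does not stop a user who has not registered from signing in until the snooze window is exhausted, so keep the MFA policy in report-only mode until the authentication methods activity report shows the coverage you need.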

13
MCQ · medium

A company uses Azure AD Connect with password hash synchronization. They want to enable Azure AD Seamless Single Sign-On (SSO) for users accessing Microsoft 365 from domain-joined devices on the corporate network. Which configuration is required on the on-premises Active Directory?

A. Create a computer account named AZUREADSSOACC in each AD forest
B. Install Azure AD Connect on a separate server
C. Enable Passthrough Authentication
D. Set the service connection point in Active Directory
Answer: A

This account's Kerberos decryption key is shared with Entra ID, which uses it to validate the tickets that sign users in silently.

Why this answer

Seamless SSO requires a computer account named AZUREADSSOACC in each on-premises AD forest. Entra Connect creates it when Seamless SSO is enabled (prompting for Domain Administrator credentials for each forest), registers a service principal name for it, and securely shares its Kerberos decryption key with Entra ID. Domain-joined clients obtain a Kerberos ticket for that SPN from their domain controller and present it to Entra ID, which decrypts it with the shared key and signs the user in without a password prompt. The key is not rotated automatically: Microsoft recommends rolling it over at least every 30 days with the Update-AzureADSSOForest cmdlet on the Entra Connect server, and the account should be treated as a Tier 0 credential, because whoever holds its key can mint tickets Entra ID will accept.

Exam trap

The trap here is that candidates often confuse Seamless SSO with Passthrough Authentication or think a separate server is required, but the key requirement is the specific computer account AZUREADSSOACC in each forest, which is a unique Kerberos-based mechanism.

How to eliminate wrong answers

Option B is wrong because Seamless SSO is enabled within the existing Entra Connect installation; it does not need a separate server. Option C is wrong because Pass-through Authentication is an alternative sign-in method; Seamless SSO works with either PHS or PTA, and the scenario already uses PHS. Option D is wrong because the service connection point in Active Directory is what devices use to discover the tenant for hybrid Entra join; Seamless SSO relies on the AZUREADSSOACC computer account and Kerberos, not on an SCP.
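The checks behind questions 5 and 13, run on the Entra Connect server, added as an example rather than material from the original page: confirm the AZUREADSSOACC account and its SPN exist, see how old its key is, read the tenant-side Seamless SSO status, and roll the key. It assumes the default install path for AzureADSSO.psd1, the ActiveDirectory RSAT module, a Domain Admin credential for the forest, and a Global Administrator sign-in when prompted.

```powershell
# Added example, not from the original page. Run on the Entra Connect server. Assumes the default
# install path below, the ActiveDirectory RSAT module, a Domain Admin credential for the forest that
# holds AZUREADSSOACC, and a Global Administrator sign-in at the interactive prompt.
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# 1. The computer account and its SPN must exist in each forest. KeyAgeDays tells you whether anyone
#    has rotated the key; nothing rotates it for you, and Microsoft recommends at least every 30 days.
$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties pwdLastSet, servicePrincipalName
[pscustomobject]@{
    Account    = $acc.DistinguishedName
    SPNs       = $acc.servicePrincipalName -join '; '
    KeyAgeDays = [int]([DateTime]::UtcNow - [DateTime]::FromFileTimeUtc([int64]$acc.pwdLastSet)).TotalDays
}

# 2. Tenant-side view: whether Seamless SSO is enabled and which forests are registered.
New-AzureADSSOAuthenticationContext          # interactive Global Administrator sign-in
Get-AzureADSSOStatus | ConvertFrom-Json

# 3. Roll the key: resets the account password in AD and pushes the new decryption key to Entra ID.
$onPremCred = Get-Credential -Message 'Domain Admin for the forest that holds AZUREADSSOACC'
Update-AzureADSSOForest -OnPremCredentials $onPremCred
```

Schedule step 3 rather than relying on memory, and alert on any change to the AZUREADSSOACC object that did not come from that job: an unexpected password reset or a new SPN on this account is worth an incident ticket.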

14
MCQ · medium

A company uses Microsoft Entra ID P1 licenses. They want to allow access to a sensitive cloud application only from the company's trusted office IP ranges (10.0.0.0/24). However, the executive team (group "Execs") must be able to access the app from any location. Which Conditional Access policy configuration should the administrator use?

A. Include all users, exclude Execs group, and grant access with condition 'Location not in trusted locations'.
B. Include all users, exclude Execs group, and block access with condition 'Location not in trusted locations'.
C. Include Execs group, exclude all others, and grant access with condition 'Location in trusted locations'.
D. Include all users, include Execs group as an additional condition, and grant access with condition 'Location in trusted locations'.
Answer: B

This blocks non-Execs from accessing the app when they are not from trusted locations, while Execs are excluded and thus allowed from anywhere.

Why this answer

Option B is correct because the requirement is to block access from untrusted locations for all users except the Execs group. Including all users, excluding the Execs group, and applying 'Block access' with the locations condition set to any location except trusted locations blocks everyone else outside the trusted range while leaving Execs untouched, because an excluded group is never evaluated by the policy. Conditional Access has no implicit deny: a grant-only policy scoped to trusted locations says nothing about other locations, so the block has to be explicit. One practical caveat: the named location must hold the office's public egress addresses. A private range such as 10.0.0.0/24 never appears as the source of a sign-in Entra ID sees, so a trusted location built on it would never match and this policy would block everyone except Execs from everywhere.

Exam trap

The trap here is that candidates often confuse 'grant access with a condition' with 'block access with a condition', mistakenly thinking that granting access from trusted locations will automatically block access from untrusted locations, but in Conditional Access, grant controls only allow access when conditions are met—they do not implicitly deny access when conditions are not met unless a block control is explicitly configured.

How to eliminate wrong answers

Option A is wrong because granting access with a condition 'Location not in trusted locations' would allow access from untrusted locations, which is the opposite of the requirement to block such access. Option C is wrong because including only the Execs group and granting access from trusted locations would allow Execs to access the app only from trusted locations, contradicting the requirement that Execs must be able to access from any location. Option D is wrong because including Execs as an additional condition (not as an exclusion) and granting access from trusted locations would force Execs to also be restricted to trusted locations, again failing the requirement for Execs to have unrestricted access.

15
MCQ · hard

A development team builds a background service that needs to read all users' calendars via Microsoft Graph without a signed-in user. The service will run on a server with a client secret. Which OAuth 2.0 grant flow should the application use?

A. Authorization code grant
B. Device authorization grant
C. Client credentials grant
D. Implicit grant
Answer: C

This flow authenticates the application itself and is ideal for daemon services without user interaction.

Why this answer

The client credentials grant is designed for server-to-server, non-interactive scenarios where an application authenticates as itself (not on behalf of a user) to access resources. Since the background service runs with a client secret and needs to read all users' calendars without a signed-in user, this flow is the correct choice: the app presents its client ID and secret (or, preferably, a certificate) to the Entra ID token endpoint and receives an access token carrying application permissions in the 'roles' claim. Reading calendars this way requires the Microsoft Graph application permission Calendars.Read with admin consent; because such a token reaches every mailbox in the tenant, narrow it with an Exchange Online application access policy when the service only needs a subset of mailboxes.

Exam trap

The trap here is that candidates often confuse delegated permissions with application permissions and incorrectly choose the authorization code grant, thinking a user context is always required for accessing user data, but the client credentials grant bypasses the user entirely by using app-only permissions.

How to eliminate wrong answers

Option A is wrong because the authorization code grant requires a signed-in user to authenticate and consent, which contradicts the requirement of no signed-in user. Option B is wrong because the device authorization grant is intended for devices with limited input capabilities (e.g., smart TVs, IoT) and still requires user interaction via a separate browser to sign in. Option D is wrong because the implicit grant is deprecated and was designed for single-page applications (SPAs) using browser-based flows; it also requires a signed-in user and does not support client secrets.
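The client credentials exchange from question 15, followed by a check that the token is actually app-only before it is used, written as an added example (not code from the original page). It assumes an app registration holding the Calendars.Read application permission with admin consent, and reads the tenant ID, client ID and secret from placeholder environment variables; the user principal name is a placeholder too.

```powershell
# Added example, not from the original page. Assumes an app registration with the application
# permission Calendars.Read (admin consent granted). Tenant, client ID, secret and the UPN below are
# placeholders. Prefer a certificate credential over a secret in production.
$tenantId = $env:ENTRA_TENANT_ID
$clientId = $env:ENTRA_CLIENT_ID
$secret   = $env:ENTRA_CLIENT_SECRET

$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        grant_type    = 'client_credentials'                  # no user: the app authenticates as itself
        client_id     = $clientId
        client_secret = $secret
        scope         = 'https://graph.microsoft.com/.default' # every consented app permission for Graph
    }

function Get-JwtPayload([string]$Jwt) {
    $b64 = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)                 # restore base64 padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$claims = Get-JwtPayload $tokenResponse.access_token
# App-only tokens carry 'roles' (application permissions) and no 'scp'; a delegated token is the reverse.
if ($claims.scp -or -not ($claims.roles -contains 'Calendars.Read')) {
    throw "Expected an app-only token with Calendars.Read, got scp='$($claims.scp)' roles='$($claims.roles -join ',')'"
}

# Read one user's calendar with the application's own identity; no signed-in user is involved.
$upn = 'user@contoso.com'   # placeholder
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users/$upn/calendar/events?`$top=5" `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" } |
    Select-Object -ExpandProperty value | Select-Object subject, start, end
```

The claim check is the useful part: if a developer accidentally registers Calendars.Read as a delegated permission, the token request still succeeds but the token carries an empty 'roles' list, and the first Graph call fails with 403. Catching that at token time makes the misconfiguration obvious.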

16
MCQ · medium

A company uses Azure AD Identity Protection. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. Which policy should be configured?

A. User risk policy
B. Sign-in risk policy
C. MFA registration policy
D. Identity Protection vulnerabilities policy
Answer: B

Sign-in risk policy evaluates the risk of each sign-in and can block access from known malicious IP addresses or high-risk sign-ins.

Why this answer

The sign-in risk policy in Identity Protection responds to risk detected during the authentication attempt itself, such as a sign-in from an IP address Microsoft has classified as malicious. When the sign-in is assessed at the configured risk level (high, or medium and above), the policy can be set to block access, which directly meets the requirement. The same control can be expressed as a Conditional Access policy with the sign-in risk condition, which is the form Microsoft now recommends, but among the options given the sign-in risk policy is the one that evaluates per-sign-in risk.

Exam trap

The trap here is that candidates often confuse the User risk policy (which deals with account compromise) with the Sign-in risk policy (which deals with session-level threats like IP reputation), leading them to select the User risk policy instead of the correct Sign-in risk policy.

How to eliminate wrong answers

Option A is wrong because the User risk policy responds to risks associated with a user's account (e.g., leaked credentials or anomalous behavior), not to risks detected during a specific sign-in attempt like IP reputation. Option C is wrong because the MFA registration policy enforces that users register for multifactor authentication, but it does not evaluate or block sign-ins based on IP address risk. Option D is wrong because there is no 'Identity Protection vulnerabilities policy' in Azure AD Identity Protection; vulnerabilities are managed via other tools like Microsoft Secure Score, not a policy that blocks sign-ins.

17
MCQmedium

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users when accessing any cloud application from networks that are not trusted corporate locations. A group named 'Emergency' must be excluded from MFA requirements. Which Conditional Access policy configuration should the administrator use?

A.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant access (not MFA), and set location condition to trusted networks only.
B.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant MFA, and set location condition to any network or location.
C.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant MFA, and set location condition to any network or location except trusted networks.
D.Assign the policy to all users, exclude the Emergency group, include all cloud apps, grant MFA, and set location condition to trusted networks only.
AnswerC

This correctly requires MFA only from untrusted networks and excludes the Emergency group.

Why this answer

Option C is correct because the requirement is to enforce MFA for all users from untrusted networks, while excluding the Emergency group. The Conditional Access policy must be assigned to all users, exclude the Emergency group, include all cloud apps, require MFA as a grant control, and use a location condition set to 'any network or location except trusted networks' to target only untrusted locations. This configuration ensures MFA is triggered only when access originates from networks not defined as trusted corporate locations.

Exam trap

The trap here is that candidates often confuse the location condition logic and select 'trusted networks only' (Option D), assuming it scopes the policy to everything except the trusted networks, when in fact it applies the policy only while the user is on a trusted network, which is the opposite of the requirement.

How to eliminate wrong answers

Option A is wrong because it grants access without MFA and sets the location condition to trusted networks only, which would allow access from trusted networks without MFA but would not enforce MFA from untrusted networks, completely missing the requirement. Option B is wrong because it sets the location condition to 'any network or location', which would require MFA even from trusted corporate locations, violating the requirement to enforce MFA only from untrusted networks. Option D is wrong because it sets the location condition to trusted networks only, which would require MFA only when users access from trusted networks, the opposite of the requirement to enforce MFA from untrusted networks.

18
MCQmedium

A company has an on-premises Active Directory environment and wants to sync user identities to Microsoft Entra ID while avoiding storing password hashes in the cloud. The company wants to provide seamless single sign-on (SSO) for domain-joined devices. Which authentication method should be chosen?

A.Password Hash Synchronization (PHS)
B.Pass-Through Authentication (PTA) with Seamless SSO
C.Federation with Active Directory Federation Services (AD FS)
D.Cloud-only authentication
AnswerB

PTA authenticates users on-premises and does not store password hashes in the cloud. Seamless SSO provides automatic sign-in for domain-joined devices.

Why this answer

Pass-Through Authentication (PTA) with Seamless SSO is the correct choice because it validates user passwords directly against on-premises Active Directory without storing any password hashes in the cloud. Seamless SSO provides automatic sign-in for domain-joined devices using Kerberos delegation, meeting the requirement for a seamless SSO experience without password hash storage.

Exam trap

The trap here is that candidates often choose Password Hash Synchronization (PHS) because it is simpler and supports Seamless SSO, but they overlook the explicit requirement to avoid storing password hashes in the cloud, which PHS inherently does.

How to eliminate wrong answers

Option A is wrong because Password Hash Synchronization (PHS) stores password hashes in Microsoft Entra ID, which directly violates the requirement to avoid storing password hashes in the cloud. Option C is wrong because Federation with AD FS requires storing a federation trust and typically involves password hash synchronization or a separate identity store, and it introduces unnecessary complexity and infrastructure overhead compared to PTA with Seamless SSO for this specific requirement. Option D is wrong because cloud-only authentication does not integrate with on-premises Active Directory, so it cannot sync user identities or provide SSO for domain-joined devices.

19
MCQmedium

A company uses Microsoft Entra ID P2 licenses. They want to ensure that all users are forced to use MFA when accessing a SaaS application from non-corporate networks. Corporate networks are identified by a set of IP ranges. Service accounts must be excluded from this requirement. Which policy should be created?

A.Conditional Access policy with grant controls for MFA, targeting all users, with location condition to exclude trusted IPs, and exclude service accounts
B.An Identity Protection user risk policy requiring MFA for medium and above risk users
C.An Identity Protection sign-in risk policy requiring MFA for medium and above risk sign-ins
D.Per-user MFA settings enabled for all users with trusted IPs configured in MFA service settings
AnswerA

Correct. This configuration enforces MFA for all users from non-corporate networks while excluding trusted locations and service accounts.

Why this answer

A Conditional Access policy is the correct approach because it allows granular control over MFA enforcement based on network location and user exclusions. By targeting all users, excluding trusted IPs (corporate networks) via the location condition, and explicitly excluding service accounts, the policy ensures MFA is required only for non-corporate network access while bypassing service accounts. This aligns with the requirement to use Microsoft Entra ID P2 licenses, which include Conditional Access capabilities.

Exam trap

The trap here is that candidates often confuse Identity Protection risk policies (which are for risk-based conditional access) with location-based Conditional Access policies, or they mistakenly think per-user MFA settings can be scoped to exclude specific users or networks.

How to eliminate wrong answers

Option B is wrong because an Identity Protection user risk policy targets users with a specific risk level (medium and above), not network location, and cannot exclude trusted IPs or service accounts as required. Option C is wrong because an Identity Protection sign-in risk policy targets risky sign-ins based on risk level, not network location, and cannot enforce MFA based on corporate vs. non-corporate networks. Option D is wrong because per-user MFA settings are a legacy approach that does not support excluding service accounts or targeting specific applications; it applies MFA globally to all sign-ins for enabled users, regardless of network location.

20
MCQmedium

A company uses Microsoft Entra ID P2 licenses. They want to require multi-factor authentication (MFA) for all users when accessing the Azure Management portal, but only from devices that are not marked as compliant. Additionally, a group named 'BreakGlass' must be excluded from this requirement. Which Conditional Access policy configuration should be applied?

A.Assign to 'All users', condition: 'Device state (preview) is not compliant', grant: 'Require MFA', exclude: 'BreakGlass group'
B.Assign to 'All users', condition: 'Sign-in risk is medium or higher', grant: 'Require MFA', exclude: 'BreakGlass group'
C.Assign to 'All users', condition: 'Client apps: Browser and Mobile apps', grant: 'Block access', exclude: 'BreakGlass group'
D.Assign to 'All users', condition: 'Device platform: Android, iOS, Windows, macOS', grant: 'Require MFA', exclude: 'BreakGlass group'
AnswerA

This configuration correctly uses the device state condition to target non-compliant devices, requires MFA, and excludes the break-glass accounts. The policy applies when a non-compliant device tries to access the Azure Management portal.

Why this answer

Option A is correct because it directly maps the requirement: assign the policy to 'All users', use the 'Device state (preview) is not compliant' condition to target only non-compliant devices, grant 'Require MFA' for the Azure Management portal (selected via the 'Cloud apps' condition), and exclude the 'BreakGlass' group. This ensures MFA is enforced only when accessing the Azure Management portal from non-compliant devices, while break-glass accounts are exempt.

Exam trap

The trap here is confusing 'Device state (preview) is not compliant' with other conditions like 'Sign-in risk' or 'Device platform', leading candidates to pick options that target risk levels or OS types instead of the specific compliance status required.

How to eliminate wrong answers

Option B is wrong because 'Sign-in risk is medium or higher' targets risky sign-ins, not device compliance; this would require Azure AD Identity Protection and does not address the device compliance condition. Option C is wrong because 'Client apps: Browser and Mobile apps' with 'Block access' would block all access from browsers and mobile apps, not just non-compliant devices, and does not enforce MFA. Option D is wrong because 'Device platform: Android, iOS, Windows, macOS' targets specific operating systems, not device compliance; this would apply MFA to all devices of those platforms regardless of compliance status.

21
Matchingmedium

Match each PowerShell command to its function in Microsoft 365.


Concepts
Matches

Connects to Azure AD

Connects to Exchange Online

Connects to MS Online (legacy)

Lists mailboxes

Resets a user's password

Why these pairings

PowerShell is used for advanced administration.

22
MCQmedium

An organization wants to configure Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users register two authentication methods: one from the mobile app category (e.g., notification or code) and one from the phone call category (e.g., office phone or mobile phone). Which combination of methods should the administrator select in the SSPR settings?

A.Mobile app notification and Office phone
B.Mobile app code and Security questions
C.Email and Mobile phone
D.Security questions and Office phone
AnswerA

Mobile app notification is from the mobile app category; Office phone is a phone call method. This meets the requirement.

Why this answer

Option A is correct because the SSPR policy requires users to register two authentication methods from distinct categories. The mobile app notification (from the mobile app category) and office phone (from the phone call category) satisfy this requirement. This combination ensures that users have one method from the mobile app category and one from the phone call category, as specified in the question.

Exam trap

The trap here is that candidates often confuse the 'mobile app' category with 'email' or 'security questions', or assume that 'mobile phone' (which is in the phone call category) counts as a mobile app method, leading them to select combinations that do not meet the category requirement.

How to eliminate wrong answers

Option B is wrong because security questions are not in the phone call category; they belong to the security questions category, so this combination does not include a method from the phone call category. Option C is wrong because email is not in the mobile app category; it belongs to the email category, and mobile phone is in the phone call category, so this combination lacks a method from the mobile app category. Option D is wrong because security questions are not in the mobile app category, and office phone is in the phone call category, so this combination lacks a method from the mobile app category.

23
MCQmedium

A company has a hybrid identity with password hash synchronization. They want to ensure that any user whose account is disabled in on-premises Active Directory is automatically prevented from signing in to Microsoft 365. How can this be achieved?

A.Ensure Microsoft Entra Connect is configured to synchronize the disabled status; this happens automatically.
B.Create a dynamic group based on accountEnabled attribute and apply a Conditional Access policy to block access.
C.Run a PowerShell script daily to disable matching accounts in Microsoft Entra ID.
D.Enable cloud HR provisioning.
AnswerA

Correct. The sync of the accountEnabled attribute is automatic, and disabling the on-premises account will propagate to the cloud, blocking sign-in.

Why this answer

Option A is correct because Microsoft Entra Connect (formerly Azure AD Connect) by default synchronizes the `userAccountControl` attribute from on-premises Active Directory, which includes the disabled status (bit 2, ACCOUNTDISABLE). When an on-premises user account is disabled, the corresponding `accountEnabled` attribute in Microsoft Entra ID is set to `false`, preventing sign-in to Microsoft 365 without additional configuration.

Exam trap

The trap here is that candidates may overthink the solution and assume additional configuration or scripting is required, when in fact Entra Connect automatically synchronizes the disabled status as part of its default attribute mapping.

How to eliminate wrong answers

Option B is wrong because a dynamic group based on `accountEnabled` attribute cannot be used in a Conditional Access policy to block access; Conditional Access policies apply to users or groups, but the `accountEnabled` attribute is not directly evaluated by Conditional Access, and disabling the account in Entra ID already blocks sign-in. Option C is wrong because running a PowerShell script daily to disable matching accounts in Microsoft Entra ID is unnecessary and introduces latency and potential inconsistency; Entra Connect already synchronizes the disabled status in near real-time (every 30 minutes by default). Option D is wrong because cloud HR provisioning (e.g., Workday or SuccessFactors) is designed for creating and managing user identities from HR systems, not for synchronizing the disabled status from on-premises Active Directory to Microsoft Entra ID.

24
MCQhard

A company (Contoso) frequently collaborates with a partner company (Fabrikam) via B2B collaboration. Contoso wants to require Fabrikam's guest users to perform MFA using Contoso's MFA policies, ignoring any MFA claims from the Fabrikam home tenant. However, Fabrikam's users already have MFA enabled in their home tenant. What should Contoso configure in their cross-tenant access settings?

A.Set the inbound trust settings to accept MFA claims from Fabrikam
B.Set the inbound trust settings to accept compliant device claims
C.Set the inbound trust settings to block MFA and require Contoso's MFA
D.Disable trust for MFA from the external tenant in the cross-tenant access settings
AnswerD

By disabling trust for MFA claims from the external tenant, Contoso ensures that its own MFA policies apply to guest users.

Why this answer

Option D is correct because Contoso wants to ignore MFA claims from Fabrikam's home tenant and enforce its own MFA policies on Fabrikam's guest users. In cross-tenant access settings, disabling trust for MFA from the external tenant ensures that Contoso does not honor any MFA claims issued by Fabrikam, thereby requiring Fabrikam's users to perform MFA again according to Contoso's conditional access policies.

Exam trap

The trap here is that candidates may think they need to explicitly 'block MFA' (Option C) rather than understanding that disabling trust for MFA claims achieves the same effect by ignoring the external tenant's MFA, forcing Contoso's own MFA policies to apply.

How to eliminate wrong answers

Option A is wrong because accepting MFA claims from Fabrikam would honor Fabrikam's MFA claims, which is the opposite of what Contoso wants. Option B is wrong because accepting compliant device claims is unrelated to MFA enforcement; it controls device trust, not authentication strength. Option C is wrong because there is no setting to 'block MFA and require Contoso's MFA' in cross-tenant trust settings; the correct mechanism is to disable trust for MFA from the external tenant, which effectively forces Contoso's MFA to be evaluated.

25
MCQmedium

A company wants to implement just-in-time (JIT) privileged access for the Security Administrator role. Users must be able to activate the role with a business justification, and the activation must be approved by a designated group of approvers. The role activation should expire after 4 hours. Which Privileged Identity Management (PIM) configuration should the administrator modify?

A.Role settings for the Security Administrator role
B.Assignments (Eligible) for the Security Administrator role
C.Assignments (Active) for the Security Administrator role
D.Notifications settings under PIM
AnswerA

Role settings control activation requirements, including approval, justification, and maximum activation duration.

Why this answer

To configure just-in-time (JIT) privileged access with approval, expiration, and justification requirements, you must modify the Role settings for the Security Administrator role in Privileged Identity Management (PIM). Role settings control activation parameters such as maximum activation duration (4 hours), whether approval is required, and whether justification is mandatory. This is the only place where these activation policies are defined.

Exam trap

The trap here is that candidates confuse 'assignments' (who can use the role) with 'role settings' (how the role can be activated), leading them to choose Eligible assignments instead of Role settings when asked about activation policies like duration, approval, or justification.

How to eliminate wrong answers

Option B is wrong because Eligible assignments define which users are allowed to activate the role, not the activation policies like duration, approval, or justification. Option C is wrong because Active assignments grant permanent, always-on access without requiring activation, which defeats the purpose of JIT and approval. Option D is wrong because Notifications settings only control who receives email alerts for PIM events (e.g., activation, approval), not the activation rules themselves.

26
MCQmedium

A company uses Microsoft Entra ID with Pass-through Authentication. The security team wants to block all sign-ins from countries that are not approved (e.g., high-risk regions). Which feature should they use?

A.Conditional Access policy with country location condition
B.Identity Protection sign-in risk policy
C.Identity Protection user risk policy
D.Named locations with blocked countries
AnswerA

Correct. Conditional Access allows blocking or allowing access based on country using Named Locations.

Why this answer

Conditional Access policies in Microsoft Entra ID can include a location condition that uses IP addresses to determine the country of origin. By configuring a policy to block access from specific countries (e.g., high-risk regions), the security team can enforce this requirement. This is the correct feature because it directly evaluates the geographic location of the sign-in request and applies an access control (block) accordingly.

Exam trap

The trap here is that candidates confuse Named locations (which are just definitions) with the actual enforcement mechanism, forgetting that a Conditional Access policy is required to apply the block action based on those locations.

How to eliminate wrong answers

Option B is wrong because Identity Protection sign-in risk policy evaluates the probability that a sign-in is compromised based on signals like anonymous IP addresses or atypical travel, not the geographic country of the sign-in. Option C is wrong because Identity Protection user risk policy assesses the likelihood that a user's identity has been compromised (e.g., leaked credentials), not the location of the sign-in. Option D is wrong because Named locations define a set of IP address ranges or countries/regions for use in Conditional Access policies, but they cannot directly block sign-ins; they must be referenced within a Conditional Access policy to enforce a block action.

27
MCQmedium

A company uses Microsoft Entra ID with password hash synchronization. The security team wants to prevent users from setting passwords that include their username or common terms from a custom dictionary (e.g., company name, product names). Which feature should be configured?

A.Enable Azure AD Identity Protection with user risk policies.
B.Configure a custom banned passwords list in Microsoft Entra ID Password Protection.
C.Set a fine-grained password policy in on-premises Active Directory and sync it to Azure AD.
D.Enable MFA registration campaign to force users to register for MFA.
AnswerB

This allows adding a custom list of banned passwords that users cannot use, meeting the requirement.

Why this answer

Option B is correct because Microsoft Entra ID Password Protection allows administrators to enforce custom banned password lists that prevent users from including specific terms (e.g., company name, product names) or their username in passwords. This feature works with password hash synchronization to block weak passwords at the cloud level, directly addressing the security team's requirement.

Exam trap

The trap here is that candidates often confuse password policies (which are set in on-premises AD and cannot be synced to Azure AD) with password protection features (which are configured directly in Microsoft Entra ID), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection with user risk policies detects and responds to compromised credentials or risky sign-ins, but it does not enforce password content restrictions such as banning specific terms. Option C is wrong because fine-grained password policies in on-premises Active Directory cannot be synced to Azure AD; password hash synchronization only syncs password hashes, not password policies, and Azure AD does not support on-premises password policy enforcement. Option D is wrong because the MFA registration campaign forces users to register for multifactor authentication, which adds a second layer of security but does not prevent users from setting weak passwords that include banned terms.

28
MCQhard

An organization has multiple Microsoft Entra ID tenants and wants to allow partner users to access internal applications using their own corporate credentials. Which feature should be used to enable this?

A.Microsoft Entra B2B collaboration
B.Microsoft Entra B2C
C.Azure AD Connect
D.Tenant-to-tenant migration
AnswerA

B2B enables external users to use their own credentials (e.g., from another Azure AD tenant) to access resources.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it allows partner users to access internal applications using their own corporate credentials (their home tenant identity) without requiring any external accounts or local user management. B2B collaboration uses cross-tenant trust relationships, enabling seamless single sign-on (SSO) via SAML/WS-Fed or OIDC protocols, which aligns with the requirement to use existing partner credentials.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B (for business partners) with Microsoft Entra B2C (for customers), leading them to select B2C because both involve external identities, but B2C does not support using the partner's own corporate credentials from another Entra ID tenant.

How to eliminate wrong answers

Option B (Microsoft Entra B2C) is wrong because it is designed for customer-facing applications where users sign up with social or local accounts, not for partner users who need to use their own corporate credentials from another Entra ID tenant. Option C (Azure AD Connect) is wrong because it synchronizes on-premises Active Directory objects to a single Entra ID tenant, and does not enable cross-tenant access for external partner identities. Option D (Tenant-to-tenant migration) is wrong because it is a process for moving data and users between tenants, not a feature for granting ongoing access to partner users with their existing credentials.

29
MCQmedium

A company wants to require MFA for all users when they access Office 365 from any network location that is not the company's trusted IP ranges. Which Conditional Access policy configuration should be applied?

A.Include all users, exclude none, grant access require MFA with condition 'Location not in trusted locations'.
B.Include all users, exclude none, block access with condition 'Location not in trusted locations'.
C.Include all users, exclude trusted locations as a group, grant access require MFA.
D.Include all users, exclude all locations, grant access require MFA.
AnswerA

This correctly triggers MFA only when the user is not coming from a trusted location.

Why this answer

Option A correctly configures a Conditional Access policy that targets all users and applies the 'Require MFA' grant control when the location condition is set to 'Any location' except the company's trusted IP ranges. This ensures MFA is enforced for all access attempts originating from outside the trusted network, meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse excluding a group (like 'All trusted users') with using the location condition to exclude trusted IP ranges, leading them to choose Option C, which incorrectly removes the location-based trigger entirely.

How to eliminate wrong answers

Option B is wrong because blocking access entirely for untrusted locations would prevent users from working remotely, which is not the requirement; the requirement is to require MFA, not block. Option C is wrong because excluding trusted locations as a group from the policy scope would mean the policy does not evaluate those locations at all, but the requirement is to apply MFA to all users when they are not in trusted locations, which is best handled by the location condition, not by excluding a group. Option D is wrong because excluding all locations would mean the policy never evaluates any location condition, effectively disabling the location-based trigger, so MFA would not be enforced based on network location.

30
MCQmedium

A company uses Azure AD Connect with password hash synchronization. They want to allow users to reset their on-premises Active Directory passwords from the cloud Self-Service Password Reset (SSPR) portal. Which additional configuration is required in Azure AD Connect?

A.Enable password writeback
B.Enable self-service password reset in Azure AD
C.Configure Federation Services (AD FS)
D.Install Azure AD Application Proxy
AnswerA

Password writeback synchronizes password changes from Azure AD to on-premises AD, allowing cloud-initiated resets to update the on-premises password.

Why this answer

Password writeback is the specific feature in Azure AD Connect that enables password changes performed in the cloud (via SSPR) to be written back to the on-premises Active Directory. Without this feature enabled and configured, the SSPR portal can only reset cloud-only passwords, not synchronized on-premises passwords. Therefore, enabling password writeback is the additional configuration required beyond the existing password hash synchronization.

Exam trap

The trap here is that candidates often confuse enabling SSPR in Azure AD (a tenant-level setting) with the specific Azure AD Connect feature (password writeback) that is required to make SSPR work for synchronized users, leading them to select Option B instead of A.

How to eliminate wrong answers

Option B is wrong because enabling self-service password reset in Azure AD is a prerequisite for the SSPR portal itself, not the additional configuration required in Azure AD Connect to write the reset password back to on-premises AD. Option C is wrong because Federation Services (AD FS) is not required for password writeback; password writeback works with password hash synchronization and does not require federation. Option D is wrong because Azure AD Application Proxy is used for publishing on-premises web applications externally, not for password synchronization or writeback.

31
MCQmedium

A company uses Microsoft Entra ID P2 licenses and wants to block all authentication attempts from an internal legacy application that uses POP3 and SMTP protocols. The application cannot be updated and must be blocked from accessing Exchange Online. Which Conditional Access policy setting should the administrator configure?

A.Under 'Grant', select 'Block access'
B.Under 'Conditions' > 'Client apps', configure to block 'Exchange ActiveSync clients and other clients'
C.Under 'Conditions' > 'Device platforms', select 'Android' and 'iOS' and block them
D.Under 'Conditions' > 'Locations', select 'All trusted locations' and block
AnswerB

This setting explicitly targets legacy authentication clients (including POP3/SMTP). By setting the action to block, all attempts from those clients are denied.

Why this answer

Option B is correct because the legacy application uses POP3 and SMTP, protocols that rely on legacy (basic) authentication rather than modern authentication. In Conditional Access, the 'Client apps' condition includes a setting to block 'Exchange ActiveSync clients and other clients', which specifically targets legacy authentication protocols like POP3, SMTP, and IMAP. This allows the administrator to block all authentication attempts from such clients without affecting modern authentication flows.

Exam trap

The trap here is that candidates often confuse 'Client apps' with device or location conditions, mistakenly thinking that blocking a device platform or location will stop legacy protocol traffic, when in fact legacy authentication bypasses those controls entirely because it does not use modern token-based authentication.

How to eliminate wrong answers

Option A is wrong because 'Block access' under 'Grant' is a coarse control that blocks all access for the targeted users or apps, but it does not specifically target legacy protocols like POP3/SMTP; it would block all authentication methods, including modern ones, which is not the requirement. Option C is wrong because 'Device platforms' controls access based on the operating system (e.g., Android, iOS), not the authentication protocol; blocking Android and iOS would not affect a legacy application running on a server or desktop using POP3/SMTP. Option D is wrong because 'Locations' controls access based on network location (e.g., trusted IP ranges), not the authentication protocol; blocking trusted locations would not block the legacy application if it originates from an untrusted location, and it does not address the protocol-specific requirement.
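Questions 17, 19 and 29 describe the same location-based MFA policy, and question 31 the legacy-authentication block. The following added example (not code from the page or from Microsoft) writes those policies out in the Microsoft Graph conditionalAccessPolicy request-body shape, including the trap variant from question 17 Option D, and runs constructed sign-ins through a small evaluator so the include/exclude semantics can be seen rather than argued about. The group ID is a constructed placeholder, and the evaluator is a deliberately simplified model of the documented behaviour (exclusions win over inclusions, conditions are ANDed, any matching block policy wins), not Microsoft's policy engine; the policy bodies are what you would send to the Graph conditionalAccess/policies endpoint.

```python
"""Conditional Access policy bodies in the Microsoft Graph
conditionalAccessPolicy shape, plus a small evaluator showing which sample
sign-ins each policy applies to.  The evaluator is a simplified model of the
documented include/exclude semantics written for this page; the real engine
evaluates many more signals."""
from dataclasses import dataclass, field

# Constructed placeholder object ID (a real tenant uses the group's GUID).
EMERGENCY_GROUP_ID = "00000000-0000-0000-0000-00000000e001"


def mfa_from_untrusted_locations(excluded_group_id: str) -> dict:
    """Q17/Q19/Q29: all users minus an excluded group, all cloud apps,
    require MFA, locations = any location except trusted named locations."""
    return {
        "displayName": "Require MFA from untrusted locations",
        "state": "enabledForReportingButNotEnforced",  # report-only first
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": [excluded_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def mfa_from_trusted_locations_only(excluded_group_id: str) -> dict:
    """Q17 Option D, the trap: scoping the policy to trusted locations
    makes it fire on trusted networks and nowhere else."""
    policy = mfa_from_untrusted_locations(excluded_group_id)
    policy["displayName"] = "Require MFA from trusted locations (wrong)"
    policy["conditions"]["locations"] = {"includeLocations": ["AllTrusted"],
                                         "excludeLocations": []}
    return policy


def block_legacy_authentication() -> dict:
    """Q31: block Exchange ActiveSync and 'other clients', the client-app
    bucket that carries POP3, IMAP and SMTP basic authentication."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


@dataclass
class SignIn:
    """Signals of one sign-in attempt (constructed input for the evaluator)."""
    group_ids: set = field(default_factory=set)
    app_id: str = "Office365"
    trusted_location: bool = False  # source IP inside a trusted named location
    client_app: str = "browser"     # browser | mobileAppsAndDesktopClients
                                    # | exchangeActiveSync | other


def policy_applies(policy: dict, s: SignIn) -> bool:
    """Do the policy's assignments and conditions match this sign-in?
    Exclusions always win over inclusions, as in Conditional Access."""
    cond = policy["conditions"]
    users = cond["users"]
    if s.group_ids & set(users.get("excludeGroups", [])):
        return False
    if users["includeUsers"] != ["All"]:  # only the 'All' scope is modelled
        return False
    apps = cond["applications"]["includeApplications"]
    if apps != ["All"] and s.app_id not in apps:
        return False
    client_types = cond.get("clientAppTypes", ["all"])
    if client_types != ["all"] and s.client_app not in client_types:
        return False
    loc = cond.get("locations")
    if loc:
        if s.trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
            return False
        if loc["includeLocations"] == ["AllTrusted"] and not s.trusted_location:
            return False
    return True


def decide(policies: list, s: SignIn) -> str:
    """Combine every matching policy: any 'block' wins; otherwise the union
    of required grant controls; 'allow' when no policy matched."""
    required = set()
    for policy in policies:
        if policy_applies(policy, s):
            controls = policy["grantControls"]["builtInControls"]
            if "block" in controls:
                return "block"
            required.update(controls)
    return "+".join(sorted(required)) if required else "allow"


if __name__ == "__main__":
    policies = [mfa_from_untrusted_locations(EMERGENCY_GROUP_ID),
                block_legacy_authentication()]
    print(decide(policies, SignIn()))                               # mfa
    print(decide(policies, SignIn(trusted_location=True)))          # allow
    print(decide(policies, SignIn(group_ids={EMERGENCY_GROUP_ID})))  # allow
    print(decide(policies, SignIn(client_app="other")))             # block
```

Running the trap variant through the same evaluator is the quickest way to see why Option D in question 17 is backwards: `mfa_from_trusted_locations_only` yields "mfa" for a sign-in from the corporate network and "allow" from everywhere else. Deploying with `state` set to report-only and reading the sign-in log results before switching to `enabled` is the practitioner habit that catches this class of mistake before it locks anyone out.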

32
Matchingmedium

Match each Microsoft 365 Defender portal component to its function.


Concepts
Matches

Protects email and collaboration tools

Protects devices from threats

Protects on-premises Active Directory

Protects cloud applications

Unified threat protection dashboard

Why these pairings

These are the five pillars of Microsoft 365 Defender.

33
MCQhard

A company uses Microsoft Entra ID P2 licenses and wants to implement just-in-time (JIT) privileged access for administrators. Security requirements state that Global Administrator role members must request approval and provide a business justification to activate the role, and that the activation must expire after 4 hours. Which Microsoft Entra feature should be configured?

A.Conditional Access
B.Privileged Identity Management (PIM)
C.Identity Protection
D.Self-Service Password Reset (SSPR)
Answer: B

PIM allows configuring role activation with approval, justification, and duration settings, fulfilling the JIT requirement.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access, requiring approval and a business justification for role activation, with configurable maximum activation durations (e.g., 4 hours). This directly meets the security requirement for Global Administrator role members to request approval and provide justification before activation expires after 4 hours.

Exam trap

The trap here is that candidates often confuse Conditional Access with PIM because both involve 'access control,' but Conditional Access cannot enforce time-bound role activation with approval and justification workflows.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like location or device compliance, but it does not provide time-bound role activation with approval workflows or business justification. Option C is wrong because Identity Protection detects and remediates identity-based risks (e.g., compromised accounts) but does not manage privileged role activation or approval processes. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, and it has no capability to control privileged role activation with approval and expiration.

34
MCQ · medium

A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator must ensure that users are required to register at least two authentication methods: one from the 'mobile app' category and one from the 'phone call' category. Which combination of methods should the administrator select in the SSPR registration settings?

A.Mobile app notification and office phone
B.Mobile app notification and mobile app code
C.Office phone and mobile phone
D.Mobile phone and email
Answer: A

Mobile app notification is from the mobile app category, and office phone is from the phone call category, satisfying both requirements.

Why this answer

Option A is correct because the SSPR registration policy requires users to select at least two distinct authentication methods from the allowed list. By choosing 'Mobile app notification' (from the mobile app category) and 'Office phone' (from the phone call category), the administrator satisfies the requirement of one method from each specified category. The 'Office phone' option is classified under the 'phone call' category in Microsoft Entra ID SSPR settings.

Exam trap

The trap here is that candidates often assume 'Mobile phone' and 'Office phone' are different categories, but both are classified under the 'phone call' category in SSPR, so selecting both does not satisfy the requirement for a method from the 'mobile app' category.

How to eliminate wrong answers

Option B is wrong because both 'Mobile app notification' and 'Mobile app code' belong to the same 'mobile app' category, failing the requirement to have one method from the 'phone call' category. Option C is wrong because 'Office phone' and 'Mobile phone' are both in the 'phone call' category, not covering the 'mobile app' category. Option D is wrong because 'Mobile phone' is in the 'phone call' category and 'Email' is a separate category (not 'mobile app' or 'phone call'), so it does not include a method from the 'mobile app' category.

35
MCQ · hard

A company uses Microsoft Entra ID P2 licenses. The security team wants to automatically block sign-ins for users with high sign-in risk, but only when the sign-in originates from outside the corporate network. For sign-ins from the corporate network, they want to require a password change for medium sign-in risk. A group of emergency access accounts (break-glass) must be excluded from all policies. What should the administrator implement?

A.A single Conditional Access policy that blocks access for high risk from external locations and requires password change for medium risk from internal locations, excluding the break-glass group.
B.Two Conditional Access policies: one for external locations that blocks high risk, and one for internal locations that requires password change for medium risk. Both exclude the break-glass group.
C.An Identity Protection user risk policy that blocks high-risk users and prompts for password change for medium-risk users, configured to exclude the break-glass group.
D.A Conditional Access policy that requires multi-factor authentication for all users except break-glass, and a separate sign-in risk policy for blocking high risk from external locations.
Answer: B

This meets all requirements: separate policies for different location + risk combinations, and the break-glass group is excluded from both.

Why this answer

Option B is correct because Conditional Access policies evaluate conditions like location and sign-in risk separately, and combining both conditions (external vs. internal) with different grant controls (block vs. require password change) in a single policy is not supported. Two separate policies are required: one for external locations with high risk to block, and one for internal locations with medium risk to require password change. Both must exclude the break-glass group to ensure emergency access is never blocked.

Exam trap

The trap here is that candidates often assume a single Conditional Access policy can handle multiple condition-to-control mappings, but Microsoft Entra ID requires separate policies for each unique combination of conditions and grant controls.

How to eliminate wrong answers

Option A is wrong because a single Conditional Access policy cannot apply different grant controls (block vs. require password change) based on different location conditions within the same policy; each policy can only have one set of grant controls. Option C is wrong because an Identity Protection user risk policy applies to user risk (compromised accounts), not sign-in risk (compromised session), and does not evaluate location (corporate network vs. external). Option D is wrong because it suggests a single Conditional Access policy requiring MFA for all users, which does not address the specific sign-in risk and location requirements, and a separate sign-in risk policy cannot be combined with location-based conditions in the way described.

36
MCQ · medium

A company wants to require that all users accessing a critical cloud application for the first time must accept a company terms of use before they are granted access. Which Conditional Access policy grant control should be added?

A.Require multi-factor authentication
B.Require device to be marked as compliant
C.Require terms of use
D.Require approved client app
Answer: C

This grant control presents a terms-of-use document for the user to accept before access is allowed.

Why this answer

Option C is correct because the 'Require terms of use' grant control in a Conditional Access policy is specifically designed to force a user to accept a company's terms of use (TOU) before accessing a cloud application. When this control is enabled, Microsoft Entra ID presents the TOU document to the user on first access, and access is blocked until the user explicitly accepts the terms. This directly meets the requirement of requiring acceptance before granting access.

Exam trap

The trap here is that candidates often confuse 'terms of use' with a general compliance or security requirement, leading them to select 'Require device to be marked as compliant' (Option B) because they think device compliance implies policy acceptance, but Conditional Access grant controls are distinct and the terms of use control is the only one that enforces a user-facing acceptance workflow.

How to eliminate wrong answers

Option A is wrong because Require multi-factor authentication (MFA) enforces an additional authentication factor, not a legal or policy acceptance step; it does not present or require acceptance of a terms of use document. Option B is wrong because Require device to be marked as compliant checks device health and compliance status (e.g., via Intune or MDM), but does not involve any user-facing terms acceptance workflow. Option D is wrong because Require approved client app restricts access to specific client applications (e.g., Microsoft Outlook or Teams), but has no mechanism to display or enforce a terms of use acceptance.

37
MCQ · medium

An organization wants to enable users to reset their own passwords using the Microsoft Authenticator app and to prevent reuse of the last five passwords. Which Microsoft Entra ID features should be configured?

A.Microsoft Entra ID Protection and SSPR
B.Self-Service Password Reset (SSPR) and Password Protection
C.Conditional Access and SSPR
D.Identity Governance and SSPR
Answer: B

SSPR enables self-service resets; Password Protection enforces password reuse restrictions and custom ban lists.

Why this answer

The requirement to enable users to reset their own passwords via the Microsoft Authenticator app is fulfilled by Self-Service Password Reset (SSPR), which supports the Authenticator app as an authentication method. The requirement to prevent reuse of the last five passwords is fulfilled by Password Protection, specifically the password reuse policy within the custom banned password list or the enforcement of password history via on-premises integration. Option B correctly pairs these two features.

Exam trap

The trap here is that candidates confuse Password Protection (which handles password complexity, banned lists, and history) with Entra ID Protection (which handles risk-based policies), leading them to select Option A instead of the correct pairing of SSPR and Password Protection.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a risk-detection and remediation service (e.g., for leaked credentials or risky sign-ins), not a feature that enforces password history or reuse policies. Option C is wrong because Conditional Access controls access based on conditions (e.g., location, device compliance) but does not enforce password reuse restrictions. Option D is wrong because Identity Governance manages access lifecycle, entitlement reviews, and provisioning, not password history enforcement.

38
MCQ · medium

A company uses Microsoft Entra ID P2 licenses. They want to block all authentication attempts from an internal app that uses legacy authentication protocols (POP3, IMAP, SMTP) because these protocols cannot enforce multi-factor authentication. Which Conditional Access policy setting should be used?

A.Grant access requiring multi-factor authentication
B.Block access for apps using legacy authentication
C.Require compliant device
D.Require approved client app
Answer: B

Under 'Client apps', you can select 'Exchange ActiveSync clients' and 'Other clients' to block legacy authentication protocols.

Why this answer

Option B is correct because the scenario explicitly requires blocking authentication attempts from an internal app using legacy protocols (POP3, IMAP, SMTP) that cannot enforce multi-factor authentication. The 'Block access for apps using legacy authentication' Conditional Access setting targets client apps that use legacy authentication protocols, effectively preventing any authentication from those apps regardless of user or device compliance.

Exam trap

The trap here is that candidates often confuse 'Require MFA' (which still allows legacy apps to attempt authentication and fail silently) with 'Block legacy authentication' (which explicitly prevents the authentication attempt at the protocol level), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because 'Grant access requiring multi-factor authentication' would still allow the legacy app to attempt authentication; legacy protocols cannot pass MFA claims, so the policy would either fail or be bypassed, not block the attempt. Option C is wrong because 'Require compliant device' only checks device health (e.g., Intune compliance) and does not address the protocol-level vulnerability of legacy authentication; the app could still authenticate from a compliant device using POP3/SMTP without MFA. Option D is wrong because 'Require approved client app' enforces the use of specific modern authentication apps (e.g., Microsoft Authenticator) but does not block legacy protocols; an approved client app could still use legacy authentication if not explicitly restricted.

39
MCQ · medium

Contoso frequently collaborates with a partner company (Fabrikam) via B2B collaboration. Contoso uses Microsoft Entra ID P2 licenses and wants to require Fabrikam's guest users to authenticate using Contoso's MFA policies, ignoring any MFA claims from the Fabrikam home tenant. Fabrikam already has MFA enabled for its users. What configuration should Contoso make in their cross-tenant access settings?

A.Configure outbound access settings to require MFA for Fabrikam users
B.Configure inbound trust settings to uncheck 'Trust multi-factor authentication from Microsoft Entra tenants' for Fabrikam
C.Create a Conditional Access policy targeting all guest users from Fabrikam that requires MFA
D.Configure B2B direct connect for Fabrikam and require MFA
Answer: B

By default, Contoso trusts MFA claims from external tenants. Unchecking this setting for Fabrikam forces Contoso to re-evaluate MFA requirements for those guest users.

Why this answer

Option B is correct because Contoso wants to ignore MFA claims from Fabrikam's home tenant and enforce its own MFA policies on Fabrikam guest users. In cross-tenant access settings, the 'Trust multi-factor authentication from Microsoft Entra tenants' checkbox controls whether inbound MFA claims from the external tenant are accepted. By unchecking this for Fabrikam, Contoso ensures that Fabrikam's MFA claims are ignored, and Contoso's Conditional Access policies (including MFA requirements) apply to those guest users.

Exam trap

The trap here is that candidates often confuse inbound trust settings with outbound settings or Conditional Access policies, assuming that a Conditional Access policy alone can override MFA claims from the home tenant, when in fact the trust setting must be explicitly disabled to ignore those claims.

How to eliminate wrong answers

Option A is wrong because outbound access settings control how Contoso's users access Fabrikam resources, not how Fabrikam's guest users authenticate into Contoso. Option C is wrong because while a Conditional Access policy can require MFA for guest users, it does not override or ignore MFA claims from the home tenant; if the inbound trust setting trusts Fabrikam's MFA, the Conditional Access policy may not re-prompt for MFA. Option D is wrong because B2B direct connect is used for Teams Connect shared channels, not for standard B2B collaboration guest user access, and it does not provide the granular control over MFA trust needed here.

40
MCQ · easy

An administrator needs to allow external users from a partner company to sign up for access to a SharePoint Online site using their own Azure AD accounts. Which configuration should the administrator enable?

A.Enable 'Email one-time passcode authentication' for guests
B.Enable 'External identities' > 'Self-service sign-up' in Azure AD
C.Configure a cross-tenant access policy for the partner tenant
D.Create guest user accounts manually in Azure AD
Answer: B

This setting allows external users to sign up for access to resources using their own Azure AD or Microsoft account identities.

Why this answer

Option B is correct because enabling 'Self-service sign-up' in Azure AD External Identities allows external users to sign up for access to applications (including SharePoint Online sites) using their own Azure AD accounts without manual admin intervention. This feature creates guest user objects automatically when the external user completes the sign-up flow, which satisfies the requirement for partner users to sign up using their existing Azure AD credentials.

Exam trap

The trap here is that candidates often confuse 'self-service sign-up' with 'cross-tenant access policies' or 'email OTP,' thinking that any guest authentication method enables self-service sign-up, but only the explicit self-service sign-up feature creates the automated user provisioning flow.

How to eliminate wrong answers

Option A is wrong because 'Email one-time passcode authentication' is an authentication method for guests who do not have an Azure AD or Microsoft account, not a mechanism for external users to sign up using their own Azure AD accounts. Option C is wrong because a cross-tenant access policy controls inbound and outbound access settings between tenants (e.g., B2B collaboration or B2B direct connect), but it does not enable self-service sign-up; it governs how existing guest users authenticate or access resources. Option D is wrong because manually creating guest user accounts in Azure AD requires administrative effort and does not allow external users to sign up on their own, which contradicts the requirement for self-service sign-up.

41
Multi-Select · medium

You are a Microsoft 365 Administrator for a large enterprise that uses Microsoft Entra ID. The company's security team requires you to implement identity and access management solutions. Which four of the following statements accurately describe features or capabilities of Microsoft Entra ID? Choose all that apply. (There are four correct answers.)

Select 4 answers
A.Microsoft Entra ID Conditional Access policies can enforce multi-factor authentication (MFA) based on user, device, location, and application signals.
B.Microsoft Entra ID Identity Protection can automatically remediate risky sign-ins by enforcing password change or blocking access based on risk levels.
C.Microsoft Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by activating roles for a limited time with approval workflows.
D.Microsoft Entra ID Application Proxy enables secure access to on-premises web applications without needing a VPN, using pre-authentication in Entra ID.
E.Microsoft Entra ID External Identities supports B2B collaboration but does not support B2C scenarios such as customer-facing sign-up and sign-in.
F.Microsoft Entra ID Permissions Management (CIEM) can only be used to manage permissions in Microsoft Azure, not in other cloud providers like AWS or GCP.

Why this answer

Microsoft Entra ID Conditional Access policies evaluate signals such as user identity, device compliance, location, and application to enforce MFA, providing granular access control. This is a core capability for identity-driven security.

Exam trap

The trap here is that candidates may think External Identities only covers B2B, but it also includes Azure AD B2C for customer-facing scenarios, and that Permissions Management is Azure-only, whereas it supports AWS and GCP as well.

42
MCQ · medium

An organization wants to enforce that all administrators use a phishing-resistant authentication method (e.g., FIDO2 security keys or Windows Hello for Business) when accessing Microsoft 365 admin portals. Which Microsoft Entra ID feature should be used?

A.Conditional Access authentication strength
B.Security defaults
C.Per-user MFA
D.Identity Protection
Answer: A

Authentication strength policies let you require specific MFA methods; configuring a policy for admins with a phishing-resistant strength ensures compliance.

Why this answer

Option A is correct because Conditional Access authentication strength allows administrators to define and enforce specific authentication methods, such as FIDO2 security keys or Windows Hello for Business, which are phishing-resistant. By creating a policy that targets admin roles and requires an authentication strength policy that mandates these methods, the organization can ensure that only phishing-resistant credentials are accepted when accessing Microsoft 365 admin portals. This granular control goes beyond simple MFA enforcement by specifying the exact authentication method required.

Exam trap

The trap here is that candidates often confuse the generic MFA enforcement of Security defaults or Per-user MFA with the ability to specify a particular authentication method, not realizing that only Conditional Access authentication strength provides the granularity to mandate phishing-resistant methods like FIDO2.

How to eliminate wrong answers

Option B is wrong because Security defaults enforces a baseline set of security policies, including requiring MFA for all users, but it does not allow customization to mandate a specific phishing-resistant method like FIDO2; it uses a generic MFA requirement that could be satisfied by less secure methods such as SMS or OTP. Option C is wrong because Per-user MFA enables or disables MFA on a per-user basis but cannot enforce a specific authentication method; it only requires the user to complete MFA using any method they have registered, including non-phishing-resistant ones. Option D is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-ins and user risks, but it does not enforce specific authentication methods; it can trigger MFA via Conditional Access but cannot mandate a particular method like FIDO2.

43
MCQ · hard

A company wants to require approval for any activation of the Global Administrator role in Privileged Identity Management (PIM). The approvers are predefined as members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify to meet these requirements?

A.Edit the role settings of the Global Administrator role in PIM.
B.Create an access review for the Global Administrator role.
C.Configure Azure AD Identity Protection to require MFA for Global Administrator.
D.Assign the Global Administrator role directly to the users temporarily.
Answer: A

Role settings control activation approval, approvers, duration, and justification. Changing these settings meets all requirements.

Why this answer

Option A is correct because the requirement to require approval, enforce a business justification, and set a 4-hour expiration for Global Administrator activations is configured in the role settings of the Global Administrator role within Privileged Identity Management (PIM). These settings control activation parameters such as approval requirements, justification, and maximum activation duration, which directly map to the stated needs.

Exam trap

The trap here is that candidates confuse PIM role settings (which control activation policies) with access reviews (which audit existing assignments) or Azure AD Identity Protection (which handles sign-in risk), leading them to select options that address different aspects of identity governance.

How to eliminate wrong answers

Option B is wrong because an access review is used to periodically review and confirm role assignments, not to configure activation approval, justification, or expiration settings. Option C is wrong because Azure AD Identity Protection's MFA requirement for Global Administrator enforces authentication at sign-in, not activation approval or duration within PIM. Option D is wrong because directly assigning the Global Administrator role bypasses PIM activation workflows entirely, removing the ability to require approval, justification, or expiration.

44
MCQ · medium

A company uses Azure AD and SharePoint Online. They want to allow users from a partner organization (which also uses Azure AD) to access a specific SharePoint Online site using their existing partner credentials. The partner users should not require new accounts to be created. Which Azure AD feature should be configured?

A.Azure AD B2B collaboration
B.Azure AD B2C
C.Azure AD Domain Services
D.Organizational Relationships
Answer: A

B2B collaboration allows external users to use their own identities, including Azure AD accounts.

Why this answer

Azure AD B2B collaboration allows you to invite external users from a partner organization to access your Azure AD-integrated applications, such as SharePoint Online, using their own existing Azure AD credentials. This feature leverages cross-tenant trust and does not require creating new user accounts in your tenant, fulfilling the requirement exactly.

Exam trap

The trap here is that candidates often confuse Azure AD B2B collaboration with Azure AD B2C, mistakenly thinking both are for external users, but B2C is designed for consumer-facing apps with local identities, not for partner organizations using their existing Azure AD credentials.

How to eliminate wrong answers

Option B (Azure AD B2C) is wrong because it is a customer-facing identity management service for external consumers (e.g., app users) and does not support using existing partner Azure AD credentials for access; it requires users to sign up with social or local accounts. Option C (Azure AD Domain Services) is wrong because it provides managed domain services (e.g., LDAP, Kerberos) for legacy applications and has nothing to do with inviting external users or cross-tenant access. Option D (Organizational Relationships) is wrong because while it is a related concept in SharePoint on-premises for federated trust, it is not an Azure AD feature and does not enable partner users to authenticate with their existing Azure AD credentials in a cloud-only SharePoint Online scenario.

45
MCQ · medium

A company uses Azure AD Conditional Access. The security team wants to require multi-factor authentication (MFA) for all users when accessing the Azure portal, except when they are connecting from the corporate network (which is defined as a trusted location). How should the Conditional Access policy be configured?

A.Create a Conditional Access policy with all users, cloud apps = Microsoft Azure Management, Conditions > Locations = all locations, exclude the corporate network, Grant = Require multi-factor authentication.
B.Create a Conditional Access policy with all users, cloud apps = All cloud apps, Conditions > Locations = all locations, exclude the corporate network, Grant = Require multi-factor authentication.
C.Create a Conditional Access policy with all users, cloud apps = Microsoft Azure Management, Conditions > Locations = Corporate network, Grant = Block.
D.Create a Conditional Access policy with all users, cloud apps = Microsoft Azure Management, Conditions > Locations = Corporate network, Grant = Require multi-factor authentication.
Answer: A

This correctly applies MFA for all locations except the trusted corporate network.

Why this answer

Option A is correct because it targets only the Azure portal (the Microsoft Azure Management cloud app), applies the policy to all locations, and excludes the trusted corporate network from that scope. This ensures MFA is required for every access attempt from an untrusted location while allowing direct access from the corporate network without MFA.

Exam trap

The trap here is that candidates often select 'All cloud apps' (Option B) thinking it covers the Azure portal, but this over-scopes the policy and forces MFA on all applications, which is not the requirement.

How to eliminate wrong answers

Option B is wrong because it applies to 'All cloud apps' instead of only 'Microsoft Azure Management', which would force MFA for every cloud app (e.g., Exchange Online, SharePoint) even when the requirement is only for the Azure portal. Option C is wrong because it blocks access from the corporate network, which is the opposite of the requirement (the corporate network should be trusted and allowed without MFA). Option D is wrong because it requires MFA from the corporate network, which contradicts the requirement to exempt the corporate network from MFA.

46
MCQ · medium

An organization uses Microsoft Entra ID P2 licenses. They need to require multi-factor authentication (MFA) for all users accessing a critical financial application, but they must exclude a set of service accounts that are members of the 'Service Accounts' group. Which policy should they create?

A.A Conditional Access policy with a grant control requiring MFA and an exclude assignment for the 'Service Accounts' group.
B.An Identity Protection user risk policy configured to require MFA for high-risk users.
C.Per-user MFA enforced on all users, then disabled for the service accounts individually.
D.A Conditional Access sign-in risk policy requiring MFA for risky sign-ins.
Answer: A

Conditional Access can target the application and exclude specific groups, ensuring service accounts are not prompted for MFA.

Why this answer

Option A is correct because a Conditional Access policy allows you to grant access only when MFA is completed, and you can exclude specific groups like 'Service Accounts' from the policy's assignments. This ensures all users except the excluded service accounts are prompted for MFA when accessing the critical financial application. The 'Require multi-factor authentication' grant control is the appropriate control for this scenario.

Exam trap

The trap here is that candidates may confuse Conditional Access policies with Identity Protection risk policies, thinking a risk-based policy can enforce MFA for all users accessing a specific app, but risk policies only apply to risky sign-ins or users, not to all access attempts.

How to eliminate wrong answers

Option B is wrong because an Identity Protection user risk policy targets users with high risk of compromise, not all users accessing a specific application, and it cannot exclude a group like 'Service Accounts'. Option C is wrong because per-user MFA is a legacy approach that does not support group-based exclusions; disabling MFA for individual service accounts is cumbersome and not scalable. Option D is wrong because a sign-in risk policy requires MFA based on the risk level of the sign-in, not for all access to a specific application, and it cannot exclude a group.

47
Drag & Drop · medium

Drag and drop the steps to configure Microsoft Intune device enrollment restrictions in the correct order.



Why this order

Enrollment restrictions are created per platform, configured with device requirements, and assigned to groups.

48
MCQ · hard

A company invites external partners as B2B guest users in Microsoft Entra ID. The partners' home tenants do not support MFA. The company wants to require MFA when guests access an internal application. What should the company configure?

A.Configure a Conditional Access policy that targets all guest users, require MFA, and enable MFA registration for guests in the resource tenant.
B.Ask the partners to configure MFA in their home tenant, then trust their MFA claims.
C.Use a Per-User MFA policy for guest users, but guests cannot register for MFA in the resource tenant.
D.Create a Conditional Access policy requiring MFA for all external users, but exclude guests from known networks.
Answer: A

This is correct: the resource tenant can enforce MFA for guests and provide MFA registration, independent of the home tenant.

Why this answer

Option A is correct because when guest users' home tenants do not support MFA, the resource tenant must enforce MFA directly. A Conditional Access policy targeting all guest users with 'Require MFA' grant control, combined with enabling MFA registration for guests in the resource tenant, allows guests to register and use MFA methods (e.g., Microsoft Authenticator) within the resource tenant. This ensures MFA is enforced regardless of the home tenant's capabilities.

Exam trap

The trap here is that candidates often assume MFA must be handled by the home tenant (Option B) or that legacy Per-User MFA (Option C) works for guests, but Microsoft Entra ID requires Conditional Access policies and resource-tenant MFA registration for guest users when the home tenant cannot provide MFA claims.

How to eliminate wrong answers

Option B is wrong because the partners' home tenants do not support MFA, so asking them to configure MFA is not feasible, and trusting their MFA claims would require the home tenant to issue MFA claims, which it cannot. Option C is wrong because Per-User MFA is a legacy policy that does not support guest user registration in the resource tenant; guests cannot register for MFA via Per-User MFA, making it ineffective. Option D is wrong because excluding guests from known networks does not address the requirement to require MFA; it would actually bypass MFA for guests on known networks, weakening security.

49
MCQ · medium

Contoso uses Microsoft Entra ID P1 licenses and has a dedicated corporate office with static public IP addresses. The company wants to require MFA for all users, but exempt users when they connect from the corporate office. Which configuration should the administrator implement?

A. Create a Conditional Access policy that targets all users, grant access requiring MFA, and include the corporate office location as a condition.
B. Create a Conditional Access policy that targets all users, grant access requiring MFA, and exclude the corporate office location from the policy.
C. Configure a Per-User MFA policy and add the corporate office IPs to a list of trusted IPs in the MFA settings.
D. Create a Conditional Access policy that targets the corporate office location and grant access with MFA for all other locations.
Answer: B

Excluding the corporate office location ensures users connecting from those trusted IPs bypass MFA, while everyone else must satisfy the MFA requirement.

Why this answer

Option B is correct because a Conditional Access policy can target all users, require MFA as a grant control, and exclude the corporate office location (defined by static public IP addresses as a named location). This ensures MFA is enforced for all connections except those originating from the trusted corporate network, aligning with the requirement to exempt users at the office.

Exam trap

The trap here is that candidates often confuse 'include' and 'exclude' in Conditional Access conditions, mistakenly thinking that including the office location will exempt it, when in fact excluding the location is required to bypass MFA for that trusted network.

How to eliminate wrong answers

Option A is wrong because including the corporate office location as a condition would require MFA even when users connect from the office, which contradicts the exemption requirement. Option C is wrong because Per-User MFA is a legacy, less flexible approach that does not support location-based exemptions via Conditional Access; trusted IPs in MFA settings only bypass MFA for the MFA prompt itself but do not integrate with the granular policy controls of Conditional Access. Option D is wrong because targeting the corporate office location and granting access with MFA for all other locations is syntactically incorrect—Conditional Access policies grant access based on conditions, not by targeting a location to grant MFA elsewhere; the correct approach is to exclude the trusted location from the policy that requires MFA.

50
Drag & Drop · medium

Drag and drop the steps to configure Microsoft Entra ID (Azure AD) Connect for hybrid identity in the correct order.

Why this order

Azure AD Connect is installed, configured with sync options, OUs selected, and then enabled for continuous sync.

51
MCQ · medium

A company wants to require that all users accessing a critical internal application must be on a compliant device (managed by Intune) and must have authenticated with multi-factor authentication in the last 30 minutes. Which Conditional Access configurations are needed?

A. Grant controls 'Require multi-factor authentication' and 'Require device to be marked as compliant' with session control 'Sign-in frequency' set to 30 minutes
B. Grant controls 'Require multi-factor authentication' and 'Require device to be marked as compliant' and 'Require all the selected controls'
C. Grant controls 'Require multi-factor authentication' and 'Require hybrid Azure AD joined device' with session control 'App enforced restrictions'
D. Grant control 'Block access' for non-compliant devices and a separate policy for MFA
Answer: A

This combination ensures both MFA and device compliance are required, and the sign-in frequency session control forces MFA reauthentication every 30 minutes.

Why this answer

Option A is correct because it combines the required grant controls ('Require multi-factor authentication' and 'Require device to be marked as compliant') with the session control 'Sign-in frequency' set to 30 minutes. The sign-in frequency session control enforces reauthentication after the specified time window, ensuring MFA was performed within the last 30 minutes. The grant controls ensure both MFA and device compliance are satisfied simultaneously.

Exam trap

The trap here is that candidates often confuse 'Require all the selected controls' (which is a logical AND operator for grant controls) with session controls, and fail to realize that time-based MFA reauthentication requires a separate session control setting, not just a grant control.

How to eliminate wrong answers

Option B is wrong because it includes 'Require all the selected controls' but omits the session control 'Sign-in frequency', which is necessary to enforce the 30-minute MFA reauthentication window; without it, MFA is only required at initial sign-in. Option C is wrong because it requires a 'hybrid Azure AD joined device' instead of a device 'marked as compliant', and uses 'App enforced restrictions' which does not enforce a 30-minute MFA reauthentication interval. Option D is wrong because using a separate policy for MFA and a 'Block access' policy for non-compliant devices cannot enforce the 30-minute MFA reauthentication requirement; session controls like 'Sign-in frequency' are needed for time-based reauthentication, and blocking non-compliant devices alone does not ensure MFA freshness.

52
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage role activations. They have an Azure AD Premium P2 license. The security team wants to require that any activation of the Exchange Administrator role must be approved by a specific group named 'Exchange Approvers'. Additionally, activations must require a ticket number and expire after 6 hours. Which PIM configuration should the administrator modify?

A. Configure the 'Role settings' for the Exchange Administrator role to require approval and set the approvers group
B. Add the Exchange Administrator role to the 'Exchange Approvers' group's eligible assignments
C. Create a PIM alert for activations without a ticket number and set a 6-hour alert threshold
D. Define an access review for the Exchange Administrator role with a 6-hour review duration
Answer: A

Correct. The activation settings include a toggle for requiring approval, approver selection, justification requirements (ticket number), and the maximum activation duration.

Why this answer

Option A is correct because in Azure AD PIM, the 'Role settings' for a specific role (like Exchange Administrator) allow you to configure activation requirements, including requiring approval, specifying approvers (such as the 'Exchange Approvers' group), requiring a ticket number, and setting a maximum activation duration (e.g., 6 hours). This directly meets all the security team's requirements.

Exam trap

The trap here is confusing 'eligible assignments' (who can activate a role) with 'approvers' (who must approve activations), leading candidates to incorrectly select Option B.

How to eliminate wrong answers

Option B is wrong because adding the Exchange Administrator role to the 'Exchange Approvers' group's eligible assignments would make members of that group eligible to activate the role, not approve activations of the role. Option C is wrong because PIM alerts can notify about suspicious activities but cannot enforce a ticket number requirement or set a 6-hour activation duration; those are configured in role settings. Option D is wrong because access reviews are for periodic recertification of role assignments, not for controlling activation duration or requiring approval during activation.

53
MCQ · medium

A company wants to block access to Exchange Online from devices that are not compliant with Intune compliance policies. Which Conditional Access grant control should be used?

A. Require device to be marked as compliant
B. Require MFA
C. Require approved client app
D. Require all conditions
Answer: A

This grant control checks device compliance status and blocks non-compliant devices.

Why this answer

To block access to Exchange Online from non-compliant devices, you need to enforce a Conditional Access policy that evaluates device compliance status. The 'Require device to be marked as compliant' grant control checks the device's compliance state reported by Microsoft Intune before granting access. If the device is not compliant, access to Exchange Online is blocked, ensuring only managed and compliant devices can connect.

Exam trap

The trap here is that candidates often confuse 'Require device to be marked as compliant' with 'Require approved client app' or 'Require MFA', thinking any of these can block non-compliant devices, but only the device compliance grant directly evaluates Intune compliance policies.

How to eliminate wrong answers

Option B is wrong because Require MFA only enforces multi-factor authentication, not device compliance; a non-compliant device could still access Exchange Online after MFA. Option C is wrong because Require approved client app restricts access to specific apps (e.g., Outlook mobile) but does not check device compliance; a non-compliant device could use an approved app. Option D is wrong because Require all conditions is not a valid grant control; it is a conceptual option that would require all other controls simultaneously, which is not a specific setting in Conditional Access.

54
MCQ · easy

A company uses hybrid identity with Azure AD Connect and password hash synchronization. They want to enable Self-Service Password Reset (SSPR) with password writeback so that users can reset their on-premises Active Directory passwords. Which Azure AD license is required?

A. Azure AD Free
B. Azure AD Premium P1
C. Azure AD Premium P2
D. Microsoft 365 E3
Answer: B

Premium P1 includes password writeback and SSPR with on-premises integration.

Why this answer

Azure AD Premium P1 is required for Self-Service Password Reset (SSPR) with password writeback. Password writeback is a premium feature that enables password changes in Azure AD to be written back to on-premises Active Directory via Azure AD Connect. Azure AD Free does not include SSPR with writeback, and Azure AD Premium P2 includes additional features like Identity Protection but is not necessary for this scenario.

Exam trap

The trap here is that candidates often assume Microsoft 365 E3 includes Azure AD Premium P1 features, but it only includes Azure AD Free; password writeback specifically requires a Premium P1 or higher license.

How to eliminate wrong answers

Option A is wrong because Azure AD Free does not include Self-Service Password Reset (SSPR) with password writeback; it only supports basic SSPR for cloud-only users without writeback. Option C is wrong because Azure AD Premium P2 includes all P1 features plus Identity Protection and Privileged Identity Management, but the extra capabilities are not required for password writeback; P1 is sufficient. Option D is wrong because Microsoft 365 E3 includes Azure AD Free, not Premium P1, and therefore does not support password writeback; a separate Azure AD Premium P1 license or an equivalent E5 plan is needed.

55
MCQ · medium

An organization wants to allow users to sign in to Microsoft 365 using their on-premises Active Directory credentials but does not want to synchronize password hashes to the cloud. They also want to eliminate the need for users to re-enter their credentials when accessing cloud resources from domain-joined devices. Which combination of authentication methods should they implement?

A. Pass-through Authentication (PTA) with Seamless Single Sign-On (SSO)
B. Federation with Active Directory Federation Services (AD FS)
C. Password Hash Sync (PHS) with Seamless SSO
D. Cloud-only authentication with MFA
Answer: A

PTA validates passwords on-premises without storing hashes, and Seamless SSO provides automatic sign-in for domain-joined devices.

Why this answer

Pass-through Authentication (PTA) validates user passwords directly against on-premises Active Directory without storing password hashes in the cloud, satisfying the requirement to avoid hash synchronization. Seamless SSO eliminates the need for users to re-enter credentials on domain-joined devices by using Kerberos delegation to silently authenticate against Microsoft Entra ID, meeting both stated needs.

Exam trap

The trap here is that candidates often confuse Seamless SSO as being exclusive to Password Hash Sync, but it is also fully supported with Pass-through Authentication, and the key differentiator is the requirement to avoid password hash synchronization.

How to eliminate wrong answers

Option B (Federation with AD FS) is wrong because it requires deploying and maintaining additional federation infrastructure and does not inherently avoid password hash synchronization; AD FS still relies on password validation against on-premises AD but introduces complexity and potential single points of failure. Option C (PHS with Seamless SSO) is wrong because Password Hash Sync explicitly synchronizes password hashes to the cloud, which the organization wants to avoid. Option D (Cloud-only authentication with MFA) is wrong because it does not use on-premises Active Directory credentials at all, requiring users to have separate cloud identities and failing the requirement to authenticate against on-premises AD.

56
MCQ · medium

A company uses Azure AD Conditional Access to enforce MFA for all cloud apps. They have some users who are physically located in countries that are considered high-risk by the security team. The team wants to require device compliance (as defined by Intune) for sign-ins from those specific countries, while still requiring MFA from all other locations. How should the administrator configure the Conditional Access policy?

A. Create two Conditional Access policies: one for the high-risk countries requiring MFA and device compliance, and another for all other locations requiring only MFA
B. Create a single Conditional Access policy that includes both conditions (locations) and grant controls (MFA and device compliance) with an 'OR' operator
C. Use Azure AD Identity Protection to automatically evaluate location risk, and let Conditional Access apply the same policy to all users
D. Configure a single Conditional Access policy with multiple location conditions and multiple grant controls using an 'AND' operator
Answer: A

Correct. Separate policies allow different grant controls for different location conditions.

Why this answer

Option A is correct because Conditional Access policies are evaluated independently, and each policy can target specific conditions with distinct grant controls. By creating two separate policies—one for high-risk countries requiring both MFA and device compliance, and another for all other locations requiring only MFA—the administrator can enforce the exact requirements per location group. This approach avoids conflicts and ensures that users in high-risk countries are subject to stricter controls while others are not.

Exam trap

The trap here is that candidates often think a single policy can combine multiple location conditions with an 'AND' operator, but Conditional Access treats multiple locations within one policy as an 'OR' condition, making it impossible to enforce different grant controls for different location groups in one policy.

How to eliminate wrong answers

Option B is wrong because using an 'OR' operator between grant controls (MFA OR device compliance) would allow sign-ins that meet either requirement, not both; the requirement is to enforce both MFA and device compliance for high-risk countries. Option C is wrong because Azure AD Identity Protection evaluates sign-in risk (e.g., anonymous IP, leaked credentials) not geographic location risk; it cannot be used to enforce device compliance based on country. Option D is wrong because a single policy with multiple location conditions using an 'AND' operator would require a user to be in all specified locations simultaneously, which is impossible; Conditional Access evaluates location conditions with an 'OR' logic within a single policy, not 'AND'.

57
MCQ · hard

A company uses Microsoft Entra ID Governance to automate the lifecycle of user access. They want to automatically remove a user's group membership for a critical application 30 days after the user's employment end date is captured from the HR system. Which feature should be configured to meet this requirement?

A. Access Reviews
B. Entitlement management
C. Lifecycle Workflows
D. Privileged Identity Management
Answer: C

Lifecycle Workflows can be triggered by HR events (e.g., termination) and execute tasks like removing group memberships automatically.

Why this answer

Lifecycle Workflows (LCW) in Microsoft Entra ID Governance are specifically designed to automate joiner, mover, and leaver processes triggered by HR data. A 'leaver' workflow can be configured to remove group memberships a defined number of days after the employee's employment end date is captured from the HR system, meeting the 30-day requirement precisely.

Exam trap

The trap here is confusing Lifecycle Workflows (which handle HR-triggered automated actions with delays) with Entitlement management (which manages access packages and requests but lacks native HR event-driven scheduling).

How to eliminate wrong answers

Option A is wrong because Access Reviews are periodic attestation processes that require manual or scheduled approval to confirm access, not automated time-based removal triggered by an HR event. Option B is wrong because Entitlement management manages access packages and requests but does not natively support a delay-based removal triggered by an HR employment end date; it relies on access reviews or expiration policies that are not tied to HR lifecycle events. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval for privileged roles, not automated removal of standard group memberships based on an HR-driven schedule.

58
MCQ · medium

An administrator who is not a Global Administrator needs to manage just-in-time privileged access to Azure resources using Microsoft Entra Privileged Identity Management (PIM). Which built-in role must be assigned to the administrator to allow PIM management for Azure resources?

A. Privileged Role Administrator
B. User Administrator
C. Security Administrator
D. Application Administrator
Answer: A

Privileged Role Administrators can configure PIM settings, approve activations, and manage assignments for Azure resources.

Why this answer

The Privileged Role Administrator role is the only built-in role that grants permissions to manage all aspects of Privileged Identity Management (PIM) for Azure resources, including configuring just-in-time access, managing role assignments, and approving activation requests. This role is specifically designed for administrators who need to oversee PIM without requiring Global Administrator privileges, as it provides full control over PIM policies and role settings across Azure AD and Azure resources.

Exam trap

The trap here is that candidates often confuse the Privileged Role Administrator role with the Global Administrator role, assuming only Global Admins can manage PIM, but Microsoft specifically designed the Privileged Role Administrator to delegate PIM management without granting full tenant-wide administrative control.

How to eliminate wrong answers

Option B (User Administrator) is wrong because it can manage user accounts and groups but lacks permissions to configure PIM role settings, activation policies, or approve requests for Azure resource roles. Option C (Security Administrator) is wrong because it focuses on security features like conditional access and identity protection, not on managing PIM role assignments or just-in-time access policies. Option D (Application Administrator) is wrong because it is limited to managing enterprise applications and app registrations, with no ability to manage PIM role configurations or privileged access workflows.

59
MCQ · medium

A company uses Microsoft Entra ID P2 licenses. The security team wants to automatically require a password change for users with medium sign-in risk, but only when the sign-in originates from outside the corporate network. Users with high sign-in risk should be blocked entirely. A group of break-glass accounts must be excluded from all policies. Which feature should the administrator implement?

A. Conditional Access policies with sign-in risk and location conditions
B. Identity Protection risk policies
C. Privileged Identity Management (PIM)
D. Azure AD Identity Governance
Answer: A

Conditional Access can use sign-in risk as a condition and apply actions like require password change or block access, combined with location conditions.

Why this answer

Option A is correct because Conditional Access policies in Microsoft Entra ID allow combining sign-in risk conditions with location conditions (e.g., 'Not trusted IPs' or 'All trusted locations' set to false) to target only sign-ins from outside the corporate network. The policy can be configured to require a password change for medium risk and block access for high risk, while excluding break-glass accounts via the 'Exclude' tab using a dedicated group.

Exam trap

The trap here is that candidates confuse Identity Protection risk policies (which lack location scoping) with Conditional Access policies (which support both risk and location conditions), leading them to select Option B despite its inability to meet the location requirement.

How to eliminate wrong answers

Option B is wrong because Identity Protection risk policies (user risk and sign-in risk policies) operate at the tenant level and cannot be scoped to location conditions like 'outside corporate network'; they apply globally to all sign-ins. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time role activation and approval workflows, not sign-in risk-based access controls or password change requirements. Option D is wrong because Azure AD Identity Governance focuses on access reviews, entitlement management, and lifecycle workflows, not real-time sign-in risk enforcement or location-based conditional access.

60
MCQ · medium

An organization uses Microsoft Entra ID P2 licenses. They want to implement a policy that forces users to perform multi-factor authentication (MFA) only when they sign in from an untrusted location. The trusted locations include the corporate office IP range. Which type of policy should they create?

A. Identity Protection user risk policy
B. Conditional Access policy
C. MFA registration policy
D. Authentication methods policy
Answer: B

Conditional Access policies can include location conditions to require MFA only from untrusted locations.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to enforce MFA based on conditions like location. By configuring a policy that targets all users and cloud apps, with a condition excluding trusted IP ranges (corporate office), MFA is only triggered when sign-ins originate from untrusted locations. This is the precise mechanism for location-based MFA enforcement.

Exam trap

The trap here is confusing the purpose of Identity Protection policies (risk-based) with Conditional Access policies (condition-based), leading candidates to select A when the question explicitly requires location-based enforcement.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policy evaluates user risk level (e.g., leaked credentials) and can force MFA or password change, but it does not filter by location or trusted IP ranges. Option C is wrong because MFA registration policy only enforces that users register for MFA, not when MFA is prompted based on location. Option D is wrong because Authentication methods policy defines which MFA methods are available (e.g., phone, app) but does not control the conditions under which MFA is required.

61
Multi-Select · hard

A company uses Microsoft Entra ID with conditional access policies. They need to ensure that all external users who are invited via B2B collaboration must perform multi-factor authentication (MFA) when accessing the corporate SharePoint Online site. Which two configurations are required? (Choose two.)

Select 2 answers
A. Create a conditional access policy targeting all guest users, requiring MFA, and scope to SharePoint Online.
B. Enable cross-tenant access settings for the partner tenant to trust MFA claims.
C. Configure the SharePoint Online external sharing settings to require MFA for guest users.
D. Set the guest user access level in the SharePoint admin center to require MFA.
Answers: A, B

This is the primary policy to enforce MFA for guests on the SharePoint app.

Why this answer

Option A is correct because a conditional access policy in Microsoft Entra ID can be configured to target 'Guest or external users' (the 'All guest users' scope) and require multi-factor authentication (MFA) when accessing SharePoint Online. This directly enforces MFA for B2B collaboration users accessing the corporate SharePoint site, as the policy is evaluated at the resource tenant (the tenant hosting SharePoint).

Exam trap

The trap here is that candidates often confuse SharePoint's external sharing settings (which control sharing permissions) with Entra ID conditional access policies (which control authentication requirements), leading them to select Option C or D instead of recognizing that MFA enforcement must be configured at the identity layer via conditional access.

62
MCQ · easy

A company wants to use Azure AD Identity Protection features such as user risk policies and sign-in risk policies to automatically respond to risky behavior. Which Azure AD license is required to enable these capabilities?

A. Azure AD Free
B. Azure AD Premium P1
C. Azure AD Premium P2
D. Microsoft 365 E3
Answer: C

Azure AD Premium P2 is the correct license. It includes all P1 features plus Identity Protection, Privileged Identity Management, and risk-based access policies.

Why this answer

Azure AD Identity Protection features like user risk policies and sign-in risk policies require Azure AD Premium P2. This is because P2 includes Identity Protection, which provides risk-based conditional access policies that automatically respond to detected risks. Azure AD Premium P1 supports Conditional Access but lacks the risk detection and automated remediation capabilities of Identity Protection.

Exam trap

The trap here is that candidates often confuse Azure AD Premium P1 with P2, assuming Conditional Access alone enables risk policies, but P1 lacks the risk detection engine (Identity Protection) required for automated risk-based responses.

How to eliminate wrong answers

Option A is wrong because Azure AD Free provides no Conditional Access or Identity Protection capabilities, only basic directory services. Option B is wrong because Azure AD Premium P1 includes Conditional Access but not Identity Protection; it cannot evaluate user or sign-in risk levels or enforce risk-based policies. Option D is wrong because Microsoft 365 E3 includes Azure AD Premium P1, not P2, and therefore lacks Identity Protection features such as risk policies.

63
Multi-Select · medium

You are implementing Microsoft Entra ID governance for a large enterprise. Which three of the following can be used to enforce access recertification and lifecycle management for users and groups? (Choose three.)

Select 3 answers
- Microsoft Entra ID Governance access reviews
- Microsoft Entra ID Identity Governance entitlement management
- Microsoft Entra ID Identity Governance lifecycle workflows
- Microsoft Entra ID Privileged Identity Management (PIM) activation settings
- Microsoft Entra ID Conditional Access policies
- Microsoft Entra ID multi-factor authentication (MFA) registration campaign

Why this answer

Microsoft Entra ID Governance access reviews are correct because they enable administrators to create recurring reviews for group memberships, application access, and role assignments, ensuring that only authorized users retain access. Entitlement management is correct as it automates the lifecycle of access packages, including expiration and recertification policies for groups and applications. Lifecycle workflows are correct because they automate user lifecycle events (e.g., onboarding, offboarding, group membership changes) based on triggers like time-based conditions, enforcing recertification and lifecycle management.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with general identity governance, but PIM focuses on privileged role activation, not broad user/group lifecycle management or recertification.

64
MCQ · medium

A company uses Azure AD Identity Protection. The security team wants to automatically block users from signing in when the user risk level is 'High'. Which policy should they configure?

A. Conditional Access policy with user risk condition
B. Sign-in risk policy
C. User risk policy
D. MFA registration policy
Answer: C

The User risk policy in Identity Protection can block sign-in when user risk is high.

Why this answer

The User risk policy in Azure AD Identity Protection is specifically designed to automatically block sign-ins when the user risk level is 'High'. This policy evaluates the probability that a user's identity has been compromised based on signals like leaked credentials or anomalous behavior, and can enforce actions such as blocking access or requiring password change. Option C is correct because it directly targets user risk, not sign-in risk or other conditions.

Exam trap

The trap here is that candidates often confuse the User risk policy with the Sign-in risk policy, or think a Conditional Access policy with user risk condition is the only way to block based on user risk, but the exam expects the dedicated Identity Protection policy as the direct answer.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy with a user risk condition can also block sign-ins based on user risk, but the question asks for the specific policy to configure in Identity Protection, and the User risk policy is the dedicated, simpler policy for this purpose without requiring additional Conditional Access configuration. Option B is wrong because the Sign-in risk policy targets the risk level of individual sign-in sessions (e.g., anonymous IP, atypical travel), not the overall user risk level. Option D is wrong because the MFA registration policy enforces registration for Azure AD Multi-Factor Authentication, not blocking sign-ins based on user risk.

65
MCQ · medium

A company wants to automatically assign Microsoft 365 E5 licenses to all users in the Sales department. The department is identified by the department attribute in Microsoft Entra ID. The administrator needs to configure a method where licenses are assigned based on group membership, and the group membership is automatically updated based on user attributes. Which licensing approach should the administrator use?

A. Per-user licensing with a PowerShell script.
B. Group-based licensing with a dynamic group that uses the department attribute.
C. Subscription-based licensing via the Microsoft 365 admin center.
D. Group-based licensing with an assigned group that must be manually updated.
Answer: B

Group-based licensing assigns licenses to all members of a group. A dynamic group automatically updates membership based on user attributes like department, fulfilling the automated requirement.

Why this answer

Option B is correct because group-based licensing in Microsoft Entra ID allows automatic license assignment based on group membership, and a dynamic group can automatically update its membership using the department attribute rule (e.g., `user.department -eq "Sales"`). This meets the requirement for both automated license assignment and attribute-driven membership updates without manual intervention.

Exam trap

The trap here is that candidates may confuse group-based licensing with assigned groups (Option D) and overlook the dynamic group requirement, assuming any group-based licensing approach automatically updates membership, when in fact only dynamic groups provide attribute-driven automatic membership updates.

How to eliminate wrong answers

Option A is wrong because per-user licensing with a PowerShell script requires manual execution or scheduled automation, and does not provide real-time, attribute-driven automatic membership updates; it also lacks the native integration of group-based licensing. Option C is wrong because subscription-based licensing via the Microsoft 365 admin center refers to managing subscription quantities, not assigning licenses to individual users based on attributes or group membership. Option D is wrong because group-based licensing with an assigned group requires manual updates to group membership, which contradicts the requirement for automatic membership updates based on the department attribute.

66
MCQ · hard

An organization with Microsoft Entra ID P2 licenses needs to enforce that all users accessing the Azure portal must use FIDO2 security keys for multi-factor authentication. Which configuration should be implemented?

A. Create a Conditional Access policy that requires MFA and select FIDO2 as the authentication strength in the grant controls
B. Create a Conditional Access policy that requires MFA and set the grant control to require a specific device platform
C. Configure an authentication strength policy that requires FIDO2 and assign it to a Conditional Access policy
D. Configure an authentication methods policy that allows only FIDO2 security keys
Answer: C

Authentication strengths define acceptable methods; they are then referenced in Conditional Access grant controls to enforce the required method.

Why this answer

Option C is correct because in Microsoft Entra ID, authentication strengths allow you to define a specific set of authentication methods (e.g., FIDO2 security keys) and then assign that strength to a Conditional Access policy. This ensures that only FIDO2 security keys are accepted for MFA when accessing the Azure portal, meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse the direct selection of an authentication method in Conditional Access grant controls with the correct two-step process of first defining an authentication strength policy and then assigning it to a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because selecting FIDO2 as the authentication strength in the grant controls of a Conditional Access policy is not a valid configuration; authentication strengths are defined separately and then referenced by the policy, not selected directly in grant controls. Option B is wrong because requiring a specific device platform (e.g., Windows) does not enforce the use of FIDO2 security keys; it only restricts the device type, not the authentication method. Option D is wrong because configuring an authentication methods policy to allow only FIDO2 security keys would block all other methods globally, but it does not integrate with Conditional Access to target specific apps like the Azure portal; it applies to all sign-ins, which is too broad and not the intended enforcement mechanism.

67
MCQ · medium

A junior administrator needs permission to view sign-in logs, audit logs, and security recommendations in the Microsoft Entra admin center, but must not be able to reset passwords, modify settings, or manage roles. Which built-in Microsoft Entra role should the administrator assign?

A. Global Reader
B. Security Reader
C. Reports Reader
D. Security Administrator
Answer: B

Security Reader provides read-only access to security features, including sign-in logs, audit logs, and security recommendations. It does not allow any modification, meeting the requirement.

Why this answer

The Security Reader role grants read-only access to security-related data, including sign-in logs, audit logs, and security recommendations, without permitting any write operations such as password resets, setting modifications, or role management. This aligns precisely with the junior administrator's required permissions.

Exam trap

The trap here is that candidates often confuse the Security Reader role with the Security Administrator role, mistakenly assuming that viewing security recommendations requires write permissions, or they overlook the legacy Reports Reader role which does not cover all required log types.

How to eliminate wrong answers

Option A is wrong because the Global Reader role provides read-only access to all aspects of Microsoft Entra ID, including settings and configurations, which is broader than the required scope and could inadvertently expose sensitive configuration data. Option C is wrong because the Reports Reader role is a legacy role that only allows viewing reports in the Azure portal, not the full set of sign-in logs, audit logs, and security recommendations in the Microsoft Entra admin center. Option D is wrong because the Security Administrator role has write permissions that include the ability to modify security policies, reset passwords, and manage roles, which exceeds the junior administrator's required restrictions.

68
MCQ · medium

A company uses password hash synchronization with Microsoft Entra Connect. The security team wants to enable self-service password reset (SSPR) so that users can reset their own passwords, and the password changes must be written back to the on-premises Active Directory. Which additional configuration is required to achieve password writeback?

A. Configure SSPR to use federation with on-premises AD FS
B. Enable password hash synchronization in Microsoft Entra Connect
C. Install Microsoft Entra Connect with password writeback enabled
D. Set the SSPR property 'Password writeback' to 'Yes' in the Microsoft Entra admin center
Answer: C

Password writeback requires the password writeback feature to be enabled in Microsoft Entra Connect (re-run wizard or reconfigure).

Why this answer

Password writeback requires the installation of Microsoft Entra Connect with the password writeback feature explicitly enabled during setup. This allows password changes initiated via SSPR to be written back to on-premises Active Directory. Option C is correct because it directly addresses the necessary infrastructure component.

Exam trap

The trap here is that candidates often confuse configuring the SSPR policy setting (Option D) with the actual installation requirement, assuming the admin center toggle alone enables writeback without realizing the Entra Connect component must be installed first.

How to eliminate wrong answers

Option A is wrong because federation with AD FS is not required for password writeback; SSPR with password hash synchronization works independently of federation. Option B is wrong because password hash synchronization is already in place per the scenario, but enabling it again does not enable writeback; writeback is a separate feature. Option D is wrong because setting the SSPR property 'Password writeback' to 'Yes' in the admin center only configures the SSPR policy; it does not install or enable the writeback service in Entra Connect, which is a prerequisite.

69
MCQ · medium

A company with Azure AD Premium P2 licenses wants to enforce that all activations of the Global Administrator role require approval from a designated security group. The activation must also require a business justification and expire after 4 hours. Which Azure AD feature should the administrator configure?

A. Azure AD Identity Protection
B. Azure AD Privileged Identity Management (PIM)
C. Azure AD Conditional Access
D. Azure AD Multi-Factor Authentication
Answer: B

PIM provides just-in-time privileged access with approval, justification, and expiration settings.

Why this answer

Azure AD Privileged Identity Management (PIM) provides time-bound and approval-based role activation. It allows you to require approval from a designated security group, mandate a business justification, and set a maximum activation duration (e.g., 4 hours) for privileged roles like Global Administrator. This directly matches all the requirements in the question.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls sign-in conditions) with PIM (which controls role activation), leading them to select Option C because they think 'approval' is a conditional access policy, but PIM is the only feature that manages role activation workflows and expiration.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection is a risk-based tool that detects and responds to identity threats (e.g., leaked credentials, sign-in risks) but does not manage role activation, approval workflows, or activation duration. Option C is wrong because Azure AD Conditional Access enforces access policies based on conditions like location or device state, but it cannot control role activation approval or expiration; it applies to sign-in events, not role elevation. Option D is wrong because Azure AD Multi-Factor Authentication adds an extra verification step during authentication but does not provide approval workflows, business justification prompts, or time-bound role activation.

70
MCQ · medium

A company uses Microsoft Entra ID P2 licenses. A security administrator needs to grant a user temporary elevation to the Global Administrator role for a specific task. The elevation should require approval from a designated group and be time-limited. Which Microsoft Entra feature should be configured?

A. Conditional Access
B. Privileged Identity Management
C. Identity Protection
D. Access Reviews
Answer: B

PIM enables just-in-time privileged access with approval and time limits.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID P2 provides just-in-time (JIT) privileged access with time-bound activation, approval workflows, and audit logging. This directly meets the requirement for temporary elevation to Global Administrator with approval from a designated group and a time limit.

Exam trap

The trap here is that candidates confuse Privileged Identity Management with Conditional Access, thinking Conditional Access can enforce time-limited role elevation, but Conditional Access only controls authentication conditions, not role activation or approval workflows.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like user location or device state at sign-in, but it does not provide time-limited role elevation with approval workflows. Option C is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, impossible travel), not on managing privileged role assignments or approvals. Option D is wrong because Access Reviews are used to periodically review and certify existing group memberships or role assignments, not to grant temporary, on-demand elevation with approval.

71
MCQ · medium

A company uses Microsoft Entra ID P2 licenses and wants to enforce multi-factor authentication (MFA) for all users when accessing corporate applications. However, a small group of break-glass accounts must be excluded from MFA requirements to ensure emergency access. The administrator creates a Conditional Access policy targeting all users. Which configuration should be applied to achieve the exclusion?

A. Set 'Grant' control to 'Require multi-factor authentication' and include all users including break-glass accounts.
B. Under 'Assignments' > 'Users and groups', select 'Exclude' and choose the security group containing break-glass accounts.
C. Under 'Session' controls, configure 'Sign-in frequency' with a value of 0 to disable MFA for break-glass accounts.
D. Create a separate policy for break-glass accounts that does not impose MFA and assign it a lower priority.
Answer: B

Excluding the break-glass group from the policy ensures they are not subject to MFA, preserving emergency access.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID allow administrators to exclude specific users or groups from policy enforcement. By excluding the security group containing break-glass accounts under 'Assignments' > 'Users and groups', the MFA requirement is applied to all other users while ensuring emergency access accounts remain unblocked. This is the standard and recommended approach for handling break-glass accounts in a Conditional Access policy targeting all users.

Exam trap

The trap here is that candidates may confuse session controls (like sign-in frequency) with grant controls (like MFA requirement), or incorrectly assume that a lower-priority policy can override a higher-priority policy that includes the same users, when in fact exclusion is the only reliable method to bypass a policy targeting all users.

How to eliminate wrong answers

Option A is wrong because including break-glass accounts in the policy would force them to satisfy MFA, defeating their purpose as emergency access accounts that must bypass all authentication requirements. Option C is wrong because the 'Sign-in frequency' session control manages how often users must re-authenticate, not whether MFA is required; setting it to 0 disables the session control but does not exclude break-glass accounts from MFA enforcement. Option D is wrong because creating a separate policy with lower priority does not override the existing policy that targets all users; Conditional Access policies are evaluated cumulatively, and the break-glass accounts would still be subject to the MFA requirement unless explicitly excluded.

72
MCQ · medium

A company plans to enable Self-Service Password Reset (SSPR) for all users. The administrator needs to ensure that users are required to register at least two authentication methods before they can use SSPR. Which configuration setting should the administrator modify?

A. Set the 'Number of methods required to reset' to 2 in the SSPR authentication methods settings.
B. Enable combined registration for SSPR and Microsoft Entra ID Multi-Factor Authentication.
C. Configure a Conditional Access policy requiring MFA registration for SSPR.
D. Set the 'Number of questions required to register' to 2 in the security questions settings.
Answer: A

This setting directly enforces that users must register at least two methods to use SSPR.

Why this answer

Option A is correct because the 'Number of methods required to reset' setting directly controls how many authentication methods a user must provide during the SSPR reset process. By setting this value to 2, the administrator ensures that users must register at least two methods (e.g., phone and email) before they can reset their password, as SSPR requires the registered methods to match the reset requirement.

Exam trap

The trap here is confusing the 'Number of methods required to reset' (which controls the reset process) with the 'Number of methods required to register' (which controls initial registration), leading candidates to mistakenly choose options that affect registration but not the reset requirement.

How to eliminate wrong answers

Option B is wrong because enabling combined registration for SSPR and Microsoft Entra ID Multi-Factor Authentication simplifies the registration process but does not enforce a minimum number of methods for SSPR usage. Option C is wrong because a Conditional Access policy requiring MFA registration for SSPR can mandate MFA registration but does not control the number of authentication methods needed for SSPR reset. Option D is wrong because the 'Number of questions required to register' setting applies only to security questions, which are a specific authentication method, and does not enforce the overall number of methods required for reset; also, security questions are not a recommended method for SSPR.

73
MCQ · medium

A security administrator needs to implement a just-in-time (JIT) privileged access solution for the Global Administrator role. Users must request activation and provide a business justification. The request must be approved by a separate group of approvers, and the role activation should expire after 4 hours. Which Microsoft Entra feature should be configured?

A. Conditional Access
B. Privileged Identity Management (PIM)
C. Azure AD Roles (default role settings)
D. Identity Protection
Answer: B

PIM enables time-bound role activation with approval, justification, and automatic deactivation.

Why this answer

Privileged Identity Management (PIM) is the Microsoft Entra feature specifically designed for just-in-time (JIT) privileged access. It allows you to configure role activation with approval workflows, require a business justification, set a maximum activation duration (e.g., 4 hours), and designate specific approvers. This directly matches all requirements in the question.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to apps) with PIM (which controls privileged role activation), or they assume default role settings can enforce JIT activation without realizing that PIM is the only feature that provides time-bound, approval-based role elevation.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like user location or device state, but it does not provide JIT role activation, approval workflows, or time-bound role elevation. Option C is wrong because Azure AD Roles (default role settings) only define static role assignments and permissions; they lack the ability to require activation requests, business justification, or approval from a separate group. Option D is wrong because Identity Protection focuses on detecting and remediating identity risks (e.g., leaked credentials, anomalous sign-ins) and does not manage privileged role activation or approval processes.

74
Multi-Select · hard

A company wants to enable self-service password reset (SSPR) for all users. Which two configurations are mandatory to allow users to reset their own passwords? (Choose two.)

Select 2 answers
A. Enable SSPR for 'All' users.
B. Select at least one authentication method (e.g., mobile phone or email).
C. Configure a custom helpdesk URL.
D. Enforce registration after 30 days.
Answers: A, B

SSPR must be enabled; without this, no users can reset passwords.

Why this answer

Option A is correct because enabling SSPR for 'All' users is a mandatory configuration that ensures every user in the tenant is licensed and permitted to use self-service password reset. Without this setting, SSPR would not be activated for the intended user population, even if authentication methods are configured.

Exam trap

The trap here is that candidates often confuse optional configurations (like custom helpdesk URL or registration enforcement) with mandatory prerequisites, leading them to select those instead of the required scope and authentication method settings.

75
MCQ · easy

An organization uses Microsoft Entra ID. They want to ensure that users cannot install browser extensions from the Microsoft Edge Add-ons store on managed devices. Which Microsoft Entra ID feature should they use to enforce this policy?

A. Conditional Access policy
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID device management with MDM/MAM policies
D. Privileged Identity Management
Answer: C

Device management policies via MDM (e.g., Intune) can enforce settings such as blocking browser extensions on managed devices.

Why this answer

Microsoft Entra ID device management with MDM/MAM policies (Option C) is correct because browser extension restrictions for Microsoft Edge on managed devices are enforced through device compliance or app protection policies configured in Microsoft Intune, which is the core MDM/MAM service integrated with Entra ID. These policies can block installation from the Edge Add-ons store by using the 'Allow extensions from other stores' setting or by creating a custom OMA-URI policy to restrict extension installation. Conditional Access policies (Option A) control access based on signals like device compliance but cannot directly enforce device-level settings like browser extension installation.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with device management policies, assuming that access controls can enforce device settings, when in fact Conditional Access only gates access based on existing device state and cannot push configuration changes.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies evaluate access conditions (e.g., user, location, device state) and apply access controls (e.g., block, require MFA), but they do not enforce device configuration settings like blocking browser extensions; that requires MDM/MAM policies. Option B is wrong because Microsoft Entra ID Identity Protection focuses on detecting and responding to identity risks (e.g., leaked credentials, anomalous sign-ins) and automating risk-based remediation, not managing device-level software installation policies. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews in Entra ID, not device configuration or application control policies.
