CCNA Implement And Manage Identity And Access In Microsoft Entra Id Questions

7 of 82 questions · Page 2/2 · Implement And Manage Identity And Access In Microsoft Entra Id topic

76
MCQ · medium

The security team wants to require approval for any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM). The approvers must be members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify?

A. Role settings for Global Administrator: require approval, set maximum activation duration to 4 hours, and require justification
B. Role settings for Global Administrator: require MFA, set maximum activation duration to 4 hours, and require justification
C. In the eligible assignments for Global Administrator, add 'GA-Approvers' as approvers
D. Both A and C
Answer: D

Option A enables approval, duration, and justification; option C adds the approver group. Both are required.

Why this answer

Option D is correct because configuring PIM role settings for Global Administrator requires both enabling approval (with the 'GA-Approvers' group as designated approvers) and setting the activation parameters (maximum duration of 4 hours and justification requirement). Option A alone only sets the role settings but does not specify which group serves as approvers; Option C alone adds the approvers group but does not configure the activation duration or justification. Both A and C together fulfill the full requirement.

Exam trap

The trap here is that candidates often confuse role settings (which control activation policies like duration and approval) with eligible assignments (which define who can activate), leading them to select only Option A or only Option C, missing that both must be configured together to meet the full requirement.

How to eliminate wrong answers

Option A is wrong because, although it correctly enables approval, sets the maximum activation duration to 4 hours, and requires justification, it does not name the 'GA-Approvers' group as the approvers; the approvers must be defined separately in the role settings. Option B is wrong because it requires MFA instead of approval, which does not meet the requirement for approval-based activation. Option C is wrong because adding 'GA-Approvers' as approvers in eligible assignments does not configure the activation duration or justification; those parameters are set in the role settings, not in assignments.

77
Multi-Select · medium

Administrators want to enforce multi-factor authentication (MFA) for all users when accessing cloud applications from untrusted networks. They plan to use Azure AD Conditional Access with named locations. Which two components must be configured to meet this requirement? (Select two.)

Select 2 answers
A. Location policy
B. Named location for the corporate network
C. Conditional Access policy targeting all cloud apps
D. Conditional Access policy targeting MFA registration
Answers: B, C

Named locations define trusted IP ranges that the Conditional Access policy can use to distinguish trusted from untrusted networks.

Why this answer

Option B is correct because named locations in Azure AD Conditional Access allow administrators to define trusted network boundaries, such as the corporate network's public IP range. By marking this named location as a trusted location, the Conditional Access policy can then require MFA when users access cloud applications from any network that is not the corporate network, effectively enforcing MFA from untrusted networks.

Exam trap

The trap here is that candidates often confuse 'named location' with 'location policy' (Option A) or mistakenly think that targeting MFA registration (Option D) is sufficient to enforce MFA during access, when in fact registration policies only handle the enrollment flow, not the authentication challenge at sign-in.

78
MCQ · easy

A company wants to reduce help desk calls by allowing users to reset their own passwords securely. Users should be able to reset their passwords using a mobile phone number or email as verification. Which Microsoft Entra ID feature should be enabled?

A. Conditional Access
B. Self-Service Password Reset (SSPR)
C. Password Protection
D. Identity Protection
Answer: B

SSPR enables users to reset their own passwords using configured authentication methods.

Why this answer

Self-Service Password Reset (SSPR) is the Microsoft Entra ID feature specifically designed to allow users to reset their own passwords without help desk intervention. It supports verification methods such as mobile phone number (via SMS or phone call) and email, meeting the company's requirement for secure, user-driven password resets.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with SSPR (which handles the authentication recovery process), leading them to select Conditional Access when the question explicitly asks about password reset functionality.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals like user, device, or location; it does not provide password reset functionality. Option C is wrong because Password Protection is a feature that blocks weak or compromised passwords by enforcing custom banned password lists and global banned lists, but it does not enable users to reset their own passwords. Option D is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-in behaviors and user risks (e.g., leaked credentials), but it does not offer self-service password reset capabilities.

79
MCQ · easy

A company wants to allow users to reset their own passwords without administrator intervention. They need to configure Self-Service Password Reset (SSPR) for all cloud-only users. Which Azure AD license is required for all users to enable SSPR?

A. Azure AD Free
B. Azure AD Premium P1
C. Microsoft 365 Business Basic
D. Azure AD Premium P2
Answer: B

Azure AD Premium P1 is the minimum license required to enable SSPR for cloud-only users.

Why this answer

Azure AD Premium P1 includes the Self-Service Password Reset (SSPR) capability for cloud-only users. Azure AD Free only supports SSPR for cloud users if the tenant has at least one Azure AD Premium P1 license assigned, but the feature itself is a Premium P1 benefit. Microsoft 365 Business Basic does not include SSPR; it provides basic identity features without password reset self-service.

Azure AD Premium P2 includes all P1 features plus Identity Protection and Privileged Identity Management, but SSPR does not require P2.

Exam trap

The trap here is that candidates often assume Azure AD Free includes SSPR because Microsoft offers a 'free' tier, but SSPR is a Premium P1 feature, and the free tier only allows basic directory services without self-service password reset capabilities.

How to eliminate wrong answers

Option A is wrong because Azure AD Free does not include SSPR for users; it only allows basic directory features and requires at least one Premium P1 license to enable SSPR. Option C is wrong because Microsoft 365 Business Basic does not include Azure AD Premium features; it provides only basic identity management without self-service password reset. Option D is wrong because Azure AD Premium P2 includes SSPR but is not required; Premium P1 is the minimum license needed for SSPR, making P2 an unnecessary over-licensing for this scenario.

80
MCQ · medium

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing a critical cloud application. However, they have a group of service accounts that cannot perform MFA and must be excluded. What is the recommended approach?

A. Create a Conditional Access policy that targets the application, requires MFA, and excludes the service account group
B. Enable per-user MFA for all users, then disable it for each service account
C. Enable Security Defaults
D. Use Identity Protection risk policies
Answer: A

This provides granular control and allows exclusion of service accounts.

Why this answer

Conditional Access policies allow granular control by targeting specific cloud applications and requiring MFA, while excluding groups like service accounts that cannot perform MFA. This approach is the recommended method because it avoids the limitations of per-user MFA (which is deprecated) and Security Defaults (which cannot exclude specific accounts).

Exam trap

The trap here is that candidates may confuse per-user MFA (legacy) with Conditional Access MFA, or assume Security Defaults can be customized with exclusions, when in fact it is a fixed baseline policy.

How to eliminate wrong answers

Option B is wrong because per-user MFA is a legacy, less flexible method that Microsoft recommends against; it cannot be scoped to specific applications and requires manual disabling for each service account, which is error-prone. Option C is wrong because Security Defaults enforces MFA for all users and cannot exclude any accounts, including service accounts, making it unsuitable when exclusions are required. Option D is wrong because Identity Protection risk policies focus on user risk and sign-in risk, not on enforcing MFA for a specific application; they are designed for adaptive access based on risk, not for blanket MFA requirements with exclusions.

81
Multi-Select · hard

An organization has Microsoft Entra ID P2 licenses and wants to configure a Conditional Access policy to restrict access to Microsoft 365 services. Which of the following can be used as conditions in the policy? (Choose two that apply)

Select 2 answers
A. Device platform
B. User risk
C. Authentication strength
D. Application ID
Answers: A, B

Device platform is a standard condition in Conditional Access that allows policies to be scoped based on the user's device operating system.

Why this answer

Device platform is a valid condition in Microsoft Entra Conditional Access policies, allowing administrators to target specific operating systems such as Windows, macOS, iOS, or Android. This enables granular control over access based on the device type, which is essential for enforcing security requirements like requiring compliant devices on certain platforms.

Exam trap

The trap here is that candidates confuse 'conditions' (which evaluate the request context) with 'grant controls' (which enforce actions like requiring MFA or authentication strength), leading them to select Authentication strength as a condition instead of a control.

82
MCQ · medium

A company wants to allow users to reset their own forgotten passwords using a mobile app notification as the verification method. Which Microsoft Entra feature should be enabled and configured?

A. Azure AD Password Protection
B. Self-service password reset
C. Privileged Identity Management
D. Identity Protection
Answer: B

SSPR can be configured to allow mobile app notification as a verification method for password resets.

Why this answer

Self-service password reset (SSPR) is the Microsoft Entra feature that allows users to reset their own forgotten passwords. To use a mobile app notification as the verification method, the administrator must enable SSPR and configure the 'Mobile app notification' authentication method under the 'Authentication methods' policy. This satisfies the requirement for a password reset triggered by a mobile app notification.

Exam trap

The trap here is that candidates often confuse Identity Protection (which can trigger a password reset based on risk) with the actual self-service password reset feature, forgetting that Identity Protection only initiates the reset process but does not provide the user-facing portal or verification methods for forgotten passwords.

How to eliminate wrong answers

Option A is wrong because Azure AD Password Protection is a feature that detects and blocks weak passwords and password spray attacks, not a mechanism for users to reset their own passwords. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and role activation, not self-service password reset for end users. Option D is wrong because Identity Protection uses risk-based policies to detect and respond to identity threats, such as risky sign-ins or leaked credentials, but does not enable users to reset their own passwords.
