CCNA Describe the capabilities of Microsoft Entra Questions

75 of 373 questions · Page 1/5 · Describe the capabilities of Microsoft Entra · Answers revealed

Question 1 (Multi-Select, easy)

Which TWO scenarios are addressed by Microsoft Entra ID Protection? (Choose two.)

Select 2 answers
A. Detecting leaked credentials on the dark web
B. Reviewing group membership assignments
C. Enforcing device compliance policies
D. Resetting forgotten passwords
E. Blocking sign-ins from anonymous IP addresses
Answers: A, E

ID Protection monitors for credential leaks.

Why this answer

Microsoft Entra ID Protection uses machine learning and heuristic algorithms to detect leaked credentials by monitoring known credential dumps on the dark web. When a user's credentials appear in a breach, ID Protection can automatically force a password reset or block sign-ins to mitigate risk. This is a core risk detection capability within the Identity Protection service.

Exam trap

The trap here is confusing Identity Protection's risk detection and remediation capabilities with other Microsoft Entra features like SSPR, access reviews, or device compliance, leading candidates to select options that are not part of the Identity Protection service.

Question 2 (Multi-Select, easy)

Which TWO capabilities are provided by Microsoft Entra External ID? (Choose two.)

Select 2 answers
A. Support for social identity providers like Google
B. Mobile device management
C. Collaboration with external users from partner organizations
D. On-premises server monitoring
E. Identity risk detection
Answers: A, C

Supports Google, Facebook, etc.

Why this answer

Options A and C are correct. External ID allows collaboration with users from other organizations and supports various identity providers. Option B is wrong because device management is Intune. Option E is wrong because risk detection is Identity Protection.

Question 3 (MCQ, medium)

A company uses Microsoft Entra ID. The security team wants to configure automated actions when user sign-ins are detected as high risk due to anonymized IP addresses or leaked credentials. They need to automatically block the sign-in or force a password change based on risk level. Which Microsoft Entra ID feature should they use?

A. Privileged Identity Management
B. Identity Protection
C. Azure AD Connect
D. Self-service password reset
Answer: B

Identity Protection detects risks like leaked credentials and anonymized IP addresses, and can automatically block sign-ins or require password reset through risk-based policies.

Why this answer

Microsoft Entra ID Protection is the correct feature because it automates the detection and remediation of identity-based risks, including sign-ins from anonymized IP addresses and leaked credentials. It allows administrators to configure conditional access policies that automatically block high-risk sign-ins or force a password change based on the risk level (e.g., low, medium, high). This directly matches the security team's requirement for automated actions tied to risk detection.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based automation with Privileged Identity Management's role-based controls, mistakenly thinking PIM handles all security automation for identities.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged role activation, access reviews, and approval workflows—not on detecting or responding to sign-in risks like anonymized IPs or leaked credentials. Option C is wrong because Azure AD Connect is a tool for synchronizing on-premises Active Directory identities to Microsoft Entra ID; it has no capability to evaluate sign-in risk or enforce automated remediation actions. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords but does not automatically trigger a password change based on risk detection; it requires manual initiation and lacks the risk-based automation described.

Question 4 (MCQ, medium)

Your company is implementing a new application that requires users to authenticate using Microsoft Entra ID. The security team wants to enforce multifactor authentication (MFA) for all users accessing this application, but only when they are connecting from an untrusted network. Which conditional access policy should you configure?

A. Session control: 'Use app enforced restrictions' to block access from untrusted networks.
B. Grant control: 'Require multifactor authentication' with a condition on 'Locations' set to 'All trusted locations' as exclusion.
C. Assignments: 'Users and groups' including all users, then grant control: 'Require multifactor authentication' without conditions.
D. Grant control: 'Require device to be marked as compliant' with a condition on 'Client apps'.
Answer: B

This correctly targets untrusted networks by requiring MFA for all locations except trusted ones.

Why this answer

Option B is correct because it configures a Conditional Access policy that grants access only when MFA is performed, and excludes trusted network locations. This ensures that MFA is enforced only when users connect from untrusted networks, meeting the security team's requirement.

Exam trap

The trap here is that candidates often confuse 'Grant control' with 'Session control' or overlook the need to exclude trusted locations, leading them to select an option that either enforces MFA everywhere or uses an inappropriate control like device compliance.

How to eliminate wrong answers

Option A is wrong because session control 'Use app enforced restrictions' does not enforce MFA; it relies on the application itself to enforce restrictions, which is not the same as requiring MFA via Conditional Access. Option C is wrong because it requires MFA for all access attempts without any location condition, which would enforce MFA even from trusted networks, violating the requirement to only enforce MFA from untrusted networks. Option D is wrong because it requires device compliance rather than MFA, and the condition on 'Client apps' does not address the location-based requirement for MFA enforcement.

Question 5 (MCQ, medium)

Refer to the exhibit. You are reviewing a risk detection report in Microsoft Entra Identity Protection. The report shows a user with high risk level and two risk events. What does the status 'remediated' indicate?

A. The risk is still active and requires investigation.
B. The risk has been resolved by a remediation action such as password reset.
C. The user's account has been confirmed as compromised.
D. The risk was dismissed by an administrator as false positive.
Answer: B

Remediated indicates the risk was mitigated.

Why this answer

In Microsoft Entra Identity Protection, the 'remediated' status indicates that the risk associated with the user has been resolved through an automated or manual remediation action, such as a password reset or completion of a multi-factor authentication (MFA) challenge. This means the detected risk event is no longer considered active, and the user's account has been brought back to a secure state. Option B correctly identifies that the risk was resolved by a remediation action.

Exam trap

The trap here is that candidates often confuse 'remediated' with 'dismissed as false positive', not realizing that 'remediated' implies a corrective action was taken (like password reset), while 'dismissed' means the risk was deemed invalid by an admin.

How to eliminate wrong answers

Option A is wrong because 'remediated' explicitly means the risk is no longer active; an active risk would be labeled 'at risk' or 'active', not 'remediated'. Option C is wrong because 'remediated' does not confirm compromise; it indicates the risk was mitigated, whereas a confirmed compromise would be shown as 'confirmed compromised' in the report. Option D is wrong because 'remediated' is distinct from 'dismissed as false positive'; a false positive dismissal would be labeled 'dismissed' or 'false positive', not 'remediated'.

Question 6 (Drag & Drop, medium)

Sequence the steps to set up Microsoft Sentinel for a new workspace.


Why this order

Setting up Sentinel requires a Log Analytics workspace, enabling Sentinel, connecting sources, creating rules, and automating responses.

Question 7 (MCQ, easy)

Your organization uses Microsoft Entra ID. You want to provide external partners with access to a SharePoint site using their own identity providers (e.g., Google, Facebook). Which feature should you use?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra Identity Protection
C. Microsoft Entra External ID (B2C)
D. Conditional Access policies
Answer: C

External ID B2C supports social identity providers.

Why this answer

Option C is correct because Microsoft Entra External ID (B2C) is specifically designed for customer-facing applications where external users authenticate using social identity providers like Google, Facebook, or Microsoft accounts. It supports OAuth 2.0 and OpenID Connect protocols to allow partners to sign in with their own identity providers, and it can be integrated with SharePoint sites via custom policies or app registrations. This feature provides the necessary federation and user self-service capabilities for external partner access with social identities.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (designed for enterprise guest users) with Microsoft Entra External ID (B2C) (designed for consumer/social identity scenarios), leading them to select Option A when the question explicitly requires support for social identity providers like Google and Facebook.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration is intended for business-to-business scenarios where external partners are invited as guest users in the tenant, but it does not natively support social identity providers like Google or Facebook for direct sign-in; it relies on the partner's existing Microsoft Entra ID or other enterprise identity providers. Option B is wrong because Microsoft Entra Identity Protection is a security tool that detects and responds to identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not provide any mechanism for external user authentication or federation with social identity providers. Option D is wrong because Conditional Access policies are used to enforce access controls (e.g., MFA, location, device compliance) after authentication, but they do not enable external users to authenticate with their own identity providers; they require an existing identity and authentication flow.

Question 8 (MCQ, easy)

A company uses Microsoft Entra ID for identity management. They want to allow employees to sign in using their existing Facebook credentials. Which feature should they configure?

A. Microsoft Entra Privileged Identity Management
B. Microsoft Entra External Identities
C. Microsoft Entra Conditional Access
D. Microsoft Entra Identity Protection
Answer: B

External Identities allows federation with social identity providers like Facebook.

Why this answer

Microsoft Entra External Identities (B) is the correct feature because it allows organizations to configure identity providers for external users, including social identity providers like Facebook. By enabling Facebook as an identity provider in the External Identities settings, employees can sign in using their existing Facebook credentials, which are federated via OAuth 2.0 and OpenID Connect protocols.

Exam trap

The trap here is that candidates often confuse External Identities (which handles external and social identity providers) with Conditional Access or Identity Protection, mistakenly thinking those features can directly enable social login, when in fact they only enforce policies or detect risks after authentication is configured.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access to privileged roles in Microsoft Entra ID, not for configuring external identity providers like Facebook. Option C is wrong because Microsoft Entra Conditional Access enforces policies based on signals such as user location or device compliance, but it does not configure or enable social identity providers for authentication. Option D is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials or anomalous sign-ins), but it does not allow integration with external identity providers like Facebook.

Question 9 (MCQ, hard)

You need to implement a solution that allows users to access cloud applications without entering a password, using Windows Hello for Business. Which Microsoft Entra feature integrates with Windows Hello for Business?

A. Conditional Access
B. Microsoft Entra ID
C. FIDO2 security keys
D. Microsoft Authenticator
Answer: B

Entra ID supports Windows Hello for Business as a credential.

Why this answer

Option B is correct because Microsoft Entra ID supports Windows Hello for Business as a strong credential. Option A is incorrect because Conditional Access can require Windows Hello but does not integrate it. Option C is incorrect because FIDO2 security keys are another passwordless method but are not Windows Hello. Option D is incorrect because Microsoft Authenticator is a separate MFA app.

Question 10 (MCQ, medium)

A company uses Microsoft Entra ID. The IT department has three teams: Helpdesk, Global Administrators, and Security Administrators. The company wants to allow the Helpdesk team to manage password resets and group memberships, but only for users who belong to the 'Sales' organizational unit. Which Microsoft Entra feature should the administrator use to define this delegated administrative scope?

A. Administrative Units
B. Privileged Identity Management (PIM)
C. Conditional Access policies
D. Identity Governance (Access Reviews)
Answer: A

Administrative Units allow you to delegate administrative tasks to specific groups of users, restricting their management scope to a subset of directory objects (e.g., users in a department). This is correct.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow you to delegate administrative permissions scoped to specific organizational units, such as the 'Sales' OU. By placing Sales users into an AU and assigning the Helpdesk team roles like 'Helpdesk Administrator' or 'User Administrator' scoped to that AU, you precisely control which users they can manage for password resets and group memberships. This directly meets the requirement for delegated administrative scope without granting broader tenant-wide permissions.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with scope delegation, but PIM controls *when* a role is used (time-bound activation), not *where* it can be applied (scope), which is the core requirement of this question.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM provides just-in-time activation and approval workflows for privileged roles, not the ability to scope administrative permissions to a specific organizational unit. Option C (Conditional Access policies) is wrong because Conditional Access controls authentication and access conditions (e.g., location, device compliance) for sign-ins, not delegated administration of user objects. Option D (Identity Governance with Access Reviews) is wrong because Access Reviews are used to periodically certify user access and group memberships, not to define the scope of administrative delegation.

Question 11 (Multi-Select, hard)

Which TWO are capabilities of Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A. Entitlement Management
B. Self-service password reset
C. Identity Protection
D. Access Reviews
E. Conditional Access
Answers: A, D

Entitlement Management is part of Entra ID Governance.

Why this answer

Entitlement Management and Access Reviews are capabilities of Entra ID Governance. Conditional Access is a separate feature, Identity Protection is security, and SSPR is user self-service.

Question 12 (MCQ, medium)

A company uses Microsoft Entra ID. The security team wants to automatically respond to risky user behaviors, such as sign-ins from anonymous IP addresses or impossible travel between geographically distant locations within an unrealistic time frame. They need a solution that can automatically trigger actions like forcing a password reset or blocking sign-in for users identified as high risk. Which Microsoft Entra ID capability should they configure?

A. Microsoft Entra Conditional Access
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra Identity Governance
Answer: B

Identity Protection detects risks and allows you to configure automated responses such as requiring MFA, forcing password reset, or blocking access for high-risk users.

Why this answer

Microsoft Entra Identity Protection is the correct capability because it is specifically designed to detect and automatically respond to risky user behaviors, such as sign-ins from anonymous IP addresses or impossible travel. It uses machine learning to assign risk levels and can trigger automated actions like forcing a password reset or blocking sign-in for high-risk users, aligning directly with the security team's requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is the enforcement mechanism that requires a risk signal from Identity Protection to trigger automated responses like blocking or password reset.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect risky behaviors or assign risk levels; it relies on signals from Identity Protection to trigger actions like requiring MFA. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, access reviews, and auditing for administrative roles, not on detecting or responding to user sign-in risk behaviors. Option D is wrong because Microsoft Entra Identity Governance manages identity lifecycle processes such as access certifications, entitlement management, and provisioning, but it does not include risk detection or automated response to risky sign-ins.

Question 13 (MCQ, easy)

Your organization is using Microsoft Entra ID. You want to provide a single sign-on (SSO) experience for users accessing multiple SaaS applications. Which feature should you implement?

A. Microsoft Entra ID as an identity provider
B. Microsoft Entra application proxy
C. Microsoft Entra myapps portal
D. Microsoft Entra Privileged Identity Management
Answer: A

Microsoft Entra ID supports federated SSO with many SaaS apps.

Why this answer

Microsoft Entra ID acts as an identity provider (IdP) to enable single sign-on (SSO) for SaaS applications. When configured as the IdP, Entra ID authenticates the user once and issues a security token (e.g., SAML 2.0 assertion or OpenID Connect token) that is accepted by the SaaS application, eliminating the need for repeated logins. This is the core mechanism for federated SSO across multiple cloud applications.

Exam trap

The trap here is that candidates confuse the My Apps portal (a user interface for launching apps) with the actual SSO authentication mechanism, but the portal itself does not perform authentication—it relies on Entra ID as the identity provider.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Application Proxy is a reverse proxy solution for publishing on-premises web applications externally, not for providing SSO to SaaS applications. Option C is wrong because the My Apps portal is a user-facing dashboard that aggregates access to applications, but it does not itself provide the SSO authentication mechanism; it relies on Entra ID as the IdP. Option D is wrong because Privileged Identity Management (PIM) is a feature for managing, controlling, and monitoring access to privileged roles, not for enabling SSO to SaaS applications.

Question 14 (MCQ, medium)

Your company wants to use Microsoft Entra ID to provide single sign-on (SSO) to a SaaS application that supports SAML 2.0. What should you configure in Microsoft Entra ID?

A. Enable Microsoft Entra ID Domain Services
B. Add the application from the Microsoft Entra ID Gallery in Enterprise applications
C. Configure Microsoft Entra ID Governance
D. Register the application in App registrations
Answer: B

Enterprise applications provide pre-integrated SSO for SaaS apps.

Why this answer

Option B is correct because adding the SaaS application from the Microsoft Entra ID Gallery in Enterprise applications is the standard method to configure SAML 2.0-based single sign-on (SSO). The gallery provides pre-integrated templates that include the necessary SAML endpoints, certificates, and attribute mappings, enabling seamless federation between Entra ID and the external application.

Exam trap

The trap here is that candidates confuse App registrations (for custom apps using OAuth/OpenID Connect) with Enterprise applications (for pre-integrated gallery apps using SAML), leading them to select option D instead of the correct B.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Domain Services (formerly Azure AD DS) provides managed domain services like LDAP and Kerberos for legacy applications, not SAML-based SSO for SaaS apps. Option C is wrong because Microsoft Entra ID Governance focuses on identity lifecycle, access reviews, and entitlement management, not the direct configuration of SAML SSO for a specific application. Option D is wrong because App registrations is used for custom application development (OAuth 2.0/OpenID Connect), not for integrating pre-built gallery applications that support SAML 2.0; gallery apps are added via Enterprise applications.

Question 15 (MCQ, easy)

A company uses Microsoft Entra ID. The security team wants to automatically block sign-ins from IP addresses that exhibit brute-force attack patterns. Which capability should they enable?

A. Microsoft Entra Identity Protection
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra External Identities
D. Microsoft Entra Conditional Access
Answer: A

Identity Protection uses machine learning to detect sign-in risks and can block them automatically.

Why this answer

Microsoft Entra Identity Protection is the correct capability because it uses machine learning and heuristic detection to automatically identify and block sign-ins from IP addresses exhibiting brute-force attack patterns, such as repeated failed authentication attempts. It can trigger risk-based policies, including blocking access or requiring multi-factor authentication, without manual intervention. This directly addresses the security team's requirement to automate the response to brute-force patterns.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces policies based on conditions) with Identity Protection (which provides the risk detection signals), leading them to select D, even though Conditional Access alone cannot automatically detect brute-force patterns without Identity Protection's risk assessments.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) is focused on managing, controlling, and monitoring access to privileged roles (e.g., Global Administrator) through just-in-time activation and approval workflows, not on detecting or blocking brute-force sign-in patterns. Option C is wrong because Microsoft Entra External Identities is designed for managing collaboration with external users (e.g., B2B and B2C scenarios), including identity providers and guest user access, and does not include automated brute-force detection or blocking. Option D is wrong because Microsoft Entra Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking access) based on conditions like location or device state, but it does not natively detect brute-force attack patterns; it relies on signals from Identity Protection or other sources to trigger such responses.

Question 16 (MCQ, medium)

A company uses Microsoft Entra ID and wants to automatically detect potential security risks such as leaked credentials and suspicious sign-in patterns. They also need the ability to investigate these risks and configure automated responses based on risk levels. Which Microsoft Entra capability should they use?

A. Microsoft Entra ID Governance
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Domain Services
Answer: B

Identity Protection is the correct service for detecting identity risks and enabling automated risk-based policies such as requiring MFA or password changes.

Why this answer

Microsoft Entra Identity Protection is the correct service because it automatically detects potential security risks such as leaked credentials and suspicious sign-in patterns, provides investigation tools (e.g., risk reports and detailed risk event logs), and enables automated responses like conditional access policies that block or require MFA based on risk levels. This directly matches the scenario's requirements for detection, investigation, and automated remediation.

Exam trap

The trap here is confusing Identity Protection (which handles user and sign-in risk detection and automated response) with Privileged Identity Management (PIM), which only manages privileged role activation and does not detect leaked credentials or suspicious sign-in patterns.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycle, access reviews, and entitlement management, not on detecting security risks like leaked credentials or suspicious sign-in patterns. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) is specifically for managing, controlling, and monitoring access to privileged roles (e.g., just-in-time access), not for detecting general user sign-in risks or leaked credentials. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy applications, not risk detection or automated response capabilities.

Question 17 (MCQ, easy)

Your organization uses Microsoft Entra ID free tier. You need to synchronize user accounts from your on-premises Active Directory to the cloud. You also need to synchronize password hashes so that users can use the same password for cloud and on-premises resources. Which tool should you use?

A. Configure Microsoft Entra Domain Services to sync from on-premises.
B. Use Microsoft Graph API to create users and set passwords.
C. Install Microsoft Entra Connect and enable password hash synchronization.
D. Deploy Active Directory Federation Services (AD FS) to enable single sign-on.
Answer: C

Entra Connect synchronizes identities and password hashes.

Why this answer

Microsoft Entra Connect is the correct tool for synchronizing on-premises Active Directory user accounts to Microsoft Entra ID (formerly Azure AD) and enabling password hash synchronization. Password hash synchronization allows users to use the same password for both on-premises and cloud resources by syncing a hash of the on-premises password to Entra ID, which is supported in the free tier of Entra ID.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Domain Services with Microsoft Entra Connect, thinking that Domain Services can sync from on-premises AD, when in fact it only syncs from Entra ID to the managed domain, not the other way around.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Domain Services (Azure AD DS) provides managed domain services like domain join and Group Policy, but it does not synchronize user accounts from on-premises AD to Entra ID; it syncs from Entra ID to the managed domain, not the reverse. Option B is wrong because the Microsoft Graph API can programmatically create users and set passwords, but it does not provide ongoing synchronization of existing on-premises AD accounts or password hash synchronization; it is an API for manual or scripted operations, not a sync tool. Option D is wrong because Active Directory Federation Services (AD FS) enables single sign-on (SSO) using federation, but it does not synchronize user accounts or password hashes; it relies on an existing identity store and is typically used for federated authentication, not sync.

Question 18 (MCQ, hard)

You are the identity administrator for a large enterprise using Microsoft Entra ID. The company has 50,000 users and recently acquired a smaller company with 2,000 users that uses a third-party identity provider (IdP) based on SAML 2.0. The acquisition must be fully integrated within 30 days. The CISO mandates that all users must use MFA for any access to cloud applications. The acquired company's users currently do not use MFA. You need to choose an approach that minimizes changes to the acquired company's current authentication infrastructure while meeting the MFA requirement. The solution must also allow the acquired company's users to access resources in the parent tenant using their existing credentials. What should you do?

A. Configure B2B collaboration with the acquired company's IdP and enable MFA trust. In the parent tenant, create a Conditional Access policy that requires MFA for guest users.
B. Set up password hash synchronization from the acquired company's IdP to the parent tenant and enable MFA for all synced users.
C. Create new user accounts in the parent tenant for the acquired company's users and assign them Microsoft Entra ID P2 licenses to enable MFA via Conditional Access.
D. Migrate all acquired company users to the parent tenant's on-premises Active Directory and sync them to Microsoft Entra ID. Enable MFA via Conditional Access.
Answer: A

This allows the acquired company to use their existing IdP, and MFA trust allows the parent tenant to accept the acquired company's MFA claims or enforce its own.

Why this answer

Option A is correct because B2B collaboration allows the acquired company's users to authenticate against their existing SAML 2.0 IdP using their current credentials, minimizing infrastructure changes. By enabling MFA trust, the parent tenant can rely on the MFA claims already issued by the third-party IdP if it supports MFA, but since it does not, you can enforce MFA in the parent tenant via a Conditional Access policy that requires MFA for guest users. This approach meets the CISO's mandate without requiring the acquired company to deploy MFA on their own IdP or migrate users.

Exam trap

The trap here is that candidates often assume B2B collaboration cannot enforce MFA for guest users, or they mistakenly think password hash synchronization is a valid option for a third-party SAML IdP, when in fact PHS is only applicable to on-premises Active Directory environments.

How to eliminate wrong answers

Option B is wrong because password hash synchronization (PHS) requires the acquired company's IdP to be integrated with Microsoft Entra ID via Azure AD Connect, which is designed for on-premises Active Directory, not a third-party SAML 2.0 IdP; PHS also does not allow users to authenticate with their existing IdP credentials. Option C is wrong because creating new user accounts in the parent tenant forces the acquired company's users to manage separate credentials, violating the requirement to use their existing credentials. Option D is wrong because migrating users to the parent tenant's on-premises AD is a complex, time-consuming process that cannot be completed within 30 days and fundamentally changes the acquired company's authentication infrastructure, contradicting the goal of minimizing changes.

19
MCQmedium

Your company uses Microsoft Entra ID. You need to monitor and detect suspicious sign-in activities, such as sign-ins from anonymous IP addresses or unfamiliar locations. Which Microsoft Entra feature provides this capability?

A.Microsoft Entra audit logs
B.Conditional Access
C.Microsoft Entra Connect
D.Microsoft Entra ID Protection
AnswerD

ID Protection uses machine learning to detect and respond to identity risks.

Why this answer

Microsoft Entra ID Protection is the correct answer because it is specifically designed to detect and respond to identity-based risks, including suspicious sign-in activities such as sign-ins from anonymous IP addresses (e.g., Tor network) and unfamiliar locations. It uses machine learning algorithms and heuristic detection to assign a risk level to each sign-in, enabling automated remediation or alerting.

Exam trap

The trap here is that candidates often confuse Conditional Access (a policy enforcement engine) with the detection capability itself, not realizing that Conditional Access relies on risk assessments from ID Protection to act on suspicious sign-ins.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra audit logs record all changes and activities within the tenant (e.g., user creation, role changes) but do not perform real-time risk detection or analysis of sign-in patterns. Option B is wrong because Conditional Access enforces access policies based on conditions (e.g., location, device state) but does not inherently detect suspicious activities; it relies on signals from other services like ID Protection. Option C is wrong because Microsoft Entra Connect is a tool for synchronizing on-premises Active Directory objects to Microsoft Entra ID and has no role in monitoring or detecting sign-in anomalies.

20
MCQmedium

A company uses Microsoft Entra ID. They want to ensure that only users with a specific role can reset passwords for other users in their organization. Which feature should they use?

A.Privileged Identity Management
B.Conditional Access
C.Administrative Units
D.Identity Protection
AnswerC

Administrative Units let you define a scope (e.g., all users in Sales) and assign administrative roles that are limited to that scope, such as password reset.

Why this answer

Administrative Units let you delegate administrative tasks, such as password resets, to users who hold a role scoped to a subset of users. By assigning the Helpdesk Administrator role with its scope restricted to an administrative unit (rather than tenant-wide), you ensure that only those assignees can reset passwords for members of that unit, meeting the requirement precisely. Note that Helpdesk Administrator can reset passwords only for non-administrators and a limited set of low-privilege roles; resetting a privileged user's password requires a higher role.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with role-based delegation, but PIM controls when a role is active, not who can perform a specific action on a specific set of users.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) provides time-based and approval-based role activation to reduce standing access, but it does not scope password reset permissions to specific users; it manages role eligibility and activation. Option B is wrong because Conditional Access enforces access controls based on signals like location or device state, but it does not delegate or restrict who can perform administrative tasks like password resets. Option D is wrong because Identity Protection detects and responds to identity-based risks, such as leaked credentials or suspicious sign-ins, but it does not control which users have permission to reset passwords.

21
Multi-Selecthard

Which THREE are benefits of using Microsoft Entra ID as an identity provider? (Choose three.)

Select 3 answers
A.Web application hosting
B.Conditional Access policies
C.Centralized database management
D.Multifactor authentication
E.Single sign-on to thousands of cloud apps
AnswersB, D, E

Enables policy-based access control.

Why this answer

Microsoft Entra ID (formerly Azure AD) is a cloud-based identity and access management service. Conditional Access policies (B) are a core feature that enforce access controls based on signals like user, location, and device state. Multifactor authentication (D) strengthens the credential itself, and single sign-on (E) to thousands of pre-integrated SaaS applications in the gallery removes per-app passwords. All three are capabilities of the identity provider; web hosting (A) and database management (C) belong to other Azure services.

Exam trap

The trap here is that candidates confuse the identity provider's capabilities (like SSO, MFA, and Conditional Access) with unrelated Azure services (like App Service for hosting or Azure SQL for database management), leading them to select options that are not identity-specific.

22
MCQeasy

A company uses Microsoft Entra ID. The security manager wants to provide temporary, time-bound elevated access to the Global Administrator role only when needed, and require approval from a designated approver. Which Microsoft Entra ID capability should they use?

A.Microsoft Entra Conditional Access
B.Microsoft Entra Privileged Identity Management (PIM)
C.Microsoft Entra Identity Protection
D.Microsoft Entra Identity Governance (Access Reviews)
AnswerB

PIM provides just-in-time activation of privileged roles with workflows, time-bound access, and approval requirements, meeting all the stated needs.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by allowing users to activate the Global Administrator role for a limited, time-bound duration only when needed, and it enforces approval workflows from designated approvers. This directly matches the security manager's requirement for temporary, approval-based elevation.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls sign-in conditions) with PIM (which controls role activation), leading them to pick A because they think 'time-bound' refers to session timeout policies rather than role activation duration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access controls access based on conditions like location or device compliance, but it does not provide time-bound role activation or approval workflows for privileged roles. Option C is wrong because Microsoft Entra Identity Protection detects and responds to identity risks (e.g., leaked credentials, sign-in anomalies) but does not manage privileged role activation or approval. Option D is wrong because Microsoft Entra Identity Governance (Access Reviews) is used for periodic certification of group memberships or role assignments, not for on-demand, time-bound elevation with approval.

23
MCQmedium

A company uses Microsoft Entra ID. The security team wants to configure a policy so that when a user signs in from an unfamiliar location (not on the company's trusted IP ranges) or from an unfamiliar device, they are prompted for additional verification (e.g., MFA). However, if the sign-in is from a trusted location (e.g., office IP range) and a known device, no additional verification is required. Which Microsoft Entra ID feature should they configure?

A.Microsoft Entra ID Protection
B.Microsoft Entra Conditional Access
C.Microsoft Entra Privileged Identity Management (PIM)
D.Microsoft Entra Access Reviews
AnswerB

Conditional Access enables policies that evaluate conditions including user/group, location (via named locations), device state (compliant, domain-joined), and application. It can require MFA for untrusted locations/devices and allow access without MFA for trusted ones.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it allows administrators to define policies that evaluate sign-in context, such as user location (via named locations with trusted IP ranges) and device state (compliant or Microsoft Entra hybrid joined), and then enforce actions like requiring MFA only when the conditions are not met. This directly matches the requirement to prompt for additional verification from unfamiliar locations or devices while skipping it for trusted ones.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection with Conditional Access, but ID Protection provides risk signals (e.g., unfamiliar sign-in properties) that can be used by Conditional Access policies, not the policy engine itself that enforces location- and device-based MFA prompts.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection focuses on detecting and responding to identity risks (e.g., leaked credentials, anonymous IP addresses) and can trigger MFA based on risk level, but it does not natively evaluate trusted IP ranges or known device states for conditional access decisions without being combined with Conditional Access policies. Option C is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and access governance, not for controlling sign-in conditions based on location or device familiarity. Option D is wrong because Access Reviews are used to periodically review and certify group memberships, application access, or role assignments, not to enforce real-time authentication policies based on sign-in context.

24
MCQeasy

Your organization is implementing a Zero Trust security model. Which Microsoft Entra ID capability helps verify the identity of users before granting access to resources?

A.Microsoft Entra ID Connect
B.Microsoft Entra ID Domain Services
C.Microsoft Entra ID Governance
D.Microsoft Entra ID Protection
AnswerD

Evaluates user and sign-in risks to enforce conditional access policies.

Why this answer

Microsoft Entra ID Protection (D) is the correct answer because it directly addresses the Zero Trust principle of 'verify explicitly' by using real-time risk detection and conditional access policies to verify user identity before granting access. It evaluates sign-in risk, user risk, and enforces policies like multi-factor authentication (MFA) or blocking access when suspicious activity is detected, ensuring that only legitimate users can access resources.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection with Microsoft Entra ID Governance, mistakenly thinking that governance policies (like access reviews) verify identity, when in fact governance manages permissions after access is granted, not the real-time verification required by Zero Trust.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Connect is a tool for synchronizing on-premises Active Directory objects to Microsoft Entra ID, not for verifying user identity at access time. Option B is wrong because Microsoft Entra ID Domain Services provides managed domain services like Kerberos and LDAP for legacy applications, but it does not perform identity verification or risk-based access control. Option C is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycle, access reviews, and entitlement management, not on real-time identity verification or risk assessment during authentication.

25
MCQhard

Your organization plans to migrate from on-premises Active Directory to Microsoft Entra ID. You need to design the identity synchronization strategy to support password hash synchronization and password writeback. Which tool should you use?

A.Microsoft Identity Manager
B.Active Directory Federation Services
C.Microsoft Entra Cloud Sync
D.Microsoft Entra Connect
AnswerD

Entra Connect supports password hash sync and writeback.

Why this answer

Microsoft Entra Connect is the correct tool because it supports both password hash synchronization and password writeback, which are required for the migration scenario. Password hash sync synchronizes a hash of the on-premises AD password to Entra ID, while password writeback enables password changes in the cloud to be written back to on-premises AD. Entra Connect is the primary hybrid identity tool that integrates on-premises directories with Microsoft Entra ID, offering these features natively.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Cloud Sync with Entra Connect. Cloud Sync shipped without password writeback (support was added to the provisioning agent later) and still offers a smaller feature set than Connect Sync, so the exam expects Entra Connect as the full-featured hybrid tool. In a real design, check Microsoft's current feature-comparison table rather than relying on the older limitation.

How to eliminate wrong answers

Option A is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution for managing users and groups across multiple directories, but it does not directly provide password hash synchronization or password writeback to Entra ID; those features are specific to Entra Connect. Option B is wrong because Active Directory Federation Services (AD FS) is a federation service that provides single sign-on (SSO) and claims-based authentication, but it does not perform password hash synchronization or password writeback; it relies on a federation trust rather than password sync. Option C is wrong because Microsoft Entra Cloud Sync is a lightweight, agent-based option for syncing users from on-premises AD to Entra ID; it originally did not support password writeback and still lacks several Connect Sync features (for example pass-through authentication and device writeback), so the exam treats the full Entra Connect installation as the answer.

26
MCQmedium

A company wants to prevent users from setting weak passwords that are commonly found in leaked databases. They use Microsoft Entra ID (formerly Azure AD). Which feature should they enable?

A.Microsoft Entra ID Protection
B.Microsoft Entra ID Password Protection
C.Microsoft Entra ID Privileged Identity Management
D.Microsoft Entra ID Conditional Access
AnswerB

Correct. This feature enforces password policies by banning common passwords from a global and custom list, reducing password-related risks.

Why this answer

Microsoft Entra ID Password Protection is the correct feature because it specifically blocks weak passwords by comparing them against a global list of commonly compromised passwords (e.g., from leaked databases) and an optional custom banned password list. This feature enforces password strength at the time of creation or reset, preventing users from setting passwords that appear in known breaches.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection (which detects credentials after they have already been exposed and raises user risk) with Password Protection (which proactively blocks weak or banned passwords at creation or reset), leading them to choose the risk-detection feature instead of the prevention feature.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not enforce password policies or block weak passwords at creation. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not password strength enforcement. Option D is wrong because Conditional Access evaluates sign-in conditions (e.g., location, device compliance) to grant or block access, but it does not validate or block weak passwords during password setting.

27
MCQmedium

A user reports that they cannot access a critical application, receiving an error that their session has expired. The sign-in logs show the user was prompted for multifactor authentication (MFA) multiple times during the same session. What should an administrator review to reduce these interruptions?

A.Microsoft Entra tenant-wide MFA settings
B.Microsoft Entra Conditional Access session controls
C.Microsoft Entra Identity Protection policies
D.Microsoft Entra Privileged Identity Management settings
AnswerB

Session controls allow configuring sign-in frequency and persistent browser sessions to reduce MFA prompts.

Why this answer

Option B is correct because adjusting session controls in Conditional Access policies (sign-in frequency and persistent browser session) reduces repeated MFA prompts for the same user and device. Option A is wrong because the tenant-wide (per-user) MFA settings are not as granular as Conditional Access and do not control how often a satisfied MFA claim is re-requested. Option C is wrong because Identity Protection focuses on risk detection, not session lifetime. Option D is wrong because PIM is for privileged role management.

28
Multi-Selecthard

Your organization uses Microsoft Entra ID. Which THREE authentication methods can be used for passwordless sign-in?

Select 3 answers
A.Microsoft Authenticator (phone sign-in)
B.SMS-based verification
C.FIDO2 security keys
D.Windows Hello for Business
E.Time-based one-time password (TOTP)
AnswersA, C, D

Microsoft Authenticator can enable passwordless phone sign-in.

Why this answer

Microsoft Authenticator (phone sign-in) enables passwordless authentication by using a cryptographic key pair tied to the user's device. When signing in, the user approves a notification on their phone, and the Authenticator app signs the challenge with the private key, eliminating the need for a password.

Exam trap

The trap here is that candidates confuse second-factor methods like TOTP or SMS codes with passwordless authentication, but passwordless requires the primary authentication factor to be something you have (device or key) without needing a password at all.

29
Multi-Selecthard

Which THREE of the following are features of Microsoft Entra ID Protection?

Select 3 answers
A.Access reviews
B.User risk detection (e.g., leaked credentials)
C.Sign-in risk detection (e.g., anonymous IP addresses)
D.Entitlement management
E.Risk-based Conditional Access policies
AnswersB, C, E

ID Protection detects user risk events like leaked credentials.

Why this answer

Option B is correct because Microsoft Entra ID Protection includes user risk detection, which identifies accounts that may have been compromised based on signals such as leaked credentials, unusual activity, or password spray attacks. This feature helps administrators automatically respond to elevated user risk by triggering remediation actions like password reset or blocking sign-ins.

Exam trap

The trap here is that candidates confuse Entra ID Protection with Entra ID Governance features (Access reviews and Entitlement management), which are separate capabilities focused on lifecycle and compliance rather than risk detection and remediation.

30
MCQeasy

Your organization is deploying Microsoft Entra ID. You need to ensure that users can sign in using their existing on-premises Active Directory credentials without creating new cloud passwords. Which feature should you configure?

A.Microsoft Entra Connect
B.Microsoft Entra Multifactor Authentication
C.Microsoft Entra Self-Service Password Reset
D.Microsoft Entra Privileged Identity Management (PIM)
AnswerA

Entra Connect syncs identities and enables password hash sync or pass-through authentication.

Why this answer

Microsoft Entra Connect is the correct feature because it synchronizes on-premises Active Directory identities to Microsoft Entra ID and enables password hash synchronization or pass-through authentication, allowing users to sign in with their existing on-premises credentials without creating new cloud passwords. This ensures a seamless hybrid identity experience where the same username and password work for both on-premises and cloud resources.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect with Microsoft Entra Multifactor Authentication, thinking that MFA alone can authenticate against on-premises credentials, but MFA only provides an additional verification step and does not handle primary authentication against on-premises Active Directory.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Multifactor Authentication adds a second layer of security but does not synchronize or authenticate on-premises credentials; it requires an existing identity in the cloud. Option C is wrong because Microsoft Entra Self-Service Password Reset allows users to reset their own passwords but does not enable sign-in with existing on-premises credentials; it relies on an already synchronized or cloud-only identity. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time access and role assignments, not credential synchronization or authentication against on-premises Active Directory.

31
Multi-Selectmedium

A company uses Microsoft Entra ID. They need to implement a Conditional Access policy for the finance application that requires multifactor authentication (MFA) when a user accesses the app from an unmanaged device. Additionally, they want to block access if the sign-in risk level is high. Which two grant controls should they configure in the policy? (Select two.)

Select 2 answers
A.Require multi-factor authentication
B.Block access
C.Require device to be marked as compliant
D.Require approved client app
AnswersA, B

Correct. This grant control forces users to complete MFA when the condition (unmanaged device) is met, satisfying the requirement for an extra verification step.

Why this answer

Option A is correct because the scenario explicitly requires multifactor authentication (MFA) when a user accesses the finance application from an unmanaged device. In Microsoft Entra ID Conditional Access, the 'Require multi-factor authentication' grant control enforces MFA as part of the policy, directly meeting this requirement. Option B is correct because the scenario also requires blocking access if the sign-in risk level is high.

The 'Block access' grant control is the appropriate control to deny authentication when a high-risk sign-in is detected. In the Entra admin center, Block access is exclusive of the other grant controls within the same policy, so in practice this is deployed as two policies: one scoped to unmanaged devices that requires MFA, and one scoped to high sign-in risk that blocks. When several policies apply to one sign-in, a block in any of them wins.

Exam trap

The trap here is that candidates often confuse 'Require device to be marked as compliant' with 'unmanaged device' conditions, but unmanaged devices are not necessarily non-compliant; the policy specifically targets unmanaged devices for MFA, not compliance enforcement.
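The conditions and grant controls discussed in questions 23, 27 and 31 map directly onto the Microsoft Graph conditionalAccessPolicy resource. The following is an added example written for this page (not Microsoft's code and not part of the original question bank): it builds three report-only policies as Graph payloads and includes a small evaluator that mimics how Entra combines several applicable policies (conditions within one policy are ANDed, a block beats any grant, and every grant control from every applicable policy must be satisfied). The application ID is a constructed placeholder, and the evaluator understands only the condition shapes used here; it is a teaching model, not the real engine.

```python
"""Added example: Microsoft Entra Conditional Access policies expressed as
Microsoft Graph payloads (POST /identity/conditionalAccess/policies), plus a
toy evaluator showing how Entra combines applicable policies.
FINANCE_APP_ID is a constructed placeholder, not a real tenant object."""
import json

FINANCE_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder


def build_policies() -> list[dict]:
    """Three policies: conditions inside one policy are ANDed, so the two MFA
    triggers (untrusted location, non-compliant device) need separate policies,
    and 'block' is exclusive of other grant controls so it gets its own too."""
    base_conditions = {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": [FINANCE_APP_ID]},
    }
    return [
        {
            "displayName": "Finance: MFA from untrusted locations",
            "state": "enabledForReportingButNotEnforced",  # report-only before enforcing
            "conditions": {**base_conditions,
                           "locations": {"includeLocations": ["All"],
                                         "excludeLocations": ["AllTrusted"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
            "sessionControls": {  # fewer re-prompts once MFA has been satisfied (question 27)
                "signInFrequency": {"isEnabled": True, "type": "days", "value": 1},
                "persistentBrowser": {"isEnabled": True, "mode": "always"}},
        },
        {
            "displayName": "Finance: MFA from non-compliant devices",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {**base_conditions,
                           "devices": {"deviceFilter": {"mode": "include",
                                                        "rule": "device.isCompliant -ne True"}}},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "displayName": "Finance: block high sign-in risk",
            "state": "enabledForReportingButNotEnforced",
            "conditions": {**base_conditions, "signInRiskLevels": ["high"]},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
    ]


def policy_applies(policy: dict, ctx: dict) -> bool:
    """Every configured condition must match (AND). Only the condition shapes
    built above are understood; anything else raises rather than guessing."""
    cond = policy["conditions"]
    if "locations" in cond:
        loc = cond["locations"]
        if "All" not in loc.get("includeLocations", []):
            raise NotImplementedError(loc)
        if "AllTrusted" in loc.get("excludeLocations", []) and ctx["trusted_location"]:
            return False
    if "devices" in cond:
        rule = cond["devices"]["deviceFilter"]["rule"]
        if rule != "device.isCompliant -ne True":
            raise NotImplementedError(rule)
        if ctx["device_compliant"]:
            return False
    if cond.get("signInRiskLevels") and ctx["sign_in_risk"] not in cond["signInRiskLevels"]:
        return False
    return True


def evaluate(policies: list[dict], ctx: dict) -> tuple[str, frozenset[str]]:
    """Block wins over everything else; otherwise every grant control from every
    applicable policy must be satisfied, which is how Entra treats several
    policies that target the same sign-in."""
    controls: set[str] = set()
    for policy in policies:
        if policy_applies(policy, ctx):
            controls.update(policy["grantControls"]["builtInControls"])
    if "block" in controls:
        return "block", frozenset()
    return "grant", frozenset(controls)


if __name__ == "__main__":
    print(json.dumps(build_policies()[0], indent=2))
    office = {"trusted_location": True, "device_compliant": True, "sign_in_risk": "none"}
    print(evaluate(build_policies(), office))  # trusted location + compliant device: no MFA
```

Submit each payload with POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (requires Policy.ReadWrite.ConditionalAccess), leave the state report-only while you read the Conditional Access tab of the sign-in log, and exclude an emergency-access account before switching the state to enabled.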

32
Matchingmedium

Match each compliance term to its correct definition.

Data residency: Where data is stored geographically

Data sovereignty: Data subject to laws of the country where it is stored

eDiscovery: Process of identifying and delivering electronic information for legal cases

Legal hold: Preserve data for litigation purposes

Data classification: Categorizing data based on sensitivity

Why these pairings

These are fundamental compliance concepts in Microsoft 365: residency is about where data physically sits, sovereignty is about whose laws apply to it, eDiscovery and legal hold are about finding and preserving it for litigation, and classification is about labeling it by sensitivity so the other controls can be applied consistently.

33
Multi-Selectmedium

Which THREE features are part of Microsoft Entra Identity Governance?

Select 3 answers
A.Microsoft Entra Connect
B.Privileged Identity Management
C.Access reviews
D.ID Protection
E.Entitlement management
AnswersB, C, E

PIM manages privileged roles.

Why this answer

Privileged Identity Management (PIM) is a core feature of Microsoft Entra Identity Governance because it provides just-in-time privileged access to Microsoft Entra roles and Azure resources, with time-bound activation and approval workflows. It directly supports the governance principle of least privilege by ensuring users only hold elevated permissions when needed and for a limited duration.

Exam trap

The trap here is that candidates confuse Microsoft Entra Connect (a synchronization tool) with Identity Governance features, or mistake ID Protection (a risk-detection service) for a governance capability, when the exam specifically tests the three pillars of Identity Governance: entitlement management, access reviews, and privileged identity management.

34
MCQhard

A company has Microsoft Entra ID with Conditional Access policies. Users report being prompted for MFA every time they access the company's CRM app from their corporate laptops. However, the policy is configured to require MFA only for untrusted locations. What is the most likely cause?

A.Users are authenticating via device code flow.
B.The Conditional Access policy has the 'Persistent browser session' setting enabled.
C.The policy is blocking legacy authentication.
D.The corporate laptops are not marked as compliant devices.
AnswerD

If the devices are not reported as compliant, a device-based Conditional Access policy can require MFA even from trusted locations.

Why this answer

The most likely cause is that the corporate laptops are not being reported as compliant. Conditional Access policies are evaluated independently, and a policy that keys on device state (a device filter for non-compliant devices, or a grant of 'require compliant device or MFA') applies regardless of the location exclusion in the untrusted-location policy. If the laptops are not enrolled, or their compliance status is not flowing from Microsoft Intune (or another MDM), that device-based policy falls back to MFA on every sign-in, even from the office. The Conditional Access tab of the sign-in log shows which policy actually applied and why.

Exam trap

The trap here is that candidates assume location is the only condition evaluated, but several Conditional Access policies can apply to one sign-in, and a policy keyed on device compliance will require MFA even when the location-based policy is satisfied.

How to eliminate wrong answers

Option A is wrong because device code flow is an authentication method for devices without browsers (e.g., CLI tools) and does not inherently bypass location-based MFA conditions. Option B is wrong because the 'Persistent browser session' setting controls session lifetime, not the frequency of MFA prompts based on location; it would not cause repeated MFA on every access. Option C is wrong because blocking legacy authentication would prevent access entirely for non-modern auth clients, not cause repeated MFA prompts for users already using modern authentication.

35
MCQeasy

A user reports that they cannot access Microsoft 365 apps from a public Wi-Fi network. The admin sees a Conditional Access policy requiring a compliant device and a trusted location. Which component enforces this policy?

A.Microsoft Entra ID
B.Microsoft Defender for Cloud Apps
C.Microsoft Entra Conditional Access
D.Microsoft Intune
AnswerC

Enforces access policies based on conditions.

Why this answer

Microsoft Entra Conditional Access is the policy engine inside Microsoft Entra ID that evaluates the conditions (location, device compliance) at sign-in and enforces the decision; here it blocks the user because the public Wi-Fi address does not match a trusted named location. Intune supplies the device compliance signal and Microsoft Entra ID performs the authentication, but the component that turns those signals into an allow or block decision is Conditional Access.

Exam trap

The trap here is that candidates pick the broader platform (Microsoft Entra ID) or the signal providers (Intune, Defender for Cloud Apps) instead of the specific component that evaluates and enforces the policy, which is Conditional Access.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID is the overall identity platform; the question asks for the specific component, and Conditional Access is the feature of Microsoft Entra ID that evaluates and enforces the policy. Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility and in-session controls over cloud app usage (it can act as a session control referenced by Conditional Access), but it does not make the sign-in allow or block decision. Option D is wrong because Microsoft Intune is the Mobile Device Management (MDM) and Mobile Application Management (MAM) service that determines and reports device compliance; it supplies the compliance status that Conditional Access consumes as a condition but does not enforce the policy.

36
MCQhard

A company is planning to migrate from on-premises Active Directory to Microsoft Entra ID. They have a custom line-of-business application that uses Windows Integrated Authentication and requires Kerberos. Which approach should they use to enable hybrid identity?

A.Deploy Microsoft Entra Kerberos authentication and register the app
B.Use password hash synchronization (PHS) and configure the app for OAuth
C.Use pass-through authentication (PTA) and configure the app for SAML
D.Federate with Active Directory Federation Services (ADFS)
AnswerA

Microsoft Entra Kerberos lets Microsoft Entra ID issue Kerberos tickets for an on-premises domain to hybrid users.

Why this answer

Option A is correct because Microsoft Entra Kerberos authentication lets Microsoft Entra ID issue Kerberos ticket-granting tickets for the on-premises Active Directory domain to hybrid users signing in from Microsoft Entra joined or hybrid joined devices. The Kerberos-dependent application keeps Windows Integrated Authentication unchanged while primary sign-in moves to Microsoft Entra ID; the on-premises domain stays in place (a Kerberos server object is created in it) and identities remain synchronized with Entra Connect. For browser-based legacy apps, pairing this with Microsoft Entra application proxy, which performs Kerberos constrained delegation on the app's behalf, is the usual pattern.

Exam trap

The trap here is that candidates often assume that any hybrid identity scenario requires federation (ADFS) or that modern protocols like OAuth/SAML can always replace Kerberos, but Microsoft Entra Kerberos authentication is specifically designed to support legacy Kerberos-dependent apps without federation.

How to eliminate wrong answers

Option B is wrong because password hash synchronization (PHS) does not provide Kerberos tickets; it only synchronizes password hashes for cloud authentication, and configuring the app for OAuth would require the app to support OAuth, which it does not (it uses Windows Integrated Authentication). Option C is wrong because pass-through authentication (PTA) validates passwords on-premises but does not issue Kerberos tickets; SAML is a different protocol that the app does not support. Option D is wrong because federating with Active Directory Federation Services (ADFS) would add unnecessary complexity and is not the recommended modern approach for enabling Kerberos-based hybrid identity; Microsoft Entra Kerberos authentication is the simpler, cloud-native solution.

37
MCQmedium

A university wants to provide its students with a verifiable digital transcript that the students can share with potential employers. The university uses Microsoft Entra Verified ID to issue credentials. When an employer wants to verify a student's transcript, they scan a QR code or receive a link. Which Microsoft Entra ID feature allows the university to issue these tamper-proof credentials and allows employers to verify them without contacting the university directly?

A.Microsoft Entra ID Protection
B.Microsoft Entra Domain Services
C.Microsoft Entra Verified ID
D.Microsoft Entra Permissions Management
AnswerC

Verified ID is used to issue and verify decentralized digital credentials.

Why this answer

Microsoft Entra Verified ID (option C) is the correct answer because it is the decentralized identity solution built on open standards (W3C Decentralized Identifiers and Verifiable Credentials) that allows the university to issue tamper-proof digital credentials. Employers can verify these credentials independently by scanning a QR code or following a link, without contacting the university, because the verifier resolves the issuer's DID document (Verified ID uses did:web, so the document is published at the issuer's domain) and checks the credential's signature against the public key it contains; the issuer does not need to be online or involved in the verification.

Exam trap

The trap here is that candidates may confuse 'Verified ID' with general identity protection or access management features, but the key differentiator is the decentralized, tamper-proof credential issuance and independent verification capability that only Verified ID provides.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security tool that detects identity-based risks (e.g., leaked credentials, sign-in anomalies) and enforces conditional access policies; it does not issue or verify verifiable credentials. Option B is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy applications and does not support decentralized identity or verifiable credential issuance. Option D is wrong because Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that helps manage and audit permissions across multi-cloud environments; it has no role in issuing or verifying verifiable credentials.

38
MCQhard

Your organization has multiple on-premises directories and wants to synchronize them to Microsoft Entra ID. However, you must avoid duplicate user objects. Which feature should you configure?

A. Password Hash Sync
B. Pass-through Authentication
C. Active Directory Federation Services
D. Source anchor attribute
Answer: D

Source anchor uniquely identifies objects across directories, preventing duplicates.

Why this answer

The source anchor attribute (often the objectGUID in on-premises directories) is used during synchronization to uniquely identify each object and prevent duplicates. By mapping each on-premises object to a single, immutable source anchor, Microsoft Entra Connect ensures that even if multiple directories contain the same user, only one corresponding object is created in Entra ID.

Exam trap

The trap here is that candidates often confuse features that handle authentication (Password Hash Sync, Pass-through Authentication, AD FS) with the identity-mapping mechanism (source anchor) that prevents duplicate objects during synchronization.

How to eliminate wrong answers

Option A is wrong because Password Hash Sync is a method for synchronizing user password hashes for authentication, not for preventing duplicate user objects. Option B is wrong because Pass-through Authentication validates passwords directly against on-premises Active Directory without synchronizing hashes, but does not address object deduplication. Option C is wrong because Active Directory Federation Services (AD FS) provides federated authentication using claims and does not handle object identity mapping or duplicate prevention during directory synchronization.

39
Multi-Select · easy

Which THREE are features of Microsoft Entra ID? (Choose three.)

Select 3 answers
A. Firewall management
B. Multifactor authentication
C. Self-service password reset
D. Single sign-on
E. Anti-malware protection
Answers: B, C, D

MFA is a feature of Entra ID.

Why this answer

Microsoft Entra ID provides multifactor authentication (MFA) as a core identity security feature, requiring users to verify their identity using two or more methods such as a password plus a phone call or mobile app notification. This significantly reduces the risk of credential theft and unauthorized access.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID with broader Azure security services, incorrectly assuming it includes network or endpoint protection features like firewall management or anti-malware, when in reality it is strictly an identity and access management solution.

40
MCQ · easy

Your organization wants to use Microsoft Entra ID to authenticate users from a partner company that uses its own identity provider. Which federation standard should you use?

A. OAuth 2.0
B. SCIM
C. OpenID Connect
D. SAML 2.0
Answer: D

SAML 2.0 is commonly used for federation between identity providers.

Why this answer

SAML 2.0 is the correct federation standard because it enables cross-organization authentication by allowing Microsoft Entra ID to trust assertions from a partner company's own identity provider. SAML 2.0 is specifically designed for enterprise federation scenarios where an external IdP authenticates users and sends a SAML assertion to Entra ID for access.

Exam trap

The trap here is that candidates confuse OpenID Connect (which is for modern app authentication) with SAML 2.0 (which is the standard for enterprise federation between separate identity providers), especially when the question mentions 'federation' and 'partner company using its own identity provider'.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 is an authorization framework, not an authentication protocol; it issues access tokens for delegated access but does not provide user identity assertions. Option B is wrong because SCIM (System for Cross-domain Identity Management) is a provisioning standard for automating user identity lifecycle management, not for authentication or federation. Option C is wrong because OpenID Connect is an authentication layer built on OAuth 2.0, but it is optimized for modern applications and social logins, not for the enterprise federation scenario where a partner company uses its own identity provider with SAML 2.0 assertions.

41
MCQ · medium

A company wants to allow external business partners to access its internal applications using their own corporate credentials (e.g., their Microsoft Entra ID or Google account), without creating separate user accounts in the company's directory. Which Microsoft Entra ID feature should they use?

A. Azure AD B2C (Business-to-Consumer)
B. B2B collaboration
C. Microsoft Entra Domain Services
D. Conditional Access
Answer: B

B2B collaboration allows external partners to sign in using their own work, school, or social identities, providing seamless access with minimal administrative overhead.

Why this answer

B2B collaboration allows the company to grant external business partners access to its internal applications using their own corporate identities (such as Microsoft Entra ID or Google accounts) without creating separate user accounts in the company's directory. It leverages federation trust and cross-tenant authentication, enabling partners to authenticate with their home organizations while accessing resources in the host tenant.

Exam trap

The trap here is confusing B2B collaboration (for business partners with existing corporate identities) with Azure AD B2C (for customers using social or local accounts), as both involve external users but serve fundamentally different scenarios.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing identity management with social or local accounts, not for business partner access using existing corporate credentials. Option C is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP and Kerberos for legacy applications, not external identity federation. Option D is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) after authentication, not a feature for inviting external users with their own credentials.

42
MCQ · medium

A company uses Microsoft Entra ID. They want to enforce that users accessing the payroll application from outside the corporate network must use multifactor authentication and must access the app only from devices that are marked as compliant by Intune. Which Conditional Access component should they use to combine these requirements?

A. Conditions
B. Grant controls
C. Sign-in risk policy
D. Session controls
Answer: B

Correct. Grant controls allow you to require MFA, require compliant device, or other controls to be satisfied before access is granted.

Why this answer

B is correct because Grant controls in a Conditional Access policy allow administrators to specify the access requirements that must be satisfied before a user can access a resource. In this scenario, the requirement to enforce both multifactor authentication and device compliance (from Intune) is achieved by configuring the Grant control to 'Require multifactor authentication' and 'Require device to be marked as compliant', combined with the 'Require all the selected controls' option. This ensures that both conditions must be met simultaneously for access to the payroll application from outside the corporate network.

Exam trap

The trap here is that candidates confuse 'Conditions' (the 'when' and 'where' of the policy) with 'Grant controls' (the 'what must happen' to gain access), leading them to incorrectly select Conditions as the component that combines the requirements.

How to eliminate wrong answers

Option A is wrong because Conditions define the signals or triggers for the policy (e.g., user location, device platform, application), not the actions or requirements that must be met once the policy is triggered. Option C is wrong because Sign-in risk policy is a specific type of Identity Protection policy that responds to real-time risk detections (e.g., anonymous IP address, atypical travel) and is not designed to combine static requirements like MFA and device compliance for a specific application. Option D is wrong because Session controls enforce limitations on the user session after access is granted (e.g., app-enforced restrictions, sign-in frequency), not the pre-access requirements like MFA or device compliance.

43
MCQ · easy

A company uses Microsoft Entra ID. They have a financial application that should only be accessible from Windows devices. The security team wants to create a Conditional Access policy to block access from other operating systems such as macOS or Linux. Which assignment condition should they configure?

A. Locations
B. Device platforms
C. Client apps
D. Sign-in risk
Answer: B

The Device platforms condition allows you to specify the operating system of the device. Setting it to 'Windows' will block access from macOS, Linux, and other platforms.

Why this answer

The Device platforms condition in a Conditional Access policy allows administrators to target specific operating systems (e.g., Windows, iOS, Android, macOS) or block others. By configuring this condition to only include Windows devices, the policy will block access from macOS, Linux, or any other non-Windows platform. This directly addresses the security team's requirement to restrict the financial application to Windows devices only.

Exam trap

The trap here is that candidates often confuse Device platforms with Client apps, thinking that blocking 'mobile apps' or 'browsers' would restrict the OS, but Client apps only controls the type of application client, not the underlying operating system.

How to eliminate wrong answers

Option A is wrong because Locations condition controls access based on geographic IP ranges or named locations (e.g., corporate network vs. external), not the operating system of the device. Option C is wrong because Client apps condition filters by application type (e.g., browser, mobile app, legacy authentication) and cannot distinguish between Windows, macOS, or Linux devices. Option D is wrong because Sign-in risk condition uses Microsoft Entra ID Protection to detect risky sign-in behaviors (e.g., anonymous IP, leaked credentials) and has no awareness of the device's operating system.

44
MCQ · medium

A company wants to automatically detect and alert the security team when a user sign-in appears to originate from a known compromised credential or from an anonymizing VPN service. The company wants to receive a risk score for each sign-in and be able to trigger automated remediation actions. Which Microsoft Entra ID feature should they enable?

A. Microsoft Entra ID Protection
B. Microsoft Entra Identity Governance
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra External Identities
Answer: A

Correct. Microsoft Entra ID Protection detects and responds to identity risks like leaked credentials and anonymous VPN usage.

Why this answer

Microsoft Entra ID Protection is the correct feature because it is specifically designed to detect and respond to identity-based risks, including sign-ins from compromised credentials and anonymizing VPN services (e.g., Tor). It assigns a risk score (low, medium, high) to each sign-in and user, and supports automated remediation actions such as requiring multi-factor authentication (MFA) or blocking sign-in via Conditional Access policies integrated with the risk detection.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'risk' or 'security,' but PIM only manages privileged role activation and does not detect or score sign-in risks from compromised credentials or anonymizing VPNs.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Governance) is wrong because it focuses on managing identity lifecycles, access reviews, and entitlement management, not on real-time risk detection or automated remediation of compromised sign-ins. Option C (Microsoft Entra Privileged Identity Management) is wrong because it is designed for just-in-time privileged access, role activation, and oversight of administrative roles, not for detecting risky sign-ins from anonymized sources or compromised credentials. Option D (Microsoft Entra External Identities) is wrong because it enables collaboration with external users (e.g., B2B and B2C scenarios) and does not include risk detection or scoring for sign-in events.

45
MCQ · medium

A company has an on-premises Active Directory domain and uses Microsoft Entra ID (Azure AD) for cloud applications. They purchase new Windows 10 laptops that are not yet joined to any domain. The IT admin wants users to be able to sign in with their existing on-premises credentials and automatically have the laptops joined to both the on-premises AD domain and Microsoft Entra ID. Which device identity option should the admin configure?

A. Microsoft Entra registered
B. Microsoft Entra joined
C. Microsoft Entra hybrid joined
D. On-premises domain join only
Answer: C

Correct. Hybrid join allows devices to be joined to both on-premises AD and Microsoft Entra ID.

Why this answer

Option C is correct because Microsoft Entra hybrid join allows devices to be joined to both an on-premises Active Directory domain and Microsoft Entra ID simultaneously. This enables users to sign in with their existing on-premises credentials and automatically have the laptops registered in both directories, meeting the requirement for a seamless single sign-on experience.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra joined' (cloud-only) with 'Microsoft Entra hybrid joined' (dual-joined), failing to recognize that the requirement for on-premises credentials and automatic dual join necessitates the hybrid option.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra registered devices are not joined to any domain; they are only registered in Entra ID for cloud-based access, lacking on-premises AD join. Option B is wrong because Microsoft Entra joined devices are joined solely to Entra ID, not to an on-premises AD domain, so they cannot use on-premises credentials for sign-in. Option D is wrong because an on-premises domain join only connects the device to the local AD, without any integration with Microsoft Entra ID, failing to meet the requirement for cloud join.

46
MCQ · medium

A company uses Microsoft Entra ID. The IT help desk team needs to be able to reset passwords and manage user account properties, but only for users located in the United Kingdom. The organization has created a dynamic group that contains all UK users. Which Microsoft Entra feature should an administrator use to delegate these administrative permissions specifically to the help desk team, limited to the UK user scope?

A. Administrative Units
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Access Packages
Answer: A

Administrative Units allow you to delegate administrative roles scoped to specific sets of users, groups, or devices. This enables the help desk to manage only UK users.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow an administrator to delegate administrative permissions over a subset of users, groups, or devices, scoped to a specific organizational boundary. By creating an AU that contains the dynamic group of UK users, the administrator can assign the Helpdesk Administrator role scoped to that AU, granting the help desk team the ability to reset passwords and manage user account properties only for those UK users. This directly meets the requirement of delegating permissions limited to the UK user scope.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with scope delegation, assuming PIM can limit permissions to a subset of users, when in fact PIM only controls role activation timing and approval, not the scope of the role's authority.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on conditions like location or risk, not a delegation mechanism for administrative permissions. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time activation and approval workflows for privileged roles, but it does not scope permissions to a subset of users like UK users; it controls who can use a role, not where the role applies. Option D is wrong because Access Packages are part of Entitlement Management and are used to automate access requests and approvals for resources like groups or apps, not to delegate administrative permissions for user management tasks.

47
MCQ · medium

You are reviewing a Conditional Access policy JSON. What is the result of this policy?

A. All users must complete MFA to access all cloud apps
B. Users from untrusted locations must complete MFA or use a compliant device to access Office 365
C. Users must complete MFA and use a compliant device from all locations
D. Users from trusted locations must complete MFA and use a compliant device
Answer: B

The policy excludes trusted locations and uses an OR condition between the grant controls.

Why this answer

The policy JSON grants access to Office 365 if the user is from an untrusted location and either completes MFA or uses a compliant device. This matches option B exactly. The 'OR' condition between MFA and compliant device is key, and the scope is limited to Office 365, not all cloud apps.

Exam trap

The trap here is that candidates often misread the 'OR' condition as 'AND' or assume the policy applies to all cloud apps instead of the specific app (Office 365), leading them to choose options A or C.

How to eliminate wrong answers

Option A is wrong because the policy targets only Office 365, not all cloud apps, and it applies only to untrusted locations, not all users. Option C is wrong because the policy uses an 'OR' condition (MFA OR compliant device), not an 'AND', and it applies only to untrusted locations, not all locations. Option D is wrong because the policy targets untrusted locations, not trusted locations, and uses an 'OR' condition, not 'AND'.

48
MCQ · medium

An organization uses Microsoft Intune to manage devices. They want to ensure that only devices marked as compliant can access corporate email in Exchange Online. Which Conditional Access component should they configure?

A. Conditions -> Device state
B. Grant controls -> Require device to be marked as compliant
C. Sign-in risk policy
D. Session controls -> Use Conditional Access App Control
Answer: B

This Grant control enforces that only devices evaluated as compliant by Intune (or another MDM) can access the resource, directly meeting the requirement.

Why this answer

Option B is correct because the 'Require device to be marked as compliant' grant control in Conditional Access enforces that only Intune-compliant devices can access Exchange Online. This integrates with Microsoft Entra ID to check the device compliance status reported by Intune before granting access to corporate email.

Exam trap

The trap here is confusing 'Conditions -> Device state' (which filters by platform or state) with the actual compliance enforcement in 'Grant controls', leading candidates to choose Option A thinking it checks compliance directly.

How to eliminate wrong answers

Option A is wrong because 'Conditions -> Device state' is used to target specific device platforms or states (e.g., Windows, iOS) but does not enforce compliance; it only filters which devices the policy applies to. Option C is wrong because 'Sign-in risk policy' is part of Identity Protection and assesses user sign-in risk (e.g., leaked credentials), not device compliance. Option D is wrong because 'Session controls -> Use Conditional Access App Control' enforces session-level restrictions (e.g., blocking download) via Microsoft Defender for Cloud Apps, not device compliance checks.

49
MCQ · hard

Your organization uses Microsoft Entra ID and Microsoft Sentinel. You need to analyze sign-in logs to detect risky sign-ins that are not blocked by Conditional Access policies. Which Microsoft Entra feature provides risk detection and can feed into Sentinel?

A. Microsoft Entra Verified ID
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra Entitlement Management
Answer: B

Identity Protection detects risky sign-ins and users, and can be integrated with Sentinel.

Why this answer

Microsoft Entra Identity Protection is the correct feature because it specifically provides risk detection for sign-ins and users, including leaked credentials, anonymous IP addresses, and atypical travel. It can feed these risk detections directly into Microsoft Sentinel via a connector, enabling advanced analysis and automated response. Conditional Access policies can use Identity Protection's risk signals to block or require MFA, but Identity Protection itself identifies the risky sign-ins that policies may not block.

Exam trap

The trap here is that candidates may confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'protection' and security, but PIM focuses on privileged role access, not sign-in risk detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Verified ID is a decentralized identity solution for verifiable credentials, not a risk detection or sign-in analysis feature. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time access and role activation, not sign-in risk detection. Option D is wrong because Microsoft Entra Entitlement Management handles access packages and governance for application access, not risk detection for sign-ins.

50
MCQ · hard

A large enterprise uses Microsoft Entra ID with P2 licenses. The security team wants to implement just-in-time (JIT) access for privileged roles and require approval for role activation. Additionally, they want to receive alerts when a role is activated outside business hours. Which feature should they use?

A. Microsoft Entra Identity Protection
B. Conditional Access policies
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra entitlement management
Answer: C

PIM provides JIT role activation with approval and alerts.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) is the correct feature because it provides just-in-time (JIT) activation of privileged roles, supports approval workflows for role activation, and can send alerts when roles are activated outside business hours. PIM is specifically designed for managing, controlling, and monitoring access to privileged roles in Microsoft Entra ID, including time-bound activation and notification settings.

Exam trap

The trap here is that candidates confuse Conditional Access policies (which control sign-in conditions) with PIM's role activation controls, but Conditional Access cannot manage role activation, approval, or time-based alerts for privileged roles.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a tool for detecting and responding to identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not provide JIT role activation, approval workflows, or alerts for role activation timing. Option B is wrong because Conditional Access policies enforce access controls based on conditions like location or device state but cannot manage privileged role activation, approval, or time-based alerts. Option D is wrong because Microsoft Entra entitlement management focuses on managing access packages and resource access for users and groups, not on privileged role activation with JIT, approval, or business-hours alerts.

51
MCQ · hard

A multinational organization uses Microsoft Entra ID and wants to allow employees to sign in to a custom customer-facing application using their existing social identities (e.g., LinkedIn, Google). They also need to enforce a specific terms of use agreement and be able to revoke a user's access if their social account is compromised. Which Microsoft Entra capability should they configure?

A. Microsoft Entra External ID (B2C)
B. Microsoft Entra B2B collaboration
C. Microsoft Entra Identity Protection
D. Microsoft Entra Conditional Access
Answer: A

B2C is designed for customer-facing applications, supports social identity providers, and allows configuration of terms of use and revocation of user access, meeting all requirements.

Why this answer

Microsoft Entra External ID (B2C) is the correct choice because it is specifically designed for customer-facing applications that need to support social identity providers (like LinkedIn and Google) via OAuth 2.0 and OpenID Connect. It allows you to enforce a custom terms of use agreement during sign-up and provides the ability to revoke a user's access by disabling their account in the B2C directory or removing the social identity mapping, which directly addresses the requirement to respond to a compromised social account.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (designed for external business partners accessing internal apps) with Microsoft Entra External ID (B2C) (designed for customer-facing apps with social identity providers), because both involve external users, but their use cases and capabilities are fundamentally different.

How to eliminate wrong answers

Option B (Microsoft Entra B2B collaboration) is wrong because it is designed for business-to-business scenarios, allowing external business partners to access your organization's internal resources (like SharePoint or Teams), not for customer-facing applications with social identity providers. Option C (Microsoft Entra Identity Protection) is wrong because it is a risk-based detection and remediation service for user sign-ins and identities, not a solution for managing external customer identities or enforcing terms of use agreements. Option D (Microsoft Entra Conditional Access) is wrong because it is a policy engine that enforces access controls (like MFA or device compliance) on sign-ins to your own resources, but it does not provide the ability to manage social identity providers or host a separate customer identity directory.

52
MCQ · medium

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to ensure that only devices that are enrolled in Intune and compliant with your organization's security policies can access corporate email. Which Microsoft Entra feature should you use?

A. Microsoft Entra Entitlement Management
B. Microsoft Entra Conditional Access
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Terms of Use
Answer: B

Conditional Access can enforce device compliance as a condition for access.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it enforces policy-based access controls that evaluate device compliance status reported by Microsoft Intune. By configuring a Conditional Access policy to require 'Device to be marked as compliant,' only devices enrolled in Intune and meeting security policies can access corporate email, leveraging the integration between Entra ID and Intune.

Exam trap

The trap here is that candidates often confuse Conditional Access with Privileged Identity Management (PIM) because both involve access control, but PIM focuses on privileged roles, not device compliance enforcement.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Entitlement Management manages access packages and identity governance for resource access, not device-level compliance enforcement. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) controls just-in-time privileged role activation and access reviews, not device compliance checks. Option D is wrong because Microsoft Entra Terms of Use presents acceptance agreements to users but does not evaluate device enrollment or compliance status.

53
Matching · medium

Match each identity term to its correct meaning.


Concepts
Matches

An entity that can be authenticated

Proving you are who you claim to be

Determining what an authenticated user can do

Trust relationship between identity providers

Creating and managing user accounts and access

Why these pairings

These are fundamental identity concepts.

54
Multi-Select · medium

Your organization is planning to implement Microsoft Entra ID for identity and access management. Which TWO capabilities are provided by Microsoft Entra ID?

Select 2 answers
A. External identity management for customer-facing apps
B. Security event log analysis
C. Identity governance (e.g., access reviews)
D. Mobile device management (MDM)
E. Single sign-on (SSO) for cloud applications
Answers: C, E

Correct: Microsoft Entra ID includes access reviews and entitlement management as part of identity governance.

Why this answer

Microsoft Entra ID provides identity governance capabilities such as access reviews, which allow administrators to automate the process of reviewing and certifying user access to applications and groups. This ensures compliance and security by regularly validating that users have appropriate access rights. Single sign-on (SSO) is a core feature of Entra ID, enabling users to authenticate once and access multiple cloud applications without re-entering credentials, leveraging protocols like OAuth 2.0 and SAML 2.0.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID (workforce identity) with Microsoft Entra External ID (customer identity) or assume that log analysis and MDM are part of Entra ID, when they belong to separate Azure services like Sentinel and Intune.

55
MCQ · medium

A company needs to ensure that only approved devices can access corporate resources. Which Microsoft Entra feature should they combine with Microsoft Intune?

A. Conditional Access
B. Application Proxy
C. Identity Protection
D. Privileged Identity Management
Answer: A

Conditional Access can require device compliance via Intune.

Why this answer

Conditional Access is the Microsoft Entra feature that enforces policies to grant or block access based on conditions such as device compliance. When combined with Microsoft Intune, which manages device compliance policies (e.g., requiring encryption, a specific OS version, or a healthy device health attestation), Conditional Access can block access from non-compliant or unapproved devices. This integration ensures that only devices marked as compliant by Intune can access corporate resources.

Exam trap

The trap here is that candidates often confuse Identity Protection (which deals with user risk) with device-based access control, but Conditional Access is the policy engine that enforces device compliance from Intune.

How to eliminate wrong answers

Option B is wrong because Application Proxy provides secure remote access to on-premises web applications without requiring a VPN, but it does not enforce device compliance or approval. Option C is wrong because Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, impossible travel), but it does not control which devices are allowed to access resources. Option D is wrong because Privileged Identity Management manages just-in-time privileged role assignments and access reviews, not device-level access control.

56
MCQ · hard

A multinational company needs to enforce multi-factor authentication for all users but exclude a break-glass emergency account. Which approach should they take in Microsoft Entra ID?

A. Use identity protection to require MFA only for high-risk users
B. Enable security defaults and add the break-glass account to a group that bypasses MFA
C. Enable per-user MFA for all users and turn off for the break-glass account
D. Create a Conditional Access policy requiring MFA for all users, excluding the break-glass account
Answer: D

Conditional Access allows excluding specific accounts from MFA requirements.

Why this answer

Option D is correct because Conditional Access policies in Microsoft Entra ID allow granular control over authentication requirements, including the ability to exclude specific users or groups. By creating a policy that requires multi-factor authentication (MFA) for all users but explicitly excludes the break-glass account, the company ensures security while maintaining emergency access. This approach is more flexible and scalable than per-user MFA or security defaults, which lack the ability to selectively bypass MFA for critical accounts.

Exam trap

The trap here is that candidates may confuse security defaults with Conditional Access, assuming security defaults can be customized with exclusions, when in fact security defaults are a fixed baseline that cannot be modified to exclude specific accounts.

How to eliminate wrong answers

Option A is wrong because Identity Protection's risk-based policies require MFA only for users flagged as high-risk, not for all users, which fails to enforce universal MFA as required. Option B is wrong because security defaults enforce MFA for all users globally and do not allow excluding specific accounts via group membership; adding a break-glass account to a group does not bypass MFA in security defaults. Option C is wrong because per-user MFA is a legacy, less secure approach that does not support modern Conditional Access exclusions; turning off MFA for the break-glass account via per-user settings is possible but lacks the centralized control and reporting of Conditional Access, and Microsoft recommends migrating away from per-user MFA.

57 · MCQ · medium

A company uses Microsoft Entra ID and wants to configure self-service password reset (SSPR) for all users. The security team requires that users must verify their identity with at least two methods before resetting a password. Which SSPR setting should be configured?

A. Number of methods required to reset: 2
B. Require re-registration on every authentication
C. Enable combined registration for SSPR and MFA
D. Set password expiration to 0 days
Answer: A

This setting directly specifies how many authentication methods a user must complete to reset their password. Setting it to 2 meets the requirement.

Why this answer

Self-Service Password Reset (SSPR) in Microsoft Entra ID allows administrators to set the number of authentication methods required to reset a password. By setting 'Number of methods required to reset' to 2, users must provide two verification methods (e.g., email and phone) to confirm their identity.

Exam trap

Candidates might confuse combined registration (Option C) with the number of methods required for reset, overlooking the direct control for identity verification.

58 · Multi-Select · hard

Which THREE of the following are capabilities provided by Microsoft Entra ID Protection? (Select three.)

Select 3 answers
A. Automated investigation and remediation of identity risks
B. Passwordless authentication options
C. Device compliance assessment
D. Detection of compromised credentials and risky sign-ins
E. Risk-based conditional access policies
Answers: A, D, E

ID Protection can automatically respond to risks.

Why this answer

Option A is correct because Microsoft Entra ID Protection includes automated investigation and remediation capabilities that respond to detected identity risks. When a risk is identified, such as a compromised user account, the service can automatically trigger actions like requiring a password reset or blocking sign-in attempts, reducing the need for manual intervention.

Exam trap

The trap here is that candidates may confuse the broader set of Microsoft Entra ID features (like passwordless authentication or device compliance) with the specific risk detection and response capabilities of Entra ID Protection, which is narrowly focused on identity risk management.

59 · MCQ · medium

Your company uses Microsoft Entra ID with P1 licenses. You need to implement a policy that blocks access to Microsoft 365 from countries that are not authorized, except for users who are members of a specific security group. Which Microsoft Entra feature should you use?

A. Microsoft Entra Identity Protection.
B. Microsoft Entra entitlement management.
C. Microsoft Entra B2B collaboration.
D. Conditional Access policy with location condition and group exclusion.
Answer: D

Conditional Access can block by location and exclude specific groups.

Why this answer

D is correct because Conditional Access policies in Microsoft Entra ID allow you to define access controls based on location conditions, such as blocking access from specific countries. You can then exclude a security group from the block, ensuring that members of that group can still access Microsoft 365 from unauthorized countries. This directly meets the requirement of blocking access except for users in a specific group.

Exam trap

The trap here is that candidates often confuse Identity Protection (which deals with risk-based policies) with Conditional Access (which handles broader access controls like location), leading them to select A instead of D.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a feature for detecting and responding to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs), not for implementing location-based access blocks with group exclusions. Option B is wrong because Microsoft Entra entitlement management is used to manage access packages and identity governance (e.g., automated access reviews and assignment of resources), not for enforcing real-time location-based access policies. Option C is wrong because Microsoft Entra B2B collaboration is designed to enable external users (guests) to access your organization's resources, not to block or allow internal users based on geographic location.

60 · MCQ · hard

Refer to the exhibit. User2 attempts to activate the Global Administrator role. What must happen before User2 gains the role?

A. User3 must approve the activation request
B. An approver defined in PIM must approve the request
C. User1 must approve the activation request
D. User2 must pass MFA
Answer: B

PIM requires approval from designated approvers.

Why this answer

User2 is attempting to activate the Global Administrator role via Privileged Identity Management (PIM). In PIM, role activation requires approval from a designated approver (User3 in this scenario) before the role is granted. Option B correctly identifies that an approver defined in PIM must approve the request, which is the required step for activation.

Exam trap

The trap here is that candidates may assume MFA is the only requirement for activation, but the exhibit clearly shows an approval workflow is in place, making the approval step the immediate prerequisite before the role is granted.

How to eliminate wrong answers

Option A is wrong because User3 is the designated approver, but the statement 'User3 must approve the activation request' is too specific—it implies User3 is the only possible approver, whereas PIM allows multiple approvers or a group; the correct requirement is that an approver defined in PIM must approve. Option C is wrong because User1 is not mentioned as an approver in the exhibit; the exhibit shows User3 as the approver, so User1 has no role in this approval. Option D is wrong because while MFA may be required as part of the activation process (depending on policy), the question specifically asks what must happen before User2 gains the role, and the exhibit shows the approval step is the immediate prerequisite; MFA is often a separate prerequisite but not the direct answer to this scenario.

61 · MCQ · medium

An organization uses Microsoft Entra ID to manage user access. The security policy requires that membership in the 'Finance - Sensitive Data' group must be reviewed every quarter by the group owner to confirm that each member still requires access. The group owner must approve or deny each membership, and any denied memberships should be automatically removed. Which Microsoft Entra ID feature should be configured to automate this process?

A. Microsoft Entra ID Access Reviews
B. Microsoft Entra ID Privileged Identity Management (PIM)
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Protection
Answer: A

Correct. Access Reviews enable periodic attestation of group memberships and application access with automatic removal of denied users.

Why this answer

Microsoft Entra ID Access Reviews is the correct feature because it enables periodic review of group memberships, where the group owner can approve or deny each member's continued access. When a member is denied, Access Reviews can be configured to automatically remove that user from the group, satisfying the security policy's requirement for quarterly reviews and automatic removal of denied memberships.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews because both involve approvals, but PIM handles time-bound role activation for privileged roles, not recurring membership reviews for standard groups.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM is designed for just-in-time privileged role activation and approval workflows for elevated roles, not for recurring membership reviews of a standard security group like 'Finance - Sensitive Data'. Option C (Conditional Access) is wrong because Conditional Access enforces access policies based on signals like location or device compliance at sign-in time, but it does not provide a mechanism for periodic group membership review or automatic removal. Option D (Identity Protection) is wrong because Identity Protection detects and remediates identity-based risks such as leaked credentials or suspicious sign-ins, but it does not manage group membership review cycles or owner approvals.

62 · MCQ · easy

The exhibit shows that a user was added to the Global Administrator role. Which Microsoft Entra feature should be used to provide just-in-time access to this role?

A. Privileged Identity Management
B. Conditional Access
C. Self-Service Password Reset
D. Identity Protection
Answer: A

Enables just-in-time privileged role access.

Why this answer

Privileged Identity Management (PIM) is the Microsoft Entra feature specifically designed to provide just-in-time (JIT) privileged access to roles like Global Administrator. PIM enables time-bound activation, approval workflows, and audit logging, ensuring users have elevated permissions only when needed and for a limited duration.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls access to resources) with Privileged Identity Management (which controls elevation to administrative roles), leading them to select Conditional Access when the question explicitly asks for just-in-time role access.

How to eliminate wrong answers

Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) based on signals, but it does not provide time-bound role activation or JIT elevation to privileged roles. Option C is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, but it has no capability to grant or manage privileged role assignments. Option D is wrong because Identity Protection is a risk-detection service that identifies compromised identities and risky sign-ins, but it does not offer JIT role activation or privileged access management.

63 · MCQ · medium

A company uses Microsoft Entra ID. Their sales team wants to use a third-party customer relationship management (CRM) application that requires the 'Sign in and read user profile' permission and also a high-risk permission to 'Read all users' full profiles'. The security team wants to allow users to request access to this application, but they want to require an administrator to review and approve the high-risk permission request before consent is granted. Which Microsoft Entra ID feature should they configure?

A. Admin consent workflow
B. Conditional Access
C. Identity Protection
D. Privileged Identity Management (PIM)
Answer: A

Admin consent workflow enables users to request admin approval for permissions that require admin consent. An admin can then review and approve or deny the request.

Why this answer

The admin consent workflow in Microsoft Entra ID allows end users to request consent for applications that require permissions, while requiring administrator approval for high-risk permissions. In this scenario, the CRM app requests both a low-risk permission ('Sign in and read user profile') and a high-risk permission ('Read all users' full profiles'), and the security team wants admin review for the high-risk one. The admin consent workflow enables this by letting users initiate the request, then routing it to designated administrators for approval or denial, ensuring that high-risk permissions are not granted without oversight.

Exam trap

The trap here is that candidates often confuse the admin consent workflow with Privileged Identity Management (PIM) because both involve administrative approval, but PIM handles role activation, not application consent requests.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because it controls access based on conditions like location or device state, not the consent process for application permissions. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks such as compromised accounts or sign-in anomalies, not application permission requests. Option D (Privileged Identity Management (PIM)) is wrong because it manages just-in-time privileged role assignments and activation, not the consent workflow for application permissions.

64 · MCQ · medium

A multinational organization uses Microsoft Entra ID. The IT help desk team is responsible for password resets and group management, but only for users located in the European region. The organization has created a group containing all European user accounts. Which Microsoft Entra feature should an administrator use to delegate these administrative tasks specifically to the help desk team, limited to the European user scope?

A. Administrative units
B. Access reviews
C. Conditional Access
D. Self-service password reset (SSPR)
Answer: A

Administrative units allow scoping of administrative roles (e.g., Helpdesk Administrator) to a specific subset of users, such as those in a particular region or department. This feature directly meets the requirement to delegate tasks limited to European users.

Why this answer

Administrative units (AUs) in Microsoft Entra ID allow administrators to delegate administrative permissions scoped to a specific subset of users, groups, or devices. By creating an AU containing only the European user group, the administrator can assign the help desk team roles (e.g., Helpdesk Administrator or User Administrator) limited to that AU, ensuring they can perform password resets and group management only for European users.

Exam trap

The trap here is that candidates often confuse delegation of administrative tasks with end-user self-service features (SSPR) or access control policies (Conditional Access), failing to recognize that Administrative Units are the dedicated Microsoft Entra feature for scoped role-based delegation.

How to eliminate wrong answers

Option B (Access reviews) is wrong because it is a governance feature for reviewing and recertifying access assignments, not for delegating administrative tasks with a scope. Option C (Conditional Access) is wrong because it enforces access control policies (e.g., MFA, location-based restrictions) at sign-in, not for delegating administration or scoping permissions. Option D (Self-service password reset) is wrong because it allows end users to reset their own passwords without help desk intervention, not for delegating password reset tasks to a specific team with a limited scope.

65 · MCQ · medium

An administrator needs to grant a vendor temporary access to an Azure subscription for exactly 48 hours. After that time, access must be automatically revoked. Which Microsoft Entra feature should be used?

A. Microsoft Entra External Identities
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra access reviews
D. Microsoft Entra Conditional Access
Answer: B

PIM enables just-in-time and time-bound role assignments that expire automatically.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) allows administrators to configure just-in-time (JIT) access with time-bound activation and automatic expiration. By setting a maximum activation duration of 48 hours for a role assignment, PIM ensures the vendor's access is automatically revoked after that period without manual intervention.

Exam trap

The trap here is that candidates often confuse PIM's just-in-time access with External Identities (B2B), assuming that inviting a guest user inherently includes time limits, but B2B invitations do not automatically expire unless combined with other features like access reviews or PIM.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra External Identities is used for inviting external users (B2B collaboration) or managing customer identities (B2C), but it does not provide time-bound access with automatic revocation. Option C is wrong because Microsoft Entra access reviews are periodic attestation workflows that require manual or scheduled review cycles, not a mechanism to enforce a precise 48-hour automatic expiration. Option D is wrong because Microsoft Entra Conditional Access enforces access policies based on conditions like location or device state, but it cannot grant or revoke role-based access to an Azure subscription with a specific time limit.

66 · Multi-Select · medium

Your organization uses Microsoft Entra ID. Which TWO features help protect against identity-based attacks by detecting and responding to risks?

Select 2 answers
A. Privileged Identity Management
B. Access reviews
C. Conditional Access
D. Entitlement management
E. Identity Protection
Answers: C, E

Conditional Access can enforce policies based on risk detected by Identity Protection.

Why this answer

Conditional Access is correct because it enforces policy-based access controls that evaluate real-time signals (e.g., user location, device compliance, sign-in risk) to block or challenge suspicious sign-in attempts, directly mitigating identity-based attacks. Identity Protection is correct because it uses machine learning to detect risk signals such as leaked credentials, anonymous IP addresses, and atypical travel, then automatically triggers remediation actions like requiring password reset or blocking access.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Identity Protection, assuming PIM's role activation controls also detect attacks, when in fact PIM is purely a privileged access management tool with no risk detection capabilities.

67 · MCQ · medium

A company wants employees to be able to access corporate applications from their personal mobile devices, but only if those devices are enrolled in mobile device management (MDM) and have a PIN code set. Which Microsoft Entra capability should the administrator use to enforce these requirements?

A. Identity Protection
B. Conditional Access
C. Privileged Identity Management
D. Enterprise App Registration
Answer: B

Conditional Access can require that the device is marked as compliant (enrolled in MDM with a PIN) as a condition for granting access to corporate apps.

Why this answer

Conditional Access is the correct Microsoft Entra capability because it allows administrators to create policies that enforce specific requirements—such as device enrollment in MDM and a PIN code—before granting access to corporate applications. By configuring a Conditional Access policy with a grant control requiring 'Require device to be marked as compliant' (which depends on MDM enrollment and PIN compliance), the administrator can block access from personal devices that do not meet these conditions.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, thinking that risk-based policies (like requiring MFA for risky sign-ins) are the same as device compliance policies, but Identity Protection does not enforce device enrollment or PIN requirements.

How to eliminate wrong answers

Option A is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not enforce device-level requirements like MDM enrollment or PIN code. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not device compliance or mobile device management policies. Option D is wrong because Enterprise App Registration is used to register and configure applications for authentication with Microsoft Entra ID, not to enforce device enrollment or PIN requirements.

68 · MCQ · medium

Refer to the exhibit. The JSON shows a conditional access policy. What is the effect of this policy?

A. Requires MFA for Office 365 from trusted locations.
B. Applies only to external guest users.
C. Blocks all access to Office 365 from trusted locations.
D. Requires a compliant device for Office 365.
Answer: A

Grant control requires MFA.

Why this answer

The policy assigns the 'Require multifactor authentication' grant to Office 365 cloud apps, and the condition restricts it to 'trusted locations' (typically corporate networks or compliant IP ranges). This means users accessing Office 365 from those trusted locations must complete MFA, while access from untrusted locations is not affected by this policy (it may be handled by other policies). Option A correctly describes this effect.

Exam trap

The trap here is that candidates confuse 'Require MFA' with 'Block access' or assume that trusted locations imply automatic access without MFA, when in fact the policy explicitly requires MFA even from trusted locations.

How to eliminate wrong answers

Option B is wrong because the policy targets 'All users' (not just external guest users) and does not include a filter for user type. Option C is wrong because the policy grants 'Require multifactor authentication' — it does not block access; blocking would require the 'Block access' control. Option D is wrong because the policy does not include a 'Require compliant device' grant; it only specifies MFA.

69 · MCQ · hard

Your organization uses Microsoft Entra ID. You need to ensure that when a user's account is disabled on-premises, their access to cloud apps is blocked within 5 minutes. Which hybrid identity configuration should you use?

A. Microsoft Entra Connect Sync with directory synchronization
B. Seamless Single Sign-On
C. Pass-through Authentication
D. Password Hash Synchronization
Answer: A

Entra Connect Sync synchronizes user attributes, including account enabled/disabled status, typically within minutes.

Why this answer

Microsoft Entra Connect Sync with directory synchronization is the correct choice because it synchronizes account state changes (such as a disabled account) from on-premises Active Directory to Microsoft Entra ID, in addition to password hash synchronization. When a user account is disabled on-premises, the next synchronization cycle (which runs every 30 minutes by default and can also be triggered on demand) updates the cloud account's status. With the 'EnableAccidentalDeletionPrevention' and 'PasswordWriteback' features, the sync can be configured to occur within 5 minutes by using the 'Set-ADSyncScheduler' cmdlet to reduce the sync interval. This ensures that the disabled state is reflected in Microsoft Entra ID, blocking access to cloud apps promptly.

Exam trap

The trap here is that candidates often confuse Password Hash Synchronization (PHS) with full directory synchronization, not realizing that PHS alone does not synchronize account disabled status or other user attributes beyond password hashes.

How to eliminate wrong answers

Option B is wrong because Seamless Single Sign-On (SSO) only provides automatic sign-in for users on domain-joined devices, but it does not synchronize account state changes or enforce access blocking when an on-premises account is disabled. Option C is wrong because Pass-through Authentication validates passwords against on-premises Active Directory in real-time, but it does not synchronize account disabled status; it only handles authentication, not account state propagation. Option D is wrong because Password Hash Synchronization alone synchronizes password hashes but does not synchronize account disabled status or other user attribute changes; it requires directory synchronization (Entra Connect Sync) to propagate account state.

70 · MCQ · medium

A company manages Azure resources for multiple departments. The security team needs to grant IT administrators temporary, just-in-time access to high-privilege roles (e.g., Contributor, Owner) only when needed, with approval workflows. Which Microsoft Entra ID capability should they configure?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Entitlement Management (Identity Governance)
Answer: C

PIM provides time-based and approval-based role activation to manage, control, and monitor access to privileged resources. It supports just-in-time access for elevated roles.

Why this answer

Privileged Identity Management (PIM) is the correct Microsoft Entra ID capability because it provides just-in-time (JIT) activation of high-privilege roles like Contributor and Owner, with time-bound approvals and approval workflows. PIM allows administrators to request temporary elevation to a role, which must be approved by designated approvers, and the access automatically expires after the specified duration. This directly addresses the requirement for temporary, approval-based access to privileged roles.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Entitlement Management, because both involve access requests and approvals, but PIM is specifically for just-in-time privileged role activation, while Entitlement Management is for ongoing access to resources like groups and apps.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on signals like user location or risk, but it does not provide JIT role activation or approval workflows for privileged roles. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not manage role assignments or temporary elevation to high-privilege roles. Option D is wrong because Entitlement Management (Identity Governance) automates access requests and reviews for groups, apps, and SharePoint sites, but it is not designed for just-in-time activation of Azure RBAC roles like Contributor or Owner.

71 · MCQ · medium

You are evaluating the Conditional Access policy JSON exhibit. The policy includes MFA for Exchange Online but excludes trusted locations. A user reports that they are prompted for MFA when accessing webmail from a trusted IP address. Which is the most likely cause?

A. The location condition is configured to include trusted locations
B. The policy targets high sign-in risk
C. The policy does not apply to Exchange Online
D. The policy requires device compliance
Answer: A

The policy includes trusted locations, so it applies MFA to them. It should exclude trusted locations.

Why this answer

The policy requires MFA for Exchange Online, but the location condition uses 'includeLocations' with 'AllTrusted', which means the policy applies to trusted locations rather than excluding them. To exempt trusted locations, the policy should list 'AllTrusted' under 'excludeLocations' instead. Option A is correct.

Options B and D are incorrect because the JSON does not include a sign-in risk condition or a device compliance control. Option C is incorrect because the policy does apply to Exchange Online; that is the app it targets.

72 · MCQ · medium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy includes locations condition "AllTrusted". What is the effect of this policy?

A. Users are required to perform MFA when accessing from untrusted locations.
B. Users are blocked from accessing apps from trusted locations.
C. Users are required to perform MFA when accessing from trusted locations.
D. Users are allowed access without MFA from trusted locations.
Answer: C

The policy targets trusted locations and requires MFA.

Why this answer

In Microsoft Entra ID Conditional Access, the 'AllTrusted' locations condition includes locations marked as trusted (e.g., corporate network IP ranges or MFA-trusted IPs). When a policy is configured with this condition and set to 'Require MFA', it enforces MFA specifically when users access from those trusted locations. This is often used to require step-up authentication even from within the corporate network, for example, when accessing sensitive applications.

Exam trap

The trap here is that candidates often assume trusted locations automatically bypass MFA, but Conditional Access policies can explicitly require MFA from trusted locations for step-up authentication.

How to eliminate wrong answers

Option A is wrong because 'AllTrusted' targets trusted locations, not untrusted ones; requiring MFA from untrusted locations would use 'AllUntrusted' or 'All locations' with an exclude. Option B is wrong because Conditional Access policies do not block access from trusted locations by default; blocking would require a 'Block access' grant control, not a location condition alone. Option D is wrong because allowing access without MFA from trusted locations is the default behavior when no policy targets them; this policy explicitly requires MFA, so it does not allow access without MFA.

73 · MCQ · medium

A company uses Microsoft Entra ID. They want to require users to perform multifactor authentication (MFA) every 30 days on devices that are marked as compliant, but require MFA for every sign-in attempt on non-compliant devices. Which Conditional Access control should they configure to meet this requirement?

A. Grant control: Require MFA
B. Session control: Sign-in frequency
C. Conditions: Device state
D. Session control: Application restrictions
Answer: B

Sign-in frequency session control allows the administrator to specify how often a user must re-authenticate. This can be set to every 30 days for compliant devices and to 0 (every time) for non-compliant devices to achieve the goal.

Why this answer

The requirement specifies different MFA frequency based on device compliance: every 30 days for compliant devices and every sign-in for non-compliant devices. This is achieved by configuring a Session control called 'Sign-in frequency' in a Conditional Access policy, which allows administrators to set the reauthentication interval (e.g., 30 days) and can be scoped to specific conditions like device state (compliant vs. non-compliant). Grant controls like 'Require MFA' enforce MFA but do not control the frequency of re-prompting.

Exam trap

The trap here is that candidates confuse 'Grant controls' (which enforce MFA) with 'Session controls' (which manage sign-in frequency), leading them to pick 'Require MFA' instead of 'Sign-in frequency' when the question specifically asks about controlling the frequency of MFA prompts.

How to eliminate wrong answers

Option A is wrong because 'Grant control: Require MFA' enforces MFA on every sign-in but cannot differentiate between compliant and non-compliant devices or set a reauthentication frequency like 30 days. Option C is wrong because 'Conditions: Device state' is a condition that filters which devices the policy applies to (e.g., compliant or non-compliant), not a control that enforces MFA frequency. Option D is wrong because 'Session control: Application restrictions' controls access to specific apps or data (e.g., using app protection policies) and does not manage MFA reauthentication intervals.

74
MCQ · hard

Your organization, Contoso, uses Microsoft Entra ID for identity management. The security team has recently identified that several users have had their credentials compromised. You need to implement a solution that automatically enforces a password change for high-risk users and blocks sign-ins from risky locations. Additionally, you want to allow users to self-remediate by changing their password when they are at medium risk. You have the following requirements:

- Users detected as high risk must be blocked from signing in until an administrator resets their password.
- Users detected as medium risk must be prompted to change their password via self-service password reset before they can access resources.
- All risk detections must be logged and reported to the security team.
- The solution must use built-in Microsoft Entra capabilities without third-party tools.

Which of the following actions should you take to meet the requirements?

A. Create conditional access policies that block sign-ins based on location and require MFA for all users.
B. Configure Microsoft Entra ID Protection user risk policies: set a policy to block access for high user risk and a policy to require password change for medium user risk. Enable risk reporting.
C. Administratively assign users to administrative units and require administrators to review risk manually.
D. Use Microsoft Entra ID Governance to create an access package and require approval for access.
Answer: B

This directly meets all requirements.

Why this answer

Option B is correct because Microsoft Entra ID Protection provides built-in user risk policies that automatically block sign-ins for high-risk users and require a password change for medium-risk users, meeting the requirements for automated enforcement and self-remediation. Additionally, ID Protection includes risk reporting capabilities that log all risk detections for the security team, all without third-party tools.

Exam trap

The trap here is that candidates often confuse conditional access policies (which control access based on conditions like location or device) with Identity Protection risk policies (which specifically enforce actions based on user or sign-in risk levels), leading them to choose Option A instead of the correct risk-based policy configuration.

How to eliminate wrong answers

Option A is wrong because conditional access policies that block sign-ins based on location and require MFA do not automatically enforce password changes based on user risk level, nor do they provide the granular risk-based remediation (block vs. password change) required for high and medium risk. Option C is wrong because manually assigning users to administrative units and requiring administrators to review risk manually does not automate enforcement or allow self-remediation; it contradicts the requirement for automatic password change and blocking. Option D is wrong because Microsoft Entra ID Governance access packages and approval workflows are designed for managing resource access and entitlement, not for enforcing risk-based password changes or blocking sign-ins based on compromised credentials.

75
MCQ · medium

A company uses Microsoft Entra ID to manage access to internal applications for employees and guest users. The compliance team requires that all guest users' access to a sensitive application must be reviewed every 90 days by the application owner. If the owner does not respond to the review request, the guest's access must be automatically revoked. Which Microsoft Entra ID feature should the company use?

A. Conditional Access
B. Identity Protection
C. Access Reviews
D. Privileged Identity Management (PIM)
Answer: C

Access Reviews allow administrators to create recurring reviews of access to groups, applications, or roles, and can be configured to automatically remove access if the reviewer does not respond.

Why this answer

Access Reviews in Microsoft Entra ID allow administrators to create recurring reviews of guest user access to applications, groups, or roles. The scenario requires a 90-day review cycle with automatic revocation if the owner does not respond, which is a built-in configuration option within an Access Review policy. This directly meets the compliance team's requirement for periodic attestation and automated removal of access.

Exam trap

The trap here is confusing Access Reviews with Privileged Identity Management (PIM), since both involve approvals and time-bound access, but PIM focuses on privileged role activation while Access Reviews handle recurring attestation of any user's access to resources.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like location or device state, but it does not provide periodic attestation or automatic revocation based on reviewer non-response. Option B is wrong because Identity Protection detects and remediates identity-based risks such as leaked credentials or sign-ins from anonymous IP addresses, but it does not schedule recurring access reviews or revoke access due to reviewer inaction. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval workflows for privileged roles, but it is not designed for recurring attestation of guest user access to a sensitive application.
