CCNA Describe the capabilities of Microsoft Entra Questions

75 of 373 questions · Page 2/5 · Describe the capabilities of Microsoft Entra

76
MCQ · hard

A company uses Microsoft Entra ID and a third-party SaaS application. They want to prevent users from downloading sensitive documents from the SaaS app when accessing from unmanaged personal devices, while still allowing read-only access. Which Conditional Access control should they apply to achieve this?

A.Require multifactor authentication (MFA)
B.Require compliant device (Intune compliance policy)
C.Use app control with Microsoft Defender for Cloud Apps session policy
D.Block access
Answer: C

Session policies in Microsoft Defender for Cloud Apps allow granular controls, such as blocking download while permitting read-only access, based on device state.

Why this answer

Option C is correct because Microsoft Defender for Cloud Apps (MDCA) session policies enable granular control over user actions within a SaaS app, such as blocking downloads while allowing read-only access. The Conditional Access policy uses the "Use Conditional Access App Control" session control to route the session through MDCA's reverse proxy, which intercepts the app's HTTP/HTTPS traffic in real time; the session policy then uses its device filter (for example, device tag not equal to "Intune compliant" or "Hybrid Azure AD joined") to apply the download block only to unmanaged devices. Conditional Access with MDCA session control is the only option that provides app-level data protection without requiring device management or blocking access entirely.

Exam trap

The trap here is that candidates often confuse identity-based controls (like MFA or device compliance) with app-level data protection controls, not realizing that only MDCA session policies can enforce granular actions like 'block download' while still allowing read-only access within the app itself.

How to eliminate wrong answers

Option A is wrong because requiring multifactor authentication (MFA) only verifies identity and does not control what users can do within a SaaS app after authentication, such as downloading documents. Option B is wrong because requiring a compliant device via Intune compliance policy would block access entirely from unmanaged personal devices, rather than allowing read-only access while preventing downloads. Option D is wrong because blocking access would prevent all access, including the desired read-only capability, which is too restrictive for the requirement.

77
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Entra PIM activation request. The roleDefinitionId corresponds to the Global Administrator role. The request is for an 8-hour activation with a start time. What is the maximum allowed activation duration for Global Administrator in PIM?

A.4 hours
B.12 hours
C.24 hours
D.8 hours
Answer: D

With default PIM role settings, the maximum activation duration for Global Administrator is 8 hours.

Why this answer

Option D is correct because the default PIM role setting "Activation maximum duration" is 8 hours, and that default applies to Global Administrator. The setting is configured per role: an administrator can lower it or raise it to at most 24 hours, and whatever value is in effect, an activation request for a longer duration is rejected. The question assumes default settings, which the 8-hour request in the exhibit matches exactly.

Exam trap

The trap here is confusing the default maximum (8 hours) with the ceiling an administrator can configure (24 hours), or assuming Global Administrator has a different hard-coded limit from other roles; PIM applies the same default activation settings to every role until an administrator changes them.

How to eliminate wrong answers

Option A is wrong because 4 hours is not a default; it is only in effect if an administrator has lowered the role setting. Option B is wrong because 12 hours is not the default either; it would only be permitted if an administrator had raised the role setting above 8 hours. Option C is wrong because 24 hours is the upper bound an administrator can configure for activation, not the default that applies to Global Administrator.

78
MCQ · easy

Your company is implementing Microsoft Entra ID and wants to ensure that users can sign in using their existing social media accounts. Which feature should you configure?

A.B2B collaboration
B.Conditional Access
C.External Identities
D.Identity Protection
Answer: C

External Identities support social identity providers like Google and Facebook.

Why this answer

External Identities in Microsoft Entra ID allows you to configure identity providers for social media accounts (e.g., Google, Facebook) so users can sign in with their existing credentials. This is done by enabling federation with social identity providers via the External Identities blade, which uses OAuth 2.0 and OpenID Connect protocols to authenticate users without creating a separate Microsoft account.

Exam trap

The trap here is that candidates confuse B2B collaboration (which is for business partners) with External Identities (which includes social identity providers), because both involve external users, but only External Identities supports social login providers like Google and Facebook.

How to eliminate wrong answers

Option A is wrong because B2B collaboration is specifically for inviting external business partners (e.g., from other Azure AD tenants) to access your resources, not for allowing social media account sign-ins. Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) after authentication, not a feature for configuring social identity providers. Option D is wrong because Identity Protection is a risk-based detection and remediation service (e.g., leaked credentials, sign-in anomalies), not a feature for adding social identity providers.

79
MCQ · easy

Refer to the exhibit. You are configuring an access package in Microsoft Entra Entitlement Management. Based on the policy, which users can request access to the HR App?

A.Any user in the organization can request access, but guests require manager approval.
B.Only administrators can assign access.
C.Only users in the HR department can request access.
D.Only guest users can request access.
Answer: A

The request policy lets users in the directory request access; approval is required only for guests.

Why this answer

Option A is correct because the access package policy shown in the exhibit is configured with 'For users in your directory' as the scope and 'Specific connected organization' is not selected, meaning any internal user can request. The policy also has 'Approval' set to 'Manager approval' only for 'Guest users', so internal users do not require approval, while guests do. This matches the description that any user in the organization can request, but guests need manager approval.

Exam trap

The trap here is that candidates may misinterpret the approval setting as applying to all users, when in fact it is configured only for guest users, leading them to incorrectly select an option that implies restricted access or exclusive guest access.

How to eliminate wrong answers

Option B is wrong because the policy allows users to request access directly; it does not restrict assignment to administrators only. Option C is wrong because the policy scope is set to 'All users' (or 'For users in your directory'), not limited to the HR department. Option D is wrong because the policy allows both internal users and guest users to request access, not exclusively guests.

80
MCQ · easy

Your organization uses Microsoft Entra ID. A user reports that they are unable to access any Microsoft 365 services because they forgot their password. Which self-service tool should they use?

A.Self-Service Password Reset (SSPR)
B.Password reset admin portal
C.Identity Protection
D.Privileged Identity Management
Answer: A

SSPR enables users to reset their own passwords if configured.

Why this answer

Option A is correct because SSPR lets a user reset their own password after proving their identity with the authentication methods they registered earlier (for example, the Authenticator app, a phone number or an alternate email); SSPR must be enabled for the user's group and the user must have registered methods before the lockout, otherwise they still need an administrator. Option B (Password reset admin portal) is where an administrator resets a password on the user's behalf, which is not self-service. Option C (Identity Protection) detects identity risks. Option D (Privileged Identity Management) manages privileged role activation.

81
MCQ · easy

An organization wants to protect against password spray attacks by automatically blocking sign-ins from suspicious IP addresses. Which Microsoft Entra feature should they use?

A.Microsoft Entra Self-Service Password Reset
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Multifactor Authentication
Answer: B

Identity Protection raises sign-in risk for password spray and for sign-ins from known malicious IP addresses; a sign-in risk policy then blocks them.

Why this answer

Option B is correct because Identity Protection includes detections such as "Password spray" and sign-ins from IP addresses flagged by Microsoft threat intelligence, and a sign-in risk policy (or a Conditional Access policy using the sign-in risk condition) can automatically block sign-ins at the chosen risk level. The block is applied by the policy, not by the detection alone, so a risk policy must be configured. Smart lockout, which is on by default, is the per-account mitigation against password spray, but it throttles repeated failures rather than blocking by IP reputation. Option A is wrong because SSPR only handles password reset. Option C is wrong because PIM manages privileged role activation. Option D is wrong because MFA adds a verification step but does not block sign-ins based on IP reputation.

82
MCQ · medium

Your organization uses Microsoft Entra ID and needs to block sign-ins from legacy authentication protocols to reduce risk. Which feature should you use?

A.Security defaults
B.Privileged Identity Management
C.Identity Protection
D.Conditional Access
Answer: D

Conditional Access can block legacy authentication by targeting client apps.

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to block sign-ins from legacy authentication protocols by targeting client apps that use protocols like POP3, IMAP, SMTP, or older Office clients that do not support modern authentication. This is the correct feature because it provides granular, policy-based control to explicitly deny authentication requests that use legacy protocols, directly addressing the requirement to reduce risk from these less secure methods.

Exam trap

The trap here is that candidates often confuse Security defaults (which do block legacy authentication by default) with the ability to customize or target that block, but the question asks for a feature to 'block sign-ins from legacy authentication protocols' in a way that can be tailored to organizational needs, which only Conditional Access supports.

How to eliminate wrong answers

Option A is wrong because Security defaults provide a baseline set of security policies (like requiring MFA for all users and blocking legacy authentication) but are a fixed, non-customizable feature intended for small organizations; they cannot be selectively applied or fine-tuned to block legacy authentication for specific users or scenarios. Option B is wrong because Privileged Identity Management (PIM) is focused on just-in-time privileged access management, role activation, and approval workflows for administrative roles, not on controlling authentication protocols used during sign-in. Option C is wrong because Identity Protection uses risk-based policies (e.g., user risk, sign-in risk) to block or require MFA, but it does not have a direct setting to block legacy authentication protocols; it relies on Conditional Access policies to enforce such blocks.
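Before enforcing a legacy-authentication block, a practitioner first checks the sign-in logs for who still uses legacy protocols and deploys the policy in report-only mode. The following is an added example written for this page, not code from Microsoft or from the exam. The sign-in records are constructed for the demo in the field shape of the Microsoft Graph `signIn` resource (`userPrincipalName`, `appDisplayName`, `clientAppUsed`); the set of legacy `clientAppUsed` values is a non-exhaustive list assumed for illustration, and the policy body uses the Conditional Access `clientAppTypes` values `exchangeActiveSync` and `other`.

```python
"""Inventory legacy-authentication sign-ins and draft the Conditional Access block.

Added example for this page; not Microsoft code. Records are constructed in the
shape of the Graph `signIn` resource; in production they come from the sign-in
logs (GET /auditLogs/signIns), which is left out so this runs offline.
"""
from collections import defaultdict

# clientAppUsed values that indicate legacy (non-modern) authentication.
# "Browser" and "Mobile Apps and Desktop clients" are the two modern buckets.
# Assumed, non-exhaustive list for the demo.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "MAPI Over HTTP", "Exchange Web Services",
    "Autodiscover", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
}

# Constructed sample sign-ins (not real log data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync"},
    {"userPrincipalName": "svc-scanner@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients"},
]


def legacy_auth_report(signins):
    """Return {userPrincipalName: sorted legacy protocols used} for users still on legacy auth."""
    per_user = defaultdict(set)
    for s in signins:
        if s.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            per_user[s["userPrincipalName"]].add(s["clientAppUsed"])
    return {user: sorted(protocols) for user, protocols in per_user.items()}


def block_legacy_auth_policy(exclude_user_ids=(), enforce=False):
    """Draft the body for POST /identity/conditionalAccess/policies.

    'exchangeActiveSync' and 'other' are the two legacy client app types Conditional
    Access exposes. The policy stays report-only unless enforce=True, and excluded
    users (break-glass accounts) are always carried through.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def rollout_plan(signins, break_glass_ids=()):
    """Return (report, policy): enforce only when nobody in the logs still uses legacy auth."""
    report = legacy_auth_report(signins)
    return report, block_legacy_auth_policy(break_glass_ids, enforce=not report)


if __name__ == "__main__":
    report, policy = rollout_plan(SAMPLE_SIGNINS, break_glass_ids=["<break-glass-object-id>"])
    for user, protocols in report.items():
        print(f"{user}: still using {', '.join(protocols)}")
    print("policy state:", policy["state"])
```

The report points at the accounts to migrate (here a mailbox user on IMAP4/ActiveSync and a scanner service account on Authenticated SMTP); once the report is empty the same function emits the policy with `state` set to `enabled`. Keep the break-glass accounts in `excludeUsers` in both modes.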

83
MCQ · medium

A company uses Microsoft Entra ID and wants to automatically detect and remediate over-privileged roles in their Azure subscriptions and AWS accounts. They need to get a unified view of permissions across multiple clouds. Which Microsoft Entra capability should they use?

A.Microsoft Entra Identity Protection
B.Microsoft Entra Permissions Management
C.Microsoft Entra Verified ID
D.Microsoft Entra ID Governance
Answer: B

Permissions Management (CIEM) gives a unified view of permissions across Azure, AWS, and GCP, and helps detect and fix over-privileged roles.

Why this answer

Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides visibility into permissions across multi-cloud environments, including Azure and AWS. It automatically detects over-privileged roles and can remediate them by enforcing least-privilege access policies, making it the correct choice for the described requirement.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID Governance with Permissions Management because both deal with 'permissions,' but Governance handles identity lifecycle and access reviews within Entra ID, not multi-cloud infrastructure permission analysis or automated remediation.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection focuses on detecting identity-based risks such as compromised credentials and sign-in anomalies, not on managing cloud infrastructure permissions. Option C is wrong because Microsoft Entra Verified ID is a decentralized identity solution for verifiable credentials, unrelated to cloud permission management. Option D is wrong because Microsoft Entra ID Governance covers identity lifecycle, access reviews, and entitlement management within Microsoft Entra ID, but it does not provide multi-cloud permission visibility or automated remediation for over-privileged roles in AWS or Azure subscriptions.

84
MCQ · medium

A user reports that they cannot access the company's HR application, which requires Microsoft Entra ID authentication. The user can access other apps that also use Entra ID. What is the most likely cause?

A.The user's account is disabled.
B.The tenant is blocked for all sign-ins.
C.The user's password expired.
D.A conditional access policy is blocking access to that specific app.
Answer: D

Conditional Access policies can target specific apps.

Why this answer

The user can access other Microsoft Entra ID-integrated apps, which rules out account-level issues like a disabled account or expired password. A conditional access policy can target specific applications, so it is the most likely cause of the block on just the HR app. To confirm, open the failed entry in the sign-in logs and check the Conditional Access tab, which lists the applied policies and which one returned "Failure".

Exam trap

The trap here is that candidates often assume a user-specific issue (like disabled account or expired password) when they see a single user blocked, but the key clue is that other apps work, pointing to an app-specific conditional access policy rather than a global or user-level problem.

How to eliminate wrong answers

Option A is wrong because if the user's account were disabled, they would be unable to access any Entra ID-authenticated app, not just the HR app. Option B is wrong because a tenant-wide block would prevent all sign-ins for all users, not just this user's access to one app. Option C is wrong because an expired password would affect authentication to all apps using the same Entra ID tenant, not selectively block one app.

85
MCQ · medium

A company wants to allow its partners to access a specific SharePoint Online site using their own corporate credentials. The company does not want to manage partner accounts. Which Microsoft Entra feature should they use?

A.Microsoft Entra External ID
B.Microsoft Entra Privileged Identity Management
C.Microsoft Entra Identity Protection
D.Microsoft Entra Conditional Access
Answer: A

Allows external users to access resources with their own credentials.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2B) allows organizations to grant external partners access to resources like SharePoint Online using their own corporate or social identities. This eliminates the need to create and manage separate user accounts for partners, as they authenticate through their home identity provider via federation or invitation redemption.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with the identity provider federation capability of External ID, mistakenly thinking policies alone can enable external authentication without a dedicated identity solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) is used for just-in-time privileged role activation and access reviews within an organization, not for enabling external partner access with their own credentials. Option C is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) for internal users, not for managing external partner authentication. Option D is wrong because Microsoft Entra Conditional Access enforces policies (e.g., MFA, device compliance) on sign-in events but does not itself provide the mechanism for external identities to authenticate using their own credentials; it works in conjunction with External ID.

86
MCQ · easy

A user reports that they are unable to sign in to a SaaS application that is configured for single sign-on (SSO) with Microsoft Entra ID. The user can sign in to other applications. What should you check first?

A.Confirm the user's account is not disabled.
B.Verify that the user has reset their password recently.
C.Ensure the user has an appropriate Microsoft 365 license.
D.Check if the user is assigned to the application in Microsoft Entra ID.
Answer: D

If the user is not assigned, they will be denied access even with valid credentials.

Why this answer

Option D is correct because the most common cause of SSO failure for a single application, when the user can sign in to other apps, is that the user has not been assigned to that specific application in Microsoft Entra ID. When the enterprise application has "Assignment required" enabled, an unassigned user is refused with error AADSTS50105 even though their account is active and licensed. This is a core requirement for application-level access control in Entra ID.

Exam trap

The trap here is that candidates confuse global authentication issues (like disabled accounts or password problems) with application-specific authorization, which is governed by user assignment in Entra ID, not by the user's overall account state or licensing.

How to eliminate wrong answers

Option A is wrong because if the user's account were disabled, they would be unable to sign in to any application, not just the one in question. Option B is wrong because a recent password reset does not affect SSO sign-in; SSO relies on the user's primary authentication token, and a password change would apply globally, not selectively block one app. Option C is wrong because Microsoft 365 licensing is unrelated to SSO access for a third-party SaaS application; licensing controls access to Microsoft 365 services, not Entra ID application assignments.
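Questions 84 and 86 both turn on the same triage rule: a failure that affects one app while other apps succeed is app-specific (assignment or a targeted Conditional Access policy), whereas a disabled account or expired password fails every app. The following is an added example for this page, not Microsoft code or part of the exam. The sign-in records are constructed in the shape of the Microsoft Graph `signIn` resource (`status.errorCode`, `conditionalAccessStatus`, `appliedConditionalAccessPolicies`); the AADSTS error codes are the public ones Entra returns, and the user and app names are made up.

```python
"""Triage a single-app sign-in failure from sign-in log fields.

Added example for this page; not Microsoft code. Records are constructed in the
shape of the Graph `signIn` resource; fetching real ones (GET /auditLogs/signIns)
is left out so the example runs offline.
"""

# Account-wide causes fail every app; app-specific causes fail only one.
ACCOUNT_WIDE = {
    50057: "account disabled",
    50055: "password expired",
}
APP_SPECIFIC = {
    50105: "user not assigned to the application",
    53003: "blocked by Conditional Access",
}

# Constructed records: john is fine on Teams but blocked on the HR app,
# dana fails everywhere because her account is disabled.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "john@contoso.example", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"}]},
    {"userPrincipalName": "john@contoso.example", "appDisplayName": "HR App",
     "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "success"},
         {"displayName": "Require compliant device for HR App", "result": "failure"}]},
    {"userPrincipalName": "dana@contoso.example", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 50057}, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "dana@contoso.example", "appDisplayName": "HR App",
     "status": {"errorCode": 50057}, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
]


def diagnose(signin):
    """Name the cause of one sign-in record, naming the failing policy when CA blocked it."""
    code = signin.get("status", {}).get("errorCode", 0)
    if code == 0:
        return "success"
    if code == 53003 or signin.get("conditionalAccessStatus") == "failure":
        failing = [p["displayName"] for p in signin.get("appliedConditionalAccessPolicies", [])
                   if p.get("result") == "failure"]
        return "blocked by Conditional Access: " + (", ".join(failing) or "policy not recorded")
    if code in ACCOUNT_WIDE:
        return ACCOUNT_WIDE[code]
    if code in APP_SPECIFIC:
        return APP_SPECIFIC[code]
    return f"other failure (AADSTS{code})"


def triage_user(signins, upn):
    """Return {"apps": {app: diagnosis}, "scope": verdict} for one user.

    If at least one app succeeds while another fails, the cause is app-specific;
    if every app fails, look at the account first (disabled, expired password,
    tenant-wide block) before touching any single application.
    """
    per_app = {s["appDisplayName"]: diagnose(s) for s in signins if s["userPrincipalName"] == upn}
    outcomes = set(per_app.values())
    if not per_app:
        scope = "no sign-ins found"
    elif "success" in outcomes and len(outcomes) > 1:
        scope = "app-specific"
    elif "success" in outcomes:
        scope = "no failure"
    else:
        scope = "account-wide"
    return {"apps": per_app, "scope": scope}


if __name__ == "__main__":
    for upn in ("john@contoso.example", "dana@contoso.example"):
        result = triage_user(SAMPLE_SIGNINS, upn)
        print(upn, "->", result["scope"])
        for app, cause in result["apps"].items():
            print("   ", app, ":", cause)
```

For john the verdict is app-specific and the failing policy is named directly from `appliedConditionalAccessPolicies`; for dana every app reports AADSTS50057, so the scope is account-wide and no application setting needs to change. The same function classifies AADSTS50105 (not assigned) as app-specific, which is the question 86 case.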

87
MCQ · medium

Refer to the exhibit. You are reviewing a risk detection in Microsoft Entra Identity Protection. The risk event indicates 'unfamiliarFeatures' with medium risk level for user John Doe from IP 203.0.113.5. What is the most likely cause of this risk detection?

A.There was an impossible travel event detected.
B.John Doe's credentials were leaked on the dark web.
C.The sign-in originated from an anonymous IP address.
D.The sign-in was from an unfamiliar location or device.
Answer: D

UnfamiliarFeatures detects sign-ins from unfamiliar locations or devices.

Why this answer

Option D is correct because 'unfamiliarFeatures' indicates a sign-in whose properties (location, device, IP, ISP or similar) do not match the user's recent sign-in history. Option A is wrong because impossible travel would show the 'impossibleTravel' risk event. Option B is wrong because leaked credentials would show the 'leakedCredentials' risk event. Option C is wrong because an anonymous IP address would show the 'anonymousIpAddress' risk event.

88
MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their existing social media accounts, such as Google or Facebook, while maintaining security and compliance with conditional access policies. What should you configure?

A.Enable Microsoft Entra Permissions Management.
B.Deploy Microsoft Entra Verified ID.
C.Configure Microsoft Entra B2B collaboration for guest users.
D.Configure Microsoft Entra External ID with social identity providers.
Answer: D

External ID supports social identity providers and allows configuration of conditional access policies.

Why this answer

Option D is correct because Microsoft Entra External ID (formerly Azure AD External Identities) allows you to configure social identity providers such as Google and Facebook as external identity sources. This enables users to sign in with their existing social media accounts while still being subject to your tenant's conditional access policies, ensuring security and compliance.

Exam trap

The trap here is confusing Microsoft Entra B2B collaboration (for business guest users) with Microsoft Entra External ID (which includes social identity providers for consumer-facing apps), leading candidates to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) tool for managing permissions across multi-cloud environments, not for configuring social identity providers. Option B is wrong because Microsoft Entra Verified ID is a decentralized identity solution based on verifiable credentials (W3C standards), not for integrating social media logins. Option C is wrong because Microsoft Entra B2B collaboration is designed for inviting external business partners as guest users using their work or school accounts, not for allowing end users to sign in with personal social media accounts.

89
Multi-Select · hard

Which THREE components are part of Microsoft Entra ID's identity governance? (Choose three.)

Select 3 answers
A.Self-Service Password Reset
B.Privileged Identity Management
C.Entitlement Management
D.Access Reviews
E.Conditional Access
Answers: B, C, D

Entitlement Management, Access Reviews and PIM are the components of Microsoft Entra ID Governance; PIM governs privileged roles.

Why this answer

Microsoft Entra ID Governance comprises Entitlement Management (access packages that bundle groups, applications and SharePoint sites behind request and approval policies), Access Reviews (recurring attestation of group, application and role membership with automatic removal of denied access) and Privileged Identity Management (just-in-time, time-bound activation of privileged roles for Microsoft Entra ID and Azure resources, with approval workflows). Together they manage who has access, for how long and with whose approval, which reduces the risk of standing admin privileges.

Exam trap

The trap here is that candidates often confuse Conditional Access (a security control) with identity governance, or mistake Self-Service Password Reset (a user convenience feature) for a governance tool, when in fact governance focuses on managing who has access and for how long, not on how access is authenticated or enforced.

90
MCQ · easy

A company wants to enable employees to securely access on-premises applications without needing a VPN. Which Microsoft Entra feature should they implement?

A.Identity Protection
B.B2B Collaboration
C.Application Proxy
D.Privileged Identity Management
Answer: C

Application Proxy publishes on-premises apps securely without VPN.

Why this answer

Microsoft Entra Application Proxy provides secure remote access to on-premises web applications by acting as a reverse proxy. It removes the need for a VPN: the user authenticates to Microsoft Entra ID (where Conditional Access applies), the Application Proxy cloud service relays the request, and a connector installed on-premises retrieves it over an outbound-only connection to the service, so no inbound firewall ports are opened. This allows employees to access internal apps from anywhere using the same credentials and conditional access policies.

Exam trap

The trap here is that candidates often confuse Application Proxy with a VPN or assume that B2B Collaboration is needed for remote access, but the key differentiator is that Application Proxy is specifically designed for secure, VPN-less access to on-premises web apps through a reverse proxy architecture.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based detection and remediation tool that identifies compromised identities and suspicious sign-ins, not a remote access solution for on-premises applications. Option B is wrong because B2B Collaboration enables external users (partners, vendors) to access your organization's resources using their own identities, but it does not provide a reverse proxy or secure channel to on-premises apps. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time and time-bound access to privileged roles in Azure AD and Azure resources, not general remote access to on-premises applications.

91
MCQ · hard

Your organization is using Microsoft Entra ID with P2 licenses. You need to ensure that all guest users are reviewed for access quarterly, and if not approved, access is automatically removed. Which Microsoft Entra feature should you configure?

A.Microsoft Entra Privileged Identity Management
B.Microsoft Entra Identity Protection
C.Microsoft Entra Entitlement Management
D.Microsoft Entra Access Reviews
Answer: D

Access Reviews can be configured to automatically remove access if not approved.

Why this answer

Microsoft Entra Access Reviews (D) is the correct feature because it allows you to create recurring reviews for guest users, set the frequency to quarterly, and configure auto-apply settings to automatically remove access if the review is not approved. This directly meets the requirement for periodic attestation and automated remediation.

Exam trap

The trap here is that candidates confuse Entitlement Management (which creates access packages) with Access Reviews (which performs the actual recurring review and auto-removal), but only Access Reviews provides the quarterly schedule and automatic removal enforcement described in the scenario.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for periodic access reviews of guest users. Option B is wrong because Microsoft Entra Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-in anomalies), not on scheduling and automating access reviews. Option C is wrong because Microsoft Entra Entitlement Management manages access packages and catalogs for resource provisioning, but it does not natively provide the recurring review and auto-removal cycle; it relies on Access Reviews for that functionality.

92
MCQ · hard

You are the identity administrator for a multinational company using Microsoft Entra ID. The company has a Microsoft 365 E5 subscription. The security team wants to enforce the following requirements: 1. All users must use multi-factor authentication (MFA) when accessing sensitive applications (e.g., finance app). 2. Users from the IT department must use passwordless authentication methods (e.g., Windows Hello for Business) when accessing any resource. 3. All access to sensitive applications must be logged and monitored for anomalous activity. 4. Guest users from partner organizations must be automatically reviewed quarterly to ensure they still need access. 5. The company wants to minimize administrative overhead by automating as much as possible. You need to design a solution that meets these requirements using Microsoft Entra ID capabilities. Which combination of actions should you take?

A.Configure Self-Service Password Reset (SSPR) for all users. Enable Microsoft Entra ID Protection. Create an access review for guests.
B.Use Microsoft Entra ID Protection to enforce MFA based on risk. Implement Privileged Identity Management (PIM) for IT. Configure access reviews for guests.
C.Enable security defaults to enforce MFA for all users. Configure Microsoft Entra ID Protection to monitor anomalies. Use Microsoft Entra ID Governance to automate guest access reviews.
D.Create Conditional Access policies: one requiring MFA for the finance app, another requiring passwordless authentication strength for IT. Enable Microsoft Entra ID Protection to log and monitor sign-in risks. Create an access review for guest users.
Answer: D

Meets all requirements: MFA for finance app, passwordless for IT, monitoring via ID Protection, and guest reviews.

Why this answer

Option D is correct because it uses Conditional Access policies to enforce MFA for the finance app and passwordless authentication strength for IT, meeting requirements 1 and 2. Microsoft Entra ID Protection logs and monitors sign-in risks for sensitive apps (requirement 3), and an access review for guest users automates quarterly reviews (requirement 4). This minimizes administrative overhead by leveraging automation, aligning with requirement 5.

Exam trap

The trap here is that candidates often confuse security defaults (which enforce MFA for all users but lack granularity) with Conditional Access policies (which allow targeted MFA and authentication strength requirements), and they may overlook that passwordless enforcement requires an authentication strength policy, not just MFA.

How to eliminate wrong answers

Option A is wrong because SSPR does not enforce MFA or passwordless authentication; it only allows self-service password reset, and Entra ID Protection alone cannot enforce MFA without a Conditional Access policy. Option B is wrong because PIM is for just-in-time privileged access management, not for enforcing passwordless authentication for all IT users; it also does not address the MFA requirement for the finance app. Option C is wrong because security defaults enforce MFA for all users, not just for sensitive apps, and they do not support passwordless authentication strength policies; Entra ID Governance is not a specific feature for automating guest access reviews (access reviews are part of Entra ID Governance, but the option incorrectly implies a separate product).

93
MCQ · hard

A multinational organization uses Microsoft Entra ID for identity management. External contractors need temporary elevated access to Azure resources for a critical project. The access must be time-bound (expires after 8 hours), require manager approval, and enforce multifactor authentication (MFA) when contractors activate the role. Which Microsoft Entra capability should they configure?

A.Privileged Identity Management (PIM)
B.Identity Protection
C.Conditional Access
D.Access Reviews
Answer: A

PIM allows administrators to define time-bound, just-in-time eligible assignments with approval requirements and can require MFA upon activation, which meets all the stated requirements. Note that PIM approvers are specific users or groups selected in the role settings; "manager approval" is implemented by naming the manager (or a group of managers) as the approver.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure resources with time-bound activation (e.g., 8-hour expiry), requires approval workflows (manager approval), and enforces multifactor authentication (MFA) during role activation. PIM is specifically designed to manage, control, and monitor access to critical resources through time-limited, approved, and MFA-protected role assignments.

Exam trap

The trap here is that candidates confuse Conditional Access (which enforces MFA at sign-in) with PIM's ability to enforce MFA specifically during role activation, or they mistakenly think Access Reviews can grant time-bound access, when in fact Access Reviews only validate existing access and do not provide JIT activation or approval workflows.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not provide time-bound role activation, approval workflows, or MFA enforcement for privileged access. Option C (Conditional Access) is wrong because it enforces access policies (like MFA) based on signals (user, location, device) at sign-in time, but it does not manage role activation, time-bound expiry, or approval workflows for privileged roles. Option D (Access Reviews) is wrong because it is used to periodically review and certify existing group memberships or role assignments, not to grant temporary, time-bound elevated access with approval and MFA enforcement.
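Questions 77 and 93 both come down to the checks PIM runs on an activation request: the requested duration against the role's maximum, a justification, MFA at activation and, where configured, an approver's decision. The following is an added example for this page, not Microsoft code or part of the exam; it re-implements those checks so the rule can be seen end to end. The request mirrors the Microsoft Graph `unifiedRoleAssignmentScheduleRequest` body (`action`, `roleDefinitionId`, `justification`, `scheduleInfo.expiration` with an ISO 8601 `duration`). The two policy dictionaries are constructed summaries of a PIM role setting, not the Graph `unifiedRoleManagementPolicy` schema: `DEFAULT_GA_POLICY` uses PIM's defaults (8 hours, justification and MFA on activation), `CONTRACTOR_POLICY` is the question 93 scenario with an assumed role id, and the `session` argument stands in for what the activating sign-in has already proved.

```python
"""Validate a PIM self-activation request against the role's activation settings.

Added example for this page; not Microsoft code. Policy dictionaries are
constructed summaries of PIM role settings (maximumDuration from the expiration
rule, enabledRules from the enablement rule, isApprovalRequired from the
approval rule); the request follows the Graph roleAssignmentScheduleRequests shape.
"""
import re
from datetime import timedelta

# Well-known template id of the Global Administrator directory role.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

DEFAULT_GA_POLICY = {
    "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
    "maximumDuration": "PT8H",            # PIM default; an admin may configure up to PT24H
    "enabledRules": ["Justification", "MultiFactorAuthentication"],
    "isApprovalRequired": False,
}

# Question 93: contractor role, 8 h expiry, approval and MFA on activation.
CONTRACTOR_POLICY = {
    "roleDefinitionId": "contractor-project-role",   # assumed placeholder id
    "maximumDuration": "PT8H",
    "enabledRules": ["Justification", "MultiFactorAuthentication"],
    "isApprovalRequired": True,
}


def parse_iso_duration(value):
    """Parse the ISO 8601 duration subset PIM uses: PnD, PTnH, PTnM and combinations."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def activation_request(role_id, duration, justification):
    """Build a selfActivate request body (constructed sample; principalId is a placeholder)."""
    return {
        "action": "selfActivate",
        "principalId": "00000000-0000-0000-0000-000000000000",
        "roleDefinitionId": role_id,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": "2024-05-01T08:00:00Z",
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }


def validate_activation(request, policy, session):
    """Return (allowed, reasons). Every failed check is reported, not just the first.

    `session` records what the activating sign-in has already proved:
    mfa_satisfied (MFA claim at activation) and approved (approver decision).
    """
    reasons = []
    if request.get("action") != "selfActivate":
        reasons.append("only selfActivate requests are evaluated here")
    if request.get("roleDefinitionId") != policy["roleDefinitionId"]:
        reasons.append("request targets a different role than the policy")
    expiration = request.get("scheduleInfo", {}).get("expiration", {})
    if expiration.get("type") != "afterDuration":
        reasons.append("activation must expire afterDuration")
    else:
        requested = parse_iso_duration(expiration["duration"])
        maximum = parse_iso_duration(policy["maximumDuration"])
        if requested > maximum:
            reasons.append(f"duration {expiration['duration']} exceeds maximum {policy['maximumDuration']}")
    if "Justification" in policy["enabledRules"] and not request.get("justification", "").strip():
        reasons.append("justification is required")
    if "MultiFactorAuthentication" in policy["enabledRules"] and not session.get("mfa_satisfied"):
        reasons.append("MFA must be satisfied at activation")
    if policy["isApprovalRequired"] and not session.get("approved"):
        reasons.append("waiting for approver decision")
    return not reasons, reasons


if __name__ == "__main__":
    for duration in ("PT8H", "PT12H"):
        req = activation_request(GLOBAL_ADMIN_ROLE_ID, duration, "Ticket 4711: tenant config change")
        print(duration, validate_activation(req, DEFAULT_GA_POLICY, {"mfa_satisfied": True}))
    req = activation_request("contractor-project-role", "PT8H", "Project cutover")
    print("contractor, unapproved:", validate_activation(req, CONTRACTOR_POLICY, {"mfa_satisfied": True}))
```

With default settings the 8-hour Global Administrator request from question 77 passes and a 12-hour request is rejected on duration alone; raising `maximumDuration` to `PT24H` in the policy is what an administrator would have to do for the longer request to pass. The contractor request from question 93 is held until `approved` is set, which is the approver's decision rather than anything the requester can supply.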

94
Drag & Drop · medium

Order the steps to create a conditional access policy in Azure AD.


Why this order

Creating a conditional access policy requires admin sign-in, navigating to Conditional Access, creating a new policy, configuring assignments and controls, then enabling it.

95
MCQmedium

A company uses Microsoft Entra ID. They want to ensure only current employees have access to a sensitive HR application. They implement a process where group membership for the HR app is reviewed quarterly by the HR manager, and any unnecessary access is automatically removed. Which Microsoft Entra feature should they use?

A.A
B.B
C.C
D.D
AnswerC

Correct. Access Reviews in Microsoft Entra ID Governance allow scheduled reviews and automatic removal of unnecessary access.

Why this answer

Option C is correct because the scenario describes a recurring review of group membership for the HR application, with automatic removal of unnecessary access. This is exactly what Microsoft Entra ID Governance's Access Reviews feature provides: scheduled reviews (e.g., quarterly) where a reviewer (the HR manager) attests to each member's continued need, and stale access is automatically revoked upon completion.

Exam trap

The trap here is that candidates often confuse Access Reviews with Privileged Identity Management (PIM) because both involve 'review' and 'access,' but PIM is specifically for privileged roles and time-bound activation, not for recurring attestation of standard application group memberships.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for recurring attestation of standard group membership for an application. Option B is wrong because Conditional Access policies enforce real-time access controls based on conditions (location, device, risk), but they do not provide periodic review or automatic removal of group memberships. Option D is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins), not on scheduling and automating group membership attestation.

96
MCQeasy

You are designing an identity solution for a new company that will use Microsoft Entra ID. The company wants employees to use biometrics (fingerprint) on their mobile devices to sign in without typing a password. Which Microsoft Entra feature should you implement?

A.Windows Hello for Business
B.Microsoft Authenticator app (passwordless)
C.SMS-based sign-in
D.FIDO2 security keys
AnswerB

Microsoft Authenticator app supports passwordless sign-in using fingerprint or face on mobile devices.

Why this answer

The Microsoft Authenticator app (passwordless) allows users to sign in to Microsoft Entra ID using biometrics (fingerprint, face, or PIN) on their mobile device without entering a password. This feature uses the device's built-in biometric capabilities to verify the user's identity, making it the correct choice for the described scenario.

Exam trap

The trap here is that candidates may confuse Windows Hello for Business with mobile biometrics, but Windows Hello for Business is specifically tied to Windows devices and not to mobile phones or tablets.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business is designed for Windows devices (PCs, laptops) using biometrics like fingerprint or facial recognition, not for mobile devices. Option C is wrong because SMS-based sign-in uses a text message code, not biometrics, and still requires a password for initial setup. Option D is wrong because FIDO2 security keys are hardware-based external devices (e.g., USB keys) that require physical possession, not mobile device biometrics.

97
MCQmedium

A user reports that they cannot access a cloud app even though they are in the correct location and have a valid license. The administrator suspects a Conditional Access policy might be blocking access. Which tool should the admin use to diagnose the issue?

A.Sign-in logs
B.My Apps portal
C.Conditional Access 'What If' tool
D.Audit logs
AnswerC

The 'What If' tool simulates a sign-in to evaluate which policies would apply.

Why this answer

The Conditional Access 'What If' tool is specifically designed to simulate how a Conditional Access policy would apply to a given user, application, and sign-in condition. It allows the admin to test policy effects without affecting the user's actual sign-in, making it the ideal diagnostic tool when a policy is suspected of blocking access.

Exam trap

The trap here is that candidates often confuse the Sign-in logs (which show what happened) with the 'What If' tool (which shows what would happen), leading them to choose the reactive log instead of the proactive simulation tool.

How to eliminate wrong answers

Option A is wrong because Sign-in logs show historical sign-in events and their status (success, failure, blocked), but they do not allow proactive simulation of Conditional Access policies to determine why a specific access attempt was blocked. Option B is wrong because the My Apps portal is an end-user interface for launching assigned applications, not a diagnostic tool for analyzing Conditional Access policy impacts. Option D is wrong because Audit logs track changes made to directory resources (e.g., policy modifications, user updates), not real-time sign-in attempts or Conditional Access policy evaluations.

98
MCQmedium

A company's security team discovers that most recent account compromises resulted from attackers exploiting legacy authentication protocols (POP3, IMAP, SMTP Auth) that do not support multi-factor authentication. The team wants to immediately block all sign-in attempts using these legacy protocols while still allowing modern authentication methods (e.g., OAuth 2.0). Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management
D.Multi-factor Authentication
AnswerA

Conditional Access policies can include a 'Block legacy authentication' condition. This allows administrators to create a policy that blocks all sign-ins from clients that do not support MFA, effectively stopping attacks that rely on legacy protocols while preserving modern authentication.

Why this answer

Conditional Access policies in Microsoft Entra ID can be configured to block authentication attempts from legacy protocols (POP3, IMAP, SMTP Auth) by targeting client apps that do not support modern authentication. This allows the security team to immediately enforce a block on all sign-ins using these protocols while still permitting modern OAuth 2.0-based methods, directly addressing the requirement without disabling MFA for users who can use modern clients.

Exam trap

The trap here is that candidates often confuse the 'block legacy authentication' capability with MFA or Identity Protection, assuming that enabling MFA alone will stop legacy protocol abuse, when in fact legacy protocols bypass MFA entirely and require a Conditional Access policy to be explicitly blocked.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it is a risk-based detection and remediation service that identifies compromised identities or risky sign-ins, but it cannot directly block specific authentication protocols like POP3 or SMTP Auth. Option C (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and access reviews, not on controlling authentication protocols or blocking legacy methods. Option D (Multi-factor Authentication) is wrong because legacy protocols do not support MFA challenges; enabling MFA alone does not prevent attackers from using these protocols to bypass MFA entirely.

99
MCQeasy

Refer to the exhibit. You run this PowerShell cmdlet. What is the outcome?

A.A guest user is created in Microsoft Entra ID and an invitation email is sent.
B.The external user is added as a member user without an invitation.
C.The external user is provisioned as a consumer account in Azure AD B2C.
D.The external user is added as a member user and cannot be a guest.
AnswerA

The cmdlet creates a B2B guest user and sends an invitation email.

Why this answer

The `New-MgInvitation` cmdlet creates a guest user in Microsoft Entra ID and sends an invitation email by default. This is the standard behavior for B2B collaboration, where the external user is assigned the 'Guest' user type and receives an email to accept the invitation and redeem their account.

Exam trap

The trap here is that candidates often confuse the `New-MgInvitation` cmdlet with `New-MgUser`, which creates a member user, and mistakenly think the invitation email is optional or that the user type can be changed to member without additional steps.

How to eliminate wrong answers

Option B is wrong because `New-MgInvitation` always sends an invitation email; it does not add the external user as a member user without an invitation. Option C is wrong because Azure AD B2C consumer accounts are created using separate B2C-specific cmdlets (e.g., `New-AzureADMSB2CUser`), not `New-MgInvitation`. Option D is wrong because the cmdlet explicitly creates a guest user, not a member user, and the guest user type cannot be changed to member via this cmdlet.

100
MCQmedium

A company uses Microsoft Entra ID and wants to allow users to reset their own passwords without help desk intervention. However, they want to ensure that only users who have already registered for multifactor authentication (MFA) can use self-service password reset (SSPR). Which Microsoft Entra feature should the administrator configure to enforce this requirement?

A.Conditional Access
B.Self-Service Password Reset (SSPR) settings
C.Identity Protection
D.Privileged Identity Management
AnswerB

SSPR settings include authentication method requirements. The administrator can require users to register for MFA as part of the SSPR registration process or require MFA as one of the authentication methods.

Why this answer

Option B is correct because Self-Service Password Reset (SSPR) settings in Microsoft Entra ID include a configuration option to require users to register for multifactor authentication (MFA) before they can use SSPR. By enabling the 'Require users to register when they sign in' setting under SSPR, the administrator ensures that only MFA-registered users can reset their own passwords, meeting the requirement without additional policies.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces MFA during sign-in) with the SSPR registration requirement, but Conditional Access does not control the SSPR registration prerequisite—only the SSPR settings can enforce that users must be MFA-registered before using password reset.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA during sign-in) but does not directly control SSPR registration requirements; it cannot enforce that only MFA-registered users can use SSPR. Option C is wrong because Identity Protection is designed to detect and respond to identity risks (e.g., leaked credentials, anomalous sign-ins) and does not manage SSPR registration or usage restrictions. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and access reviews, not password reset registration enforcement.

101
MCQmedium

A company uses Microsoft Entra ID and Intune for mobile device management. They want to grant access to a confidential project management site only from devices that are encrypted and have the latest anti-malware updates. Which Conditional Access assignment should they configure to enforce this requirement?

A.Sign-in risk
B.Device state
C.User risk
D.Application
AnswerB

Correct. Device state policies can require a device to be marked as compliant, which enforces that it meets Intune-defined requirements like encryption and up-to-date anti-malware.

Why this answer

Option B (Device state) is correct because Conditional Access policies can use the 'Device state' condition to require that devices are marked as compliant or are hybrid Azure AD joined. Compliance is determined by Intune compliance policies, which can enforce requirements like encryption and up-to-date anti-malware. By setting the 'Device state' condition to 'Compliant device' or 'Hybrid Azure AD joined device', access to the confidential site is granted only to devices meeting those security baselines.

Exam trap

The trap here is that candidates confuse 'Device state' (which enforces device compliance like encryption and anti-malware) with 'Sign-in risk' or 'User risk', which are identity-focused risk detections unrelated to device health.

How to eliminate wrong answers

Option A (Sign-in risk) is wrong because sign-in risk is a real-time detection of anomalous sign-in behavior (e.g., impossible travel, anonymous IP) and does not evaluate device encryption or anti-malware status. Option C (User risk) is wrong because user risk assesses the likelihood that a user's identity has been compromised based on historical events (e.g., leaked credentials), not device health attributes. Option D (Application) is wrong because the Application condition specifies which cloud apps the policy applies to, not the device compliance state; it controls scope, not device security posture.

102
MCQmedium

Your organization uses Microsoft Entra ID with P1 licenses. You need to provide a temporary access pass for a new employee to set up their account without a password. Which Microsoft Entra feature should you use?

A.Microsoft Entra Temporary Access Pass
B.Microsoft Entra Privileged Identity Management
C.Microsoft Entra Identity Protection
D.Microsoft Entra Verified ID
AnswerA

TAP is a time-limited passcode for passwordless onboarding.

Why this answer

The Temporary Access Pass (TAP) is a time-limited passcode issued by an administrator that allows a user to register passwordless authentication methods (e.g., Microsoft Authenticator, FIDO2 security key) without needing an existing password. This directly meets the requirement for a new employee to set up their account without a password, and it is available with Microsoft Entra ID P1 licenses.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with any 'temporary' access feature, but PIM grants temporary privileged roles, not a passwordless onboarding token.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) is used for just-in-time privileged role activation and access reviews, not for issuing temporary credentials for passwordless onboarding. Option C is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not provide a mechanism to create a temporary pass for initial setup. Option D is wrong because Verified ID is a decentralized identity solution for issuing and verifying verifiable credentials (e.g., diplomas, IDs) and is unrelated to temporary access passes for passwordless registration.

103
MCQmedium

Your company uses Microsoft Entra ID. You need to enforce that all users register for MFA within 14 days of account creation. Which feature should you use?

A.Identity Protection
B.MFA registration campaign
C.Conditional Access
D.Security defaults
AnswerB

The registration campaign policy can require users to register MFA within a set number of days.

Why this answer

The MFA registration campaign is specifically designed to nudge users to register for MFA within a configurable time frame after account creation. It sends targeted notifications and enforces registration by blocking access until the user completes MFA setup, directly meeting the 14-day requirement.

Exam trap

The trap here is that candidates often confuse Conditional Access (which enforces MFA at sign-in) with the registration campaign (which enforces the initial MFA setup process), not realizing that Conditional Access cannot force a user to register within a specific number of days—it only blocks access if MFA is absent.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based detection and remediation tool (e.g., detecting leaked credentials or risky sign-ins), not a mechanism to enforce MFA registration deadlines. Option C is wrong because Conditional Access policies can require MFA during sign-in but cannot enforce a registration deadline or send reminder prompts; they only block access if MFA is not already registered. Option D is wrong because Security defaults enforce MFA registration for all users but do not allow a custom 14-day grace period—they require registration at first sign-in with no configurable delay.

104
MCQhard

Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution that automatically detects and remediates users with leaked credentials. Additionally, you need to require users to change their password when a high risk is detected. Which Microsoft Entra features should you configure?

A.Enable Microsoft Entra Identity Protection, configure a user risk policy to require password change when risk is medium or high.
B.Create an Access Review for all users and require them to confirm their access quarterly.
C.Enable Privileged Identity Management (PIM) and require multi-factor authentication for all role activations.
D.Configure a Conditional Access policy to require password change when sign-in risk is high.
AnswerA

Correct: Identity Protection detects leaked credentials and user risk policy forces password change.

Why this answer

Option A is correct because Microsoft Entra Identity Protection detects leaked credentials by monitoring for credential exposures on the dark web and other sources. Configuring a user risk policy to require a password change when risk is medium or high automatically remediates the detected risk by forcing the user to update their password, directly addressing the requirement for automatic detection and remediation.

Exam trap

The trap here is confusing user risk (which detects leaked credentials and other user-level threats) with sign-in risk (which evaluates real-time session anomalies), leading candidates to incorrectly select Option D, which only addresses sign-in risk and not the required leaked credential detection.

How to eliminate wrong answers

Option B is wrong because Access Reviews are designed for periodic attestation of access rights, not for detecting or remediating leaked credentials or enforcing password changes based on risk. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and requires MFA for those activations, but it does not detect leaked credentials or enforce user password changes for general users. Option D is wrong because a Conditional Access policy can require a password change only when sign-in risk is high, but it does not automatically detect leaked credentials; sign-in risk evaluates real-time session anomalies, not leaked credential exposure, and the question specifically requires detection of leaked credentials, which is a user risk feature.

105
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Entra ID? (Select two.)

Select 2 answers
A.Antivirus and antimalware protection
B.Identity as a Service (IDaaS) for cloud applications
C.Provide network firewall services
D.Manage mobile devices and applications
E.Single sign-on (SSO) to thousands of SaaS applications
AnswersB, E

Microsoft Entra ID is a cloud-based identity service.

Why this answer

Microsoft Entra ID is a cloud-based identity and access management service, providing Identity as a Service (IDaaS) for cloud applications. It enables organizations to manage user identities and control access to resources, including thousands of pre-integrated SaaS applications through single sign-on (SSO). This makes options B and E correct, because Entra ID's core function is identity management, not endpoint security or network infrastructure.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID with broader security suites like Microsoft 365 Defender or Azure security services, mistakenly attributing endpoint protection or network firewall capabilities to identity management.

106
MCQmedium

A company uses Microsoft Entra ID and wants to allow external business partners to request access to a specific application through an approval process. The access should be time-limited and automatically expired. Which Microsoft Entra ID feature should be configured?

A.Conditional Access
B.Entitlement management
C.Privileged Identity Management (PIM)
D.Self-service group management
AnswerB

Entitlement management uses access packages to allow users to request access, with approval workflows and automatic expiration, ideal for external partners.

Why this answer

Microsoft Entra entitlement management (part of Identity Governance) allows organizations to manage access for internal and external users through access packages, which include policies for requesting, approving, and automatically expiring access. Conditional Access is for enforcing policies during sign-in, PIM manages privileged roles, and self-service group management allows users to manage group membership but does not provide approval workflows or time-limited access for external users out-of-the-box.

107
MCQeasy

Your company wants to allow employees to use their corporate Microsoft Entra ID credentials to sign in to third-party SaaS applications like Salesforce and ServiceNow. Which Microsoft Entra feature should you configure?

A.Conditional Access policies.
B.Microsoft Entra B2B collaboration.
C.Microsoft Entra Identity Protection.
D.Enterprise applications with pre-integrated gallery apps.
AnswerD

Enterprise apps allow SSO configuration for SaaS apps.

Why this answer

Option D is correct because configuring a third-party SaaS application like Salesforce or ServiceNow as an Enterprise Application in Microsoft Entra ID allows you to set up federation using SAML 2.0 or OpenID Connect, enabling users to sign in with their corporate Entra ID credentials. The pre-integrated gallery apps provide pre-configured templates that simplify the setup of single sign-on (SSO) and user provisioning, making it the appropriate feature for this requirement.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls access after authentication) with the actual SSO configuration feature, or they mistakenly think B2B collaboration is for internal users accessing external apps, when it is specifically for external users accessing internal resources.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies are used to enforce access controls (e.g., MFA, location restrictions) after SSO is configured, not to enable the initial sign-in with corporate credentials. Option B is wrong because Microsoft Entra B2B collaboration is designed for inviting external users (guests) from other organizations, not for enabling internal employees to use their corporate credentials for third-party SaaS apps. Option C is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., leaked credentials, impossible travel), not a feature for configuring SSO or authentication to external applications.

108
MCQmedium

A company uses Microsoft Entra ID. The security team needs to grant temporary elevated access to the Global Administrator role for a specific task, such as configuring a new security policy. They want the user to request activation, which is then approved by a manager, and the privileges automatically expire after 4 hours. Which Microsoft Entra feature should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerC

PIM allows just-in-time activation of privileged roles with approval and automatic expiration, matching the described requirements.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access, allowing users to request activation of roles like Global Administrator. The activation can require approval from a manager and is automatically deactivated after a configurable maximum duration (e.g., 4 hours), directly meeting the security team's requirements.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Conditional Access, because both involve policies and access control, but PIM specifically handles just-in-time privileged role activation with approval and expiration, while Conditional Access focuses on access conditions for all users.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like user location or device compliance, but it does not provide time-bound role activation with approval workflows. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials); it does not manage privileged role activation or expiration. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, not to elevate or manage role assignments.

109
MCQmedium

A company uses Microsoft Entra ID. The security team wants to provide just-in-time (JIT) administrative access to Azure resources. They require that administrators must request approval before gaining elevated privileges, and that the elevated access automatically expires after the task is completed. Which Microsoft Entra capability should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerC

Correct. PIM enables just-in-time privileged access, requiring approval and setting time-bound access that automatically expires.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure resources with time-bound activation, approval workflows, and automatic expiration. PIM allows administrators to request elevation for a specific role, which must be approved by designated approvers, and the elevated access automatically expires after the configured duration (e.g., 1–8 hours). This directly meets the security team's requirements for approval-based, time-limited administrative access.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to apps and resources) with PIM (which controls time-bound elevation of roles), because both involve 'access' and 'conditions,' but only PIM provides JIT activation with approval and automatic expiration.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like user location or device compliance, but it does not provide JIT role activation, approval workflows, or automatic expiration of elevated privileges. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials or sign-ins from anonymous IPs), but it does not manage privileged role assignments or time-bound elevation. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, which is unrelated to granting or managing elevated administrative access to Azure resources.

110
MCQmedium

A company uses Microsoft Entra ID. They want to require all users accessing the external vendor portal to accept a terms of use document before they are granted access. The acceptance must be revoked after 30 days, requiring the user to accept again. Which Conditional Access component should the administrator configure?

A.Assignments
B.Access controls (Grant)
C.Conditions
D.Session controls
AnswerB

Access controls (Grant) allow you to require multifactor authentication, device compliance, and terms of use acceptance.

Why this answer

The administrator needs to enforce a terms of use acceptance that expires after 30 days. In Conditional Access, the 'Access controls (Grant)' section includes the 'Require terms of use' option, which can be configured to require re-acceptance after a specified duration (e.g., 30 days). This directly meets the requirement by blocking access until the user accepts the current version of the terms of use document.

Exam trap

The trap here is that candidates often confuse 'Session controls' (which manage sign-in frequency or app restrictions) with the ability to enforce terms of use acceptance, but only the 'Grant' control can require a terms of use document to be accepted.

How to eliminate wrong answers

Option A is wrong because 'Assignments' define which users, groups, or applications the policy applies to, not the specific access requirements like terms of use acceptance. Option C is wrong because 'Conditions' define signals such as location, device state, or risk level that trigger the policy, but they do not enforce the acceptance of a terms of use document. Option D is wrong because 'Session controls' manage user experience during a session (e.g., app enforced restrictions, sign-in frequency), but they cannot enforce a terms of use acceptance requirement.

111
MCQeasy

You are configuring Microsoft Entra ID Governance. You need to ensure that when a user leaves the organization, their access to all SaaS applications is automatically revoked. Which Microsoft Entra feature should you use?

A.Microsoft Entra Conditional Access
B.Microsoft Entra Privileged Identity Management (PIM)
C.Microsoft Entra Access Reviews
D.Microsoft Entra Terms of Use
AnswerC

Access Reviews can automatically remove access when users leave or are disabled.

Why this answer

Microsoft Entra Access Reviews allows administrators to create recurring reviews of user access to SaaS applications. When a user leaves the organization, an automated access review can be configured to remove their access based on the review results, ensuring revocation of access to all assigned SaaS apps. This directly addresses the requirement for automatic revocation upon departure.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access during authentication) with lifecycle management features like Access Reviews, which handle ongoing governance and automatic removal of access after a user leaves.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access enforces access policies based on conditions like location or device state at sign-in time, but it does not automatically revoke access when a user leaves the organization. Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not the lifecycle-based revocation of access to SaaS applications for departing users. Option D is wrong because Microsoft Entra Terms of Use presents acceptance policies to users before accessing resources, but it does not automate access removal when a user leaves.

112
Multi-Selectmedium

Which TWO features are part of Microsoft Entra ID P2 licensing? (Choose two.)

Select 2 answers
A.Conditional Access
B.Basic Mobility and Security
C.Microsoft Entra Identity Protection
D.Microsoft Entra Self-Service Password Reset
E.Microsoft Entra Privileged Identity Management
AnswersC, E

Identity Protection is a P2 feature.

Why this answer

Microsoft Entra ID P2 licensing includes advanced security features such as Microsoft Entra Identity Protection and Microsoft Entra Privileged Identity Management (PIM). Identity Protection uses machine learning to detect and remediate identity-based risks like leaked credentials and anomalous sign-in patterns, while PIM provides just-in-time privileged access and approval workflows. These capabilities are exclusive to P2 and are not available in P1 or free tiers.

Exam trap

The trap here is that candidates often mistake Conditional Access (a P1 feature) for a P2 exclusive because it is commonly paired with Identity Protection in security demos, but Conditional Access itself does not require P2 licensing.

113
Multi-Select · hard

Which three features are available in Microsoft Entra ID P2 but not in P1? (Choose three.)

Select 3 answers
A. Access reviews
B. Privileged Identity Management (PIM)
C. Identity Protection risk-based policies
D. Conditional Access policies
E. Self-service password reset (SSPR) with writeback
Answers: A, B, C

Access reviews require P2.

Why this answer

Access reviews are a Microsoft Entra ID P2 feature that allows administrators to automate periodic reviews of group memberships, application access, and role assignments. This capability is not available in P1, which lacks the automated review workflows and attestation features that P2 provides for governance and compliance.

Exam trap

The trap here is that candidates often mistake Conditional Access policies for a P2-only feature, but they are actually available in P1; P2 adds Identity Protection risk-based policies and PIM, not the base Conditional Access engine.

114
MCQ · medium

Your organization uses Microsoft Entra ID to manage identities. You need to ensure that users receive a notification when their password is about to expire. Which feature should you configure?

A. Self-service password reset (SSPR)
B. Password expiration notifications
C. Identity Protection
D. Privileged Identity Management
Answer: B

Entra ID can email users before their password expires.

Why this answer

Password expiration notifications is the correct feature because it directly sends email notifications to users when their password is nearing expiration. This feature is configured in the Microsoft Entra admin center under 'Password expiration notifications' and allows you to set the number of days before expiration that users are notified. It is a simple, built-in mechanism that does not require additional licensing or complex configuration.

Exam trap

The trap here is that candidates confuse 'password expiration notifications' with 'self-service password reset' (SSPR), assuming that SSPR includes proactive alerts, when in fact SSPR is a reactive reset tool and does not send expiration warnings.

How to eliminate wrong answers

Option A is wrong because Self-service password reset (SSPR) allows users to reset their own passwords when forgotten or expired, but it does not proactively send notifications about upcoming password expiration. Option C is wrong because Identity Protection is a risk-based security feature that detects and responds to identity threats, such as leaked credentials or suspicious sign-ins, and does not handle password expiration notifications. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time access and role activation for privileged roles, and has no capability to send password expiration alerts.

115
MCQ · medium

Your organization uses Microsoft Entra ID and Microsoft Defender for Cloud Apps. You want to monitor and control the use of cloud apps by enforcing session policies, such as preventing downloads from unmanaged devices. Which integration should you use?

A. Microsoft Purview
B. Microsoft Sentinel
C. Microsoft Intune
D. Microsoft Defender for Cloud Apps
Answer: D

Defender for Cloud Apps provides session policies via Conditional Access App Control.

Why this answer

Microsoft Defender for Cloud Apps is the correct integration because it provides Cloud Access Security Broker (CASB) functionality, enabling session policies via reverse proxy to control user actions like blocking downloads from unmanaged devices. These policies are enforced in real time by inspecting and modifying traffic to cloud apps based on device compliance signals from Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse Microsoft Intune's device management capabilities with the real-time session enforcement provided by Defender for Cloud Apps, assuming Intune can directly block downloads from unmanaged devices in cloud apps, which it cannot.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview focuses on data governance, compliance, and information protection (e.g., DLP, retention labels), not on real-time session control of cloud app usage. Option B is wrong because Microsoft Sentinel is a Security Information and Event Management (SIEM) and SOAR tool for threat detection and response, not for enforcing granular session policies on cloud apps. Option C is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) service that manages devices and apps, but it does not provide the reverse proxy session-level controls needed to enforce policies like preventing downloads from unmanaged devices in cloud apps.

116
Multi-Select · hard

You are a security architect for a large enterprise using Microsoft Entra ID. You need to implement a solution that enforces least-privilege access and reduces lateral movement. Which THREE Microsoft Entra capabilities should you include in your design?

Select 3 answers
A. Identity Protection
B. Password hash synchronization
C. Privileged Identity Management (PIM)
D. Conditional Access policies
E. Microsoft Defender for Cloud Apps
Answers: A, C, D

Correct: Identity Protection detects and remediates identity-based risks, helping to reduce lateral movement.

Why this answer

Identity Protection is correct because it uses machine learning to detect and automatically respond to identity-based risks, such as leaked credentials or anomalous sign-in patterns, which directly reduces the attack surface and limits lateral movement by blocking or challenging risky authentications before an attacker can pivot.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for SaaS app governance) with a core Entra ID capability, or mistakenly think password hash synchronization provides a security benefit beyond authentication synchronization.

117
MCQ · hard

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Sentinel. The query returns sign-in logs with error code 50076. What does this error indicate?

A. The user did not pass multi-factor authentication.
B. The user account is disabled.
C. The user's password has expired.
D. The sign-in was blocked by a Conditional Access policy.
Answer: A

Error 50076 means MFA challenge failed.

Why this answer

Error code 50076 in Microsoft Entra sign-in logs specifically indicates that the user did not pass multi-factor authentication (MFA). This error is returned when the MFA challenge fails, such as when the user enters an incorrect verification code, denies the push notification, or the MFA session expires. It is a direct signal that the authentication attempt was not completed successfully due to MFA failure.

Exam trap

The trap here is that candidates confuse the error code for failing MFA (50076) with the error code for being blocked by a Conditional Access policy (53003), because both involve MFA enforcement, but the error codes indicate different stages of the authentication flow.

How to eliminate wrong answers

Option B is wrong because a disabled user account would generate error code 50057 (user account is disabled), not 50076. Option C is wrong because an expired password results in error code 50055 (password expired), not 50076. Option D is wrong because a sign-in blocked by a Conditional Access policy would return error code 53003 (blocked by Conditional Access), not 50076.

118
MCQ · medium

A company uses Microsoft Entra ID and wants to allow users to sign in using biometrics (fingerprint or face) on their mobile devices instead of passwords. They want this to work for both iOS and Android devices. Which Microsoft Entra ID feature should they enable?

A. Passwordless authentication using Microsoft Authenticator
B. Microsoft Entra Connect Sync Health
C. Microsoft Entra ID Protection
D. Self-Service Password Reset (SSPR)
Answer: A

Microsoft Authenticator app can be configured for passwordless phone sign-in, enabling users to authenticate with a biometric gesture or PIN without entering a password.

Why this answer

Option A is correct because Microsoft Authenticator supports passwordless authentication using FIDO2-based biometric verification on mobile devices. This feature allows users to sign in with a fingerprint or face on both iOS and Android, eliminating the need for a password while leveraging the device's built-in biometric capabilities.

Exam trap

The trap here is that candidates may confuse Self-Service Password Reset (SSPR) with passwordless authentication, but SSPR only resets passwords and does not enable biometric sign-in without a password.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Connect Sync Health is a monitoring tool for synchronization health, not a feature for passwordless authentication. Option C is wrong because Microsoft Entra ID Protection is a security service that detects and responds to identity risks, not a mechanism for biometric sign-in. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their passwords, not to sign in without a password using biometrics.

119
MCQ · medium

A company wants to allow external business partners to access a specific SharePoint Online site using their own corporate identities (such as Google or Facebook accounts). The company also needs to enforce multi-factor authentication (MFA) for these external users. Which Microsoft Entra capability should the administrator configure?

A. Microsoft Entra Connect
B. Microsoft Entra External Identities (B2B collaboration)
C. Microsoft Entra Identity Protection
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: B

B2B collaboration allows you to invite external users to your tenant using their own identities (e.g., Google, Facebook, or any Microsoft Entra ID tenant). Combined with Conditional Access, you can enforce MFA for those guest users.

Why this answer

Microsoft Entra External Identities (B2B collaboration) allows you to invite external users (including those with social identities like Google or Facebook) to access your organization's resources using their own identities. It supports Conditional Access policies, including the enforcement of multi-factor authentication (MFA) for guest users, which meets both requirements.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect (which handles hybrid identity sync) with External Identities (which handles guest user access), or they assume Identity Protection or PIM can be used to grant external access, when they are security monitoring and privilege management tools respectively.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used for synchronizing on-premises Active Directory identities to Microsoft Entra ID, not for inviting external users with social identities. Option C is wrong because Microsoft Entra Identity Protection is a risk-based detection and remediation tool for user identities, not a mechanism to invite external users or enforce MFA on guest access. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews, not external user invitations or MFA enforcement for guest users.

120
Multi-Select · hard

Which TWO of the following are benefits of using Microsoft Entra ID Governance?

Select 2 answers
A. Network segmentation for on-premises resources.
B. Automated access reviews for group memberships.
C. Synchronizing identities from on-premises Active Directory.
D. Lifecycle workflows for employee onboarding and offboarding.
E. Enforcing multi-factor authentication for all users.
Answers: B, D

Access reviews are a governance feature.

Why this answer

Options B and D are correct. Microsoft Entra ID Governance includes access reviews and lifecycle workflows.

How to eliminate wrong answers

Option A is wrong because network segmentation is not identity governance. Option C is wrong because identity synchronization is handled by Microsoft Entra Connect. Option E is wrong because MFA enforcement is a Conditional Access function.

121
MCQ · easy

Your organization uses Microsoft Entra ID Governance. You need to ensure that guest users' access to internal applications is automatically removed after 90 days. What should you configure?

A. Entitlement management
B. Access reviews
C. Identity Protection
D. Privileged Identity Management (PIM)
Answer: B

Access reviews can be configured to automatically remove access after a specified number of days.

Why this answer

Access reviews in Microsoft Entra ID Governance allow you to configure recurring reviews of guest user access to internal applications. By creating an access review with a duration of 90 days and enabling automatic removal of denied users, you ensure that guest access is automatically revoked after the review period ends. This directly meets the requirement for time-based automatic removal.

Exam trap

The trap here is that candidates confuse entitlement management's access package expiration with the automatic removal requirement, but entitlement management only removes access at the end of an access package assignment duration, not based on a recurring review cycle that can enforce removal after a specific number of days regardless of the access package lifecycle.

How to eliminate wrong answers

Option A is wrong because entitlement management manages access packages and catalogs for provisioning access, but it does not automatically remove access after a fixed duration without an associated access review policy. Option C is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised accounts, sign-in anomalies), not on scheduling automatic removal of guest access. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and approval workflows, but it is designed for administrative roles, not for managing guest user access to internal applications with a 90-day removal policy.

122
Multi-Select · easy

Which TWO of the following are authentication methods supported by Microsoft Entra ID? (Select TWO.)

Select 2 answers
A. One-time password (OTP) tokens
B. Password
C. Smart card with PIN
D. Biometric (fingerprint/face)
E. FIDO2 security keys
Answers: B, E

Traditional password authentication.

Why this answer

Password is a fundamental authentication method supported by Microsoft Entra ID. It is the most common primary authentication factor used for user sign-in, where the user provides a username and password that is verified against the directory. Entra ID supports password-based authentication for cloud-only accounts, synchronized on-premises passwords via Password Hash Sync, and pass-through authentication.

Exam trap

The trap here is that candidates often confuse authentication methods supported by Microsoft Entra ID with those supported by on-premises Active Directory or device-level authentication, leading them to incorrectly select smart card with PIN or biometric as native Entra ID methods.

123
MCQ · hard

Refer to the exhibit. The JSON shows a conditional access policy in Microsoft Entra ID. A user signs in from a trusted location using a browser. Which controls will be enforced?

A. MFA, terms of use acceptance, and application enforced restrictions.
B. MFA, terms of use acceptance, sign-in frequency every 1 hour, and Cloud App Security monitoring.
C. Only MFA and terms of use acceptance.
D. Only sign-in frequency and Cloud App Security monitoring.
Answer: B

All configured grant and session controls are applied.

Why this answer

Option B is correct because the Conditional Access policy in the exhibit applies when all specified conditions are met: the user is at a trusted location and the client app is a browser. Its grant controls are 'Require multi-factor authentication' and 'Require terms of use acceptance', and its session controls are 'Sign-in frequency (every 1 hour)' and 'Use Cloud App Security for monitoring'. Since the user signs in from a trusted location using a browser, all of the configured grant and session controls are enforced together.

Exam trap

The trap here is that candidates often assume that a 'trusted location' bypasses all controls except MFA, but in reality, conditional access policies enforce every configured grant and session control regardless of the location condition being met.

How to eliminate wrong answers

Option A is wrong because it omits the 'Sign-in frequency every 1 hour' and 'Cloud App Security monitoring' controls that are explicitly listed in the policy. Option C is wrong because it incorrectly states that only MFA and terms of use acceptance are enforced, ignoring the sign-in frequency and Cloud App Security controls. Option D is wrong because it excludes MFA and terms of use acceptance, which are mandatory grant controls in the policy.

124
MCQ · hard

Refer to the exhibit. You are configuring a Conditional Access policy that requires a compliant device for access to Microsoft 365. The device shown in the exhibit is Azure AD joined, compliant, and managed. However, a user signing in from this device is still blocked. What is the most likely cause?

A. The device profile type is 'Workplace', which is not allowed.
B. The device is not compliant.
C. The device is not managed.
D. The Conditional Access policy requires a Hybrid Azure AD joined device.
Answer: D

The device is Azure AD joined, not hybrid; if the policy requires hybrid, it would be blocked.

Why this answer

Option D is correct because the exhibit shows the device is Azure AD joined, compliant, and managed, yet the user is still blocked. This indicates the Conditional Access policy is configured to require a Hybrid Azure AD joined device, which is a stricter requirement than just being Azure AD joined. A Hybrid Azure AD joined device must be both domain-joined to on-premises Active Directory and registered with Azure AD, whereas an Azure AD joined device is only cloud-joined.

Since the device in the exhibit is only Azure AD joined, it does not satisfy the Hybrid Azure AD joined condition, causing the block.

Exam trap

The trap here is that candidates assume 'compliant' and 'managed' automatically satisfy all Conditional Access device requirements, but Microsoft distinguishes between Azure AD joined, Hybrid Azure AD joined, and registered devices, and policies can require a specific join type that the device does not meet.

How to eliminate wrong answers

Option A is wrong because 'Workplace' is not a valid device profile type in Azure AD; the exhibit shows the device is Azure AD joined, and the profile type field is irrelevant to the policy requirement. Option B is wrong because the exhibit explicitly states the device is compliant, so non-compliance cannot be the cause of the block. Option C is wrong because the exhibit states the device is managed (e.g., via Intune or MDM), so lack of management is not the issue.

125
MCQ · hard

Your organization uses Microsoft Entra ID with P2 licenses. You need to delegate the ability to manage role assignments in Entra ID without granting global admin rights. Which feature should you use?

A. Entitlement Management
B. Conditional Access
C. Administrative Units
D. Privileged Identity Management
Answer: D

PIM allows you to assign roles and delegate management.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID P2 enables just-in-time, time-bound, and approval-based role assignments, allowing you to delegate role management without granting permanent global admin rights. PIM provides role activation workflows and auditing, making it the correct feature for delegating role assignment management.

Exam trap

The trap here is confusing Administrative Units (which limit scope) with Privileged Identity Management (which manages role assignment delegation and activation), as both deal with role management but serve different purposes.

How to eliminate wrong answers

Option A is wrong because Entitlement Management is for managing access packages and resource access lifecycle, not for delegating role assignments in Entra ID. Option B is wrong because Conditional Access enforces access policies based on signals like user location or device compliance, but does not delegate role management. Option C is wrong because Administrative Units restrict administrative scope to specific organizational units (e.g., departments) but do not delegate the ability to manage role assignments themselves; they limit where a role applies, not who can assign roles.

126
MCQ · medium

A company wants to prevent users from using common passwords like 'Password123' and custom banned passwords such as 'Contoso2024' during sign-up or password change. They also need to apply a common banned password list tenant-wide. Which Microsoft Entra feature should they configure?

A. Conditional Access
B. Microsoft Entra ID Password Protection
C. Identity Protection
D. Multifactor Authentication (MFA)
Answer: B

Microsoft Entra ID Password Protection blocks weak passwords by allowing administrators to define custom banned password lists and leveraging a global banned list.

Why this answer

Microsoft Entra ID Password Protection allows administrators to enforce both a global banned password list (Microsoft-managed) and a custom banned password list (tenant-specific). This feature blocks weak passwords like 'Password123' and custom entries like 'Contoso2024' during sign-up or password change operations, making it the correct choice for tenant-wide password policy enforcement.

Exam trap

The trap here is that candidates confuse Conditional Access (which controls access conditions) with password protection policies, or assume Identity Protection handles password bans when it actually focuses on risk detection, not password content enforcement.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from certain locations) based on signals like user risk or device compliance, not for banning specific passwords. Option C is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not manage password content policies. Option D is wrong because Multifactor Authentication (MFA) adds a second verification layer (e.g., phone call, app notification) but does not evaluate or block the use of common or custom banned passwords.

127
MCQ · hard

Your company uses Microsoft Entra ID and wants to automatically assign licenses to new employees based on their department. Which feature should you use?

A. Privileged Identity Management
B. Access reviews
C. Dynamic groups and group-based licensing
D. Entitlement management
Answer: C

Dynamic groups automatically include users based on attributes; group-based licensing assigns licenses to the group.

Why this answer

Dynamic groups in Microsoft Entra ID allow you to automatically add or remove users based on attributes like department. Combined with group-based licensing, you can assign licenses (e.g., Microsoft 365 E5) to all members of that group, so when a new employee is added with the matching department attribute, they automatically receive the correct license without manual intervention.

Exam trap

The trap here is that candidates confuse Entitlement management (which manages access packages) with automatic license assignment, but Entitlement management does not natively assign licenses based on department attributes—it requires custom integration, whereas Dynamic groups with group-based licensing is the direct, built-in solution.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is used for just-in-time privileged role activation and access oversight, not for automatic license assignment. Option B is wrong because Access reviews are periodic attestations to verify that users still need access, not a mechanism to assign licenses automatically. Option D is wrong because Entitlement management handles access packages and approval workflows for resource access, not direct license assignment based on department attributes.

128
MCQ · hard

A company uses Microsoft Entra ID and needs to regularly review membership of a group that grants access to a sensitive HR application. The identity team wants to automate quarterly reviews and automatically remove users who fail to respond or are denied by the reviewer. Which Microsoft Entra ID feature should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Access Reviews
Answer: D

Access Reviews enables administrators to create recurring reviews of group memberships, application access, and role assignments. Unresponsive or denied users can be automatically removed based on review settings.

Why this answer

Option D is correct because Microsoft Entra Access Reviews are specifically designed to automate periodic attestation of group memberships, including the ability to automatically remove users who do not respond or are denied by the reviewer. This feature supports quarterly recurring reviews and integrates directly with Entra ID groups to enforce access governance for sensitive applications.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Access Reviews because both involve 'reviews,' but PIM only handles role activation and approval workflows, not recurring group membership attestation with automatic removal.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces real-time access policies based on signals like location or device compliance, but it does not perform periodic membership reviews or automate removal of users. Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., compromised credentials, suspicious sign-ins), not on reviewing group membership assignments. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and activation workflows for roles, but it does not automate recurring attestation of group memberships or remove non-responding users from standard security groups.

129
MCQ · medium

A company uses Microsoft Entra ID and wants to provide external business partners with access to a specific internal application. The partners already use Microsoft Entra ID in their own organization. The company wants the partners to use their existing corporate credentials to sign in, without creating new user accounts in the company's tenant. The company also wants to manage the access lifecycle, including automatically removing access after a project ends. Which Microsoft Entra ID feature should they use?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra B2C
C. Identity Protection
D. Privileged Identity Management (PIM)
Answer: A

Correct. B2B collaboration enables external partners to use their own corporate identities to access apps in your tenant, with full lifecycle management capabilities.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it allows external users from partner organizations who already have their own Microsoft Entra ID accounts to sign in using their existing corporate credentials, without requiring new user accounts in the company's tenant. It also supports access lifecycle management through features like entitlement management and access reviews, enabling automatic removal of access when a project ends.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for business partners with existing corporate identities) with B2C (for customers using social or local accounts), leading them to select B2C when the scenario clearly describes partner organizations using their own corporate credentials.

How to eliminate wrong answers

Option B (Microsoft Entra B2C) is wrong because it is designed for customer-facing identity management, allowing external users to sign in with social or local accounts, not for business partner collaboration using existing corporate credentials. Option C (Identity Protection) is wrong because it is a risk-based security tool that detects and responds to identity threats, not a feature for inviting external users or managing access lifecycle. Option D (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and access reviews for internal admin roles, not on inviting external business partners or managing their access lifecycle.

130
MCQ · medium

A company wants to allow employees to securely access internal applications from their personal devices. The security policy requires that access is only granted if the device is compliant with company security policies (e.g., encryption enabled, password required, up-to-date operating system). Which Microsoft Entra ID capability should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management
D. Microsoft Entra Verified ID
Answer: A

Correct. Conditional Access policies can require a device to be marked as compliant (via Intune) as a condition for granting access to applications.

Why this answer

Conditional Access in Microsoft Entra ID is the correct capability because it allows administrators to define policies that enforce device compliance before granting access to applications. By integrating with Microsoft Intune, Conditional Access can require that devices meet specific security policies—such as encryption, password requirements, and OS updates—before allowing access. This directly addresses the requirement to grant access only from compliant personal devices.

Exam trap

The trap here is that candidates often confuse Identity Protection (risk-based conditional access) with device compliance Conditional Access, but Identity Protection does not evaluate device health or compliance policies.

How to eliminate wrong answers

Option B is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins), not on enforcing device compliance. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not device-level security checks. Option D is wrong because Microsoft Entra Verified ID is a decentralized identity solution for verifiable credentials (e.g., digital IDs), not for device compliance enforcement.

131
MCQ · medium

A company uses Microsoft Entra ID. A junior administrator needs to occasionally reset passwords for the IT department. The security team wants to grant this permission only for a limited time and require an approval from a senior administrator before the permission becomes active. All password reset actions must be audited. Which Microsoft Entra ID feature should they configure?

A. Entra ID Identity Protection
B. Entra ID Privileged Identity Management (PIM)
C. Entra ID Conditional Access
D. Entra ID Terms of Use
Answer: B

PIM enables just-in-time role activation with approval workflows, time limits, and detailed audit logs, exactly matching the requirement.

Why this answer

Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access, allowing the junior administrator to request a time-limited role for password reset that requires approval from a senior administrator. PIM also enables auditing of all role activations and actions, meeting the security team's requirements for limited duration, approval workflow, and auditability.

Exam trap

The trap here is that candidates often confuse PIM with Conditional Access, thinking that Conditional Access can enforce time-limited permissions, but Conditional Access controls access to resources based on conditions, not the activation or approval of privileged roles.

How to eliminate wrong answers

Option A is wrong because Entra ID Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) and does not provide time-limited role activation or approval workflows. Option C is wrong because Conditional Access enforces access policies based on conditions like location or device state, but it cannot grant or limit administrative permissions for specific tasks like password reset. Option D is wrong because Entra ID Terms of Use is used to present and track acceptance of legal or policy documents before access, and it does not manage role activation, approval, or auditing of administrative actions.

132
MCQmedium

Your company uses Microsoft Entra ID and wants to implement a passwordless authentication strategy for all users. You have a mix of Windows 10 devices, iOS devices, and Android devices. You need a solution that works across all platforms and does not require users to remember passwords. What should you implement?

A.Deploy FIDO2 security keys to all users and register them in Microsoft Entra ID.
B.Deploy Microsoft Authenticator with phone sign-in enabled for all users.
C.Implement certificate-based authentication using smart cards.
D.Enable Windows Hello for Business on all Windows devices.
AnswerB

Correct: Works across Windows, iOS, and Android without passwords.

Why this answer

Microsoft Authenticator with phone sign-in enabled provides a cross-platform passwordless authentication solution that works on Windows 10, iOS, and Android devices. It uses a key-based authentication model where the user's phone generates a cryptographic key pair, eliminating the need for passwords while supporting all required device types.

Exam trap

The trap here is that candidates often treat FIDO2 security keys (Option A) as the only true passwordless method. Phone sign-in with Microsoft Authenticator is also key-based: a device-bound key pair whose private key is unlocked by the phone's biometric or PIN, with no password anywhere in the flow. Because it runs on the iOS and Android phones users already carry and pairs naturally with Windows Hello for Business on the Windows devices, it is the more practical choice for a heterogeneous fleet, where shipping and supporting a hardware key for every user is not required.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys need a USB, NFC or Bluetooth connection plus browser and platform support on every device they sign in from; that support has been uneven on iOS and Android for Microsoft Entra sign-in, and purchasing, distributing and replacing physical keys for every user is a heavier rollout than a phone app. Option C is wrong because certificate-based authentication using smart cards requires card readers and certificate provisioning on each device and is not a practical fit for iOS and Android without additional middleware, making it impractical for a cross-platform passwordless strategy. Option D is wrong because Windows Hello for Business is limited to Windows devices and does not address iOS or Android devices, failing the requirement for a solution that works across all platforms.

133
Multi-Selecthard

Which TWO Microsoft Entra features can help protect against credential attacks?

Select 2 answers
A.Microsoft Entra Connect
B.Self-service password reset
C.Microsoft Entra password protection
D.Access reviews
E.Smart lockout
AnswersC, E

Password protection blocks weak passwords.

Why this answer

Microsoft Entra password protection (C) rejects, at password change or reset time, any password that matches Microsoft's global banned password list (built from Microsoft's own telemetry of commonly used and compromised passwords) or a tenant-defined custom list, including close variations of those words after normalization (case folding and substitutions such as 0 for o or $ for s). Smart lockout (E) defends against brute force and password spray by locking an account for a period after a configurable number of failed sign-in attempts (10 by default), and it tracks failures from familiar and unfamiliar locations separately, so an attacker's failures from an unfamiliar location do not lock out the legitimate user working from a familiar one. Both features directly mitigate password-based attacks like password spraying and brute force.

Exam trap

The trap here is that candidates often read self-service password reset (SSPR) as a defense against credential attacks. SSPR is a password recovery feature: it reduces help-desk load and, when configured with strong verification methods, is safe to offer, but it does nothing to stop an attacker guessing or spraying passwords, which is what the question asks about.
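Added example, not from the question bank: a local re-implementation of the scoring Microsoft documents for Entra password protection (normalize, match banned words with edit distance one, require at least five points). The banned list and user name tokens below are constructed; Microsoft's global list is not published and the real evaluation runs inside Entra ID (and in the on-premises DC agent for hybrid), so this is a model for seeing why a variation of a banned word still fails, not a replacement for the service. Applying the edit-distance match to the user name tokens as well is a simplification of my own.

```powershell
# Constructed custom banned list and user name tokens (Microsoft's global list is not published).
$CustomBannedPasswords = @('contoso', 'blank', 'password', 'summer')
$UserTokens            = @('Alice', 'Lee')

function ConvertTo-NormalizedPassword {
    param([string]$Text)
    # Documented step 1: lowercase, then the common substitutions 0->o, 1->l, $->s, @->a
    $t = $Text.ToLowerInvariant()
    return $t.Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')
}

function Test-WithinOneEdit {
    param([string]$A, [string]$B)
    # True when the Levenshtein distance between A and B is 0 or 1
    if ($A -eq $B) { return $true }
    if ([math]::Abs($A.Length - $B.Length) -gt 1) { return $false }
    if ($A.Length -eq $B.Length) {
        $diff = 0
        for ($i = 0; $i -lt $A.Length; $i++) { if ($A[$i] -ne $B[$i]) { $diff++ } }
        return ($diff -le 1)
    }
    # Lengths differ by one: the shorter string must be the longer one with a single character removed
    if ($A.Length -gt $B.Length) { $long = $A; $short = $B } else { $long = $B; $short = $A }
    $i = 0; $j = 0; $skipped = $false
    while ($i -lt $long.Length -and $j -lt $short.Length) {
        if ($long[$i] -eq $short[$j]) { $i++; $j++; continue }
        if ($skipped) { return $false }
        $skipped = $true; $i++
    }
    return $true
}

function Get-PasswordProtectionScore {
    param([string]$Password, [string[]]$BannedWords)
    $p = ConvertTo-NormalizedPassword $Password
    # Longest banned words first, so 'contoso' wins over any shorter word it contains
    $banned = @($BannedWords | ForEach-Object { ConvertTo-NormalizedPassword $_ } |
                Select-Object -Unique | Sort-Object -Property Length -Descending)
    $score = 0; $i = 0; $found = @()
    while ($i -lt $p.Length) {
        $hit = $null
        foreach ($w in $banned) {
            # Documented step 2: fuzzy match at edit distance one. Try the exact length first,
            # then one longer (an inserted character) and one shorter (a dropped character).
            foreach ($len in @($w.Length, ($w.Length + 1), ($w.Length - 1))) {
                if ($len -lt 3 -or ($i + $len) -gt $p.Length) { continue }
                if (Test-WithinOneEdit -A $p.Substring($i, $len) -B $w) {
                    $hit = @{ Word = $w; Length = $len }; break
                }
            }
            if ($hit) { break }
        }
        if ($hit) {
            # A matched banned word is worth one point no matter how long it is
            $score += 1; $found += $hit.Word; $i += $hit.Length
        } else {
            # Every remaining character that is not part of a banned word is worth one point
            $score += 1; $i += 1
        }
    }
    [pscustomobject]@{
        Password      = $Password
        Normalized    = $p
        BannedMatches = ($found -join ',')
        Score         = $score
        Accepted      = ($score -ge 5)   # documented threshold: fewer than five points is rejected
    }
}

# Constructed candidates: the first two are the examples Microsoft's own documentation walks through.
$candidates = @('ContoS0Bl@nkf9!', 'C0ntos0Blank12', 'Contoso1!', 'Contos0Blnk!x', 'Tr0ub4dor&3')
$candidates |
    ForEach-Object { Get-PasswordProtectionScore -Password $_ -BannedWords ($CustomBannedPasswords + $UserTokens) } |
    Format-Table -AutoSize
```

The two documented cases come out as Microsoft describes them: ContoS0Bl@nkf9! normalizes to contosoblankf9!, earns one point each for contoso and blank plus one per remaining character (f, 9, !), reaches five and is accepted, while C0ntos0Blank12 normalizes to contosoblankl2 and stops at four. Contos0Blnk!x shows the edit-distance rule: blnk is still matched as blank. The practical lesson is that a banned word contributes only one point however many characters it occupies, so appending a year or a symbol to a brand name does not rescue a password.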

134
MCQhard

Your organization uses Microsoft Entra ID with P2 licenses. You need to implement a policy that requires users to perform multifactor authentication (MFA) when accessing the finance application from an untrusted network, but not when accessing it from the corporate network. Which Microsoft Entra feature should you configure?

A.Microsoft Entra Entitlement Management
B.Microsoft Entra ID Protection MFA registration policy
C.Microsoft Entra Conditional Access policy
D.Microsoft Entra Privileged Identity Management (PIM)
AnswerC

Conditional Access can enforce MFA based on location (untrusted vs corporate network).

Why this answer

Microsoft Entra Conditional Access policies allow you to enforce MFA based on conditions such as network location. By configuring a policy that targets the finance application and includes a condition for 'untrusted networks' (e.g., any location other than the corporate network's trusted IP ranges), you can require MFA only when access originates from outside the corporate network. This is the correct feature for granular, condition-based access controls.

Exam trap

The trap here is that candidates often confuse the MFA registration policy (which only ensures users have registered MFA methods) with a Conditional Access policy that actually enforces MFA during sign-in based on conditions like network location.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Entitlement Management is used for managing access packages and identity governance (e.g., automated access requests and reviews), not for enforcing MFA based on network location. Option B is wrong because the Microsoft Entra ID Protection MFA registration policy only enforces that users register for MFA, not that they perform MFA during sign-in based on network conditions. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not location-based MFA enforcement for application access.

135
MCQmedium

A company uses Microsoft Entra ID. The security team wants to grant temporary, time-limited administrative access to Azure subscriptions only when needed, with an approval workflow. Which Microsoft Entra capability should they use?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Entra ID Governance
AnswerC

PIM enables just-in-time, time-bound privileged access with approval workflows, exactly matching the requirement.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) access to both Microsoft Entra roles and Azure resource roles, including Owner or Contributor on an Azure subscription. Administrators are made eligible rather than permanently assigned; activation is time-bound (a maximum duration you set) and can require approval, a justification and MFA, which is exactly the temporary, approved administrative access the security team wants.

Exam trap

The trap here is that candidates confuse PIM with Conditional Access, thinking that Conditional Access can enforce time-limited access via session controls, but Conditional Access cannot grant or revoke Azure RBAC role assignments or require an approval workflow for role activation.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) based on signals like user location or risk, but it does not provide time-limited role activation or an approval workflow for privileged access. Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, anomalous sign-ins) and does not manage role assignments or temporary privileged access. Option D is wrong because Entra ID Governance encompasses broader capabilities like access reviews, entitlement management, and lifecycle workflows, but the specific feature for time-limited, approval-based privileged access to Azure subscriptions is PIM, not governance as a whole.

136
MCQmedium

An organization decides to eliminate passwords for their employees. They deploy Windows Hello for Business on company-issued laptops, allowing users to sign in with a PIN or a biometric gesture (e.g., fingerprint). The IT team also enables Microsoft Authenticator and FIDO2 security keys as alternative sign-in methods. Which Microsoft Entra ID capability are they leveraging?

A.Microsoft Entra ID Protection
B.Conditional Access
C.Passwordless authentication
D.Self-Service Password Reset (SSPR)
AnswerC

Passwordless authentication in Microsoft Entra ID includes Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys, allowing users to sign in securely without a password.

Why this answer

The organization is implementing passwordless authentication by removing passwords and using Windows Hello for Business (PIN/biometrics), Microsoft Authenticator, and FIDO2 security keys. These methods replace the password with a cryptographic key pair bound to the device or user, satisfying the definition of passwordless authentication in Microsoft Entra ID.

Exam trap

The trap here is that candidates confuse the authentication method (passwordless) with the security policies that protect it (Conditional Access) or the risk detection that monitors it (Identity Protection), leading them to select a wrong answer that sounds related but is not the core capability being demonstrated.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security tool that detects identity risks (e.g., leaked credentials, anomalous sign-ins) and enforces remediation, not a sign-in method. Option B is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or compliant devices) based on conditions, not an authentication method itself. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset forgotten passwords, which is irrelevant when passwords are eliminated entirely.

137
MCQhard

Refer to the exhibit. The Conditional Access policy is configured to block access for high-risk users. A user with a medium risk level attempts to sign in. What will happen?

A.Access is blocked
B.User is redirected to a password reset page
C.Access is granted
D.User is prompted for MFA
AnswerC

The policy condition is not met.

Why this answer

The Conditional Access policy targets high-risk users only. A medium-risk user does not satisfy that condition, so this policy is not applied to the sign-in. Conditional Access has no implicit deny: a sign-in that matches no policy (or only policies whose conditions are not met) proceeds, subject to whatever other policies do match, so in this scenario access is granted.

Exam trap

The trap here is that candidates assume any risk level triggers the block. In a Conditional Access policy the user risk and sign-in risk conditions are a set of checked levels (low, medium, high), and the policy applies only to the levels that are checked; selecting High does not implicitly include Medium. A design that should also act on medium risk must select that level too, usually in a separate policy with a softer control (for example, require MFA at medium risk and block at high).

How to eliminate wrong answers

Option A is wrong because the policy specifically targets high-risk users, and a medium-risk user does not match the condition, so access is not blocked. Option B is wrong because a password reset page is triggered only by a policy that requires password change (e.g., user risk policy with 'Require password change' control), which is not configured here. Option D is wrong because MFA prompt would require a policy with 'Require multifactor authentication' control, which is not present in this configuration.

138
Multi-Selecteasy

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

Select 2 answers
A.Passwordless phone sign-in with Microsoft Authenticator
B.Biometric only (fingerprint/face) without device
C.SMS sign-in
D.FIDO2 security keys
E.Certificate-based authentication
AnswersA, D

Authenticator app supports passwordless sign-in.

Why this answer

Passwordless phone sign-in with Microsoft Authenticator (A) is a supported sign-in method: the app holds a device-bound key pair whose private key is protected by the phone's biometric or PIN, and the user approves the sign-in by entering the number shown on the sign-in screen (number matching). No password and no one-time code are involved; the time-based one-time passcodes Authenticator can also generate are a separate MFA method. FIDO2 security keys (D) are likewise a supported passwordless and phishing-resistant method. Both are part of Microsoft's passwordless strategy.

Exam trap

The trap here is Options C and E. Neither is strictly unsupported: Microsoft Entra ID offers SMS-based sign-in as a primary method aimed at frontline workers, and certificate-based authentication is available natively in Entra ID and no longer depends on federation. The keyed answers are the two methods Microsoft positions as its flagship passwordless options. Option B is the clear distractor: a biometric never leaves the device and is never sent to Entra ID; it only unlocks a key held on a phone, security key or Windows device, so there is no biometric-only method 'without a device'.

139
MCQhard

An organization is migrating from on-premises Active Directory to Microsoft Entra ID. They need to synchronize user passwords so that users can use the same password for both on-premises and cloud resources. Which authentication method should they choose?

A.Password Hash Synchronization
B.Seamless Single Sign-On
C.Pass-through Authentication
D.Federation with AD FS
AnswerA

Synchronizes password hashes for same password use.

Why this answer

Password Hash Synchronization (PHS) is the correct choice because Microsoft Entra Connect extracts a hash of each user's on-premises Active Directory password, re-hashes it (salted, with many rounds of PBKDF2-HMAC-SHA256) and uploads only that derived value to Microsoft Entra ID; the plaintext password and the raw AD hash never leave the on-premises network. Users then authenticate to cloud resources with the same password they use on-premises, and cloud sign-in keeps working even when the on-premises environment is unreachable. No additional infrastructure or real-time validation against on-premises systems is required.

Exam trap

The trap here is that candidates confuse 'synchronization' with 'single sign-on' or 'pass-through validation,' assuming that Seamless SSO or Pass-through Authentication also synchronize passwords, when in fact they do not transfer password hashes to the cloud.

How to eliminate wrong answers

Option B (Seamless Single Sign-On) is wrong because it does not synchronize passwords; it only provides automatic sign-in for domain-joined devices on the corporate network by exchanging a Kerberos ticket for a computer account (AZUREADSSOACC) that Microsoft Entra Connect creates in on-premises AD, and the actual password validation still relies on PHS or Pass-through Authentication. Option C (Pass-through Authentication) is wrong because it validates passwords directly against on-premises Active Directory in real time through an agent, without synchronizing password hashes to the cloud, so it does not meet the requirement to synchronize passwords and cloud sign-in depends on the agents being reachable. Option D (Federation with AD FS) is wrong because it redirects authentication to an on-premises Active Directory Federation Services (AD FS) farm through a federated trust, which requires additional highly available infrastructure and still does not synchronize password hashes to Microsoft Entra ID.

140
MCQmedium

A company uses Microsoft Entra ID. The IT department wants to ensure that users are prompted to change their password only when there is a high likelihood that their credentials have been compromised, rather than forcing periodic password changes. They also want to block users from using common passwords from a custom list of banned passwords. Which Microsoft Entra features should they use?

A.Identity Protection and Password Protection
B.Conditional Access and Multi-Factor Authentication
C.Privileged Identity Management and Identity Governance
D.Access Reviews and Entitlement Management
AnswerA

Identity Protection can force password changes on high user risk, and Password Protection blocks weak passwords, including custom banned lists.

Why this answer

Identity Protection raises a user's risk level from detections such as leaked credentials (Microsoft's threat intelligence finds the user's credentials in public paste sites, dark-web dumps and similar sources) and anomalous sign-in behavior. A user risk policy set to High with the 'Require password change' control forces a secure password change (password plus MFA) only when compromise is likely, not on a fixed schedule. Password Protection applies Microsoft's global banned list and a tenant-defined custom list (common passwords, brand and product names) whenever a password is changed or reset, rejecting weak choices and close variations in real time.

Exam trap

The trap here is that candidates confuse Identity Protection with Conditional Access, assuming risk-based policies are the same as password change triggers, or they think Password Protection is part of MFA or PIM, when in fact it is a separate feature focused solely on password content validation.

How to eliminate wrong answers

Option B is wrong because Conditional Access controls access policies (e.g., requiring MFA based on risk) but does not manage password change triggers or banned password lists; Multi-Factor Authentication adds a second verification factor but does not detect credential compromise or enforce password bans. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not password policies or compromise detection; Identity Governance handles access certifications and lifecycle, not password change logic. Option D is wrong because Access Reviews are for periodic recertification of group memberships or application access, and Entitlement Management manages access packages and catalogs; neither feature triggers password changes based on compromise likelihood or enforces custom banned password lists.

141
MCQeasy

Your organization wants to enforce MFA for all users accessing the Azure portal. However, users accessing from the corporate office network should not be prompted for MFA. Which Conditional Access assignment should you configure?

A.Include all users, include trusted locations.
B.Include all trusted locations.
C.Include Azure portal app, exclude trusted locations.
D.Include all locations, exclude trusted locations.
AnswerD

This ensures MFA is required from untrusted locations, but not from corporate network.

Why this answer

Option D is correct because Conditional Access policies evaluate assignments based on conditions such as user, app, and location. To enforce MFA for all users accessing the Azure portal while excluding the corporate office network, you must include all users and the Azure portal app, then exclude trusted locations (the corporate network). This ensures MFA is required only when access originates from outside the trusted corporate network.

Exam trap

The trap here is that candidates often confuse 'include' and 'exclude' assignments, mistakenly thinking that including trusted locations will skip MFA, when in fact you must exclude trusted locations to bypass MFA from those networks.

How to eliminate wrong answers

Option A is wrong because including trusted locations scopes the policy to sign-ins from the corporate network, so MFA would be required there and nowhere else, the inverse of the requirement. Option B is wrong because it only includes trusted locations and does not specify which users or apps are targeted, leaving the policy incomplete and, again, aimed at the wrong network. Option C is wrong because it includes the Azure portal app and excludes trusted locations but omits the user assignment (e.g., 'all users'), so the policy would not apply to anyone.
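The policy shape Q134 and Q141 ask for (and Q149 repeats), built with Microsoft Graph PowerShell as an added example rather than anything from the question bank. Assumptions: the Microsoft.Graph module is installed and the signed-in administrator can write Conditional Access policies; 203.0.113.0/24 stands in for the corporate egress range; $BreakGlassAccountId must be replaced with the object ID of an emergency-access account. 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known application ID for Microsoft Azure Management, the app the Azure portal authenticates against.

```powershell
# Added example for Q134/Q141: "include all locations, exclude trusted locations".
# Not from the question bank. Assumes the Microsoft.Graph module is installed;
# the IP range and the break-glass account ID are placeholders to replace.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassAccountId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of your emergency-access account
$AzurePortalAppId    = '797f4846-ba00-4fd7-ba43-dac1f8f63013'   # well-known app ID: Microsoft Azure Management

# 1. Mark the corporate egress range as a trusted named location.
#    Every location flagged isTrusted is what 'AllTrusted' resolves to inside a policy.
$corpLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate office'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }   # placeholder range
    )
}

# 2. The policy: all users (minus break-glass), the Azure portal, all locations in,
#    trusted locations out, grant control = MFA. Created in report-only mode on purpose.
$policy = @{
    displayName   = 'Azure portal: require MFA outside trusted locations'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassAccountId) }
        applications = @{ includeApplications = @($AzurePortalAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read the policy back and confirm the assignment shape matches the intent
#    (include All / exclude AllTrusted / grant mfa) before turning it on.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    TrustedLocation  = $corpLocation.DisplayName
    IncludeLocations = ($check.Conditions.Locations.IncludeLocations -join ',')
    ExcludeLocations = ($check.Conditions.Locations.ExcludeLocations -join ',')
    GrantControls    = ($check.GrantControls.BuiltInControls -join ',')
    State            = $check.State
}

# 4. After the report-only results in the sign-in logs look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Report-only first is deliberate: the sign-in log's report-only view shows which sign-ins would have been prompted, which catches a corporate range that is not actually marked trusted or a service account that is about to be challenged. Excluding an emergency-access account is the standard guard against locking every administrator out if the MFA service itself is unavailable.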

142
MCQeasy

Your organization wants to enable single sign-on (SSO) for users accessing Microsoft 365 apps from unmanaged devices while enforcing multifactor authentication (MFA). Which Microsoft Entra feature should you configure?

A.Self-Service Password Reset (SSPR)
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Identity Protection
AnswerB

Conditional Access policies can enforce MFA and control access based on device compliance.

Why this answer

Conditional Access is the correct feature because it lets you attach access controls such as requiring MFA to conditions about the device making the request. Single sign-on to Microsoft 365 is already provided by Microsoft Entra ID; a policy that targets Microsoft 365 apps, uses a filter for devices to select devices that are not marked compliant or hybrid-joined, and applies the 'Require multifactor authentication' grant control adds the MFA step only on unmanaged devices, leaving sign-in from managed devices unchanged.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risk) with Conditional Access (which enforces policy), or mistakenly think SSPR or PIM can enforce MFA on unmanaged devices, when only Conditional Access provides the conditional logic to tie device state to authentication requirements.

How to eliminate wrong answers

Option A is wrong because Self-Service Password Reset (SSPR) is a feature for users to reset their own passwords, not for enforcing MFA or controlling access based on device state. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not device-based access policies or MFA enforcement for all users. Option D is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not natively enforce MFA based on device management status; it can trigger Conditional Access policies but is not the policy engine itself.

143
Multi-Selecthard

A security administrator uses Microsoft Entra ID Protection to identify and respond to identity-based risks. Which two types of risk detections can be reviewed in Microsoft Entra ID Protection? (Choose two.)

Select 2 answers
A.Sign-in risk
B.User risk
C.Application permission risk
D.Device compliance risk
AnswersA, B

Sign-in risk detections include atypical travel, anonymous IP address, unfamiliar sign-in properties and password spray, each evaluated for a single authentication; user risk aggregates those signals with offline detections such as leaked credentials into a per-user likelihood of compromise.

Why this answer

Microsoft Entra ID Protection evaluates identity-based risks by analyzing two primary detection types: sign-in risk and user risk. Sign-in risk assesses the probability that a specific authentication attempt is unauthorized, while user risk evaluates the likelihood that a user account has been compromised based on aggregated suspicious activities.

Exam trap

The trap here is that candidates often confuse risk detection types with other security features like device compliance or application permissions, but Entra ID Protection specifically focuses on sign-in and user risk detections only.

144
MCQmedium

A company has a Microsoft Entra ID tenant and an on-premises Active Directory Domain Services (AD DS) forest. They need to synchronize user accounts, groups, and passwords from AD DS to Microsoft Entra ID. Due to network restrictions, they prefer a lightweight agent that can be deployed on-premises and supports staging mode for testing. Which identity synchronization tool should they use?

A.Microsoft Entra Connect Sync
B.Microsoft Entra Connect Health
C.Microsoft Entra Cloud Sync
D.Microsoft Identity Manager (MIM)
AnswerA

Entra Connect Sync is the recommended tool for synchronizing a single AD DS forest to Microsoft Entra ID, offering staging mode and full identity sync.

Why this answer

Microsoft Entra Connect Sync is the correct choice because it is the full-featured synchronization engine and the only one of the two synchronization options that supports staging mode, in which a second server imports and evaluates the sync rules without exporting any changes, so a configuration can be tested before it goes live. It synchronizes user accounts, groups and password hashes from AD DS to Microsoft Entra ID and supports password hash synchronization, pass-through authentication and federation integration. It is not, however, a lightweight agent: it is a full server application with a local or SQL database. The lightweight agent model belongs to Cloud Sync, and it is the explicit staging-mode requirement that forces the heavier tool here.

Exam trap

The trap here is that candidates confuse 'Cloud Sync' as the lightweight agent because it is simpler, but they overlook that Cloud Sync does not support staging mode, which is explicitly required in the question.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Connect Health is a monitoring and analytics tool, not a synchronization engine; it reports on the health of Connect Sync, AD FS and domain controllers but does not perform identity sync itself. Option C is wrong because Microsoft Entra Cloud Sync, although it is the lightweight provisioning agent the question hints at, does not support staging mode; it is designed for simpler or multi-forest scenarios and lacks the staging and testing capabilities of Connect Sync. Option D is wrong because Microsoft Identity Manager (MIM) is a full on-premises identity management suite (server roles plus a SQL back end), not a lightweight agent, and it is not the supported tool for synchronizing AD DS to Microsoft Entra ID; that role belongs to Connect Sync or Cloud Sync.

145
MCQmedium

Your company, Proseware, uses Microsoft Entra ID P2. You have a custom application that integrates with Microsoft Graph API to read user profiles. The application uses client credentials flow (application permissions). You need to ensure that the application can only read user profiles and not perform any other operations. Additionally, you want to review and approve the permissions periodically. What should you do?

A.Create a Conditional Access policy to restrict the app to read-only operations.
B.Enable Privileged Identity Management for the app and require approval for each API call.
C.Use delegated permissions for the application and assign users to the app role.
D.In Microsoft Entra ID, grant the application the User.Read.All permission and configure an access review for the application permissions.
AnswerD

This grants the minimal permission and enables periodic review.

Why this answer

Option D is correct because the client credentials flow runs with no signed-in user, so the application must hold an application permission; User.Read.All is a read-only Microsoft Graph application permission for user profiles and grants no write or directory-management rights. The scope of an application permission is fixed when an administrator consents to it and cannot be narrowed at run time, which is exactly why it needs periodic human review: putting the app's consented permissions under a recurring review keeps the grant from quietly outliving its purpose and meets the second requirement.

Exam trap

The trap here is that candidates may confuse Conditional Access policies or PIM with permission management, not realizing that application permissions in the client credentials flow are static and require access reviews for periodic oversight, not dynamic runtime controls.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control user sign-in and access conditions, not the scope of permissions granted to an application; they cannot restrict an app to read-only operations after permissions are granted. Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation, not for requiring approval on each API call; it does not restrict the permissions of an application or approve individual API calls. Option C is wrong because delegated permissions operate on behalf of a signed-in user and are not suitable for a client credentials flow (application permissions) which runs without a user context; assigning users to an app role does not change the permission type.

146
MCQmedium

Your organization, Fabrikam, has recently merged with another company. You need to provide seamless access to resources for users from both companies while maintaining separate identity directories. The users from the acquired company have their own Microsoft Entra ID tenant. You need to enable them to access applications in your tenant using their existing corporate credentials, without creating new accounts. Additionally, you want to enforce conditional access policies from your tenant for these users. Which approach should you use?

A.Create new user accounts in your tenant for the acquired company's users and assign them access.
B.Set up a federation trust between your tenant and the other company's on-premises Active Directory.
C.Use Microsoft Entra B2C to create a custom identity provider for the other company.
D.Use Microsoft Entra B2B collaboration to invite users from the other tenant as guest users, and apply conditional access policies to guest users.
AnswerD

B2B collaboration supports cross-tenant access with existing credentials and policy enforcement.

Why this answer

Microsoft Entra B2B collaboration allows you to invite external users from another Microsoft Entra tenant to access your applications using their own corporate identities. This approach meets the requirement of not creating new accounts, and because guest users are represented as user objects in your tenant, you can enforce your own conditional access policies on them. Option D is correct because it directly addresses the need for seamless access with separate directories and policy control.

Exam trap

The trap here is confusing Microsoft Entra B2B collaboration (for business-to-business guest access with existing corporate identities) with Microsoft Entra B2C (for customer-facing identity management), leading candidates to incorrectly select option C.

How to eliminate wrong answers

Option A is wrong because creating new user accounts violates the requirement to use existing corporate credentials without creating new accounts. Option B is wrong because federation trust with on-premises Active Directory does not directly enable access to applications in your Microsoft Entra tenant for users from another Microsoft Entra tenant; it is used for hybrid identity scenarios with your own on-premises directory. Option C is wrong because Microsoft Entra B2C is designed for customer-facing identity management with social or local accounts, not for enabling access for users from another Microsoft Entra tenant using their existing corporate credentials.

147
MCQeasy

A company uses Microsoft Entra ID. They want to allow employees to access the expense reporting application only from managed devices that are compliant with security policies and from trusted IP ranges. Additionally, if the user's sign-in risk is high, access must be blocked. Which of the following conditions should the administrator configure in a Conditional Access policy to enforce these requirements?

A.Only Device state and Locations
B.Only Sign-in risk and Device state
C.Device state, Locations, and Sign-in risk
D.Only Locations and Sign-in risk
AnswerC

All three conditions are needed: Device state for compliance, Locations for trusted IPs, and Sign-in risk for blocking high-risk sign-ins.

Why this answer

Option C is correct because the scenario requires three distinct conditions: device compliance (Device state), trusted network locations (Locations), and high sign-in risk (Sign-in risk). Conditional Access policies in Microsoft Entra ID allow combining these assignments to enforce granular access controls. Only by including all three can the administrator block access when the user's sign-in risk is high, while also requiring a managed device and trusted IP range.

Exam trap

The trap here is that candidates often assume only two conditions are needed (e.g., device and location, or risk and device) and overlook the third, but the question explicitly lists three distinct requirements that must all be enforced simultaneously.

How to eliminate wrong answers

Option A is wrong because it omits Sign-in risk, which is explicitly required to block access when sign-in risk is high. Option B is wrong because it omits Locations, which is needed to restrict access to trusted IP ranges. Option D is wrong because it omits Device state, which is required to enforce access only from managed devices that are compliant with security policies.

148
MCQmedium

A security administrator at an organization using Microsoft Entra ID needs to automatically detect user sign-ins that exhibit risky behavior, such as signing in from a suspicious IP address or using leaked credentials. The administrator also wants the system to automatically calculate a risk level for each user and take actions like requiring a password reset when risk is high. Which Microsoft Entra ID feature should the administrator use?

A.Identity Protection
B.Privileged Identity Management (PIM)
C.Conditional Access
D.Identity Governance
AnswerA

Identity Protection detects and handles risky sign-ins and user behavior, providing automated risk-based remediation.

Why this answer

Microsoft Entra ID Protection is the correct feature because it automatically detects risky sign-in behaviors—such as sign-ins from suspicious IP addresses, anonymous IP addresses, or leaked credentials—and calculates a user risk level. It can then automatically trigger remediation actions like requiring a password reset when the risk level is high, directly matching the administrator's requirements.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is the enforcement layer that uses risk signals from Identity Protection—it does not perform the detection or risk calculation itself.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM focuses on just-in-time privileged role activation, access reviews, and approval workflows for administrative roles, not on detecting risky sign-in behaviors or calculating user risk levels. Option C (Conditional Access) is wrong because Conditional Access is a policy engine that enforces access controls based on signals (like risk from Identity Protection), but it does not itself detect risky behavior or calculate risk levels—it relies on Identity Protection for those signals. Option D (Identity Governance) is wrong because Identity Governance handles access lifecycle management, entitlement reviews, and compliance reporting, not real-time risk detection or automated remediation of risky sign-ins.

149
MCQ · medium

A company wants to require multi-factor authentication (MFA) for all users accessing a financial application, but only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should be used?

A. Identity Protection
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Self-Service Password Reset (SSPR)
Answer: B

Conditional Access allows administrators to define policies that grant or block access based on conditions such as network location, requiring MFA when outside the corporate network.

Why this answer

Conditional Access is the correct choice because it allows administrators to define policies that enforce multi-factor authentication (MFA) based on specific conditions, such as network location. In this scenario, a Conditional Access policy can be configured to require MFA only when users access the financial application from outside the corporate network, using the 'Locations' condition to distinguish trusted IP ranges from external sign-ins. This granular control directly addresses the requirement without affecting internal access.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA triggers with Conditional Access's location-based MFA enforcement, assuming Identity Protection alone can enforce MFA based on network location, whereas it only provides risk signals that must be consumed by a Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because Identity Protection is a risk-based tool that detects and responds to identity threats (e.g., leaked credentials, anomalous sign-ins) but does not natively enforce MFA based on network location; it can trigger MFA via Conditional Access integration, but it is not the feature itself. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not location-based MFA enforcement for all users. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, not to enforce multi-factor authentication based on network conditions.

150
MCQ · hard

A multinational organization uses Microsoft Entra ID for identity management. The security team wants to implement a Conditional Access policy that blocks access from untrusted locations unless the user's device is marked as compliant by Microsoft Intune. However, users traveling to trusted partner locations should be allowed access even if their device is non-compliant. Which two conditions should be configured in the policy?

A. Locations: All trusted locations; Grant: Require compliant device.
B. Locations: All trusted locations; Grant: Block access.
C. Locations: All locations, exclude trusted locations; Grant: Require compliant device.
D. Locations: All locations; Grant: Require compliant device.
Answer: C

This blocks access from untrusted locations unless the device is compliant, while allowing access from trusted locations regardless of compliance.

Why this answer

Option C is correct because the policy must block access from untrusted locations unless the device is compliant, while allowing access from trusted partner locations even if the device is non-compliant. By setting 'Locations: All locations' and excluding trusted locations, the policy applies only to untrusted locations. Then, 'Grant: Require compliant device' ensures that only compliant devices can access from those untrusted locations, meeting both requirements.

Exam trap

The trap here is that candidates often confuse 'exclude trusted locations' with 'include trusted locations,' leading them to choose options that incorrectly apply the policy to trusted locations instead of untrusted ones.

How to eliminate wrong answers

Option A is wrong because it applies the policy to all trusted locations, which would block non-compliant devices from trusted partner locations, contradicting the requirement to allow access from trusted locations even if non-compliant. Option B is wrong because it blocks access from all trusted locations entirely, which does not allow any access from trusted partner locations, regardless of device compliance. Option D is wrong because it applies the policy to all locations without excluding trusted locations, meaning non-compliant devices would be blocked from trusted partner locations as well, failing the requirement to allow access from those locations.
