CCNA Describe the capabilities of Microsoft Entra Questions

75 of 373 questions · Page 4/5 · Describe the capabilities of Microsoft Entra

226
MCQhard

A company uses Microsoft Entra ID and Intune for mobile device management. They want to enforce different access requirements for their finance application: when users access from an unmanaged personal device, they must perform multi-factor authentication (MFA). When they access from a corporate-managed device that is marked as compliant (e.g., joined to Azure AD, antivirus up-to-date, encryption enabled), MFA should not be required. Device compliance is reported by Intune. Which Microsoft Entra ID feature should they use to define these rules?

A.Identity Protection risk policies
B.Conditional Access policies
C.Privileged Identity Management (PIM)
D.Intune device compliance policies
AnswerB

Conditional Access evaluates conditions such as device compliance (reported by Intune) and can grant access with or without MFA based on the conditions. This is the correct tool.

Why this answer

Conditional Access policies in Microsoft Entra ID allow administrators to define granular access rules based on signals such as user, device, location, and application. In this scenario, the policy can be configured to require MFA when the device is not marked as compliant (e.g., unmanaged personal device) and to allow access without MFA when the device is reported as compliant by Intune. This is the correct feature because it directly evaluates device compliance status from Intune and enforces the specified access requirements.

Exam trap

The trap here is that candidates often confuse Intune device compliance policies (which define the rules for compliance) with Conditional Access policies (which enforce access decisions based on that compliance status), leading them to select Option D instead of the correct feature that actually enforces the MFA requirement.

How to eliminate wrong answers

Option A is wrong because Identity Protection risk policies focus on user and sign-in risk (e.g., leaked credentials, anonymous IP addresses) and do not evaluate device compliance status from Intune. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not device-based access rules for applications. Option D is wrong because Intune device compliance policies define the compliance criteria (e.g., encryption, antivirus) but do not enforce access decisions; they only report compliance status to Entra ID for Conditional Access to evaluate.

227
MCQmedium

Your organization is using Microsoft Entra ID with P2 licenses. You need to enforce a policy that requires administrators to request approval before activating their privileged roles, and approvals must expire after 8 hours. Additionally, you need to ensure that all privileged role activations are logged for auditing. Which combination of Microsoft Entra capabilities should you use?

A.Implement Identity Protection user risk policy to block high-risk admins, and use sign-in logs.
B.Configure Privileged Identity Management (PIM) for role activation with approval and expiration, and use PIM audit logs.
C.Create a Conditional Access policy requiring multi-factor authentication for admins, and use activity logs.
D.Set up Azure AD Access Reviews to require monthly review of privileged roles, and enable diagnostic settings.
AnswerB

Correct: PIM provides exactly these capabilities.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time role activation with configurable role settings: approval can be required before an activation takes effect, and the maximum activation duration can be capped (here, 8 hours), so an approved activation expires on its own. PIM audit history records every request, approval, and activation, including who approved it, when, and for which role, which satisfies the auditing requirement. This combination addresses the policy needs directly, without relying on unrelated capabilities such as user risk policies or access reviews.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control sign-in conditions) with PIM (which controls role activation), leading them to choose Option C because they think MFA enforcement is sufficient for privileged role security.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policy blocks users based on risk level, not role activation approval or expiration, and sign-in logs do not capture privileged role activation events. Option C is wrong because Conditional Access policies enforce authentication requirements like MFA during sign-in, not role activation approval workflows or expiration, and activity logs lack the granularity of PIM-specific activation auditing. Option D is wrong because Azure AD Access Reviews are for periodic attestation of role membership, not for controlling activation with approval and expiration, and diagnostic settings export logs but do not enforce the approval or expiration policy.

228
MCQmedium

Your company, Wingtip Toys, uses Microsoft Entra ID with a free license. You have a third-party SaaS application that supports Security Assertion Markup Language (SAML) 2.0. You need to enable single sign-on (SSO) for users to access this application. However, the app requires attributes like department and employee ID in the SAML token. You also need to ensure that only users from a specific security group can access the app. What should you do?

A.Register the app using OpenID Connect and assign users to the app.
B.Add the app from the gallery using password-based SSO and configure group assignment.
C.Use Microsoft Entra Application Proxy to publish the app and configure pre-authentication.
D.Add the app from the gallery as a SAML application, configure claims mapping to include department and employee ID, and assign the app to the security group.
AnswerD

This meets all requirements.

Why this answer

Option D is correct because the scenario requires SAML 2.0, custom attribute claims (department and employee ID), and group-based access control. Adding the app from the gallery as a SAML application lets you configure SAML-based SSO, edit the claims in the SAML token so that it carries the required attributes, and restrict access by assigning the app to the security group. One licensing caveat a practitioner should know: SAML SSO for gallery apps is available on the free tier, but assigning a group (rather than individual users) to an enterprise application requires Microsoft Entra ID P1 or P2. On a purely free tenant the group requirement would have to be met by assigning the group's users individually, which is still closer to the requirement than any other option.

Exam trap

The trap here is that candidates may confuse SAML with OpenID Connect or password-based SSO, or incorrectly assume that Application Proxy is suitable for SaaS apps, when only a SAML gallery app supports custom attribute claims and group-based assignment for a third-party SaaS application.

How to eliminate wrong answers

Option A is wrong because OpenID Connect is an authentication protocol built on OAuth 2.0, not SAML 2.0, and it does not support the SAML token format or custom SAML attribute claims required by the app. Option B is wrong because password-based SSO does not use SAML tokens and cannot include custom attributes like department and employee ID in a token; it relies on form-fill or credential injection, not SAML assertions. Option C is wrong because Microsoft Entra Application Proxy is used for publishing on-premises apps, not for third-party SaaS applications, and it does not provide SAML token customization or gallery-based SAML configuration.

229
MCQeasy

A company uses Microsoft Entra ID for identity management. They want to automatically block sign-ins from users whose credentials have been compromised and require them to change their password before access is granted. Which Microsoft Entra ID capability should they use?

A.Microsoft Entra ID Protection
B.Conditional Access policies
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerA

Identity Protection detects risks like leaked credentials and can enforce policies to block sign-ins and require password changes.

Why this answer

Microsoft Entra ID Protection is the correct capability because it automatically detects compromised credentials by analyzing telemetry from Microsoft's Threat Intelligence and the wider ecosystem. When a user's credentials are found in a known leak, Entra ID Protection can enforce a policy that blocks sign-in and requires the user to change their password via an integrated remediation workflow, directly addressing the scenario.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with risk-based policies, but Conditional Access alone cannot detect compromised credentials or enforce password changes—it requires Entra ID Protection as the risk signal source.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies are a decision engine that enforces access controls based on signals (like location or device state), but they do not inherently detect compromised credentials or trigger password changes; they rely on other services like Entra ID Protection for risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, access reviews, and auditing for administrative roles, not on detecting or remediating compromised user credentials. Option D is wrong because Self-Service Password Reset (SSPR) allows users to voluntarily reset their own passwords, but it does not automatically block sign-ins or force a password change based on compromised credential detection; it requires user initiation.

230
MCQmedium

An organization uses Microsoft Entra ID and wants to require users to re-authenticate every 4 hours when accessing a critical financial application, even if the user already has an active sign-in session. Which Conditional Access control should be configured?

A.Grant control 'Require multi-factor authentication'
B.Session control 'Sign-in frequency'
C.Session control 'Persistent browser session'
D.Grant control 'Require device to be marked as compliant'
AnswerB

Correct. The sign-in frequency session control allows administrators to set the time interval after which a user must re-authenticate, even if the session is still active.

Why this answer

The 'Sign-in frequency' session control in Conditional Access allows administrators to specify the time interval after which a user must re-authenticate, even if they have an active session. By setting this to 4 hours, the organization ensures that users re-authenticate before accessing the critical financial application, overriding any existing session tokens.

Exam trap

The trap here is confusing session controls (which manage token lifetime and re-authentication behavior) with grant controls (which enforce conditions at initial sign-in), leading candidates to select 'Require multi-factor authentication' thinking it will force periodic re-authentication.

How to eliminate wrong answers

Option A is wrong because 'Require multi-factor authentication' is a grant control that enforces an additional verification factor at sign-in, but it does not enforce a re-authentication interval; once MFA is satisfied, the session persists until token expiry. Option C is wrong because 'Persistent browser session' controls whether the browser keeps the user signed in after closing, not the frequency of re-authentication during an active session. Option D is wrong because 'Require device to be marked as compliant' ensures the device meets compliance policies (e.g., OS updates, antivirus), but it does not enforce a time-based re-authentication requirement.

231
MCQeasy

You are viewing an application registration in Microsoft Entra ID. What can you conclude about this app?

A.The app is disabled and cannot be used
B.The app is a single-tenant application that is enabled but has no app roles defined
C.The app has custom roles for role-based access
D.The app is multi-tenant and can be used by other tenants
AnswerB

SignInAudience indicates single-tenant and AppRoles is empty.

Why this answer

The application registration shows 'App roles' with a value of 0, which means no app roles are defined. The 'Supported account types' setting indicates 'Accounts in this organizational directory only', confirming it is a single-tenant application. The 'Enabled for users to sign-in?' toggle is set to 'Yes', so the app is enabled and can be used.

Exam trap

The trap here is that candidates often confuse a disabled app (where the 'Enabled for users to sign-in?' toggle is set to 'No') with an app that has no app roles defined, leading them to incorrectly select option A when the app is actually enabled but lacks roles.

How to eliminate wrong answers

Option A is wrong because the 'Enabled for users to sign-in?' toggle is set to 'Yes', meaning the app is enabled and can be used. Option C is wrong because the 'App roles' count is 0, indicating no custom roles are defined; custom roles would require at least one app role to be listed. Option D is wrong because the 'Supported account types' is set to 'Accounts in this organizational directory only', which explicitly restricts the app to a single tenant, not multi-tenant.

232
MCQeasy

An organization wants to allow users to reset their own passwords without help desk intervention. Which Microsoft Entra feature should they enable?

A.Conditional Access
B.Self-service password reset
C.Privileged Identity Management
D.Identity Protection
AnswerB

SSPR enables users to reset their own passwords.

Why this answer

Self-service password reset (SSPR) is the Microsoft Entra feature specifically designed to allow users to reset their own passwords without requiring help desk intervention. It enforces security through authentication methods (e.g., phone, email, security questions) and can be configured to meet organizational policies. This directly addresses the scenario of reducing help desk workload for password resets.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with SSPR (which handles the password reset process itself), leading them to select A because they think 'self-service' implies a policy-based control.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-ins from untrusted locations) based on signals like user, device, or location — it does not provide a mechanism for users to reset their own passwords. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation, approval workflows, and access reviews for elevated roles; it does not handle end-user password resets. Option D is wrong because Identity Protection uses risk detection (e.g., leaked credentials, anonymous IP addresses) to trigger automated responses like blocking sign-ins or requiring MFA — it does not enable users to reset their own passwords.

233
MCQmedium

Your organization uses Microsoft Entra ID. You need to ensure that only users from the finance department can access a sensitive application, and they must be granted access dynamically based on their department attribute. What should you configure?

A.Create an administrative unit for the finance department.
B.Create a dynamic group with rule: user.department -eq "Finance".
C.Enable self-service group management.
D.Configure entitlement management with an access package for the finance application.
AnswerB

Dynamic groups automatically add or remove members based on attributes.

Why this answer

Option B is correct because a dynamic group in Microsoft Entra ID automatically adds or removes members based on a rule, such as `user.department -eq "Finance"`. This ensures that only users whose department attribute equals "Finance" are granted access to the sensitive application, and membership updates dynamically as the attribute changes, without manual intervention.

Exam trap

The trap here is that candidates often confuse administrative units (which manage administrative boundaries) with dynamic groups (which manage access based on attributes), leading them to select Option A instead of the correct dynamic group solution.

How to eliminate wrong answers

Option A is wrong because administrative units are used to delegate administrative scopes (e.g., managing users in a specific department), not to control access to applications dynamically based on user attributes. Option C is wrong because self-service group management allows users to create and manage their own groups, but it does not enforce dynamic membership rules based on the department attribute; it relies on manual or approval-based membership. Option D is wrong because entitlement management with access packages provides a governance framework for requesting and approving access, but it does not automatically assign membership based on a dynamic attribute like department; it typically requires manual assignment or approval workflows.
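The rule `user.department -eq "Finance"` is a membership rule that Entra re-evaluates whenever a user's attributes change. To make that behaviour concrete, here is an added example (not code from the original page and not Microsoft's rule engine) that parses a small subset of the dynamic membership rule syntax and evaluates it against constructed user records. It supports `-eq`, `-ne`, `-in`, `-notIn`, `-startsWith`, `-contains`, `-and`, `-or`, `-not`, parentheses, string and array literals and `null`; the case-insensitive string comparison, the sample users, and the names `tokenize`, `Parser`, `evaluate` and `members` are assumptions of the example, and the real service's exact operator semantics should be checked against the Entra rule reference.

```python
import re
from typing import Any, Dict, List, Tuple

Token = Tuple[str, Any]
TOKEN_RE = re.compile(
    r'(\()|(\))|(\[[^\]]*\])|("(?:[^"\\]|\\.)*")|\b(null)\b|(-[A-Za-z]+)|(user\.[A-Za-z0-9_]+)')


def tokenize(rule: str) -> List[Token]:
    """Split a rule such as (user.department -eq "Finance") into tokens."""
    tokens, pos = [], 0
    while pos < len(rule):
        if rule[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 12]!r}")
        pos = m.end()
        lpar, rpar, array, string, null, op, prop = m.groups()
        if lpar or rpar:
            tokens.append((m.group(0), None))
        elif array:
            tokens.append(("value", re.findall(r'"([^"]*)"', array)))   # ["a","b"] -> list of strings
        elif string:
            tokens.append(("value", string[1:-1]))
        elif null:
            tokens.append(("value", None))
        elif op:
            tokens.append(("op", op.lower()))                           # -startsWith -> -startswith
        else:
            tokens.append(("prop", prop[len("user."):]))                # user.department -> department
    return tokens


def _norm(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v   # case-insensitive matching is an assumption here


COMPARATORS = {
    "-eq": lambda a, b: _norm(a) == _norm(b),
    "-ne": lambda a, b: _norm(a) != _norm(b),
    "-in": lambda a, b: _norm(a) in [_norm(x) for x in b],
    "-notin": lambda a, b: _norm(a) not in [_norm(x) for x in b],
    "-startswith": lambda a, b: isinstance(a, str) and a.lower().startswith(b.lower()),
    "-contains": lambda a, b: isinstance(a, str) and b.lower() in a.lower(),
}


class Parser:
    """Recursive descent: -or < -and < -not/parentheses/comparison (lowest to highest precedence)."""
    def __init__(self, tokens: List[Token]):
        self.t, self.i = tokens, 0

    def peek(self) -> Token:
        return self.t[self.i] if self.i < len(self.t) else (None, None)

    def take(self) -> Token:
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError("unexpected trailing tokens")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == ("op", "-or"):
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() == ("op", "-and"):
            self.take()
            left = ("and", left, self.unary())
        return left

    def unary(self):
        if self.peek() == ("op", "-not"):
            self.take()
            return ("not", self.unary())
        if self.peek()[0] == "(":
            self.take()
            node = self.or_expr()
            if self.take()[0] != ")":
                raise ValueError("expected ')'")
            return node
        kind, prop = self.take()
        if kind != "prop":
            raise ValueError("expected user.<property>")
        okind, op = self.take()
        if okind != "op" or op not in COMPARATORS:
            raise ValueError(f"expected a comparison operator after user.{prop}")
        vkind, value = self.take()
        if vkind != "value":
            raise ValueError("expected a string, array or null literal")
        return ("cmp", prop, op, value)


def evaluate(node, user: Dict[str, Any]) -> bool:
    kind = node[0]
    if kind == "cmp":
        _, prop, op, literal = node
        return COMPARATORS[op](user.get(prop), literal)   # missing attribute behaves like null
    if kind == "and":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if kind == "or":
        return evaluate(node[1], user) or evaluate(node[2], user)
    return not evaluate(node[1], user)


# Constructed directory sample (not real accounts).
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Finance", "jobTitle": "Controller", "country": "US"},
    {"userPrincipalName": "bob@contoso.example", "department": "finance", "jobTitle": "Analyst", "country": "DE"},
    {"userPrincipalName": "carol@contoso.example", "department": "Marketing", "jobTitle": "Director", "country": "US"},
    {"userPrincipalName": "dan@contoso.example", "department": None, "jobTitle": "Chief of Staff", "country": "US"},
]


def members(rule: str, users: List[Dict[str, Any]]) -> List[str]:
    """Who the dynamic group would contain right now for the given rule."""
    tree = Parser(tokenize(rule)).parse()
    return sorted(u["userPrincipalName"] for u in users if evaluate(tree, u))


if __name__ == "__main__":
    print(members('user.department -eq "Finance"', USERS))
    print(members('(user.department -eq "Finance") -and (user.country -ne "US")', USERS))
```

The point worth internalising is the last function: membership is a pure function of the current attribute values, so a user transferred out of Finance drops out of the group, and out of the app assignment, as soon as the directory attribute changes. That also means whoever can write `user.department` (an HR-sync connector, a helpdesk role) can indirectly grant access to the sensitive application; dynamic rules should key off attributes whose write path is trusted.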

234
MCQhard

A company uses Microsoft Entra ID Privileged Identity Management (PIM) to manage elevated access to Microsoft Entra ID roles. They want to ensure that a user who activates a privileged role must provide a justification and receive approval from their manager before activation is complete. Which PIM configuration should be used?

A.Configure role settings to require multi-factor authentication on activation
B.Configure role settings to require approval on activation
C.Configure role settings to assign the user as permanently active
D.Configure role settings to require a Microsoft Entra ID compliant device
AnswerB

Correct. Requiring approval routes the activation request to the designated approvers (for example, the user's manager), who must approve before the role becomes active. Justification is a separate role setting ('Require justification on activation') and is typically enabled alongside it.

Why this answer

Option B is correct because Microsoft Entra ID Privileged Identity Management (PIM) allows administrators to configure role settings that require approval before a role is activated. By enabling the 'Require approval to activate' setting, a designated approver (such as the user's manager) must review and approve the activation request, ensuring that the justification is validated before access is granted.

Exam trap

The trap here is that candidates often confuse 'require approval' with 'require MFA' or 'require compliant device,' not realizing that only the approval setting introduces a separate review step by another person, which is explicitly needed for manager authorization.

How to eliminate wrong answers

Option A is wrong because requiring multi-factor authentication (MFA) on activation enforces additional identity verification but does not involve a separate approval workflow or manager review. Option C is wrong because assigning the user as permanently active eliminates the need for activation entirely, bypassing both justification and approval requirements. Option D is wrong because requiring a Microsoft Entra ID compliant device enforces device health policies but does not implement an approval process for role activation.

235
MCQmedium

A company requires that all users accessing a financial application from outside the corporate network must complete multi-factor authentication (MFA). The IT team is configuring a Microsoft Entra ID Conditional Access policy to enforce this requirement. Which component of the policy should be configured to apply the MFA requirement?

A.Conditions
B.Assignments
C.Session controls
D.Grant controls
AnswerD

Grant controls determine whether access is blocked or allowed and can require additional conditions like MFA, device compliance, or terms of use. Configuring 'Require multi-factor authentication' under Grant controls enforces the MFA requirement.

Why this answer

Grant controls are the component of a Conditional Access policy that enforce the actual access requirements, such as requiring multi-factor authentication (MFA). By configuring the 'Require multi-factor authentication' checkbox under Grant controls, the policy ensures that users must complete MFA before accessing the financial application. This is the correct setting to apply the MFA requirement.

Exam trap

The trap here is confusing Grant controls (which enforce the MFA requirement) with Conditions (which define the 'when' of the policy), leading candidates to incorrectly select Conditions because they think it controls the MFA trigger rather than the enforcement action.

How to eliminate wrong answers

Option A is wrong because Conditions define the signals or triggers (e.g., user risk, device platform, location) that determine when the policy applies, not the enforcement action like MFA. Option B is wrong because Assignments specify which users, groups, or applications are included in or excluded from the policy, not the access control requirement itself. Option C is wrong because Session controls manage user experience after access is granted (e.g., limiting session duration or enforcing app restrictions), not the initial authentication requirement like MFA.

236
MCQeasy

You need to provide external partners with access to your organization's SharePoint site. The partners must use their own credentials. Which Microsoft Entra feature should you use?

A.Microsoft Entra B2B collaboration
B.Microsoft Entra Identity Governance
C.Privileged Identity Management
D.Microsoft Entra ID Protection
AnswerA

B2B allows external users to sign in with their own identities.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it enables external users (partners) to access your organization's resources using their own identities (e.g., work, social, or other Azure AD accounts). It leverages the existing Azure AD tenant to issue guest user objects and supports SAML/WS-Federation or OIDC for authentication, allowing partners to authenticate with their own credentials without requiring a separate account or password in your tenant.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C (not listed), or mistakenly think Identity Governance or PIM can handle external authentication, when in fact B2B collaboration is the only feature that allows external users to bring their own credentials for resource access.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Governance) is wrong because it focuses on managing the lifecycle of identities and access rights (e.g., access reviews, entitlement management) but does not itself provide the mechanism for external users to authenticate with their own credentials. Option C (Privileged Identity Management) is wrong because it is designed to manage, control, and monitor privileged roles and just-in-time access within your own directory, not to enable external authentication. Option D (Microsoft Entra ID Protection) is wrong because it is a security tool that detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not facilitate external user sign-in with their own credentials.

237
MCQeasy

Your organization uses Microsoft Entra ID. You need to ensure that users can reset their own passwords without help desk intervention, while maintaining security by requiring multi-factor authentication (MFA) during the reset process. Which feature should you enable?

A.Microsoft Entra Identity Protection.
B.Microsoft Entra Multi-Factor Authentication.
C.Conditional Access policies.
D.Microsoft Entra self-service password reset (SSPR).
AnswerD

SSPR allows users to reset passwords and can be configured to require MFA.

Why this answer

Microsoft Entra self-service password reset (SSPR) is the feature specifically designed to allow users to reset their own passwords without help desk intervention. When combined with Microsoft Entra Multi-Factor Authentication (MFA) as a registration and reset requirement, SSPR enforces MFA during the reset process, meeting both the self-service and security requirements.

Exam trap

The trap here is that candidates often confuse the authentication enforcement mechanism (MFA or Conditional Access) with the actual self-service reset feature, mistakenly selecting MFA or Conditional Access instead of SSPR, which is the only option that directly provides the password reset functionality.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a risk-based detection and remediation service that can trigger automated responses (e.g., requiring MFA or blocking sign-ins) but does not itself enable users to reset passwords. Option B is wrong because Microsoft Entra Multi-Factor Authentication alone provides an additional verification step during authentication but does not include the self-service password reset capability. Option C is wrong because Conditional Access policies enforce access controls (e.g., requiring MFA or blocking locations) based on conditions, but they do not directly enable users to reset their own passwords.

238
MCQeasy

Your company uses Microsoft Entra ID to manage user identities. You need to ensure that users can sign in using their existing social media accounts. Which Microsoft Entra feature should you configure?

A.Microsoft Entra External ID
B.Microsoft Entra B2B collaboration
C.Conditional Access policies
D.Privileged Identity Management
AnswerA

External ID allows adding social identity providers like Facebook and Google.

Why this answer

Microsoft Entra External ID is the correct feature because it is the customer identity (CIAM) capability, the successor to Azure AD B2C for customer-facing scenarios, designed to let consumers sign up for and sign in to your own applications with social identity providers such as Google, Facebook, and Microsoft personal accounts. It federates with those providers over OAuth 2.0 and OpenID Connect, so users sign in with their existing social accounts without needing an account in your workforce directory.

Exam trap

The trap here is that candidates confuse Microsoft Entra B2B collaboration (inviting business partners as guests into your workforce tenant) with Microsoft Entra External ID for customers (sign-up and sign-in for your own consumer-facing apps). B2B can federate with Google and Facebook for invited guests, but it exists to share your organization's resources with partners; it is not the feature for letting customers register and sign in to your applications with social accounts.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2B collaboration is designed for business-to-business scenarios: external partners are invited as guest users in your directory so they can access your organization's resources, which is a different scenario from consumers signing in to your own application with social media accounts. Option C is wrong because Conditional Access policies enforce access controls (e.g., MFA, location) after authentication; they do not configure identity providers or enable social sign-in. Option D is wrong because Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles within Microsoft Entra ID and has no role in configuring external or social identity providers.

239
MCQhard

Refer to the exhibit. The Conditional Access policy shown is applied to all users accessing Office 365. A user with a compliant device but no MFA registered attempts to access Exchange Online. What will happen?

A.Access is blocked
B.Access is granted because the policy is only for Office 365 and the user uses Exchange Online
C.Access is granted after MFA registration prompt
D.Access is granted because the device is compliant
AnswerA

The policy's grant control (require multifactor authentication) is not satisfied because the user has no MFA method registered, so access is not granted; device compliance is not one of this policy's grant controls and therefore does not help.

Why this answer

The Conditional Access policy requires MFA for all users accessing Office 365 cloud apps. Since the user has not registered for MFA, the policy's grant control is not satisfied and access is denied. The device compliance status is irrelevant because the policy does not include device compliance as a grant control. One practitioner caveat: in a live tenant a user who has simply not registered yet is usually interrupted with the combined registration prompt rather than denied outright, so the outcome depends on the exact grant control in the exhibit; the exam answer takes the requirement as unmet and access as blocked.

Exam trap

The trap here is that candidates assume a compliant device automatically satisfies Conditional Access policies, but the policy explicitly requires MFA registration, and device compliance is irrelevant unless included as a grant control.

How to eliminate wrong answers

Option B is wrong because Exchange Online is included under Office 365 in the Conditional Access policy's cloud apps assignment, so the policy applies to Exchange Online access. Option C is wrong because the policy does not grant access with an MFA registration prompt; it blocks access when the MFA registration requirement is not met. Option D is wrong because the policy does not have a 'Require compliant device' grant control, so device compliance alone does not satisfy the policy's requirements.

240
Multi-Selectmedium

Which TWO Microsoft Entra features can be used together to enforce risk-based conditional access?

Select 2 answers
A.Entra Verified ID
B.Conditional Access
C.Identity Protection
D.Self-Service Password Reset
E.Privileged Identity Management
AnswersB, C

Uses risk as a condition to enforce policies.

Why this answer

Conditional Access (B) is correct because it is the policy engine that enforces access decisions based on signals, including risk levels. Identity Protection (C) is correct because it detects and calculates user and sign-in risk in real time using machine learning. Together, Identity Protection provides the risk assessment, and Conditional Access enforces the policy (e.g., block or require MFA) based on that risk.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with risk-based access, but PIM controls role activation, not risk evaluation, while Identity Protection is the dedicated risk detection service.

241
MCQmedium

A company uses Microsoft Entra ID and Intune for device management. The security team wants to create a Conditional Access policy for a sensitive research application. They require that: 1) The user must use a device that is marked as compliant by Intune, and 2) The user must accept the company's terms of use before accessing the app. Which grant control combination should they configure in the policy?

A.Select 'Require device to be marked as compliant' and 'Require terms of use' and choose 'Require one of the selected controls'
B.Select 'Require multi-factor authentication' and 'Require terms of use' and choose 'Require all the selected controls'
C.Select 'Require device to be marked as compliant' and 'Require terms of use' and choose 'Require all the selected controls'
D.Select only 'Require terms of use' and configure device compliance as a condition
AnswerC

This correctly enforces both device compliance and terms of use acceptance because the 'Require all' setting ensures that both grant controls are satisfied.

Why this answer

Option C is correct because the policy requires both conditions—device compliance and terms of use—to be enforced simultaneously. In Microsoft Entra Conditional Access, when multiple grant controls are selected and set to 'Require all the selected controls', the user must satisfy every control to gain access. This matches the security team's requirement that the device must be compliant AND the terms of use must be accepted.

Exam trap

The trap here is that candidates often confuse 'Require one of the selected controls' with 'Require all the selected controls', mistakenly thinking that 'one of' is sufficient when the question explicitly states both conditions must be met.

How to eliminate wrong answers

Option A is wrong because 'Require one of the selected controls' would allow the user to satisfy either device compliance OR terms of use, not both, which violates the requirement that both must be met. Option B is wrong because it includes 'Require multi-factor authentication', which is not a requirement specified by the security team, and it omits 'Require device to be marked as compliant', which is explicitly required. Option D is wrong because configuring device compliance as a condition (e.g., in the 'Conditions' blade) is not the same as enforcing it as a grant control; grant controls are the actions that must be satisfied, and device compliance must be selected as a grant control to enforce the requirement.
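Questions 226, 230, 239 and 241 all turn on how a Conditional Access policy combines its assignments, grant controls and session controls into a decision. The following added example (not code from the original page and not Microsoft's evaluation engine) is a deliberately simplified model of that decision: policies are ANDed, 'Block access' wins, grant controls within a policy combine with 'Require all' or 'Require one', the Office 365 app entry covers its workloads, and a sign-in frequency forces re-authentication once the last interactive sign-in is too old. The app names, the `contoso.example` user, the `Policy`/`SignIn` types and the treatment of an unsatisfiable grant control as a block are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# Entra's "Office 365" cloud-app entry bundles the individual workloads. This
# mapping is a constructed stand-in for that bundling (question 239, option B).
APP_GROUPS = {"Office 365": {"Exchange Online", "SharePoint Online", "Microsoft Teams"}}

REQUIRE_ALL = "AND"   # 'Require all the selected controls'
REQUIRE_ONE = "OR"    # 'Require one of the selected controls'


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    device_compliant: bool          # Intune-reported compliance as seen by Entra
    mfa_completed: bool             # user is registered for MFA and passed it in this sign-in
    terms_accepted: bool            # terms of use already accepted
    last_interactive_auth: datetime


@dataclass(frozen=True)
class Policy:
    name: str
    apps: FrozenSet[str]                             # cloud apps under Assignments
    grant_controls: Tuple[str, ...] = ()             # 'mfa', 'compliantDevice', 'termsOfUse'
    operator: str = REQUIRE_ALL
    block: bool = False                              # grant control 'Block access'
    sign_in_frequency: Optional[timedelta] = None    # session control


def applies_to(policy: Policy, s: SignIn) -> bool:
    """Assignment check: does the policy cover the app being accessed?"""
    return any(app == "All" or app == s.app or s.app in APP_GROUPS.get(app, ())
               for app in policy.apps)


def control_satisfied(control: str, s: SignIn) -> bool:
    if control == "mfa":
        return s.mfa_completed
    if control == "compliantDevice":
        return s.device_compliant
    if control == "termsOfUse":
        return s.terms_accepted
    raise ValueError(f"unknown grant control {control!r}")


def grant_satisfied(policy: Policy, s: SignIn) -> bool:
    """Apply the policy's operator across its selected grant controls."""
    results = [control_satisfied(c, s) for c in policy.grant_controls]
    if not results:
        return True
    return all(results) if policy.operator == REQUIRE_ALL else any(results)


def evaluate(policies, s: SignIn, now: datetime) -> str:
    """Return 'block', 'reauthenticate' or 'grant'. Every applicable policy
    must be satisfied, and 'Block access' always wins over grant controls."""
    applicable = [p for p in policies if applies_to(p, s)]
    if any(p.block for p in applicable):
        return "block"
    if not all(grant_satisfied(p, s) for p in applicable):
        return "block"      # a grant control the user cannot satisfy denies access
    for p in applicable:
        f = p.sign_in_frequency
        if f is not None and now - s.last_interactive_auth >= f:
            return "reauthenticate"   # session older than the sign-in frequency: fresh sign-in required
    return "grant"


# Constructed policies mirroring the questions above.
FINANCE = Policy("Finance app: MFA unless compliant device; re-auth every 4h",
                 frozenset({"Finance App"}), ("mfa", "compliantDevice"), REQUIRE_ONE,
                 sign_in_frequency=timedelta(hours=4))
RESEARCH = Policy("Research app: compliant device AND terms of use",
                  frozenset({"Research App"}), ("compliantDevice", "termsOfUse"), REQUIRE_ALL)
RESEARCH_WRONG = Policy("Research app misconfigured with 'Require one' (option A)",
                        frozenset({"Research App"}), ("compliantDevice", "termsOfUse"), REQUIRE_ONE)
O365 = Policy("Office 365: require MFA", frozenset({"Office 365"}), ("mfa",), REQUIRE_ALL)
POLICIES = (FINANCE, RESEARCH, O365)

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def sign_in(app: str, compliant: bool, mfa: bool, terms: bool = True,
            hours_since_auth: float = 1) -> SignIn:
    """Build a constructed sign-in for alice@contoso.example."""
    return SignIn("alice@contoso.example", app, compliant, mfa, terms,
                  NOW - timedelta(hours=hours_since_auth))


if __name__ == "__main__":
    cases = [
        ("Finance App, compliant device, no MFA", sign_in("Finance App", True, False)),
        ("Finance App, personal device, MFA passed", sign_in("Finance App", False, True)),
        ("Finance App, personal device, no MFA", sign_in("Finance App", False, False)),
        ("Finance App, compliant, session 5h old", sign_in("Finance App", True, False, hours_since_auth=5)),
        ("Research App, compliant, terms not accepted", sign_in("Research App", True, False, terms=False)),
        ("Exchange Online, compliant, no MFA", sign_in("Exchange Online", True, False)),
    ]
    for label, s in cases:
        print(f"{label:48} -> {evaluate(POLICIES, s, NOW)}")
```

Two things the model makes visible that the prose only states: swapping `REQUIRE_ALL` for `REQUIRE_ONE` on the research policy silently turns "compliant device and terms of use" into "either", which is the mistake option A describes, and the Exchange Online sign-in is caught by the Office 365 policy even though no policy names Exchange Online directly. When testing a real policy, the What If tool and the sign-in log's Conditional Access tab give the same per-policy breakdown this function prints.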

242
MCQ (medium)

A company wants to securely grant external business partners access to internal SharePoint sites and Teams channels. The partners use various identity providers, including Google and Microsoft personal accounts. The company needs to manage these external identities in their Microsoft Entra ID directory and enforce access policies. Which Microsoft Entra capability should they use?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra B2C (Business-to-Consumer)
C. Microsoft Entra Connect
D. Microsoft Entra Identity Protection
Answer: A

B2B collaboration enables secure external sharing with guest accounts, supporting a wide range of identity providers and directory management.

Why this answer

Microsoft Entra B2B collaboration is designed to securely share applications and resources with external guest users from any identity provider, including Google and Microsoft personal accounts. It allows the company to manage these external identities in their Entra ID directory and enforce conditional access policies, meeting the requirement to grant partners access to SharePoint and Teams.

Exam trap

The trap here is confusing B2B collaboration (for business partners) with B2C (for customers), leading candidates to select B2C because it also supports external identities, but B2C is not designed for internal resource sharing like SharePoint or Teams.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2C is a customer-facing identity management service for external customers, not for business partners, and it does not integrate with internal resources like SharePoint or Teams. Option C is wrong because Microsoft Entra Connect is used to synchronize on-premises Active Directory identities to the cloud, not to manage external partner identities. Option D is wrong because Microsoft Entra Identity Protection is a risk-detection and remediation tool for user accounts, not a solution for inviting or managing external identities.

243
MCQ (easy)

Your organization uses Microsoft Entra ID P1. You need to implement a solution that allows users to reset their own passwords without administrator intervention. The solution must also enforce a policy that requires users to verify their identity with two methods before resetting. What should you configure?

A. Configure Privileged Identity Management (PIM) to require approval for password reset.
B. Create an Identity Protection user risk policy to force password reset.
C. Configure a Conditional Access policy to require MFA for password changes.
D. Enable self-service password reset (SSPR) and configure the number of methods required to reset to 2.
Answer: D

SSPR provides password reset with customizable verification.

Why this answer

Option D is correct because self-service password reset (SSPR) in Microsoft Entra ID P1 allows users to reset their own passwords without administrator intervention. By configuring SSPR and setting the number of methods required to reset to 2, you enforce the policy that users must verify their identity with two authentication methods before resetting their password.

Exam trap

The trap here is that candidates often confuse Conditional Access MFA policies with SSPR's multi-method verification, not realizing that SSPR has its own separate configuration for the number of required verification methods, while Conditional Access policies apply to authentication events, not the password reset workflow.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access to privileged roles, not for enabling self-service password reset or enforcing multi-method verification for password resets. Option B is wrong because Identity Protection user risk policies trigger automatic password resets based on detected user risk, but they do not allow users to initiate their own password resets without administrator intervention, nor do they enforce a specific number of verification methods for the reset process. Option C is wrong because a Conditional Access policy requiring MFA for password changes would force users to authenticate with MFA when changing their password, but it does not enable self-service password reset; it only secures the change action, not the reset flow, and does not configure the number of methods required for reset.

244
MCQ (medium)

The exhibit shows a sign-in failure for John Doe. The admin wants to allow the sign-in while still enforcing MFA. What should the admin do?

A. Modify the Conditional Access policy to exclude Azure PowerShell or to support MFA for this client.
B. Disable MFA for the user.
C. Assign a Microsoft Entra ID P2 license to the user.
D. Reset the user's password.
Answer: A

Azure PowerShell may not support MFA in this sign-in flow, so the Conditional Access policy must be adjusted rather than MFA removed.

Why this answer

The sign-in failure is likely caused by a Conditional Access policy that blocks legacy authentication protocols like Azure PowerShell, which do not support MFA natively. Option A is correct because modifying the policy to exclude Azure PowerShell or to require MFA for that client app allows the sign-in while still enforcing MFA for other protocols. This ensures the user can authenticate using a modern authentication flow that supports MFA.

Exam trap

The trap here is that candidates may think resetting the password or disabling MFA is the quick fix, but the core issue is that the Conditional Access policy is blocking a client that cannot perform MFA, not that the user's credentials or license are invalid.

How to eliminate wrong answers

Option B is wrong because disabling MFA for the user removes the security requirement entirely, contradicting the admin's goal to still enforce MFA. Option C is wrong because assigning a Microsoft Entra ID P2 license provides advanced features like Identity Protection and Privileged Identity Management, but it does not directly resolve a sign-in failure caused by a Conditional Access policy blocking a non-MFA-capable client. Option D is wrong because resetting the user's password does not address the underlying policy that blocks the sign-in; the failure is due to the client app not supporting MFA, not due to incorrect credentials.

245
MCQ (hard)

Your organization is using Microsoft Entra ID and has deployed Microsoft Intune for mobile device management. You need to ensure that only devices that are compliant with Intune policies can access corporate email via Microsoft Outlook for iOS and Android. Additionally, you need to prevent users from copying corporate data to personal apps on the same device. Which two Microsoft Entra features should you combine?

A. Conditional Access policy requiring hybrid Azure AD joined device, and Windows Autopilot.
B. Conditional Access policy requiring MFA, and Windows Hello for Business.
C. Conditional Access policy requiring approved client app, and Azure AD Application Proxy.
D. Conditional Access policy requiring compliant device, and Microsoft Intune app protection policy (MAM) to prevent data copy/paste to unmanaged apps.
Answer: D

Correct: Conditional Access enforces device compliance, and MAM protects corporate data.

Why this answer

Option D is correct because Conditional Access can require compliant devices, and Intune app protection policies (MAM) can prevent data transfer to unprotected apps.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is for device provisioning. Option B is wrong because Windows Hello for Business is for passwordless sign-in. Option C is wrong because Azure AD Application Proxy is for on-premises app access.

246
Multi-Select (easy)

Which TWO capabilities are part of Microsoft Entra ID Governance?

Select 2 answers
A. Entitlement Management
B. Identity Protection
C. Conditional Access
D. Self-Service Password Reset
E. Access Reviews
Answers: A, E

Entitlement Management manages access packages and requests; Access Reviews recertify existing access.

Why this answer

Entitlement Management is a core capability of Microsoft Entra ID Governance because it enables organizations to manage the lifecycle of access for internal and external users through access packages, catalogs, and policies. It automates the request, approval, and assignment of access to groups, apps, and SharePoint sites, ensuring governance over who gets what and for how long. Access Reviews is also a key governance feature because it allows administrators to periodically review and certify user access, automatically removing stale or inappropriate permissions to maintain compliance.

Exam trap

The trap here is that candidates often confuse Identity Protection or Conditional Access with governance because they involve security controls, but Microsoft Entra ID Governance specifically focuses on the lifecycle management and periodic review of access rights, not on risk detection or policy enforcement at sign-in.

247
MCQ (medium)

You are the identity architect for a global organization with 100,000 users across 50 countries. The company uses Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps. Recently, the security team identified that several compromised user accounts were used to exfiltrate data from a cloud storage app. The CISO wants to implement a solution that detects anomalous behavior (e.g., impossible travel, mass download) and automatically blocks the user session when such behavior is detected. The solution must also provide the ability to investigate and remediate after the fact. Which Microsoft Entra feature should you use in conjunction with Defender for Cloud Apps to meet these requirements?

A. Microsoft Entra Conditional Access session controls with Defender for Cloud Apps integration
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra access reviews
Answer: A

Session controls allow real-time monitoring and blocking of user sessions based on behavior.

Why this answer

Microsoft Entra Conditional Access session controls integrate directly with Defender for Cloud Apps to enable real-time session monitoring and blocking. When anomalous behaviors like impossible travel or mass downloads are detected by Defender for Cloud Apps, the session control can automatically block the user session, while also providing full investigation and remediation capabilities through the Defender for Cloud Apps portal. This meets the CISO's requirement for both automated blocking and post-incident analysis.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access policies (which block sign-ins at the authentication level) with the session-level controls needed for real-time monitoring and blocking within an already-established cloud app session.

How to eliminate wrong answers

Option B (Microsoft Entra Identity Protection) is wrong because it focuses on risk-based detection and automated remediation of identities (e.g., requiring password reset or blocking sign-in), but it does not provide session-level controls or integration with Defender for Cloud Apps for real-time session blocking and investigation of cloud app activities. Option C (Microsoft Entra Privileged Identity Management) is wrong because it is designed for managing, controlling, and monitoring privileged role assignments and just-in-time access, not for detecting anomalous user behavior or blocking sessions in cloud apps. Option D (Microsoft Entra access reviews) is wrong because it is a governance tool for periodically reviewing group memberships, application access, and role assignments, not a real-time detection or session control mechanism.

248
MCQ (medium)

A company wants to provide external consultants with access to a specific application using their LinkedIn or Google accounts. Which Microsoft Entra feature allows this?

A. Microsoft Entra Conditional Access
B. Microsoft Entra External ID
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra Identity Protection
Answer: B

Supports social identity providers for external collaboration.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) is the correct feature because it enables external users—such as consultants—to sign in using their own identity providers (IdPs) like LinkedIn or Google via federation. This allows the company to grant access to a specific application without creating separate Microsoft Entra accounts for each consultant, leveraging social identity providers through OpenID Connect or OAuth 2.0 protocols.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access after authentication) with the ability to authenticate external users, or they mistakenly think PIM or Identity Protection can directly enable social identity provider sign-in.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access is a policy engine that enforces access controls (e.g., MFA, location) after authentication, but it does not enable external identity providers like LinkedIn or Google for sign-in. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access reviews for internal users, not external authentication with social IdPs. Option D is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not provide the federation capability to allow external consultants to authenticate via LinkedIn or Google.

249
MCQ (hard)

Your organization uses Microsoft Entra ID Governance. You need to ensure that when a user leaves the company, all their access to critical applications is automatically removed. Which feature should you use?

A. Access Reviews with automatic removal
B. Privileged Identity Management
C. Identity Protection
D. Entitlement Management
Answer: A

Access Reviews can automatically remove access when a user leaves.

Why this answer

Access Reviews with automatic removal is the correct feature because it allows administrators to define recurring reviews of user access to critical applications and, upon completion, automatically remove access for users who are no longer approved. This directly addresses the requirement of removing all access when a user leaves the company, as the review process can be triggered by the user's departure or scheduled to run regularly, ensuring that stale access is revoked without manual intervention.

Exam trap

The trap here is that candidates often confuse Entitlement Management (which handles access packages and provisioning) with the actual removal mechanism, forgetting that Access Reviews provide the specific 'automatic removal' trigger based on reviewer decisions, while Entitlement Management alone does not enforce removal without a review or lifecycle workflow.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because it focuses on just-in-time activation and oversight of privileged roles (e.g., Global Administrator), not on removing all access to critical applications for departing users. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks like compromised accounts or sign-ins from unusual locations, not lifecycle-based access removal. Option D (Entitlement Management) is wrong because it manages access packages and catalogs for provisioning access, but it does not inherently include the automated removal of access upon user departure unless combined with Access Reviews or a separate lifecycle workflow.

250
MCQ (easy)

A user reports that they cannot sign in to Microsoft Entra ID because they forgot their password. Which Microsoft Entra ID feature allows them to reset their password without contacting IT support?

A. Microsoft Entra ID Connect
B. Microsoft Entra ID Protection
C. Microsoft Entra ID Domain Services
D. Self-Service Password Reset (SSPR)
Answer: D

Enables users to reset passwords using registered methods.

Why this answer

Self-Service Password Reset (SSPR) is the Microsoft Entra ID feature that allows users to reset their own forgotten passwords without needing to contact IT support. It works by verifying the user's identity through pre-configured authentication methods (e.g., phone, email, security questions) before permitting the password change. This directly addresses the user's inability to sign in due to a forgotten password.

Exam trap

The trap here is that candidates may confuse Microsoft Entra ID Protection (which deals with risk detection) with SSPR, because both involve security and user authentication, but only SSPR enables the user to directly reset their own password without IT intervention.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Connect is a tool used to synchronize on-premises Active Directory identities to Microsoft Entra ID, not a password reset feature. Option B is wrong because Microsoft Entra ID Protection is a security service that detects and responds to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs), but it does not provide a mechanism for users to reset their own passwords. Option C is wrong because Microsoft Entra ID Domain Services provides managed domain services (e.g., Kerberos, LDAP) for Azure VMs, not self-service password reset capabilities.

251
MCQ (medium)

Your organization uses Microsoft Entra ID. You need to grant external partners limited access to a SharePoint site for 30 days. After 30 days, access should automatically expire. Which Microsoft Entra feature should you use?

A. Microsoft Entra access reviews
B. Microsoft Entra B2B guest user accounts
C. Microsoft Entra entitlement management
D. Microsoft Entra Conditional Access
Answer: C

Entitlement management allows creating access packages with expiration dates for external users.

Why this answer

Microsoft Entra entitlement management allows you to create access packages that grant external users time-limited access to resources like SharePoint sites. By configuring an access package with a 30-day expiration policy, access is automatically revoked when the policy expires, meeting the requirement exactly.

Exam trap

The trap here is that candidates confuse entitlement management (which handles time-bound resource access) with access reviews (which handle periodic recertification) or B2B guest accounts (which provide identity but not automatic expiration).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra access reviews are used for periodic attestation of existing access, not for automatically expiring access after a fixed duration. Option B is wrong because Microsoft Entra B2B guest user accounts provide the identity for external users but do not include built-in time-limited access policies; expiration must be managed separately. Option D is wrong because Microsoft Entra Conditional Access enforces access controls based on conditions like location or device state, not for granting or expiring access to specific resources on a schedule.

252
MCQ (medium)

Your company uses Microsoft Entra ID. You need to enforce that all users accessing the HR application must have a device that is compliant with company security policies. The device compliance is managed by Microsoft Intune. Which feature should you use to enforce this requirement?

A. Microsoft Intune device compliance policies
B. Microsoft Entra Conditional Access
C. Microsoft Entra Multifactor Authentication
D. Microsoft Entra device registration
Answer: B

Conditional Access policies can require that devices be marked as compliant to grant access.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it allows you to create policies that evaluate conditions such as device compliance before granting access to applications. By integrating with Microsoft Intune, Conditional Access can check the device compliance status reported by Intune and block or allow access to the HR application accordingly. This enforces the requirement that only compliant devices can access the app, without requiring users to authenticate differently.

Exam trap

The trap here is that candidates confuse the creation of compliance policies (Intune) with the enforcement of those policies (Conditional Access), assuming that simply defining compliance rules automatically restricts access to applications.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune device compliance policies define the compliance rules (e.g., encryption, OS version) but do not enforce access control to applications; they only mark devices as compliant or non-compliant. Option C is wrong because Microsoft Entra Multifactor Authentication adds an extra authentication factor but does not evaluate device compliance or enforce device-based access restrictions. Option D is wrong because Microsoft Entra device registration is the process of joining a device to the directory, which is a prerequisite for compliance but does not itself enforce access policies based on compliance status.

253
MCQ (medium)

A company uses Microsoft Entra ID. They want to ensure that when users access the HR portal from an unmanaged personal device, they are prompted to sign a terms of use agreement and also required to perform multifactor authentication (MFA). Which Conditional Access control should they configure to enforce both requirements?

A. Session control - Use app enforced restrictions
B. Grant - Require MFA and Require terms of use
C. Grant - Require approved client app
D. Session control - Sign-in frequency
Answer: B

This grant control combination enforces both multifactor authentication and terms of use acceptance before access is granted, meeting the requirements.

Why this answer

The Grant control in Conditional Access allows you to require multiple conditions to be satisfied before granting access. By selecting both 'Require MFA' and 'Require terms of use' under Grant, the policy enforces that the user must complete both MFA and accept the terms of use when accessing the HR portal from an unmanaged device. This directly meets the requirement for both authentication and consent.

Exam trap

The trap here is that candidates often confuse Session controls (which manage behavior after access is granted) with Grant controls (which enforce requirements before access is granted), leading them to pick a session-based option like 'Sign-in frequency' instead of the correct Grant combination.

How to eliminate wrong answers

Option A is wrong because Session controls (like 'Use app enforced restrictions') only apply additional restrictions during an active session, such as blocking downloads, but they do not enforce pre-access requirements like MFA or terms of use acceptance. Option C is wrong because 'Require approved client app' restricts access to specific client applications (e.g., Microsoft apps) and does not enforce MFA or terms of use. Option D is wrong because 'Sign-in frequency' is a session control that re-prompts for authentication after a set time, but it does not enforce MFA or terms of use as a one-time requirement.

254
Multi-Select (easy)

Which TWO capabilities are provided by Microsoft Entra ID?

Select 2 answers
A. Multifactor authentication
B. Device management
C. Security incident detection
D. Single sign-on
E. Data classification
Answers: A, D

MFA and single sign-on are built-in features of Entra ID.

Why this answer

Options A and D are correct. Microsoft Entra ID provides single sign-on and multifactor authentication.

How to eliminate wrong answers

Option B is incorrect because device management is provided by Microsoft Intune. Option C is incorrect because security incident detection is provided by Microsoft Sentinel, a SIEM. Option E is incorrect because data classification is provided by Azure Information Protection, a Microsoft Purview feature.

255
MCQ (medium)

A company uses Microsoft Entra ID. The IT department needs to ensure that membership in the 'Global Administrator' role is regularly reviewed. Every quarter, the designated reviewers (e.g., senior managers) receive an email asking them to confirm whether each user in the role should keep their assignment. After the review deadline, any member not approved is automatically removed. Which Microsoft Entra ID feature should they configure?

A. Access Reviews
B. Privileged Identity Management (PIM)
C. Identity Protection
D. Conditional Access
Answer: A

Access Reviews allow administrators to create recurring reviews of membership in Entra ID roles or groups. Designated reviewers approve or deny each member, and after the review period ends, non-approved members are automatically removed.

Why this answer

Access Reviews in Microsoft Entra ID are specifically designed for periodic attestation of group memberships, application access, and role assignments. The scenario describes a quarterly review where designated reviewers receive email notifications and unapproved members are automatically removed after the deadline, which is the exact workflow that Access Reviews automate. This feature ensures compliance by requiring explicit confirmation for each user in the Global Administrator role.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Access Reviews because both deal with privileged roles, but PIM handles activation and approval, while Access Reviews handle periodic attestation and removal of stale assignments.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM focuses on just-in-time activation, approval workflows, and time-bound role assignments, not on periodic attestation reviews with automatic removal of unapproved members. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks like leaked credentials or sign-ins from anonymous IP addresses, not role membership reviews. Option D (Conditional Access) is wrong because it enforces access control policies based on signals like user location or device compliance, not on reviewing and attesting existing role assignments.

256
MCQ (medium)

A company wants to block all sign-ins using legacy authentication protocols because these protocols do not support multi-factor authentication (MFA). Which component of a Microsoft Entra ID Conditional Access policy should be configured to achieve this?

A. Cloud apps or actions
B. Conditions (Client apps)
C. Grant
D. Session
Answer: B

The Conditions section includes a Client apps filter that can block legacy authentication protocols, effectively requiring clients that use modern authentication.

Why this answer

To block legacy authentication protocols, you configure the 'Client apps' condition in a Conditional Access policy. This setting allows you to target specific authentication clients, such as Exchange ActiveSync, POP3, IMAP, and SMTP, which do not support MFA. By selecting 'Exchange ActiveSync clients' and 'Other clients' under the Client apps condition, you can enforce a block on all sign-ins using these legacy protocols.

Exam trap

The trap here is that candidates often confuse 'Client apps' with 'Cloud apps or actions', thinking they need to select the specific legacy app (like Exchange Online) rather than the authentication client type, which is the correct way to block the protocol itself.

How to eliminate wrong answers

Option A is wrong because 'Cloud apps or actions' is used to specify which applications or user actions the policy applies to, not to filter by authentication protocol. Option C is wrong because 'Grant' controls access by requiring MFA, compliant device, or other controls, but it cannot directly block legacy authentication protocols; it only adds requirements after the protocol is used. Option D is wrong because 'Session' controls session-level policies like app-enforced restrictions or sign-in frequency, not the initial authentication protocol used.

257
MCQ (hard)

Refer to the exhibit. You are evaluating a Conditional Access policy in JSON format. The policy is assigned to a test user group. A user in that group tries to access Outlook Web App (OWA) from a browser. What is the effect of this policy?

A. Access is blocked because Exchange ActiveSync is included.
B. Access is blocked because the policy targets Office 365.
C. Access is allowed but MFA is required.
D. Access is allowed because the policy only blocks legacy authentication protocols.
Answer: D

Browser access to OWA uses modern authentication (HTTPS), not legacy, so it is not blocked.

Why this answer

The policy in the exhibit targets 'Office 365 Exchange Online' and includes a condition for 'Client apps: Exchange ActiveSync, Other clients'. However, the user is accessing Outlook Web App (OWA) from a browser, which uses modern authentication (HTTPS). The policy explicitly blocks legacy authentication protocols (Exchange ActiveSync and other clients that do not support modern auth).

Since OWA uses modern authentication, it is not affected by this policy, so access is allowed. Option D correctly identifies that the policy only blocks legacy authentication protocols, not modern browser-based access.

Exam trap

The trap here is that candidates mistakenly think any policy including 'Exchange ActiveSync' or 'Office 365' will block all access to Exchange Online, ignoring that the policy's effect depends on the client app type (legacy vs. modern) and the specific access method (browser vs. mobile app).

How to eliminate wrong answers

Option A is wrong because Exchange ActiveSync is included as a target, but the user is accessing OWA via a browser, not using Exchange ActiveSync; the policy blocks legacy protocols, but OWA uses modern authentication and is not blocked. Option B is wrong because the policy targets 'Office 365 Exchange Online' (a specific cloud app), not the entire 'Office 365' suite; the policy does not block all Office 365 apps, only legacy authentication for Exchange Online. Option C is wrong because the policy does not grant access with MFA; it is configured to block access for the specified client apps, not to require MFA. The grant control is set to 'Block', not 'Require multifactor authentication'.

258
MCQ (hard)

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to ensure that only managed compliant devices can access corporate email via Outlook mobile app. What is the most efficient approach?

A. Create an app protection policy in Microsoft Intune for Outlook and assign it to all users
B. Enforce device compliance policies in Intune and create a Conditional Access policy that requires compliant device
C. Create a Conditional Access policy that requires MFA for the Outlook app
D. Create a Conditional Access policy that requires a compliant device and create an app protection policy for Outlook
Answer: D

Combining device compliance and app protection ensures only managed devices with data protection can access email.

Why this answer

Option D is correct because a Conditional Access policy requiring a compliant device, combined with an app protection policy, provides both device management and data protection.

How to eliminate wrong answers

Option A is wrong because requiring only app protection might still allow unmanaged devices. Option B is wrong because device compliance alone does not protect data inside the app. Option C is wrong because MFA does not enforce device management.

259
MCQ (medium)

A company uses Microsoft Entra ID. They want to enforce a policy that requires members of the 'Finance' group to use multi-factor authentication and sign in from a compliant device when accessing the financial reporting application. However, they want to exclude members of the 'Finance Admins' group from these requirements. Which Microsoft Entra ID feature should they configure?

A. Identity Protection
B. Conditional Access
C. Privileged Identity Management (PIM)
D. Entitlement Management
Answer: B

Conditional Access policies enable you to define conditions (including user/group, app, device) and enforce controls like MFA and device compliance. Exclusions are supported.

Why this answer

Conditional Access is the correct feature because it allows administrators to define policies that enforce specific access requirements, such as multi-factor authentication and compliant device usage, based on conditions like group membership. In this scenario, the policy targets the 'Finance' group while excluding the 'Finance Admins' group, which is a core capability of Conditional Access policies in Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Conditional Access, thinking PIM can enforce MFA or device compliance, when in fact PIM only manages role activation and does not control sign-in conditions for specific applications.

How to eliminate wrong answers

Option A is wrong because Identity Protection is focused on detecting and responding to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IP addresses) and does not directly enforce MFA or device compliance based on group membership. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not general access policies for applications like the financial reporting app. Option D is wrong because Entitlement Management handles access packages and automated user lifecycle management for external and internal users, not conditional enforcement of MFA or device compliance.

260
MCQhard

An organization uses Microsoft Entra ID Protection. A user's sign-in is flagged with a risk level of 'High' because of an anonymous IP address. The administrator wants to automatically block the sign-in while allowing the user to self-remediate. Which should be configured?

A.A Conditional Access policy requiring MFA for high-risk sign-ins
B.A user risk policy configured to require a password change
C.A sign-in risk policy configured to block access
D.An MFA registration policy for all users
AnswerC

Sign-in risk policies in Identity Protection can block sign-ins based on risk level (e.g., High). The user can later remediate their account via a user risk policy.

Why this answer

A sign-in risk policy in Microsoft Entra ID Protection can be configured to automatically block access when a sign-in is detected as high risk (e.g., from an anonymous IP address). This policy operates at the sign-in level, allowing the administrator to block the sign-in while still enabling the user to self-remediate (e.g., by signing in again after the risk is mitigated). Option C directly matches this requirement.

Exam trap

The trap here is confusing sign-in risk policies (which block or challenge at the sign-in event) with user risk policies (which require password changes after a compromise), leading candidates to choose a user risk policy when the scenario explicitly describes a sign-in-level risk from an anonymous IP.

How to eliminate wrong answers

Option A is wrong because requiring MFA for high-risk sign-ins does not block the sign-in; it only adds an authentication step, which does not prevent the initial high-risk sign-in from proceeding. Option B is wrong because a user risk policy requiring a password change addresses user-level risk (e.g., compromised credentials), not sign-in-level risk like an anonymous IP address, and it does not block the sign-in. Option D is wrong because an MFA registration policy ensures users register for MFA but does not block or remediate sign-in risks; it is a prerequisite, not a response to a detected risk.

261
MCQhard

You are deploying Microsoft Entra Verified ID to issue verifiable credentials for employee onboarding. Which component is required to issue credentials?

A.A public key infrastructure (PKI) certificate
B.A custom application registered in Microsoft Entra ID
C.A decentralized identifier (DID) for your organization
D.A blockchain node for the decentralized ledger
AnswerC

The DID acts as the issuer identifier.

Why this answer

Microsoft Entra Verified ID requires a decentralized identifier (DID) for your organization to issue verifiable credentials. The DID serves as the cryptographic anchor that proves your organization's authority to issue credentials, as it is registered on a decentralized ledger (ION) and linked to your public keys. Without a DID, the verifiable credentials cannot be cryptographically signed and verified by relying parties.

Exam trap

The trap here is that candidates often confuse the need for a custom app registration (Option B) as the core requirement, but the DID is the mandatory cryptographic identity anchor without which no credentials can be issued.

How to eliminate wrong answers

Option A is wrong because a public key infrastructure (PKI) certificate is not required; Entra Verified ID uses decentralized public key infrastructure (DPKI) based on DIDs and Verifiable Credentials (VCs), not traditional X.509 PKI certificates. Option B is wrong because while a custom application registered in Microsoft Entra ID is used to interact with the Verified ID API, it is not the component required to issue credentials—the DID is the foundational identity anchor. Option D is wrong because a blockchain node is not required; Microsoft uses the ION (Identity Overlay Network) as a Sidetree-based decentralized ledger, but the organization does not need to run a node—the DID is resolved via the ION network without direct node management.

262
MCQmedium

A user reports that they are repeatedly prompted for multifactor authentication when accessing Microsoft 365 apps from the same trusted device. What should you do to reduce the number of prompts?

A.Disable MFA for the user
B.Change the user's MFA method to text message
C.Configure 'Remember MFA' settings in Conditional Access
D.Reset the user's MFA registration
AnswerC

Remember MFA allows trusted sessions for a set period.

Why this answer

Option C is correct because the 'Remember MFA' setting in Conditional Access allows administrators to configure the session lifetime for MFA prompts on trusted devices. By extending the 'MFA reauthentication frequency' or enabling 'Remember Multifactor Authentication' for a longer period (e.g., 30 days), users will not be repeatedly challenged on the same device, reducing friction while maintaining security.

Exam trap

The trap here is that candidates often confuse 'changing the MFA method' (Option B) with reducing prompt frequency, not realizing that the method type has no impact on how often the prompt appears—only the session persistence settings control that.

How to eliminate wrong answers

Option A is wrong because disabling MFA entirely removes the security control, which violates the principle of least privilege and exposes the account to credential theft. Option B is wrong because changing the MFA method to text message does not affect the frequency of prompts; it only changes the delivery mechanism, and the user would still be prompted repeatedly on the same device. Option D is wrong because resetting the user's MFA registration would force them to re-register all authentication methods, which does not address the prompt frequency issue and could actually increase prompts until the new methods are verified.

263
Multi-Selectmedium

Your organization uses Microsoft Entra ID. Which TWO capabilities are provided by Microsoft Entra ID Governance?

Select 2 answers
A.Entitlement management
B.Privileged Identity Management
C.Identity Protection
D.Access reviews
E.Conditional Access
AnswersA, D

Entitlement management is a key capability of Entra ID Governance for managing access packages.

Why this answer

Entitlement management is a core capability of Microsoft Entra ID Governance that enables organizations to manage the identity and access lifecycle at scale. It allows administrators to create and manage access packages, automate access requests, and enforce policies for internal and external users, ensuring the right people have the right access to the right resources.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with governance because both involve access control, but PIM is specifically for privileged roles (e.g., Global Administrator) while governance covers the broader lifecycle for all users and resources.

264
MCQeasy

Your organization wants to allow employees to use their personal mobile devices to access corporate resources, but you need to ensure that corporate data is protected if the device is lost or stolen. You also need to enforce a PIN policy on the device. Which combination of Microsoft Entra and Microsoft Intune features should you use?

A.Use Windows Autopilot to configure devices and then apply a device restriction policy.
B.Implement a Conditional Access policy requiring multi-factor authentication and trusted locations.
C.Enroll devices in Microsoft Intune MDM, create a device compliance policy requiring PIN, and configure a Conditional Access policy to allow only compliant devices.
D.Use Microsoft Intune app protection policies (MAM) without device enrollment, requiring PIN for managed apps.
AnswerC

Correct: MDM enrollment enables compliance policies and remote wipe of corporate data.

Why this answer

Option C is correct because MDM enrollment with compliance policies enforces the PIN and allows selective wipe of corporate data. Option D is wrong because MAM without enrollment can enforce a PIN, but selective wipe is limited. Option B is wrong because Conditional Access alone does not enforce device policies. Option A is wrong because Autopilot is for provisioning, not protection.

265
MCQhard

An organization has deployed Microsoft Entra ID Governance and wants to automate the process of revoking access to a critical application when an employee leaves the company. Which feature should they configure?

A.Microsoft Entra ID Governance Lifecycle Workflows
B.Microsoft Entra Privileged Identity Management
C.Microsoft Entra Access Reviews
D.Microsoft Entra Terms of Use
AnswerA

Automatically remove access based on HR events.

Why this answer

Microsoft Entra ID Governance Lifecycle Workflows enable automated workflows triggered by HR events like employee termination. When an employee leaves, a lifecycle workflow can be configured to automatically remove the user from the application's access group or disable their account, ensuring immediate revocation of access without manual intervention.

Exam trap

The trap here is confusing automated offboarding (Lifecycle Workflows) with periodic access review (Access Reviews) or privileged role management (PIM), as candidates often think any governance feature can handle termination-based revocation.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval, not automated offboarding workflows for standard application access. Option C is wrong because Access Reviews are periodic attestation processes that require manual or scheduled review decisions, not automated revocation triggered by a lifecycle event like termination. Option D is wrong because Terms of Use present acceptance policies to users but do not enforce any automated access revocation actions.

266
MCQmedium

A company uses Microsoft Entra ID and wants to ensure that guest users who are inactive for 90 days have their access to internal resources automatically revoked. Additionally, a manager must review all guest accounts annually. Which Microsoft Entra feature should be used to implement these requirements?

A.Microsoft Entra Identity Governance Access Reviews
B.Conditional Access policies
C.Privileged Identity Management (PIM)
D.Self-Service Password Reset (SSPR)
AnswerA

Access reviews allow managers to periodically certify guest accounts, and can be configured to automatically remove guests who are not re-approved or have been inactive.

Why this answer

Microsoft Entra Identity Governance Access Reviews enables administrators to create recurring reviews of guest user access and automatically remove access for inactive users. By configuring an access review with a duration of 90 days and enabling automatic revocation, guest users who have not signed in for that period will have their access removed. Additionally, the annual manager review requirement is met by scheduling a recurring review for all guest accounts, ensuring compliance with governance policies.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with identity governance features, mistakenly thinking that Conditional Access can enforce inactivity-based revocation, when in fact it only controls access at sign-in time and cannot perform periodic reviews or automatic removal of stale accounts.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies enforce real-time access controls based on conditions like location or device state, but they cannot automatically revoke access based on inactivity duration or schedule periodic manager reviews. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval for privileged roles, not guest user access reviews or inactivity-based revocation. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords and does not provide any mechanism for reviewing or revoking guest access based on inactivity.

267
Multi-Selecthard

Which THREE of the following are identity protection features in Microsoft Entra ID Protection?

Select 3 answers
A.Self-service password reset
B.Risk detections such as leaked credentials and anonymous IP address
C.Conditional access policies
D.Investigation and remediation of risk incidents
E.Risk policies for user risk and sign-in risk
AnswersB, D, E

These are types of risk detections.

Why this answer

Option B is correct because Microsoft Entra ID Protection uses risk detections, such as leaked credentials and anonymous IP addresses, to identify potential identity compromises. Leaked credentials are detected by comparing user credentials against known breach databases, while anonymous IP addresses (e.g., Tor exit nodes) are flagged as risky sign-in attributes. These detections are foundational to the service's ability to assess sign-in and user risk levels.

Exam trap

The trap here is that candidates often mistake conditional access policies (option C) for a feature of ID Protection. ID Protection provides risk detections and risk policies that can be used as conditions within conditional access, but the conditional access policies themselves are not a feature of ID Protection.

268
MCQmedium

A company uses Microsoft Entra ID. They want to require multi-factor authentication (MFA) for users who sign in from locations with a high risk score, as determined by Microsoft's analysis of the sign-in's IP address and other behavioral signals. Which Microsoft Entra ID feature should they configure?

A.Identity Protection
B.Conditional Access
C.Privileged Identity Management
D.Entitlement Management
AnswerA

Identity Protection includes sign-in risk policies that can automatically require MFA based on risk level detected during sign-in.

Why this answer

Identity Protection is the correct feature because it provides risk-based detection and remediation, including the ability to automatically enforce MFA when a sign-in is flagged with a high risk score. It uses machine learning models to analyze signals such as anonymous IP addresses, atypical travel, and leaked credentials to assign a risk level. This directly matches the requirement to require MFA based on Microsoft's analysis of the sign-in's IP address and behavioral signals.

Exam trap

The trap here is that candidates often mistake Conditional Access for the feature that evaluates risk. Conditional Access is the policy engine that enforces controls, while Identity Protection is the service that generates the risk scores used as conditions.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because while it can enforce MFA based on conditions like location or device, it does not natively evaluate Microsoft's risk score; it requires integration with Identity Protection policies to use risk as a condition. Option C (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and access reviews, not on risk-based MFA enforcement for all users. Option D (Entitlement Management) is wrong because it manages access packages and approval workflows for external users and groups, not sign-in risk detection or MFA enforcement.

269
Multi-Selecthard

Which THREE capabilities are part of Microsoft Entra ID Governance? (Choose three.)

Select 3 answers
A.Privileged Identity Management (PIM)
B.Passwordless authentication
C.Entitlement management
D.Identity lifecycle management
E.Access reviews
AnswersC, D, E

Manages access packages and assignments.

Why this answer

Entitlement management is a core capability of Microsoft Entra ID Governance that enables organizations to manage access to applications, groups, and SharePoint sites through automated access request workflows, approval processes, and periodic reviews. It directly supports the governance principle of ensuring users have only the access they need, when they need it.

Exam trap

The trap here is that candidates treat Privileged Identity Management (PIM) as a separate governance capability rather than recognizing it as a component within the broader identity lifecycle management and access review workflows, leading them to select it alongside the three correct answers.

270
Multi-Selectmedium

Which TWO conditions can be used in a Microsoft Entra Conditional Access policy? (Choose two.)

Select 2 answers
A.MFA registration status
B.Password complexity
C.Device platform
D.User risk level
E.Login frequency
AnswersC, D

Device platform is a condition.

Why this answer

Option C is correct because Device platform is a standard condition in Microsoft Entra Conditional Access policies, allowing administrators to target policies based on the operating system (e.g., Windows, iOS, Android). Option D is correct because User risk level is a condition derived from Microsoft Entra ID Protection, reflecting the probability that a user's identity has been compromised, and can be used to trigger step-up authentication or block access.

Exam trap

The trap here is that candidates confuse conditions (e.g., device platform, user risk) with grant controls (e.g., require MFA, sign-in frequency) or configuration settings (e.g., password complexity), leading them to select options that are not valid conditions in the Conditional Access policy editor.

271
MCQmedium

A company's security team discovers that several recent account compromises originated from attackers using legacy mail protocols (POP3, IMAP) which do not support multi-factor authentication. The team wants to immediately prevent any sign-in attempts using these protocols. Which Microsoft Entra ID feature should they configure to enforce this restriction?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Microsoft Entra Password Protection
AnswerA

Conditional Access policies allow administrators to block legacy authentication by targeting client apps that use legacy protocols. This is the correct feature to enforce the restriction.

Why this answer

Conditional Access in Microsoft Entra ID allows administrators to create policies that control access based on conditions such as client apps. By configuring a policy to block authentication requests from legacy authentication protocols (POP3, IMAP, SMTP, etc.), the security team can immediately prevent sign-in attempts that do not support multi-factor authentication, effectively mitigating the risk of account compromise via these outdated protocols.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based policies with the ability to block legacy protocols. Identity Protection only requires MFA or blocks access based on risk scores, not on the protocol type itself.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because Identity Protection is a risk-based detection and remediation tool that identifies suspicious sign-ins and user risks, but it does not directly block specific authentication protocols like POP3 or IMAP. Option C (Privileged Identity Management (PIM)) is wrong because PIM is designed for just-in-time privileged role activation and access governance, not for controlling which authentication protocols can be used. Option D (Microsoft Entra Password Protection) is wrong because it enforces password policies (e.g., banning weak passwords) but does not block legacy authentication protocols or require MFA.

272
Multi-Selectmedium

Which TWO features are part of Microsoft Entra ID Governance? (Choose two.)

Select 2 answers
A.Entitlement Management
B.Access Reviews
C.Conditional Access
D.Self-Service Password Reset
E.Identity Protection
AnswersA, B

Manages access packages and requests.

Why this answer

Entitlement Management is a core feature of Microsoft Entra ID Governance that enables organizations to manage the lifecycle of access rights across internal and external users. It automates access requests, approvals, and assignments through configurable access packages, ensuring that users have the right access for the right duration. This directly supports governance by enforcing policies for who gets access, for how long, and under what conditions.

Exam trap

The trap here is that candidates often confuse security features (Conditional Access, Identity Protection) with governance features, but Entra ID Governance specifically focuses on managing the lifecycle of access—who gets access, for how long, and with periodic review—not on enforcing security controls or mitigating threats.

273
Matchingmedium

Match each Microsoft Defender product to its focus area.

Focus areas
Protect on-premises Active Directory
Secure email and collaboration tools
Protect cloud workloads and resources
Secure Internet of Things devices
SaaS application security

Why these pairings

These are specialized Defender products for different environments.

274
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Entra Identity Protection? (Choose three.)

Select 3 answers
A.Detect leaked credentials
B.Enable risk-based conditional access policies
C.Allow users to reset their own passwords
D.Provide just-in-time privileged access
E.Provide a risk investigation report
AnswersA, B, E

Identity Protection detects leaked credentials.

Why this answer

Option A is correct because Microsoft Entra Identity Protection continuously monitors user authentication patterns and compares password hashes against a database of known leaked credentials from public breach sources. When a match is detected, it flags the user or sign-in as risky, enabling automated remediation or blocking.

Exam trap

The trap here is that candidates confuse the risk-based Conditional Access integration (which is part of Identity Protection) with the password reset and JIT access features that belong to separate Microsoft Entra services like SSPR and PIM.

275
MCQmedium

An organization wants to allow users to reset their own passwords without help desk intervention. They also need to enforce multifactor authentication during the reset process. Which Microsoft Entra feature should they configure?

A.Microsoft Entra Self-Service Password Reset
B.Microsoft Entra Identity Protection
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Multifactor Authentication
AnswerA

Enables users to reset passwords and can enforce MFA.

Why this answer

Microsoft Entra Self-Service Password Reset (SSPR) allows users to reset their own passwords without help desk intervention. By integrating with Microsoft Entra Multifactor Authentication, SSPR can enforce MFA during the reset process, satisfying both requirements.

Exam trap

The trap here is that candidates often mistake Microsoft Entra Multifactor Authentication for a standalone password reset solution, when in fact it is only a component that must be integrated with SSPR to achieve both self-service reset and MFA enforcement.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Identity Protection is a risk-based detection and remediation tool that can trigger automated responses like requiring MFA or blocking sign-ins, but it does not directly provide self-service password reset capabilities. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged access and role activation, not general user password reset workflows. Option D is wrong because Microsoft Entra Multifactor Authentication is an authentication method that can be used as part of SSPR, but by itself it does not provide the self-service password reset functionality; it must be combined with SSPR to meet both requirements.

276
MCQmedium

A company uses Microsoft Entra ID. The IT team wants to provide remote employees with secure, single sign-on (SSO) access to a critical on-premises web application that uses password-based authentication, without requiring a VPN connection. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra Application Proxy
B.Microsoft Entra Connect
C.Microsoft Entra Domain Services
D.Microsoft Entra ID P2 license
AnswerA

Correct. Application Proxy provides secure remote access and SSO for on-premises web apps without needing a VPN.

Why this answer

Microsoft Entra Application Proxy enables secure remote access to on-premises web applications by publishing them through an external endpoint, without requiring a VPN. It supports password-based SSO by securely storing and replaying credentials to the legacy application, allowing users to authenticate once via Entra ID. This makes it the correct choice for providing SSO to a password-based on-premises app without a VPN.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect (a sync tool) with Application Proxy, mistakenly thinking that syncing identities alone provides remote access and SSO to on-premises apps.

How to eliminate wrong answers

Option B (Microsoft Entra Connect) is wrong because it is a synchronization tool that syncs on-premises directory objects to Entra ID, not a proxy for publishing applications or enabling remote SSO. Option C (Microsoft Entra Domain Services) is wrong because it provides managed domain services like LDAP and Kerberos for cloud-based VMs, not remote access to on-premises web apps. Option D (Microsoft Entra ID P2 license) is wrong because it is a licensing tier that adds Identity Protection and Privileged Identity Management, not a feature that directly enables remote access or SSO to on-premises apps.

277
MCQmedium

A company wants to offer a secure sign-in experience for external customers who may use personal accounts from Facebook, Google, or any OpenID Connect provider. They also need to customize the sign-in pages with their company logo and colors. Which Microsoft Entra capability should they use?

A.Microsoft Entra ID (formerly Azure Active Directory) — free edition
B.Microsoft Entra External ID (formerly Microsoft Entra ID B2C)
C.Microsoft Entra Domain Services
D.Microsoft Entra Permissions Management
AnswerB

External ID is purpose-built for customer identity and access management, supporting multiple social identity providers and customizable sign-in pages.

Why this answer

Microsoft Entra External ID (formerly Azure AD B2C) is the correct choice because it is specifically designed for customer-facing identity scenarios, supporting social identity providers (Facebook, Google) and any OpenID Connect provider. It also provides full customization of sign-in pages, including company branding like logos and colors, which is not available in the free edition of Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse Microsoft Entra External ID with the free edition of Microsoft Entra ID, assuming that 'free' includes external identity support, but the free edition is strictly for internal users and lacks social identity federation and UI customization capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID (free edition) is intended for internal organizational users and does not support external customer identities with social or OpenID Connect providers, nor does it allow customization of sign-in pages for external users. Option C is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., Kerberos, NTLM) for legacy applications, not identity federation or customer sign-in customization. Option D is wrong because Microsoft Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) tool for managing permissions across multi-cloud environments, unrelated to customer authentication or branding.

278
MCQeasy

Your organization wants to use Microsoft Entra Verified ID to issue digital credentials to employees. Which Microsoft Entra service provides the ability to issue and verify verifiable credentials?

A.Microsoft Entra Entitlement Management
B.Microsoft Entra Verified ID
C.Microsoft Entra Identity Protection
D.Microsoft Entra Privileged Identity Management
AnswerB

Verified ID is the service for decentralized identity and verifiable credentials.

Why this answer

Microsoft Entra Verified ID is the specific service designed to issue and verify verifiable credentials based on decentralized identity standards such as W3C Verifiable Credentials and Decentralized Identifiers (DIDs). It enables organizations to create, issue, and cryptographically verify digital credentials without relying on a central authority, aligning with the scenario described.

Exam trap

The trap here is that candidates may confuse 'Verified ID' with other identity governance or security services like Entitlement Management or Identity Protection, but only Verified ID directly handles the issuance and verification of verifiable credentials using decentralized identity standards.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Entitlement Management focuses on automating access reviews, access packages, and lifecycle management for applications and groups, not on issuing or verifying verifiable credentials. Option C is wrong because Microsoft Entra Identity Protection is a security tool that detects identity-based risks like compromised accounts and sign-in anomalies, not a credential issuance or verification service. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and access approvals, not the creation or verification of digital credentials.

279
MCQhard

Your organization, Contoso, uses Microsoft Entra ID P2. You have a Microsoft Entra tenant with several privileged roles including Global Administrator, Exchange Administrator, and SharePoint Administrator. The security team wants to enforce just-in-time (JIT) access for these roles, requiring users to request activation and get approval before they can use the role. Additionally, all activations must be logged and reviewed monthly. What should you configure?

A.Configure Microsoft Entra Privileged Identity Management (PIM) to require approval for role activation and enable access reviews.
B.Configure Conditional Access policies to require MFA for privileged roles.
C.Use Microsoft Entra Entitlement Management to create access packages for roles.
D.Create an Identity Protection risk policy to block risky sign-ins for privileged users.
AnswerA

PIM provides JIT activation with approval and reviews.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by requiring users to activate their role assignments with approval from designated approvers. It also includes access reviews that can be scheduled to audit and confirm active role assignments, meeting the logging and monthly review requirements. This directly addresses the need for activation approval and periodic review of privileged role usage.

Exam trap

The trap here is confusing Conditional Access policies (which control sign-in conditions) with PIM (which controls role activation and approval workflows), leading candidates to select MFA enforcement instead of the JIT and review capabilities unique to PIM.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies enforce authentication requirements (like MFA) during sign-in but do not provide JIT activation workflows, approval processes, or scheduled access reviews for privileged roles. Option C is wrong because Entitlement Management manages access packages for resource access (e.g., groups, apps, sites) but does not handle role activation approval or time-bound JIT elevation for Entra ID administrative roles. Option D is wrong because Identity Protection risk policies block or require MFA for risky sign-ins, but they do not control role activation, require approval, or log/review privileged role usage.

280
MCQhard

Refer to the exhibit. A Microsoft Graph PowerShell script is shown. What is the purpose of this script?

A.Register a phone authentication method for users.
B.Configure self-service password reset settings.
C.Reset passwords for all users named John.
D.Enable multifactor authentication for the users.
AnswerA

The script adds a phone authentication method.

Why this answer

The script uses the `New-MgUserAuthenticationPhoneMethod` cmdlet to register a phone number as an authentication method for a user in Microsoft Entra ID. This cmdlet specifically creates a phone authentication method, which can be used for multifactor authentication or self-service password reset, but its direct purpose is to register the phone method itself.

Exam trap

The trap here is that candidates confuse registering a phone authentication method with enabling MFA or configuring SSPR, because the phone method is a common component of both, but the cmdlet's specific purpose is only to register the method, not to enable the broader feature.

How to eliminate wrong answers

Option B is wrong because configuring self-service password reset (SSPR) settings requires cmdlets like `Update-MgPolicyAuthenticationMethodPolicy` or `Set-MgUserAuthenticationMethodPolicy`, not `New-MgUserAuthenticationPhoneMethod`. Option C is wrong because the script does not perform any password reset operation; it only registers a phone method, and it targets a single user by UserPrincipalName, not all users named John. Option D is wrong because enabling multifactor authentication (MFA) for users is done via Conditional Access policies or per-user MFA settings, not by registering a phone method; the cmdlet only adds a phone as an authentication method, which is a prerequisite but not the act of enabling MFA.

281
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy in JSON format. What is the effect of this policy?

A.All users are blocked from accessing resources from untrusted locations.
B.All users must use MFA and accept terms of use when accessing from trusted locations.
C.All users must use MFA from all locations.
D.Guests must accept terms of use and use MFA from all locations.
AnswerB

The policy conditions include trusted locations and grant controls require MFA and terms of use.

Why this answer

The policy grants access only when the conditions of 'trusted locations' AND 'multifactor authentication' AND 'accept terms of use' are all met. Since the policy is configured to 'Grant access' with these three controls required, any user (including guests) attempting to access from a trusted location must satisfy all three requirements. Option B correctly captures this combination.

Exam trap

The trap here is that candidates often misinterpret the 'Grant' block as a block action, or assume the policy applies to all locations when the location condition explicitly scopes it to trusted locations only.

How to eliminate wrong answers

Option A is wrong because the policy does not block access from untrusted locations; it only defines the requirements for granting access, and if the location is not trusted, the policy simply does not apply (no explicit block action is set). Option C is wrong because the policy specifically restricts the MFA requirement to 'trusted locations' only, not all locations. Option D is wrong because the policy applies to 'All users', not just guests, and the terms of use and MFA are only required when accessing from trusted locations, not from all locations.

282
MCQeasy

Your organization uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) for all users. Which policy should you create?

A.Conditional Access policy
B.Identity Protection policy
C.Security defaults
D.Privileged Identity Management
AnswerA

Conditional Access policies can enforce MFA for all users.

Why this answer

Conditional Access policies are the correct mechanism to enforce MFA for all users because they allow granular, policy-driven access controls based on signals like user, location, device, and application. By creating a Conditional Access policy that requires MFA for all cloud apps, you can target all users and enforce MFA at authentication time, providing a flexible and scalable solution.

Exam trap

The trap here is that candidates confuse Security defaults (a simple, pre-configured baseline) with a customizable policy, but Security defaults is not a policy you 'create'—it is an all-or-nothing toggle that cannot be scoped or modified, whereas Conditional Access policies are the correct, granular tool for enforcing MFA.

How to eliminate wrong answers

Option B is wrong because Identity Protection policies are designed to detect and respond to risks (e.g., leaked credentials, sign-ins from anonymous IPs) and can automatically trigger MFA based on risk level, but they cannot enforce MFA for all users unconditionally. Option C is wrong because Security defaults is a baseline set of security configurations that includes enforcing MFA for all users, but it is a tenant-wide setting that cannot be customized or scoped; it is not a policy you 'create' but rather enable or disable. Option D is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and approval workflows for roles, not MFA enforcement for all users; it manages role activation, not authentication requirements.

283
MCQmedium

An administrator notices that some users are being prompted for MFA even though they are inside the corporate network. The Conditional Access policy includes a condition for 'All locations' except trusted IPs. What is the most likely cause?

A.The corporate network's public IP address is not added to the trusted IPs list
B.The users have not registered for MFA
C.The users are not assigned to the policy but are in a nested group
D.The Conditional Access policy has session controls enabled
AnswerA

Without trusted IPs, the location is considered untrusted and MFA is required.

Why this answer

If the corporate network's public IP is not added to the trusted IPs list, users inside the network will be prompted for MFA because the location is not recognized as trusted. Option A is correct. Option B is wrong because MFA registration status doesn't affect whether the prompt appears when the policy requires MFA.

Option C is wrong because, if the trusted IP were correctly configured, access from the corporate network would work as intended. Option D is wrong because session controls don't bypass MFA.

284
MCQmedium

A company has discovered that many account compromise attacks are using legacy authentication protocols (e.g., IMAP, POP3, SMTP) which do not support multi-factor authentication. They want to block all sign-ins that use these protocols to reduce risk. Which Microsoft Entra ID feature should they use to enforce this block?

A.Conditional Access
B.Identity Protection
C.Azure AD Application Proxy
D.Privileged Identity Management (PIM)
AnswerA

Correct. A Conditional Access policy can be configured to block all sign-ins from legacy authentication protocols by targeting the 'Other clients' app type and setting the access control to block.

Why this answer

Conditional Access policies in Microsoft Entra ID can be configured to block access from legacy authentication protocols (such as IMAP, POP3, and SMTP) by targeting the 'Client apps' condition. Since these protocols do not support modern authentication methods like MFA, blocking them directly reduces the attack surface for account compromise. This is the correct feature to enforce the block.

Exam trap

The trap here is that candidates may confuse Identity Protection's risk-based policies with Conditional Access's protocol-level controls, assuming that blocking legacy authentication is a risk-detection feature rather than a conditional access rule.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it is designed to detect and respond to risky sign-ins and users (e.g., leaked credentials, anonymous IP addresses), not to block specific authentication protocols. Option C (Azure AD Application Proxy) is wrong because it provides secure remote access to on-premises web applications, not control over authentication protocols. Option D (Privileged Identity Management) is wrong because it manages just-in-time privileged access and role activation, not the blocking of legacy authentication protocols.

285
MCQhard

The exhibit shows a Conditional Access policy named 'Block Legacy Auth'. The admin notices that the policy is not blocking legacy authentication as intended. Based on the output, what is the most likely reason?

A.The policy name is incorrect.
B.The policy does not have any client app types configured to block.
C.The policy is assigned to no users.
D.The policy is disabled.
AnswerB

ClientAppTypes is empty, so the policy does not target any client apps.

Why this answer

The policy is not blocking legacy authentication because it lacks configured client app types. Conditional Access policies require explicit selection of client apps (e.g., Exchange ActiveSync, other clients) to target legacy authentication protocols like POP3, IMAP, and SMTP. Without this configuration, the policy has no conditions to enforce, so it cannot block any authentication attempts.

Exam trap

The trap here is that candidates assume a Conditional Access policy with 'Block access' grant will automatically block all authentication, but they overlook the critical requirement to explicitly configure client app types to cover legacy protocols.

How to eliminate wrong answers

Option A is wrong because the policy name is irrelevant to its functionality; Conditional Access policies enforce based on conditions and controls, not names. Option C is wrong because the policy is assigned to 'All users' as shown in the exhibit, so user assignment is not the issue. Option D is wrong because the policy is enabled (status 'On' in the exhibit), so a disabled state is not the reason for failure.

286
Multi-Selectmedium

Which THREE components are part of Microsoft Entra Permissions Management (CIEM)?

Select 3 answers
A.Activity trail
B.Audit trail
C.Identity Protection
D.Access reviews
E.Permissions Analytics Report
AnswersA, B, E

Tracks user and resource activity.

Why this answer

Activity trail (A) is correct because Microsoft Entra Permissions Management (CIEM) captures a detailed log of all user actions and resource access events across multi-cloud environments (AWS, Azure, GCP). This trail is essential for forensic analysis and identifying anomalous behavior, directly supporting the CIEM goal of providing visibility into permissions usage.

Exam trap

The trap here is that candidates confuse the CIEM components (Activity trail, Audit trail, Permissions Analytics Report) with broader Microsoft Entra features like Identity Protection or Access reviews, which serve different governance and security functions.

287
Multi-Selectmedium

Which TWO capabilities are provided by Microsoft Entra Identity Protection?

Select 2 answers
A.Enforcing session timeouts for applications
B.Self-service password reset
C.Detecting sign-in risks such as anonymous IP addresses
D.Automatically remediating risk by blocking sign-ins
E.Managing privileged role assignments
AnswersC, D

Identity Protection detects various sign-in risks.

Why this answer

Microsoft Entra Identity Protection provides risk detection capabilities, including the ability to detect sign-in risks such as sign-ins from anonymous IP addresses (e.g., Tor browser). This is a core feature that allows organizations to identify potentially compromised credentials or malicious sign-in attempts based on real-time signals.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk detection and automated remediation with other Entra features like Conditional Access (session controls) or Privileged Identity Management (role assignments), leading them to select options that describe those separate services.

288
MCQeasy

Your organization uses Microsoft Entra ID to manage user identities. A new employee named John joins the company and needs access to Microsoft 365 apps. You want to ensure John's identity is verified using a phone call. Which authentication method should you configure?

A.Time-based one-time password (TOTP)
B.Email one-time passcode
C.Text message (SMS)
D.Phone call (voice call)
E.FIDO2 security key
AnswerD

Phone call is a supported authentication method for user verification.

Why this answer

The question explicitly requires verification using a phone call. The Phone call (voice call) authentication method in Microsoft Entra ID delivers an automated voice call to the user's registered phone number, prompting them to press a key to confirm their identity. This directly matches the requirement, making D the correct choice.

Exam trap

The trap here is that candidates may confuse 'phone call' with 'text message (SMS)' because both involve a phone, but the question explicitly specifies 'phone call (voice call)', not a text-based code delivery.

How to eliminate wrong answers

Option A is wrong because Time-based one-time password (TOTP) uses a software or hardware token to generate a code, not a phone call. Option B is wrong because Email one-time passcode sends a code via email, which is not a phone-based voice call. Option C is wrong because Text message (SMS) delivers a code via text, not a voice call.

Option E is wrong because FIDO2 security key is a hardware-based passwordless authentication method that uses public-key cryptography, not a phone call.

289
MCQmedium

Your organization uses Microsoft Entra ID P2 and wants to reduce the risk of identity compromise by requiring multifactor authentication (MFA) for all users, but excluding users when they are on the corporate network. Which policy type should you configure?

A.Conditional Access policy
B.Self-service password reset (SSPR) policy
C.Identity Protection risk policy
D.Privileged Identity Management (PIM) activation policy
AnswerA

Conditional Access can require MFA for all users except when from trusted IPs (corporate network).

Why this answer

Conditional Access policies allow you to enforce MFA based on network location, user, and device conditions. Option A is correct because the policy can target all users and exclude trusted IPs (the corporate network). Option C is wrong because Identity Protection detects risk but does not directly enforce MFA by location.

Option D is wrong because Privileged Identity Management (PIM) manages just-in-time access for privileged roles, not general MFA. Option B is wrong because self-service password reset (SSPR) does not enforce MFA.

290
MCQmedium

You are a consultant helping a client migrate from on-premises Active Directory to Microsoft Entra ID. The client has a large number of user accounts and wants to synchronize identities while allowing users to use their existing on-premises passwords. Which tool should you recommend?

A.Microsoft Entra Connect Sync (older version)
B.Microsoft Graph API with custom sync script
C.Microsoft Entra Connect with password hash synchronization
D.Microsoft Entra Connect Provisioning Agent
AnswerC

This tool synchronizes identities and hashes passwords, allowing seamless use of on-premises passwords.

Why this answer

Microsoft Entra Connect with password hash synchronization (PHS) is the correct tool because it synchronizes user identities from on-premises Active Directory to Microsoft Entra ID and allows users to keep their existing on-premises passwords by hashing and syncing password hashes to the cloud. This meets the client's requirement for identity synchronization without requiring password changes or additional infrastructure.

Exam trap

The trap here is that candidates often confuse the Microsoft Entra Connect Provisioning Agent (Option D) with the full Microsoft Entra Connect tool, mistakenly thinking the Provisioning Agent supports password hash synchronization, when in fact it only supports cloud sync without password writeback or PHS.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect Sync (older version) is the previous name for the tool, but the question specifies the 'older version' which lacks the integrated password hash synchronization feature and is deprecated; the current recommended tool is Microsoft Entra Connect with PHS. Option B is wrong because Microsoft Graph API with a custom sync script would require significant development effort, lacks built-in password hash synchronization, and does not natively support the seamless password sync required for users to keep their existing on-premises passwords. Option D is wrong because the Microsoft Entra Connect Provisioning Agent is designed for cloud sync scenarios (e.g., syncing from disconnected forests or lightweight scenarios) and does not support password hash synchronization, which is essential for allowing users to use their existing on-premises passwords.

291
MCQmedium

A company has several on-premises web-based applications that need to be securely accessed by remote employees without requiring a VPN. The IT team wants to provide single sign-on (SSO) using Microsoft Entra ID. Which Microsoft Entra ID feature should they implement?

A.Microsoft Entra Application Proxy
B.Microsoft Entra Self-Service Password Reset (SSPR)
C.Microsoft Entra Privileged Identity Management (PIM)
D.Microsoft Entra Identity Protection
AnswerA

Correct. Microsoft Entra Application Proxy publishes on-premises web apps externally and provides secure remote access with single sign-on, eliminating the need for a VPN.

Why this answer

Microsoft Entra Application Proxy enables secure remote access to on-premises web applications without a VPN by acting as a reverse proxy. It integrates with Microsoft Entra ID to provide single sign-on (SSO) for users, leveraging pre-authentication and conditional access policies. This directly meets the requirement for VPN-less, SSO-enabled access.

Exam trap

The trap here is that candidates often confuse Application Proxy with a VPN solution or think SSPR or PIM can provide remote access, but only Application Proxy specifically proxies on-premises web apps with SSO integration.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Self-Service Password Reset (SSPR) is a password management feature that allows users to reset their own passwords, not a solution for remote application access or SSO. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) is used for managing, controlling, and monitoring access to privileged roles, not for proxying on-premises applications. Option D is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats, not a remote access or SSO mechanism.

292
MCQmedium

A company uses Microsoft Entra ID (Azure AD). The IT team has created a security group named 'SalesTeam' that contains all sales department users. They want to ensure that only members of this group can access the company's CRM application, which is registered as an enterprise application in Entra ID. What should the IT team configure?

A.A Conditional Access policy that requires group membership
B.Self-service group management settings
C.Enterprise application user and group assignment
D.Application registration settings
AnswerC

Assigning the 'SalesTeam' group to the CRM enterprise application ensures that only members of that group can sign in and access that application.

Why this answer

Enterprise applications in Microsoft Entra ID can be configured to require user or group assignment, which restricts access to only assigned users or groups. By assigning the 'SalesTeam' security group to the CRM enterprise application, the IT team ensures that only members of that group can authenticate and access the application. This is the standard method for controlling access to gallery or custom enterprise applications in Entra ID.

Exam trap

The trap here is confusing Conditional Access (which controls conditions and grants during authentication) with user/group assignment (which controls the fundamental ability to authenticate to the application), leading candidates to select A when C is the direct and correct configuration for restricting access.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy can enforce group membership as a condition, but it does not by itself restrict access to the application; it only applies additional controls (like MFA or device compliance) after the user is already allowed to authenticate. Option B is wrong because self-service group management settings control how users can create or join groups, not how access to an enterprise application is restricted. Option D is wrong because application registration settings define the application's authentication configuration (e.g., redirect URIs, API permissions), not which users or groups can access the application.

293
MCQmedium

A company is using Microsoft Entra ID to manage identities for a multi-tenant SaaS application. They want to allow users from partner organizations to access the application using their own corporate credentials, without needing to manage separate accounts. Which solution should they implement?

A.Microsoft Entra B2C
B.Microsoft Entra federation with the partner's identity provider
C.Microsoft Entra B2B collaboration
D.Microsoft Entra provisioning service
AnswerC

B2B collaboration allows partner users to access apps using their own identities.

Why this answer

Microsoft Entra B2B collaboration is the correct solution because it enables partner users to access the company's multi-tenant SaaS application using their own corporate credentials, without requiring separate accounts. B2B collaboration supports cross-tenant access by creating lightweight guest user objects in the resource tenant, which can authenticate via their home tenant's identity provider. This aligns with the requirement to allow partner organizations to use their existing credentials while avoiding account management overhead.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, mistakenly thinking both handle external users, but B2C is for customer identities (social/local accounts) while B2B is for partner identities (corporate credentials).

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2C is designed for customer-facing identity management, allowing external users (e.g., consumers) to sign up and sign in with social or local accounts, not for partner organizations using their own corporate credentials. Option B is wrong because federation with a partner's identity provider typically establishes a trust between two organizations' identity systems, but it requires complex configuration and often involves setting up a federation trust (e.g., using SAML or WS-Federation) for the entire domain, which is overkill for simple guest access and does not natively support the lightweight, invitation-based model of B2B collaboration. Option D is wrong because the Microsoft Entra provisioning service automates the creation, update, and deletion of user accounts in SaaS applications (e.g., via SCIM), but it does not enable external users to authenticate with their own credentials; it manages identity lifecycle, not cross-tenant authentication.

294
MCQmedium

A company has many guest users in Microsoft Entra ID who collaborate on a project in a specific SharePoint site. The compliance team needs to periodically verify that these guest users still require access to the site. If a reviewer does not respond within 30 days, the guest's access should be automatically removed. Additionally, the company wants to ensure that once access is removed, the guest user object is eventually deleted from the directory after 90 days. Which Microsoft Entra Identity Governance features should they use together?

A.Access Reviews configured to auto-apply results and delete guest users after a specified number of days
B.Entitlement Management access packages with an expiration policy
C.Lifecycle Workflows to schedule a periodic task
D.Privileged Identity Management (PIM) for guest roles
AnswerA

Access Reviews can automatically apply results (remove access) if no response, and the 'Delete users' setting within the review automatically removes guest objects after the configured days.

Why this answer

Access Reviews in Microsoft Entra ID can be configured to automatically apply results, removing guest access when a reviewer does not respond within a specified period (e.g., 30 days). Additionally, the 'Delete guest users not reviewed within' setting allows automatic deletion of the guest user object from the directory after a configurable number of days (e.g., 90 days). This directly meets both requirements: periodic verification of access and eventual cleanup of the directory object.

Exam trap

The trap here is that candidates confuse 'removing access' (which many features can do) with 'deleting the user object from the directory' (which only Access Reviews with the specific deletion setting can do), leading them to choose Entitlement Management or Lifecycle Workflows.

How to eliminate wrong answers

Option B is wrong because Entitlement Management access packages with an expiration policy can remove a user's assignment to a resource (like the SharePoint site) but do not automatically delete the guest user object from the directory after a specified number of days; they only expire the package assignment. Option C is wrong because Lifecycle Workflows are designed for automating joiner, mover, and leaver processes for employees, not for periodic guest access reviews or automatic deletion of guest objects. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time activation and approval for privileged roles, not periodic access reviews or automatic removal of guest user objects from the directory.

295
MCQmedium

You are configuring Microsoft Entra ID Governance for your organization. You need to ensure that when a user's employment status changes to 'Terminated' in the HR system, their access to critical applications is automatically revoked within 24 hours. Additionally, managers must be able to request temporary access for a terminated user if needed. What should you implement?

A.Configure Microsoft Entra entitlement management with access packages for external users.
B.Use Microsoft Entra Privileged Identity Management (PIM) for all user accounts.
C.Create an access package with automatic assignment policies based on HR attributes and enable access reviews.
D.Implement Microsoft Entra ID Governance lifecycle workflows.
AnswerC

Automatic assignment can revoke access when HR attribute changes, and access reviews allow managers to request extensions.

Why this answer

Option C is correct because access packages in Microsoft Entra entitlement management can include automatic assignment policies that evaluate HR attributes (like employment status) to grant or revoke access. When a user's status changes to 'Terminated', the policy automatically removes their membership in the access package, revoking access to critical applications within the configured time frame (e.g., 24 hours). Additionally, access reviews allow managers to request temporary access for terminated users if needed, fulfilling both requirements.

Exam trap

The trap here is confusing lifecycle workflows (which handle account lifecycle events like creation and deletion) with entitlement management access packages (which handle resource access lifecycle and support manager-initiated temporary access requests).

How to eliminate wrong answers

Option A is wrong because configuring access packages for external users addresses guest access scenarios, not automated revocation based on HR attribute changes for internal employees. Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for automating access revocation based on HR lifecycle events. Option D is wrong because lifecycle workflows handle user provisioning and deprovisioning tasks (like disabling accounts) but do not natively support manager-initiated temporary access requests for terminated users; that capability is specific to entitlement management access packages with access reviews.

296
MCQhard

A company is implementing a Microsoft Entra ID tenant for a new subsidiary. They require that all users authenticate using passwordless methods, specifically the Microsoft Authenticator app. What is the minimum configuration required to enforce this?

A.Enable Microsoft Entra ID Protection and configure MFA registration policy
B.Turn on Security defaults
C.Configure Microsoft Entra Hybrid Join for all devices
D.Create a Conditional Access policy targeting all users that requires 'Require authentication strength' and select the 'Passwordless MFA' authentication strength
AnswerD

Conditional Access with authentication strength can enforce passwordless MFA, blocking password-based sign-ins.

Why this answer

Option D is correct because a Conditional Access policy with the 'Require authentication strength' setting allows you to select the 'Passwordless MFA' authentication strength, which enforces passwordless methods like the Microsoft Authenticator app. This is the minimum configuration that directly targets all users and mandates passwordless authentication, as opposed to broader or less specific settings.

Exam trap

The trap here is that candidates often confuse 'MFA registration' or 'Security defaults' with enforcing a specific authentication method, but neither restricts the method to passwordless only, which is the key requirement in the question.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection and MFA registration policy only enforce that users register for MFA, not that they use passwordless methods specifically. Option B is wrong because Security defaults enforce MFA using any method (including passwords), not exclusively passwordless authentication. Option C is wrong because Microsoft Entra Hybrid Join is a device state requirement for scenarios like Windows Hello for Business, but it does not enforce passwordless authentication via the Authenticator app and is not the minimum configuration for this requirement.

297
MCQmedium

A company runs a consumer-facing e-commerce website and wants to allow customers to sign in using their existing social media accounts such as Google, Facebook, or LinkedIn. Which Microsoft Entra ID solution should they implement?

A.Microsoft Entra External ID (B2C)
B.Microsoft Entra External ID (B2B)
C.Microsoft Entra Identity Protection
D.Microsoft Entra Conditional Access
AnswerA

Correct. Azure AD B2C (now part of Microsoft Entra External ID) is designed for customer-facing apps and supports social identity providers such as Google, Facebook, and LinkedIn.

Why this answer

Microsoft Entra External ID (B2C) is the correct solution because it is specifically designed for consumer-facing applications, allowing customers to sign in using social identity providers (IdPs) like Google, Facebook, and LinkedIn via OAuth 2.0 and OpenID Connect protocols. It provides a customizable authentication experience for external users, distinct from B2B which targets organizational collaboration.

Exam trap

The trap here is that candidates confuse B2B with B2C, assuming 'External ID' covers all external users, but B2B strictly targets organizational partners (e.g., using their work accounts) while B2C is for consumer social logins.

How to eliminate wrong answers

Option B (Microsoft Entra External ID (B2B)) is wrong because B2B is designed for business-to-business collaboration, enabling external partners and employees from other organizations to access corporate resources using their own Entra ID or SAML/WS-Fed IdPs, not for consumer social logins. Option C (Microsoft Entra Identity Protection) is wrong because it is a risk-based security tool that detects compromised identities and suspicious sign-ins, not an authentication solution for social identity providers. Option D (Microsoft Entra Conditional Access) is wrong because it is a policy engine that enforces access controls (e.g., MFA, location) after authentication, not a mechanism to federate with social IdPs.

298
Multi-Select · hard

A company uses Microsoft Entra ID (Azure AD). The security team wants to create a Conditional Access policy that meets the following requirements:
- Require multi-factor authentication (MFA) when users access a sensitive financial application from an untrusted network.
- Additionally, require that the device accessing the app is compliant with company policies (e.g., encryption enabled).
Which two conditions should the team configure in the Conditional Access policy? (Choose two.)

Select 2 answers
A. Location
B. Device state
C. Sign-in risk
D. Application
Answers: A, B

Location condition allows you to include or exclude access attempts based on IP address ranges (e.g., trusted vs untrusted).

Why this answer

Option A (Location) is correct because the policy requires MFA when users access the sensitive financial application from an untrusted network. In Microsoft Entra ID Conditional Access, the Location condition uses named locations (such as trusted IP ranges or countries) to determine whether a network is trusted or untrusted, enabling the policy to trigger MFA only when access originates from an untrusted location.

Exam trap

The trap here is that candidates often confuse the Application assignment (which defines the target app) with a condition, leading them to select Application as a condition instead of recognizing that Location and Device state are the two conditions that enforce the specific requirements.

299
MCQ · hard

Your organization uses Microsoft Entra ID. You need to ensure that when a user is terminated, all access to SaaS applications is automatically revoked. What should you configure?

A. Configure a conditional access policy to block access for disabled users.
B. Use Privileged Identity Management to remove role assignments.
C. Schedule an access review for quarterly review of access.
D. Configure Microsoft Entra lifecycle workflows to disable the user and remove group memberships upon termination.
Answer: D

Lifecycle workflows automate user lifecycle events including offboarding tasks.

Why this answer

Option D is correct because Microsoft Entra lifecycle workflows automate the user offboarding process by disabling the user account and removing group memberships upon termination. This ensures that the user loses access to all SaaS applications that rely on Entra ID for authentication, as group membership removal revokes access tokens and disables sign-in.

Exam trap

The trap here is that candidates often confuse conditional access policies (which control sign-in conditions) with automated lifecycle actions, mistakenly thinking a policy can proactively revoke access upon termination without the underlying user state change.

How to eliminate wrong answers

Option A is wrong because a conditional access policy that blocks access for disabled users is reactive and does not automatically trigger upon termination; it only enforces a block if the user is already disabled, but does not handle the removal of group memberships or provisioning. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and does not revoke access to SaaS applications for non-privileged users or remove group memberships. Option C is wrong because scheduling an access review for quarterly review only provides periodic auditing and does not automatically revoke access upon termination; it is a manual or scheduled review process, not an immediate revocation mechanism.

300
MCQ · easy

Your company wants to provide a single sign-on experience for all cloud applications. Which Microsoft Entra ID feature should you implement?

A. B2B collaboration
B. Identity Protection
C. App registration and SSO configuration
D. Conditional Access
Answer: C

App registration allows apps to use Entra ID for authentication, enabling SSO.

Why this answer

App registration and SSO configuration in Microsoft Entra ID enables single sign-on (SSO) by registering each cloud application as an enterprise application and configuring federation protocols such as SAML 2.0, OpenID Connect, or OAuth 2.0. This allows users to authenticate once with their Entra ID credentials and access all configured cloud applications without repeated logins.

Exam trap

The trap here is that candidates often confuse Conditional Access (a policy enforcement tool) with SSO configuration, or they mistakenly think B2B collaboration is needed for internal app SSO, when in fact App registration and SSO configuration is the correct feature for enabling a unified sign-on experience.

How to eliminate wrong answers

Option A is wrong because B2B collaboration is designed for inviting external users (guests) from other organizations, not for providing SSO across cloud applications for internal users. Option B is wrong because Identity Protection is a security feature that detects and remediates identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs), not a mechanism for SSO. Option D is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) after authentication, but it does not configure or enable SSO itself.

Page 4 of 5 · 373 questions total
