CCNA Describe the capabilities of Microsoft Entra Questions

73 of 373 questions · Page 5/5 · Describe the capabilities of Microsoft Entra · Answers revealed

301
MCQ · medium

A company has an on-premises web-based expense report application. The IT team wants to make this application accessible to remote employees over the internet without requiring a VPN. They need to use Microsoft Entra ID for authentication and apply Conditional Access policies such as requiring multi-factor authentication. Which Microsoft Entra ID feature should they implement?

A. Azure AD Application Proxy
B. Self-service password reset (SSPR)
C. Azure AD B2B collaboration
D. Azure AD Domain Services
Answer: A

Application Proxy publishes on-premises apps through the cloud, allowing remote users to access them securely with Entra ID authentication and Conditional Access.

Why this answer

Azure AD Application Proxy allows on-premises web applications to be published for remote access without a VPN. It integrates with Microsoft Entra ID for authentication and supports Conditional Access policies, including multi-factor authentication, by acting as a reverse proxy that forwards authenticated requests to the internal application.

Exam trap

The trap here is that candidates may confuse Azure AD Application Proxy with a VPN solution or think that Azure AD Domain Services is needed for authentication, but the key is that Application Proxy specifically publishes on-premises web apps with Entra ID authentication and Conditional Access support without requiring a VPN.

How to eliminate wrong answers

Option B is wrong because Self-service password reset (SSPR) is a feature for users to reset their own passwords, not for publishing on-premises applications or enabling remote access without a VPN. Option C is wrong because Azure AD B2B collaboration is designed for sharing applications and resources with external guest users from partner organizations, not for providing remote access to internal employees for an on-premises app. Option D is wrong because Azure AD Domain Services provides managed domain services like LDAP and Kerberos for Azure VMs, not a reverse proxy solution for web application access.

302
MCQ · medium

A company uses Microsoft Entra ID and Intune for device management. They want to ensure that only devices marked as compliant (e.g., updated, encrypted) can access the corporate HR portal. Which Conditional Access assignment condition should the administrator configure?

A. Locations
B. Device state
C. Client apps
D. Sign-in risk
Answer: B

Device state condition can be set to require a device to be compliant (as defined in Intune) or hybrid Microsoft Entra ID joined. This is the correct condition to enforce access based on device compliance.

Why this answer

The 'Device state' condition in Conditional Access allows administrators to require that only devices marked as compliant (via Intune compliance policies) can access resources. By configuring this condition, the HR portal will block access from non-compliant devices, enforcing security requirements like encryption and updates before granting access.

Exam trap

The trap here is that candidates may confuse 'Device state' with 'Sign-in risk' or 'Client apps', thinking device compliance is tied to user risk or application type, but Microsoft specifically separates device health from user risk and app context in Conditional Access.

How to eliminate wrong answers

Option A is wrong because 'Locations' controls access based on IP address ranges or geographic regions, not device compliance status. Option C is wrong because 'Client apps' filters access by application type (e.g., browser, mobile app), not device health or compliance. Option D is wrong because 'Sign-in risk' is part of Identity Protection and evaluates user authentication risk (e.g., leaked credentials), not device compliance.

303
Multi-Select · easy

Which TWO of the following are capabilities of Microsoft Entra ID?

Select 2 answers
A. Email filtering and anti-malware protection.
B. Identity and access management for cloud applications.
C. Single sign-on to SaaS applications.
D. Encryption of data at rest in Azure Storage.
E. Network firewall management.
Answers: B, C

Entra ID provides IAM for cloud apps.

Why this answer

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management (IAM) service. It provides authentication and authorization for cloud applications, including support for single sign-on (SSO) to thousands of pre-integrated SaaS applications like Salesforce, Office 365, and Workday. These are core IAM capabilities, not security functions like email filtering or network firewall management.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID's identity management role with broader security services like email protection or network security, leading them to select options that belong to other Azure or Microsoft 365 security products.

304
MCQ · easy

A company uses Microsoft Entra ID and wants to enable employees to reset their own passwords without needing to contact the help desk. They want to enforce multifactor authentication when the employee performs the reset. Which Microsoft Entra feature should they enable?

A. Microsoft Entra Self-Service Password Reset (SSPR)
B. Microsoft Entra ID Federation
C. Microsoft Entra Identity Protection
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: A

Correct. SSPR enables users to reset their passwords without admin intervention, and can be configured to require MFA.

Why this answer

Microsoft Entra Self-Service Password Reset (SSPR) is the correct feature because it allows users to reset their own passwords without help desk intervention, and it can be configured to require multifactor authentication (MFA) during the reset process. This aligns directly with the scenario of enabling self-service password changes while enforcing MFA for security.

Exam trap

The trap here is that candidates often confuse Identity Protection (which detects risky password changes) with SSPR (which enables the actual password reset), leading them to select Option C instead of A.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Federation is used to establish trust between an on-premises identity provider (e.g., AD FS) and Entra ID for single sign-on, not for self-service password reset with MFA enforcement. Option C is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., risky sign-ins or leaked credentials), but it does not provide a self-service password reset capability. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not end-user password reset functionality.

305
MCQ · hard

A company wants to allow external customers to sign in to their custom web application using their own social identities, such as Google or Facebook. They also need to support self-service registration and custom branding for the sign-in pages. Which Microsoft Entra External ID solution should they use?

A. Microsoft Entra ID B2B collaboration
B. Microsoft Entra ID B2C
C. Microsoft Entra ID guest accounts
D. Managed identities
Answer: B

Microsoft Entra ID B2C is designed for customer-facing applications. It supports social identity providers and custom policies for registration and branding.

Why this answer

Microsoft Entra ID B2C (Business-to-Consumer) is the correct solution because it is specifically designed for external customer identity and access management, supporting social identity providers (Google, Facebook, etc.) via OAuth 2.0 and OpenID Connect, self-service registration, and full customization of sign-in pages (branding, HTML, CSS). This aligns exactly with the requirements for a customer-facing web application with social sign-in and custom branding.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for external partners) with B2C (for external customers), mistakenly thinking B2B can handle social identities and self-service registration, but B2B lacks those capabilities and is designed for federated business accounts.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2B collaboration is intended for business-to-business scenarios, allowing external partners to sign in with their own work or school accounts, not social identities like Google or Facebook, and it does not support self-service registration or custom branding for sign-in pages. Option C is wrong because Microsoft Entra ID guest accounts are a feature of B2B collaboration, used for inviting external users (typically with work/school accounts) to access resources in the tenant, lacking social identity provider support and self-service registration. Option D is wrong because managed identities are an Azure resource authentication mechanism for Azure services to authenticate to other Azure services without storing credentials, not a solution for external customer sign-in or identity management.

306
MCQ · hard

Your organization is using Microsoft Entra Permissions Management (CIEM). You need to identify overprivileged identities in AWS. Which capability should you use?

A. Audit trail
B. Permissions Analytics Report
C. Identity governance
D. Activity trail
Answer: B

This report analyzes permissions and identifies overprivileged identities.

Why this answer

Permissions Analytics Report is the correct capability because it specifically analyzes permissions across AWS, Azure, and GCP to identify overprivileged identities, unused permissions, and risky actions. It generates a detailed report that highlights identities with excessive permissions, enabling remediation to enforce least privilege. This aligns directly with the CIEM (Cloud Infrastructure Entitlement Management) goal of reducing privilege risks.

Exam trap

The trap here is that candidates confuse 'Permissions Analytics Report' with generic auditing features like Audit trail or Activity trail, assuming any logging tool can identify overprivileged identities, but only the report performs the specific analysis of permissions versus usage.

How to eliminate wrong answers

Option A is wrong because Audit trail in Microsoft Entra Permissions Management records historical changes to permissions and configurations, but it does not analyze or identify overprivileged identities; it is a logging feature. Option C is wrong because Identity governance in Microsoft Entra ID focuses on access reviews, entitlement management, and lifecycle workflows for users and groups, not on analyzing cloud infrastructure permissions across AWS. Option D is wrong because Activity trail tracks user actions and API calls in real-time or historically, but it does not assess permission levels or detect overprivileged identities; it is an auditing feature.

307
MCQ · hard

A company uses Microsoft Entra ID with a custom line-of-business application that only supports SAML 2.0. They want to enable single sign-on for users. What should they configure in Microsoft Entra ID?

A. Kerberos delegation
B. OpenID Connect authentication
C. SCIM-based user provisioning
D. SAML-based single sign-on
Answer: D

SAML 2.0 is supported for enterprise applications.

Why this answer

D is correct because the custom line-of-business application explicitly supports SAML 2.0, and Microsoft Entra ID can be configured as an identity provider (IdP) to enable SAML-based single sign-on. This allows users to authenticate once in Entra ID and then access the application without re-entering credentials, using SAML assertions to pass authentication and authorization data.

Exam trap

The trap here is that candidates may confuse SCIM provisioning (Option C) with SSO, or assume OpenID Connect (Option B) is universally compatible, but the question explicitly states the application only supports SAML 2.0, making SAML-based SSO the only correct choice.

How to eliminate wrong answers

Option A is wrong because Kerberos delegation is used for Windows-integrated authentication (e.g., on-premises Active Directory) and requires Kerberos protocol support, which is not compatible with a SAML 2.0-only application. Option B is wrong because OpenID Connect (OIDC) is built on OAuth 2.0 and uses JSON Web Tokens (JWTs), not SAML 2.0; the application only supports SAML 2.0, so OIDC cannot be used. Option C is wrong because SCIM (System for Cross-domain Identity Management) is a provisioning protocol for automating user and group lifecycle management, not an authentication or SSO protocol; it does not enable single sign-on.

308
Multi-Select · hard

Which THREE are valid authentication methods in Microsoft Entra ID?

Select 3 answers
A. FIDO2 security keys
B. Password
C. Smart card (physical)
D. SMS-based verification
E. Microsoft Authenticator app
Answers: A, B, E

Passwordless authentication method.

Why this answer

FIDO2 security keys are a valid authentication method in Microsoft Entra ID because they provide passwordless, phishing-resistant authentication using public-key cryptography. Users register a hardware key that generates a key pair, and the private key never leaves the device, meeting strong authentication requirements for modern security.

Exam trap

The trap here is that candidates often confuse 'supported authentication methods' with 'secondary verification methods'—SMS is only a secondary factor, not a primary sign-in method, and smart cards require external federation, making them invalid as native Entra ID methods.

309
MCQ · hard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that when a user's on-premises account is disabled, their cloud account is automatically disabled within 5 minutes. Which configuration should you use?

A. Microsoft Entra Privileged Identity Management
B. Microsoft Entra Conditional Access with session controls
C. Microsoft Entra Connect with directory sync configured for 5-minute sync interval
D. Microsoft Entra Connect Health
Answer: C

By default, sync runs every 30 minutes, but you can configure it to sync every 5 minutes using the scheduler.

Why this answer

Option C is correct because Microsoft Entra Connect with directory synchronization configured for a 5-minute sync interval ensures that changes made to on-premises Active Directory (such as disabling a user account) are replicated to Microsoft Entra ID within that interval. This meets the requirement of automatically disabling the cloud account within 5 minutes of the on-premises change.

Exam trap

The trap here is confusing identity synchronization (Entra Connect) with identity governance or access control tools like PIM or Conditional Access, which do not handle the propagation of on-premises account status changes to the cloud.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time access and role activation, not the synchronization of user account status changes. Option B is wrong because Microsoft Entra Conditional Access with session controls enforces access policies based on conditions like location or device state, but it does not synchronize account disabled status from on-premises to the cloud. Option D is wrong because Microsoft Entra Connect Health monitors the health and performance of the sync infrastructure but does not control the sync interval or propagate account status changes.

310
MCQ · medium

A company uses Microsoft Entra ID. The compliance team requires that membership in highly privileged roles, such as Global Administrator, is reviewed quarterly. The review must be automated: role owners are sent an email notification with a list of current members to approve or deny. If a member does not respond within 30 days, their access should be automatically revoked. Which Microsoft Entra ID feature should the team use to set up this periodic review and automatic removal?

A. Access Reviews
B. Privileged Identity Management (PIM)
C. Conditional Access
D. Identity Protection
Answer: A

Correct: Microsoft Entra Access Reviews allow organizations to schedule recurring reviews of role memberships and automatically remove access for users who are not approved or who do not respond.

Why this answer

Access Reviews in Microsoft Entra ID is the correct feature because it is specifically designed for periodic, automated attestation of group or role memberships. It sends email notifications to designated reviewers, tracks responses, and can automatically remove users who do not respond within a defined period (e.g., 30 days). This directly meets the compliance requirement for quarterly reviews of Global Administrator membership with automatic revocation.

Exam trap

The trap here is confusing Privileged Identity Management (PIM) with Access Reviews, as both involve role management, but PIM handles activation and approval while Access Reviews handle periodic attestation and automatic removal.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM focuses on just-in-time activation and approval workflows for privileged roles, not on periodic attestation reviews with automatic removal of non-responding members. Option C (Conditional Access) is wrong because it enforces access policies based on signals like location or device state, not on scheduled membership reviews or revocation. Option D (Identity Protection) is wrong because it detects and remediates identity-based risks (e.g., leaked credentials), not role membership governance or periodic attestation.

311
MCQ · medium

A company uses Microsoft Entra ID. They frequently collaborate with an external partner organization. The IT team wants to allow the partner's users to access the company's internal SharePoint site using their existing corporate credentials from their own Microsoft Entra tenant. The partner users should not have to create separate guest accounts or remember another password. Which Microsoft Entra feature should the IT team configure?

A. Microsoft Entra B2C
B. Microsoft Entra B2B collaboration
C. Microsoft Entra Domain Services
D. Microsoft Entra Application Proxy
Answer: B

Correct. B2B collaboration lets external partners use their own work or school accounts to access your resources, enabling seamless collaboration without additional credentials.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it enables external users from a partner organization to access the company's internal SharePoint site using their own corporate credentials from their Microsoft Entra tenant. B2B collaboration creates a guest user object in the resource tenant without requiring separate guest accounts or additional passwords, leveraging cross-tenant trust and SAML/WS-Federation for authentication.

Exam trap

The trap here is that candidates often confuse B2B collaboration with B2C, thinking both are for external users, but B2C is for consumers with self-service sign-up, while B2B is for business partners using their existing corporate identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2C (Business-to-Consumer) is designed for customer-facing applications with self-service sign-up and social identity providers, not for granting external business partners access to internal resources using their existing corporate credentials. Option C is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP and Kerberos for legacy applications, not cross-tenant collaboration or external user access. Option D is wrong because Microsoft Entra Application Proxy enables secure remote access to on-premises web applications for internal users, not for external partner users from another tenant.

312
MCQ · easy

Your organization uses Microsoft Entra ID to manage identities for employees and external partners. You need to ensure that external partners can access only specific applications and that their access expires automatically after 60 days. Which Microsoft Entra feature should you use?

A. Microsoft Entra B2B collaboration.
B. Conditional Access policies.
C. Microsoft Entra Identity Protection.
D. Microsoft Entra entitlement management.
Answer: D

Entitlement management with access packages can assign access and enforce expiration.

Why this answer

Microsoft Entra entitlement management allows you to create access packages that govern external partner access to specific applications, groups, and sites, with built-in time-limited access that automatically expires after a defined period (e.g., 60 days). This feature directly addresses the requirement to scope access to only specific applications and enforce automatic expiration, which is not natively handled by other Entra ID features.

Exam trap

The trap here is that candidates often confuse the invitation and authentication capabilities of B2B collaboration (Option A) with the full lifecycle and access governance provided by entitlement management, assuming B2B alone can enforce time-bound application access.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration enables external user invitation and authentication but does not provide granular control over which specific applications they can access or enforce automatic time-bound expiration policies on its own. Option B is wrong because Conditional Access policies enforce access controls based on conditions (e.g., location, device state) but cannot automatically expire access after a fixed duration like 60 days; they are real-time evaluation rules, not time-limited access management. Option C is wrong because Microsoft Entra Identity Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, suspicious sign-ins) and does not manage application-specific access or automatic expiration schedules.

313
MCQ · medium

A company uses Microsoft Entra ID and wants to automate the lifecycle of guest users. When a contractor's project ends, the guest account should be automatically blocked and then removed after 30 days. Which Microsoft Entra capability should they configure to manage this process?

A. Conditional Access
B. Entitlement Management
C. Privileged Identity Management
D. Identity Governance
Answer: B

Entitlement Management automates access requests, approvals, and lifecycle management, including automatic removal of guest accounts when access expires.

Why this answer

Entitlement Management in Microsoft Entra ID Governance allows organizations to automate the lifecycle of external identities, including guest users. By configuring an access package with a specific expiration policy (e.g., 30 days after project end), the system can automatically block and then remove the guest account when the entitlement expires, without manual intervention.

Exam trap

The trap here is that candidates confuse the broad category 'Identity Governance' (Option D) with the specific feature 'Entitlement Management' (Option B), but the question asks for the capability that directly configures the automated lifecycle, which is Entitlement Management.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access controls based on signals like location or device compliance, but it does not automate the lifecycle or removal of guest accounts. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments and approvals, not the lifecycle of guest users or their automatic removal. Option D is wrong because Identity Governance is the overarching category that includes Entitlement Management, but it is not the specific capability that directly configures automated guest lifecycle policies; Entitlement Management is the precise tool within Identity Governance for this task.

314
MCQ · medium

An organization has Microsoft Sentinel and Microsoft Defender XDR. They want to automatically block a user's sign-in if a high-risk alert is triggered. Which Microsoft Entra feature integrates with these products to enforce access controls?

A. Conditional Access with Identity Protection integration
B. Microsoft Entra Access Reviews
C. Microsoft Entra Identity Protection
D. Microsoft Entra Privileged Identity Management
Answer: A

Conditional Access can block sign-ins based on risk.

Why this answer

Option A is correct because Conditional Access with Identity Protection integration allows organizations to create policies that automatically block sign-ins when Microsoft Sentinel or Microsoft Defender XDR triggers a high-risk alert. This integration leverages risk signals from Identity Protection to enforce real-time access controls, such as blocking authentication, without manual intervention.

Exam trap

The trap here is that candidates confuse Microsoft Entra Identity Protection (which only detects and reports risk) with Conditional Access (which enforces the actual block), leading them to select Identity Protection alone instead of the integrated Conditional Access solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Access Reviews are used for periodic attestation of group memberships, application access, and role assignments, not for real-time automated blocking based on risk alerts. Option C is wrong because Microsoft Entra Identity Protection alone detects and reports risk signals (e.g., leaked credentials, anonymous IP addresses) but does not enforce access controls; it requires integration with Conditional Access to take blocking actions. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not automated sign-in blocking based on security alerts.

315
MCQ · medium

Your organization uses Microsoft Entra ID for identity management. You need to allow external partners to access a specific SharePoint Online site without requiring them to have a Microsoft Entra ID account in your tenant. Which feature should you use?

A. Use Microsoft Entra B2B collaboration to invite partners as guest users.
B. Set up identity protection to allow external access.
C. Configure Microsoft Entra B2C for the partners.
D. Create guest user accounts for each partner.
Answer: A

B2B collaboration enables external partners to access resources using their own identities.

Why this answer

Microsoft Entra B2B collaboration is the correct feature because it allows you to invite external partners as guest users who can access resources like SharePoint Online using their own identity (e.g., a Microsoft account or a corporate account from another identity provider) without requiring a separate Microsoft Entra ID account in your tenant. This leverages the B2B collaboration protocol, which uses SAML/WS-Federation or OIDC for federation, enabling seamless access while maintaining centralized access control.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, assuming both are for external users, but B2C is for customer-facing apps with self-service sign-up, while B2B is for granting access to business partners with existing identities.

How to eliminate wrong answers

Option B is wrong because Identity Protection is a security tool for detecting and responding to identity-based risks (e.g., compromised credentials, anomalous sign-ins) and does not provide a mechanism to grant external users access to resources. Option C is wrong because Microsoft Entra B2C is designed for customer-facing applications where users sign up and sign in with social or local accounts, not for granting external business partners access to internal resources like SharePoint Online. Option D is wrong because creating guest user accounts manually for each partner is inefficient and not a feature name; the correct feature is Microsoft Entra B2B collaboration, which automates the invitation and lifecycle management of guest users.

316
MCQ · easy

A user is unable to access a cloud app and receives a message that their sign-in was blocked by a Conditional Access policy. The admin wants to allow the user to self-remediate by meeting policy requirements. What should the admin enable?

A. Self-Service Password Reset
B. Multifactor Authentication registration
C. Identity Protection risk policies
D. Conditional Access policy feedback
Answer: D

Informs users why access was blocked and how to fix.

Why this answer

Option D is correct because enabling Conditional Access policy feedback allows users to receive guidance on why their sign-in was blocked and how to meet the policy requirements, such as using a compliant device or accessing from a trusted location. This feature provides actionable messages that enable self-remediation without admin intervention, directly addressing the scenario where the user needs to unblock themselves by satisfying the policy conditions.

Exam trap

The trap here is that candidates often confuse 'Conditional Access policy feedback' with other self-service features like SSPR or MFA registration, but the question specifically asks for the mechanism that provides users with actionable guidance on why they were blocked and how to meet the policy requirements, which is unique to policy feedback.

How to eliminate wrong answers

Option A is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, but it does not address Conditional Access policy blocks that are unrelated to password issues, such as device compliance or location requirements. Option B is wrong because Multifactor Authentication (MFA) registration enables users to set up MFA, but the sign-in was blocked by a Conditional Access policy that may require additional conditions (e.g., compliant device, trusted IP) beyond MFA; enabling MFA registration alone does not guarantee the user can meet all policy requirements. Option C is wrong because Identity Protection risk policies are a separate feature that detects and responds to risky sign-ins (e.g., leaked credentials), but they do not provide the user with specific feedback on why a Conditional Access policy blocked them or how to self-remediate; risk policies automatically block or require MFA based on risk level, not user-driven feedback.

317
MCQ · medium

Your company is using Microsoft Entra ID to manage identities. You want to allow users to reset their own passwords without help desk intervention, but only if they have registered for self-service password reset (SSPR). What should you configure?

A. Require all users to register for Microsoft Entra MFA.
B. Configure Microsoft Entra password protection.
C. Implement Privileged Identity Management (PIM).
D. Enable Self-Service Password Reset (SSPR) in Microsoft Entra ID.
Answer: D

SSPR allows users to reset passwords after registration.

Why this answer

Enabling Self-Service Password Reset (SSPR) in Microsoft Entra ID allows users to reset their own passwords without help desk intervention, provided they have registered for the feature. This directly meets the requirement of allowing password resets only for registered users, as SSPR requires prior registration to verify identity before a reset is permitted.

Exam trap

The trap here is that candidates often confuse enabling SSPR with requiring MFA registration, but MFA registration alone does not grant password reset capabilities—SSPR must be explicitly enabled and configured.

How to eliminate wrong answers

Option A is wrong because requiring all users to register for Microsoft Entra MFA is a separate security feature that adds multi-factor authentication but does not enable password reset functionality; MFA can be used as part of SSPR registration but is not sufficient alone. Option B is wrong because Microsoft Entra password protection is a feature that blocks weak passwords and common password attacks, but it does not provide self-service password reset capabilities. Option C is wrong because Privileged Identity Management (PIM) is designed for managing, controlling, and monitoring access to privileged roles, not for enabling end-user password self-service.

318
MCQmedium

You are an identity consultant for a mid-sized company with 5,000 employees. They use Microsoft Entra ID P1 and Microsoft Intune for device management. The company wants to implement passwordless authentication for all employees to improve security and user experience. Currently, users sign in with username and password plus MFA via the Microsoft Authenticator app. The company has a mix of Windows 10/11 devices (both domain-joined and Microsoft Entra joined) and iOS/Android mobile devices. They want to support passwordless sign-in on all platforms. The CTO is concerned about cost and wants to minimize additional licensing. Which passwordless method should you recommend?

A.Enable Windows Hello for Business for all devices
B.Deploy FIDO2 security keys to all employees
C.Implement SMS-based one-time passcodes
D.Use the Microsoft Authenticator app for passwordless sign-in
AnswerD

The Microsoft Authenticator app is free with the company's existing licenses and supports all platforms.

Why this answer

The Microsoft Authenticator app supports passwordless sign-in using phone-based authentication, which works on both iOS and Android devices and can be used to sign into Windows 10/11 devices via the 'Sign in with phone' feature. This method leverages existing Microsoft Entra ID P1 licensing without requiring additional costs, as it is included with the current P1 license. It provides a seamless user experience by eliminating the need for hardware tokens or additional infrastructure, aligning with the CTO's cost-minimization goal.

Exam trap

The trap here is that candidates often assume Windows Hello for Business is the only Microsoft passwordless solution for Windows devices, overlooking that the Microsoft Authenticator app can provide passwordless sign-in across all platforms (Windows, iOS, Android) without additional licensing or hardware costs.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business requires either a domain-joined device with on-premises Active Directory or a Microsoft Entra joined device, and it does not support iOS/Android mobile devices, so it cannot cover all platforms as required. Option B is wrong because deploying FIDO2 security keys to 5,000 employees would incur significant hardware procurement and management costs, contradicting the CTO's directive to minimize additional licensing and expenses. Option C is wrong because SMS-based one-time passcodes are not a passwordless method; they still require a password as the primary authentication factor and are considered a form of MFA, not passwordless authentication.

319
MCQhard

Refer to the exhibit. A user accesses a web app from a device that is Microsoft Entra joined but not Intune compliant. Which condition will be satisfied?

A.Domain joined
B.Neither condition
C.Compliant device
D.Both conditions
AnswerB

Microsoft Entra join is not domain join.

Why this answer

The device is Microsoft Entra joined, which satisfies the 'Domain joined' condition for Conditional Access, but it is not Intune compliant, so the 'Compliant device' condition is not met. Since the question asks which condition will be satisfied, and the device only meets one of the two, the correct answer is 'Neither condition' because the user is accessing a web app and the conditions are evaluated together as a single requirement (e.g., requiring both domain join and compliance). In Conditional Access, if a policy requires both conditions, the device must satisfy both to be granted access; here, it fails the compliance check, so neither condition is fully satisfied for the policy's intent.

Exam trap

The trap here is that candidates assume 'Domain joined' is satisfied because the device is Entra joined, but they overlook that the question implies both conditions are required, so neither is fully satisfied in the context of the policy evaluation.

How to eliminate wrong answers

Option A is wrong because 'Domain joined' alone is not the condition being evaluated; the device is Entra joined, which is a form of domain join, but the question's context implies both conditions are required, so satisfying only one does not make it the correct answer. Option C is wrong because the device is explicitly stated as 'not Intune compliant,' so the 'Compliant device' condition is not satisfied. Option D is wrong because the device does not satisfy both conditions; it is not Intune compliant, so 'Both conditions' cannot be true.

320
MCQhard

Your organization implements a Microsoft Entra ID tenant with a custom domain (contoso.com). You need to ensure that all users are assigned a unique user principal name (UPN) based on their email address. What should you do?

A.Configure the user naming attribute to use the email address as the UPN
B.Verify the custom domain in Microsoft Entra ID
C.Enable Microsoft Entra ID Domain Services
D.Use Microsoft Entra ID Connect to sync UPNs from on-premises
AnswerA

Setting the UPN to email ensures each user has a unique UPN based on email.

Why this answer

Option A is correct because configuring the user naming attribute to use the email address as the UPN directly assigns each user a unique UPN that matches their email address. This setting is available in the Microsoft Entra ID tenant under 'User settings' and ensures that the UPN suffix (the domain part) aligns with the verified custom domain (contoso.com). This approach satisfies the requirement without requiring additional synchronization or domain services.

Exam trap

The trap here is that candidates often confuse verifying a custom domain (Option B) with automatically assigning UPNs based on email addresses, but verification alone does not change how UPNs are generated; it only enables the domain to be used as a suffix.

How to eliminate wrong answers

Option B is wrong because verifying the custom domain in Microsoft Entra ID is a prerequisite for using that domain in UPNs, but it does not automatically assign UPNs based on email addresses; it only confirms domain ownership. Option C is wrong because enabling Microsoft Entra ID Domain Services provides managed domain services (e.g., LDAP, Kerberos) for legacy applications, but it does not affect UPN assignment for users. Option D is wrong because using Microsoft Entra ID Connect to sync UPNs from on-premises would only work if the on-premises UPNs already match email addresses; it does not configure the cloud tenant to automatically assign UPNs based on email addresses for cloud-only users.

321
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Entra ID? (Select TWO.)

Select 2 answers
A.Mobile device management.
B.Self-service password reset.
C.Identity and access management for cloud applications.
D.Threat protection for endpoints.
E.Data loss prevention for documents.
AnswersB, C

SSPR is a feature of Microsoft Entra ID.

Why this answer

Microsoft Entra ID is a cloud-based identity and access management service. Self-service password reset (SSPR) is a built-in feature that allows users to reset their own passwords without administrator intervention, provided they meet configured authentication requirements. This capability is a core part of Entra ID's identity governance and security features.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID with broader Microsoft 365 or security suites, incorrectly attributing endpoint management (Intune), endpoint protection (Defender), or compliance features (Purview) to Entra ID, when Entra ID is strictly focused on identity and access management.

322
Multi-Selecthard

Which THREE are features of Microsoft Entra ID Governance? (Choose three.)

Select 3 answers
A.Privileged Identity Management (PIM)
B.Conditional Access
C.Entitlement management
D.Lifecycle workflows
E.Access reviews
AnswersC, D, E

Entitlement management enables access package creation and management.

Why this answer

Entitlement management is a core feature of Microsoft Entra ID Governance that enables organizations to manage the identity and access lifecycle at scale. It allows administrators to create and manage access packages, which automate the process of requesting, approving, and assigning access to groups, applications, and SharePoint Online sites. This directly supports governance by ensuring users have the right access for the right duration.

Exam trap

The trap here is that candidates often mistake Privileged Identity Management (PIM) for a separate governance feature when it is actually a component of Entra ID Governance, but the exam specifically expects Entitlement management, Lifecycle workflows, and Access reviews as the three distinct features listed in the question.

323
MCQmedium

A company uses Microsoft Entra ID. The IT department wants to automatically assign a Microsoft 365 E5 license to all users in the Sales department based on their department attribute. Which Microsoft Entra ID feature should they use?

A.Dynamic Groups
B.Administrative Units
C.Identity Protection
D.Access Reviews
AnswerA

Correct. Dynamic groups use rules based on user attributes (like department) to automatically add or remove members. Combined with group-based licensing, this automates license assignment.

Why this answer

Dynamic Groups in Microsoft Entra ID allow automatic user membership based on user attributes, such as the department attribute. By creating a dynamic group rule like `user.department -eq "Sales"`, the system automatically assigns the group membership and can then apply a Microsoft 365 E5 license via group-based licensing.

Exam trap

The trap here is that candidates may confuse Administrative Units with Dynamic Groups, thinking that delegating admin control over a department also handles license assignment, but Administrative Units only manage administrative boundaries, not automated provisioning.

How to eliminate wrong answers

Option B is wrong because Administrative Units are used to delegate administrative scope over specific subsets of users, groups, or devices, not for automatic license assignment based on attributes. Option C is wrong because Identity Protection is a security feature that detects and responds to identity-based risks, such as compromised credentials or suspicious sign-ins, and does not handle license provisioning. Option D is wrong because Access Reviews are used to periodically review and certify user access to resources, ensuring compliance, not for automatic license assignment.

324
MCQeasy

A company wants to allow employees to use their corporate Microsoft Entra ID credentials to sign in to third-party SaaS applications like Salesforce and ServiceNow. Which feature provides this capability?

A.Microsoft Entra federation with SaaS applications
B.Microsoft Entra B2B collaboration
C.Microsoft Entra Identity Protection
D.Microsoft Entra Privileged Identity Management
AnswerA

Federation allows users to sign in to third-party SaaS apps using their Entra ID credentials.

Why this answer

Microsoft Entra federation with SaaS applications (Option A) enables single sign-on (SSO) by establishing a trust relationship between Microsoft Entra ID and third-party SaaS apps like Salesforce and ServiceNow. This allows users to authenticate using their corporate Entra ID credentials via federation protocols such as SAML 2.0 or OpenID Connect, eliminating the need for separate credentials.

Exam trap

The trap here is that candidates often confuse B2B collaboration (external user access) with federation (corporate user SSO to external apps), leading them to select Option B instead of A.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra B2B collaboration is designed for inviting external users (e.g., partners or vendors) to access your organization's resources, not for enabling corporate users to sign in to third-party SaaS apps. Option C is wrong because Microsoft Entra Identity Protection is a security tool that detects and responds to identity-based risks (e.g., leaked credentials or anomalous sign-ins), not a feature for federated authentication. Option D is wrong because Microsoft Entra Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles within Azure AD and Azure resources, not for federating with external SaaS applications.

325
MCQmedium

Your company is implementing a hybrid identity solution with Microsoft Entra ID. You need to ensure that password changes on-premises are synchronized to the cloud within minutes. Which feature should you enable?

A.Password Hash Synchronization
B.Pass-through Authentication
C.Seamless Single Sign-On
D.Password Writeback
AnswerD

Password Writeback synchronizes password changes from on-premises to cloud within minutes.

Why this answer

Password Writeback (D) is the correct feature because it enables password changes made on-premises in Active Directory to be written back to Microsoft Entra ID in near real-time, typically within minutes. This ensures that the cloud password hash is updated promptly, maintaining synchronization for hybrid identity scenarios. The other options do not handle the synchronization of password changes from on-premises to the cloud.

Exam trap

The trap here is that candidates often confuse Password Writeback (which syncs on-premises changes to the cloud) with Password Hash Synchronization (which syncs cloud changes to on-premises or provides one-way sync), leading them to select PHS when the question specifically asks for on-premises-to-cloud synchronization of password changes.

How to eliminate wrong answers

Option A is wrong because Password Hash Synchronization (PHS) syncs password hashes from on-premises to the cloud but does not write back changes made on-premises; it is a one-way sync that occurs every few minutes by default, not triggered by individual password changes. Option B is wrong because Pass-through Authentication (PTA) validates passwords against on-premises Active Directory without storing password hashes in the cloud, so it does not synchronize password changes to the cloud. Option C is wrong because Seamless Single Sign-On (SSO) provides automatic sign-in for domain-joined devices but does not handle password synchronization or writeback.

326
MCQmedium

Your company uses Microsoft Entra ID and wants to allow external partners to sign in using their own Google or Facebook accounts. Which feature should you enable?

A.Azure Active Directory Domain Services
B.Microsoft Entra B2C
C.Microsoft Entra B2B collaboration
D.External Identities (social identity providers)
AnswerD

External Identities allow federation with Google, Facebook, etc.

Why this answer

Option D is correct because External Identities (social identity providers) in Microsoft Entra ID allows you to configure Google and Facebook as identity providers for external users. This enables partners to sign in using their existing social accounts without needing a separate Microsoft account, leveraging OAuth 2.0 and OpenID Connect protocols for authentication.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2B collaboration (which handles external organizational accounts) with External Identities (which includes social identity providers), leading them to incorrectly select B2B when the question explicitly mentions Google or Facebook accounts.

How to eliminate wrong answers

Option A is wrong because Azure Active Directory Domain Services (Azure AD DS) provides managed domain services like LDAP and Kerberos for legacy applications, not social identity federation. Option B is wrong because Microsoft Entra B2C is designed for customer-facing applications with extensive customization of sign-up and sign-in flows, not for simple partner access using existing social accounts. Option C is wrong because Microsoft Entra B2B collaboration enables external users to sign in with their own organizational accounts (e.g., Azure AD, Microsoft account) but does not natively support social identity providers like Google or Facebook without additional configuration through External Identities.

327
MCQmedium

A company uses Microsoft Entra ID. The security team needs to ensure that when users sign in to a critical financial application from an untrusted network, they must first complete multi-factor authentication (MFA). Additionally, the team wants to block the sign-in if the device is not marked as compliant by Microsoft Intune. Which conditional access grant control should they configure to meet both requirements?

A.Require multi-factor authentication AND Require device to be marked as compliant
B.Require multi-factor authentication only
C.Require one of the selected controls
D.Require device to be marked as compliant only
AnswerA

Conditional Access allows adding multiple grant controls; all must be satisfied for access to be allowed. This enforces both MFA and device compliance.

Why this answer

Option A is correct because Conditional Access grant controls allow you to require multiple conditions to be met simultaneously. By selecting 'Require multi-factor authentication' AND 'Require device to be marked as compliant', the policy ensures that both MFA and device compliance are enforced for the sign-in, meeting the security team's requirements.

Exam trap

The trap here is that candidates often confuse 'AND' (all controls required) with 'OR' (one of the selected controls), leading them to choose Option C, which would not enforce both MFA and device compliance simultaneously.

How to eliminate wrong answers

Option B is wrong because it only requires MFA, ignoring the device compliance requirement, so untrusted devices that are not compliant would still be allowed to sign in after MFA. Option C is wrong because 'Require one of the selected controls' would allow either MFA or device compliance, not both, which fails to block non-compliant devices. Option D is wrong because it only requires device compliance, missing the MFA requirement for untrusted networks, leaving the application vulnerable if a compliant device is used from an untrusted network without MFA.

328
MCQeasy

Your organization wants to ensure that users cannot install applications from the Microsoft Store on their company-managed Windows devices. Which Microsoft Entra ID feature should you combine with Microsoft Intune to enforce this?

A.Conditional Access
B.Privileged Identity Management
C.Multifactor authentication
D.Identity Protection
AnswerA

Conditional Access can require devices to be compliant (via Intune) before granting access, and Intune policies can block app installations.

Why this answer

Option A is correct because Conditional Access can enforce device compliance policies managed by Intune, which can restrict app installations. Option D is wrong because Identity Protection is about risk. Option C is wrong because MFA is for authentication. Option B is wrong because Privileged Identity Management is for admin roles.

329
MCQeasy

A company wants to provide employees with single sign-on access to both Microsoft 365 and a third-party SaaS application. Which feature of Microsoft Entra ID should they use?

A.Identity Protection
B.Conditional Access
C.Federation
D.Privileged Identity Management
AnswerC

Federation enables SSO across multiple applications.

Why this answer

Option C is correct. Microsoft Entra ID's federation capabilities allow SSO across multiple applications, including third-party SaaS apps. Option B is wrong because Conditional Access controls access based on conditions, not SSO. Option D is wrong because Privileged Identity Management manages admin roles, not SSO. Option A is wrong because Identity Protection detects risks, not SSO.

330
MCQmedium

A company uses Microsoft Entra ID and wants to enforce multi-factor authentication (MFA) only for external guest users, while allowing internal employees to sign in without MFA. Which Conditional Access setting should be configured?

A.Require MFA for all users
B.Exclude internal users by group
C.Target the 'Guest or external users' identity type
D.Use Identity Protection's user risk policy
AnswerC

Conditional Access policies allow targeting specific identity types, including 'Guest or external users'. This ensures the MFA requirement applies only to external users.

Why this answer

Option C is correct because Conditional Access allows targeting the 'Guest or external users' identity type, which enables MFA enforcement exclusively for external guest users without affecting internal employees. This setting leverages the user type attribute in Microsoft Entra ID to differentiate between internal and external identities, providing granular control over authentication requirements.

Exam trap

The trap here is that candidates often confuse exclusion-based approaches (like excluding internal users by group) with direct targeting of guest identity types, leading them to choose Option B instead of the more precise and scalable Option C.

How to eliminate wrong answers

Option A is wrong because requiring MFA for all users would enforce MFA on both internal employees and external guests, which does not meet the requirement to restrict MFA only to guest users. Option B is wrong because excluding internal users by group would require manual group management and could miss dynamic membership changes, whereas the requirement is to target guest users specifically by their identity type, not by exclusion. Option D is wrong because Identity Protection's user risk policy is designed to respond to sign-in risk based on detected anomalies, not to enforce MFA based on user type (guest vs. internal), and it would not selectively apply MFA only to external guests.

331
MCQeasy

A user is locked out of their account due to multiple failed sign-in attempts. Which Microsoft Entra ID feature can automatically block suspicious sign-in attempts based on risk?

A.Self-Service Password Reset (SSPR)
B.Microsoft Entra ID Governance
C.Microsoft Entra ID Protection
D.Conditional Access
AnswerC

Entra ID Protection automatically blocks sign-ins when the risk level is high.

Why this answer

Microsoft Entra ID Protection uses machine learning and heuristic algorithms to detect and automatically block suspicious sign-in attempts based on risk signals such as anonymous IP addresses, atypical travel, or leaked credentials. When a user is locked out due to multiple failed attempts, Entra ID Protection can evaluate the sign-in risk and enforce a block or require multi-factor authentication before allowing access.

Exam trap

The trap here is that candidates often confuse Conditional Access with risk-based blocking, but Conditional Access is the policy engine that enforces the block, while Entra ID Protection is the service that actually detects and assesses the risk to trigger the automatic block.

How to eliminate wrong answers

Option A is wrong because Self-Service Password Reset (SSPR) allows users to unlock their accounts or reset passwords after being locked out, but it does not proactively block suspicious sign-in attempts based on risk. Option B is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycles, access reviews, and entitlement management, not on detecting or blocking risky sign-in events. Option D is wrong because Conditional Access enforces policies based on conditions like location or device compliance after a sign-in attempt is made, but it does not inherently analyze risk signals to automatically block suspicious attempts; it typically relies on risk assessments from Entra ID Protection.

332
MCQeasy

Your company wants to allow partners to use their own corporate credentials to access a specific SharePoint site. Which Microsoft Entra ID feature supports this?

A.App Registrations
B.B2C collaboration
C.Device Registration
D.B2B collaboration
AnswerD

B2B collaboration enables partners to use their own credentials.

Why this answer

Microsoft Entra ID B2B (business-to-business) collaboration allows you to invite external users from partner organizations to access your company's resources, such as SharePoint sites, using their own corporate credentials. This feature supports identity federation with the partner's Azure AD or other identity providers, enabling seamless single sign-on (SSO) without requiring the partner users to create new accounts in your tenant.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for partner organizations with existing corporate identities) with B2C collaboration (for consumers using social or local accounts), leading them to select the wrong option when the question specifies 'partners' and 'corporate credentials'.

How to eliminate wrong answers

Option A is wrong because App Registrations are used to register and configure applications that integrate with Microsoft Entra ID for authentication and authorization, not to grant external users access to resources like SharePoint. Option B is wrong because B2C collaboration (Azure AD B2C) is designed for customer-facing applications where users sign up with social or local identities, not for partner organizations using their corporate credentials. Option C is wrong because Device Registration is used to register devices (e.g., Windows, iOS, Android) for management and conditional access policies, not to enable external user access to SharePoint.

333
MCQmedium

A company uses Microsoft Entra ID and Intune to manage devices. They want to enforce a policy that allows access to financial data from SharePoint Online only when the user's device is compliant (e.g., encrypted, patched) AND the user authenticates from a trusted IP address range. Additionally, if the sign-in risk is assessed as medium or high by Identity Protection, the user must also perform multifactor authentication (MFA). Which Conditional Access components should the administrator configure?

A.Configure conditions for sign-in risk and locations, and use Grant controls to require MFA and device compliance.
B.Configure a session control to require device compliance and an assignment for sign-in risk to trigger MFA.
C.Use Microsoft Entra ID Protection to automatically enforce MFA and device compliance for all users regardless of location.
D.Configure a compliance policy in Intune and link it directly to SharePoint Online to block non-compliant devices.
AnswerA

This correctly identifies that conditions (sign-in risk and locations) are used to define when the policy applies, and Grant controls enforce the requirements. The Grant control 'Require all the selected controls' can combine device compliance and MFA.

Why this answer

Option A is correct because Conditional Access in Microsoft Entra ID allows combining multiple conditions (sign-in risk, locations) with grant controls (require MFA, require device compliance) to enforce the described policy. The administrator configures conditions for sign-in risk (medium/high) and locations (trusted IP range), then uses Grant controls to require MFA and device compliance, ensuring access is allowed only when all requirements are met.

Exam trap

The trap here is confusing session controls with grant controls, leading candidates to incorrectly select Option B, which misassigns device compliance as a session control instead of a grant control.

How to eliminate wrong answers

Option B is wrong because session controls (e.g., app enforced restrictions) cannot require device compliance; device compliance is a grant control, not a session control, and sign-in risk is a condition, not an assignment. Option C is wrong because Microsoft Entra ID Protection does not automatically enforce MFA and device compliance for all users regardless of location; it provides risk detection but relies on Conditional Access policies to apply controls. Option D is wrong because Intune compliance policies cannot be linked directly to SharePoint Online to block non-compliant devices; they require Conditional Access to enforce access restrictions based on compliance status.

334
MCQeasy

A company wants to allow employees to access corporate resources such as email and internal apps using their personal smartphones. The IT team does not want to fully manage or domain-join these devices but needs each device to have a simple identity that links the user's work account to the device. Which Microsoft Entra ID device identity option should they implement?

A.Microsoft Entra ID Registered
B.Microsoft Entra ID Joined
C.Hybrid Microsoft Entra ID Joined
D.Active Directory Joined
AnswerA

Microsoft Entra ID Registered is the appropriate option for personal devices that need a simple identity to access corporate resources without being fully managed.

Why this answer

Microsoft Entra ID supports three device identity options: Registered, Joined, and Hybrid Joined. Microsoft Entra ID Registered is designed for 'bring your own device' (BYOD) scenarios. A registered device is known to Azure AD but not fully managed; it simply links the user's work account to the device, often enabling single sign-on and conditional access.

Microsoft Entra ID Joined is for corporate-owned devices that are managed by MDM. Hybrid Joined requires an on-premises Active Directory. Active Directory Joined is a traditional on-premises domain join, not a cloud identity option.

335
MCQeasy

A company wants to allow external customers to sign in to a custom web application using their existing Google or Facebook accounts. Which Microsoft Entra ID feature should they use?

A.Microsoft Entra ID B2B collaboration
B.Microsoft Entra ID B2C
C.Microsoft Entra ID Identity Protection
D.Microsoft Entra ID Conditional Access
AnswerB

B2C is specifically designed for consumer identities and supports multiple identity providers including social accounts like Google and Facebook.

Why this answer

Microsoft Entra ID B2C (Business-to-Consumer) is the correct feature because it is specifically designed for customer-facing applications that need to support external identity providers like Google and Facebook. It allows users to sign in with their existing social accounts via OAuth 2.0 and OpenID Connect protocols, while providing customizable user journeys and branding. This is distinct from B2B collaboration, which is intended for business partner access to enterprise resources.

Exam trap

The trap here is that candidates often confuse B2B collaboration (for business partners) with B2C (for consumers), mistakenly thinking B2B can also support social identity providers like Google or Facebook, but B2B only supports enterprise identity providers (e.g., SAML/WS-Fed) and Microsoft accounts, not consumer social accounts.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID B2B collaboration is designed for external business partners to access enterprise applications and resources, not for consumer-facing social identity providers like Google or Facebook. Option C is wrong because Microsoft Entra ID Identity Protection is a risk-based security tool that detects and responds to identity threats, not a feature for enabling external authentication with social identity providers. Option D is wrong because Microsoft Entra ID Conditional Access is a policy engine that enforces access controls based on signals like user location or device state, but it does not provide the ability to federate with external social identity providers.

336
MCQmedium

An organization uses Microsoft Entra ID. The security team wants to require multi-factor authentication (MFA) for all users accessing sensitive data from outside the corporate network. Which Microsoft Entra capability should they configure?

A.Conditional Access
B.B2B Collaboration
C.Privileged Identity Management
D.Identity Protection
AnswerA

Conditional Access policies can require MFA based on location.

Why this answer

Conditional Access is the correct capability because it allows administrators to define policies that enforce MFA based on specific conditions, such as network location. By configuring a policy that targets all users and applies the 'Require multi-factor authentication' grant control when the location is outside the corporate network, the security team can precisely meet the requirement. This policy evaluates the user's IP address against named locations defined in Entra ID before granting access to sensitive data.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA trigger with the ability to enforce MFA based on a static network location, but Identity Protection only responds to risk events and does not allow direct configuration of location-based conditions.

How to eliminate wrong answers

Option B (B2B Collaboration) is wrong because it is designed for inviting external users (guests) from partner organizations, not for enforcing MFA on internal users based on network location. Option C (Privileged Identity Management) is wrong because it focuses on just-in-time privileged role activation and approval workflows, not on location-based MFA enforcement for all users. Option D (Identity Protection) is wrong because it detects and remediates risks like leaked credentials or sign-ins from anonymous IPs, but it does not directly enforce MFA based on a static network boundary; it can trigger MFA via Conditional Access policies but is not the capability that configures the location condition itself.

337
MCQmedium

A company has an on-premises Active Directory and wants to synchronize user accounts to Microsoft Entra ID. They also need to enable password hash synchronization so users can sign in to cloud resources with the same password. Which Microsoft tool should they use?

A.Microsoft Entra Connect
B.Microsoft Entra ID Application Proxy
C.Microsoft Identity Manager
D.Microsoft Entra Domain Services
AnswerA

Microsoft Entra Connect is the correct tool for identity synchronization and supports password hash synchronization by default.

Why this answer

Microsoft Entra Connect is the correct tool because it is specifically designed to synchronize on-premises Active Directory user accounts to Microsoft Entra ID and supports password hash synchronization (PHS). PHS enables users to sign in to cloud resources using the same password as their on-premises environment by synchronizing a hash of the password hash to Entra ID.

Exam trap

The trap here is that candidates may confuse Microsoft Entra Connect with Microsoft Identity Manager (MIM), but MIM is a legacy tool for on-premises identity management and does not natively support password hash synchronization to Microsoft Entra ID.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Application Proxy provides secure remote access to on-premises web applications, not directory synchronization or password hash sync. Option C is wrong because Microsoft Identity Manager (MIM) is an on-premises identity management solution for managing identities across heterogeneous directories, but it is not the primary tool for synchronizing to Microsoft Entra ID and does not natively enable password hash synchronization to Entra ID. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., Kerberos, LDAP) for cloud VMs, not user account synchronization or password hash sync from on-premises Active Directory.

338
MCQmedium

A company needs to grant IT administrators temporary and time-limited access to privileged roles in Microsoft Entra ID (Azure AD). The access must require approval from a manager and be automatically revoked after the task is completed. Which Microsoft Entra ID feature should be used?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Entitlement Management
AnswerC

PIM provides just-in-time privileged access with time-bound activation, approval workflows, and automatic expiration, fulfilling the requirement.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access by allowing administrators to activate eligible role assignments for a limited duration. It supports approval workflows (e.g., manager approval) and automatically deactivates the role when the activation time expires or the task is completed, meeting the requirement for temporary, time-limited, approved, and auto-revoked access.

Exam trap

The trap here is confusing Entitlement Management (which manages access packages for non-privileged resources) with PIM (which specifically handles time-limited privileged role activation with approval), leading candidates to choose D because they see 'approval' and 'temporary access' without recognizing the privileged role context.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies (e.g., MFA, location) at sign-in but does not provide time-limited role activation or approval workflows for privileged roles. Option B is wrong because Identity Protection detects and remediates identity risks (e.g., leaked credentials) but does not manage privileged role assignments or temporary access. Option D is wrong because Entitlement Management governs access packages and resource access for users (e.g., group memberships) but is not designed for temporary, approval-based activation of privileged directory roles.

339
MCQhard

You are the identity administrator for Contoso Ltd., a global company with over 10,000 employees. The company uses Microsoft Entra ID P2 and Microsoft Intune. Employees use both company-owned and personal devices. The security team requires that all access to corporate applications be protected with multifactor authentication (MFA). However, to minimize user friction, they want to exempt MFA for users who are on the corporate network and using compliant devices. Additionally, for users with privileged roles (e.g., Global Administrator), MFA must always be required regardless of location or device. You need to configure a Conditional Access policy to meet these requirements. Which of the following approaches should you take?

A.Create two Conditional Access policies: Policy 1 targets all users except privileged roles, requires MFA, and excludes trusted locations and compliant devices. Policy 2 targets privileged roles and requires MFA with no exclusions.
B.Create one Conditional Access policy that targets all users and requires MFA. Create a second policy that targets privileged roles and excludes trusted locations.
C.Create one Conditional Access policy that targets all users, requires MFA, and excludes trusted locations and compliant devices. Do not create any additional policies.
D.Create one Conditional Access policy that targets all users and requires MFA. Use Microsoft Intune compliance policies to exempt compliant devices from MFA.
AnswerA

This meets all requirements.

Why this answer

Option A is correct because it uses two separate Conditional Access policies to handle the two distinct user groups. Policy 1 targets all users except privileged roles, requires MFA, and excludes trusted locations and compliant devices, which satisfies the requirement to minimize friction for users on the corporate network with compliant devices. Policy 2 targets privileged roles and requires MFA with no exclusions, ensuring that Global Administrators and other privileged role members must always perform MFA regardless of location or device compliance.

Exam trap

The trap here is that candidates often think a single policy with exclusions can handle all users, forgetting that privileged roles require unconditional MFA, which necessitates a separate policy with no exclusions to override the more permissive exclusions applied to regular users.

How to eliminate wrong answers

Option B is wrong because it creates a second policy that targets privileged roles and excludes trusted locations, which would exempt privileged role users from MFA when they are on the corporate network, violating the requirement that MFA must always be required for privileged roles. Option C is wrong because it creates only one policy targeting all users with exclusions for trusted locations and compliant devices, which would incorrectly exempt privileged role users from MFA when they meet those conditions. Option D is wrong because Intune compliance policies cannot be used to exempt devices from MFA in a Conditional Access policy; MFA enforcement is controlled by Conditional Access policies, not by compliance policies.

340
MCQmedium

An organization needs to grant its IT administrators temporary access to the Global Administrator role. The access should require a separate approval from a designated manager before activation, and the permissions should automatically expire after 4 hours. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Access Reviews
AnswerC

PIM is designed for just-in-time privileged access, supporting approval-based activation with configurable time limits and automatic expiration.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access, allowing IT administrators to activate the Global Administrator role for a limited time (e.g., 4 hours) only after receiving approval from a designated manager. This directly meets the requirement for temporary, approval-based, and auto-expiring permissions.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Conditional Access, mistakenly thinking that Conditional Access can enforce time-limited role activation, when in fact PIM is the only feature that provides just-in-time privileged access with approval and automatic expiration.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces policies based on signals like location or device state to control access to resources, but it does not provide time-limited role activation or require separate manager approval for role elevation. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials) but does not manage privileged role activation or approval workflows. Option D is wrong because Access Reviews allow administrators to periodically review and certify group memberships or role assignments, but they do not provide temporary, approval-based activation with automatic expiration.

341
MCQmedium

Refer to the exhibit. You are reviewing Microsoft Entra role assignments for a user. The first assignment has a roleDefinitionId of '62e90394-69f5-4237-9190-012177145e10' at scope '/'. The second assignment has a roleDefinitionId of '194ae4cb-b126-40b2-bd5b-6091b380977d' at a subscription scope. What can you infer?

A.The user has the Global Administrator role at the tenant level.
B.The user can only read Azure AD objects.
C.The second role is assigned at the subscription scope.
D.The user is a Global Administrator with full access to all Azure AD and Azure resources.
AnswerA

Role ID 62e90394... is the Global Administrator role, assigned at tenant scope.

Why this answer

The roleDefinitionId '62e90394-69f5-4237-9190-012177145e10' corresponds to the Global Administrator role in Microsoft Entra ID. The scope '/' indicates the tenant root scope, meaning the assignment applies to the entire tenant. Therefore, the user is a Global Administrator at the tenant level, which grants them broad administrative access across all Azure AD and Azure resources.

Exam trap

The trap here is that candidates often assume the Global Administrator role automatically grants full access to all Azure resources, but in reality, Azure AD roles and Azure RBAC roles are separate authorization systems, and a Global Administrator must be explicitly assigned an Azure RBAC role (like Contributor or Owner) to manage Azure resources.

How to eliminate wrong answers

Option B is wrong because the Global Administrator role provides full read and write access to Azure AD objects, not just read-only. Option C is wrong because, although the second assignment is indeed at a subscription scope and the statement is true, it does not address the inference the question asks for; the key inference is the Global Administrator role from the first assignment. Option D is wrong because although Global Administrators have full access to Azure AD, they do not automatically have full access to all Azure resources; access to Azure resources requires additional role assignments (e.g., Owner or Contributor) at the subscription or resource scope.

342
MCQeasy

A company wants to provide secure external access to a partner application without creating user accounts manually. They need to allow partners to authenticate using their existing corporate identities (e.g., from other organizations) and configure policies for access. Which Microsoft Entra feature should they use?

A.Microsoft Entra Identity Protection
B.Microsoft Entra External ID (B2B collaboration)
C.Microsoft Entra Privileged Identity Management
D.Microsoft Entra Domain Services
AnswerB

This feature enables partners to use their own identities to sign in, and you can apply policies to manage access.

Why this answer

Microsoft Entra External ID (B2B collaboration) allows organizations to securely share applications and resources with external partners by letting them authenticate using their own corporate identities (e.g., from other Azure AD tenants, Microsoft accounts, or social identity providers). It eliminates the need to manually create and manage user accounts for partners, while enabling you to apply conditional access policies for granular control over external access.

Exam trap

The trap here is that candidates often confuse B2B collaboration (External ID) with B2C (External Identities for customer-facing apps) or think that Privileged Identity Management is needed for external access, but the question specifically asks about allowing partners to use their existing corporate identities without manual account creation, which is the core purpose of B2B collaboration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., leaked credentials, sign-in anomalies) for users within your tenant, not a feature for inviting external partners or federating with their existing identities. Option C is wrong because Microsoft Entra Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles within your own directory (e.g., just-in-time admin access), not for enabling external partner authentication or collaboration. Option D is wrong because Microsoft Entra Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy on-premises applications in the cloud, not for external identity federation or B2B guest access.

343
MCQmedium

Your company uses Microsoft Entra ID. Security policy requires that all external guest users must be reviewed and their access approved by their sponsor every 90 days. If not approved, access should be automatically removed. Which feature should you use?

A.Microsoft Entra Conditional Access
B.Microsoft Entra B2B collaboration settings
C.Microsoft Entra entitlement management
D.Microsoft Entra access reviews
AnswerD

Access reviews allow scheduling periodic reviews and can automatically remove access if not approved.

Why this answer

Microsoft Entra access reviews (Option D) allow you to configure recurring reviews of guest users' access, with automatic removal of access if not approved. This directly meets the requirement for a 90-day review cycle with automatic enforcement, as access reviews can be scoped to guest users and integrated with entitlement management or groups.

Exam trap

The trap here is that candidates confuse entitlement management (which creates access packages) with the actual review and removal mechanism, but access reviews are the specific feature that enforces periodic attestation and automatic cleanup.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access controls access based on conditions like location or device state, but it does not provide periodic review or automatic removal of access based on approval. Option B is wrong because Microsoft Entra B2B collaboration settings manage invitation policies and external user properties, but they lack the recurring review and auto-removal workflow. Option C is wrong because Microsoft Entra entitlement management manages access packages and catalogs, but the actual review and removal process is implemented through access reviews, not entitlement management alone.

344
MCQmedium

A company uses Microsoft Entra ID and wants to enforce multifactor authentication (MFA) for all users accessing a sensitive customer relationship management (CRM) application, but only when the access request originates from outside the corporate network. Which component of a Conditional Access policy should the administrator configure to specify this location-based requirement?

A.Assignments
B.Conditions
C.Grant controls
D.Session controls
AnswerB

Conditions include sign-in risk, device platforms, locations, client apps, and other context. The location condition is used to target access based on network location.

Why this answer

The 'Conditions' section of a Conditional Access policy allows administrators to define the circumstances under which the policy is applied, including the location from which an access request originates. By configuring a location condition, you can specify that MFA is enforced only when users access the CRM application from outside the corporate network, using named locations or IP ranges. This is the correct component to enforce the location-based requirement.

Exam trap

The trap here is that candidates often confuse 'Assignments' (who/what) with 'Conditions' (when/where), mistakenly selecting Assignments because they think location is part of the user or app assignment, whereas Conditions specifically handle environmental factors like location, device state, and risk.

How to eliminate wrong answers

Option A is wrong because 'Assignments' define which users, groups, or applications the policy applies to, not the conditions under which it is triggered. Option C is wrong because 'Grant controls' specify what actions to take (e.g., require MFA, require compliant device) after the policy conditions are met, not the location condition itself. Option D is wrong because 'Session controls' manage session-level behaviors like app-enforced restrictions or sign-in frequency, not the location-based trigger for MFA enforcement.

345
MCQeasy

A company uses Microsoft Entra ID. Employees often forget their passwords and contact the IT helpdesk to reset them. The company wants to reduce helpdesk costs by allowing users to reset their own passwords using a verified mobile phone number or email address. Which Microsoft Entra ID feature should the administrator enable?

A.Microsoft Entra ID Identity Protection
B.Self-Service Password Reset (SSPR)
C.Privileged Identity Management (PIM)
D.Conditional Access
AnswerB

SSPR enables users to reset their passwords using configured authentication methods like phone or email.

Why this answer

Self-Service Password Reset (SSPR) is the correct feature because it allows users to reset their own passwords without helpdesk intervention, using a verified mobile phone number or email address as authentication methods. This directly reduces helpdesk costs by shifting password reset responsibility to the user, while maintaining security through verification of registered contact methods.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with self-service password reset, because both involve 'management' of identities, but PIM is strictly for privileged role activation, not end-user password changes.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Identity Protection is a risk-based security tool that detects potential identity vulnerabilities and provides automated remediation, but it does not provide self-service password reset capabilities. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not end-user password resets. Option D is wrong because Conditional Access enforces access policies based on signals like user location or device state, but it does not enable users to reset their own passwords.

346
MCQmedium

A company uses Microsoft Entra ID to manage identities. They want to enforce access policies based on user location, device compliance, and application sensitivity. Which Microsoft Entra ID capability should they use?

A.Microsoft Entra ID Protection
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Microsoft Entra Connect Sync
AnswerB

Conditional Access allows administrators to create policies that evaluate conditions such as user group, location, device state, and application sensitivity to grant or deny access, enforce MFA, or block access.

Why this answer

Conditional Access is the correct capability because it allows administrators to create policies that enforce access controls based on conditions such as user location, device compliance, and application sensitivity. These policies evaluate signals at sign-in time and can require multi-factor authentication, block access, or grant limited access based on the defined conditions.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID Protection (which deals with risk detection) with Conditional Access (which enforces policies based on conditions like location and device compliance), but ID Protection does not directly enforce location- or device-based access rules.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection focuses on detecting and remediating identity-based risks (e.g., leaked credentials, anonymous IP addresses) and does not directly enforce policies based on device compliance or application sensitivity. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged access and role activation workflows, not location- or device-based access policies. Option D is wrong because Microsoft Entra Connect Sync is a tool for synchronizing on-premises directory objects to Entra ID and has no role in enforcing access policies.

347
MCQhard

You are analyzing a PIM activation request. The roleDefinitionId corresponds to the Global Administrator role. What is the duration of the activation?

A.4 hours
B.8 hours
C.8 minutes
D.8 days
AnswerB

PT8H is ISO 8601 for 8 hours.

Why this answer

By default, the maximum activation duration for a Global Administrator role in Privileged Identity Management (PIM) is 8 hours. This is the longest allowed activation period for highly privileged roles like Global Administrator, ensuring elevated access is time-limited to reduce security risk.

Exam trap

The trap here is that candidates confuse the default activation duration for Global Administrator (8 hours) with the 4-hour default for other roles or the 8-minute activation window for temporary access passes, leading them to select the wrong option.

How to eliminate wrong answers

Option A is wrong because 4 hours is not the default maximum activation duration for Global Administrator; it is a possible custom duration but not the default. Option C is wrong because 8 minutes is far too short for a Global Administrator activation; PIM allows durations in hours, not minutes, for such roles. Option D is wrong because 8 days would violate the principle of just-in-time access; PIM enforces a maximum of 8 hours for Global Administrator to prevent persistent elevation.

348
MCQeasy

A company wants to grant temporary, time-limited access to a critical Azure resource for an external consultant. Which Microsoft Entra feature should they use?

A.Entra Verified ID
B.Privileged Identity Management (PIM)
C.Identity Protection
D.Conditional Access
AnswerB

PIM provides just-in-time privileged access with expiration.

Why this answer

Privileged Identity Management (PIM) is the correct choice because it provides just-in-time (JIT) privileged access to Azure resources, allowing administrators to grant time-bound, temporary access that automatically expires. This aligns directly with the requirement for temporary, time-limited access for an external consultant, as PIM supports activation windows, approval workflows, and audit logging for such scenarios.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with Conditional Access, thinking that Conditional Access can enforce time-limited access, but Conditional Access only controls sign-in conditions, not the duration of privileged role assignments.

How to eliminate wrong answers

Option A is wrong because Entra Verified ID is a decentralized identity verification solution using verifiable credentials (based on W3C standards) and does not provide time-limited access management to Azure resources. Option C is wrong because Identity Protection is a risk-detection and remediation service that identifies compromised identities or risky sign-ins, not a tool for granting or managing temporary access. Option D is wrong because Conditional Access enforces policies based on conditions like location or device state at sign-in time, but it does not grant or schedule time-limited privileged access to specific resources.

349
MCQhard

Your organization uses Microsoft Entra ID Governance. You need to ensure that access to a critical application is reviewed every 90 days by the application owner. If the review is not completed, access should be revoked automatically. Which feature should you configure?

A.Terms of use
B.Access reviews
C.Privileged Identity Management
D.Entitlement management
AnswerB

Access reviews can be configured for recurring reviews with auto-revocation if not completed.

Why this answer

Access reviews in Microsoft Entra ID Governance allow you to create recurring reviews of group memberships or application assignments, with automatic revocation of access if the review is not completed. By configuring a review every 90 days and setting the 'Auto apply' action to 'Remove access', you ensure that the application owner must certify access or it is automatically revoked.

Exam trap

The trap here is that candidates confuse Entitlement management (which handles access packages and lifecycle) with Access reviews (which specifically handle recurring attestation and automatic revocation), leading them to pick D instead of B.

How to eliminate wrong answers

Option A is wrong because Terms of use are used to present legal or policy documents that users must accept before accessing applications, not to schedule recurring access reviews with automatic revocation. Option C is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and approval workflows, not for recurring attestation of access to a critical application. Option D is wrong because Entitlement management handles access packages and automated provisioning/deprovisioning based on policies, but it does not provide the recurring review cycle with automatic revocation if the review is not completed; that is the specific function of Access reviews.

350
MCQhard

A multinational company uses Microsoft Entra ID. They want to ensure that users from a specific country only access a sensitive application from compliant devices. Additionally, they want to block access if the sign-in risk is medium or high. Which combination of policies should they create?

A.A Conditional Access session policy to enforce sign-in frequency
B.A device compliance policy in Microsoft Intune
C.A Conditional Access policy requiring MFA from that country
D.A Conditional Access policy with conditions for location, device compliance, and sign-in risk
AnswerD

Conditional Access can combine multiple conditions including location, device compliance, and risk.

Why this answer

Option D is correct because a single Conditional Access policy can combine multiple conditions—such as location (country), device compliance (via integration with Intune), and sign-in risk—to enforce granular access controls. This allows the company to require compliant devices and block access when sign-in risk is medium or high, all within one policy.

Exam trap

The trap here is that candidates think they need separate policies for each condition (location, device compliance, risk), but Microsoft Entra ID allows combining all three conditions into a single Conditional Access policy, which is more efficient and aligns with the scenario's requirements.

How to eliminate wrong answers

Option A is wrong because sign-in frequency is a session control that re-prompts for authentication after a set time, not a condition to restrict access by location, device compliance, or risk. Option B is wrong because a device compliance policy in Intune defines compliance rules (e.g., encryption, OS version) but does not enforce access decisions or block based on sign-in risk; it only marks devices as compliant or non-compliant. Option C is wrong because requiring MFA from that country does not address device compliance or sign-in risk; it only adds an authentication step, not a block for medium/high risk or non-compliant devices.

351
Multi-Selectmedium

Which THREE of the following are features of Microsoft Entra ID Protection?

Select 3 answers
A.Automatically notify users when their password is about to expire.
B.Ability to define risk-based Conditional Access policies.
C.Automated remediation of risky users by blocking sign-in.
D.Just-in-time privileged role activation.
E.Detection of sign-in risks from anonymous IP addresses.
AnswersB, C, E

Risk-based policies are a key feature.

Why this answer

Option B is correct because Microsoft Entra ID Protection provides risk detection signals that can be integrated into Conditional Access policies, enabling administrators to automatically enforce controls such as requiring multi-factor authentication or blocking access based on user or sign-in risk levels. This allows organizations to respond dynamically to detected threats without manual intervention.

Exam trap

The trap here is that candidates confuse the distinct Microsoft Entra services—Entra ID Protection (risk detection and remediation), Privileged Identity Management (PIM) for just-in-time access, and general password policy settings—leading them to select options that belong to other services.

352
MCQmedium

Your company uses Microsoft Entra ID. You need to enable users to sign in to third-party SaaS applications using their corporate credentials without storing passwords in those apps. Which Microsoft Entra feature should you configure?

A.Configure single sign-on (SSO) using federation
B.Deploy Microsoft Entra Self-Service Password Reset
C.Configure conditional access policies with MFA
D.Enable Microsoft Entra Identity Protection
AnswerA

SSO with federation allows users to sign in once and access apps without password storage.

Why this answer

Option A is correct because configuring single sign-on (SSO) using federation allows users to authenticate against Microsoft Entra ID (their corporate identity provider) and then pass a security token to third-party SaaS applications. This eliminates the need for the SaaS app to store or manage user passwords, as authentication happens via standards like SAML 2.0 or WS-Federation, and the app trusts the token issued by Entra ID.

Exam trap

The trap here is that candidates often confuse Conditional Access or Identity Protection with the core mechanism for passwordless federation, not realizing that SSO via federation is the specific feature that removes password storage in the third-party app.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Self-Service Password Reset (SSPR) enables users to reset their own passwords, but it does not provide a mechanism to sign in to third-party SaaS apps without storing passwords in those apps. Option C is wrong because Conditional Access policies with MFA enforce additional security controls (like requiring multi-factor authentication) during sign-in, but they do not eliminate the need for password storage in the SaaS app itself. Option D is wrong because Microsoft Entra Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, anomalous sign-ins), but it does not enable passwordless or federated authentication to third-party applications.

353
MCQeasy

A company has a hybrid identity environment with Active Directory synchronizing to Microsoft Entra ID. They want users to be able to reset their own on-premises passwords via the cloud SSPR portal. What is the minimum license required for this capability?

A.Microsoft Entra ID Free
B.Microsoft Entra ID P1
C.Microsoft Entra ID P2
D.Microsoft 365 Business Basic
AnswerB

P1 includes all features needed for SSPR with password writeback in hybrid environments.

Why this answer

Microsoft Entra ID P1 is the minimum license required for password writeback, which enables users to reset their on-premises Active Directory passwords via the cloud SSPR portal. This feature requires Microsoft Entra ID P1 or higher because it involves synchronizing password changes back to on-premises AD using Microsoft Entra Connect.

Exam trap

The trap here is that candidates often assume Microsoft Entra ID Free or a basic Microsoft 365 license is sufficient for SSPR, forgetting that password writeback to on-premises AD is a premium feature requiring at least P1.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Free does not include password writeback; its self-service capability covers only password change for cloud users, so a hybrid user's on-premises password cannot be written back. Option C is wrong because Microsoft Entra ID P2 includes everything in P1 plus Identity Protection and Privileged Identity Management; P1 already provides password writeback, so P2 is not the minimum. Option D is wrong because Microsoft 365 Business Basic bundles only the Free tier of Microsoft Entra ID, not P1, and therefore lacks writeback (Microsoft 365 Business Premium would qualify, but only because it bundles P1).

354
MCQmedium

Your organization requires that all external guest users must sign in using Microsoft Authenticator for MFA. What should you configure?

A.Conditional Access policy
B.Microsoft Entra B2B collaboration settings
C.Access reviews
D.ID Protection policies
AnswerA

Conditional Access can require MFA for guest users.

Why this answer

A Conditional Access policy is the correct choice because it can target external identities (the 'Guest or external users' selection under Users in the policy assignments, not a directory role) and then pin the method: the 'Require authentication strength' grant control with a custom strength that allows only Microsoft Authenticator (push notification or passwordless sign-in) accepts nothing else. The plain 'Require multifactor authentication' grant would accept any registered MFA method, so it does not satisfy the requirement on its own. This gives granular, per-policy control over how B2B collaboration guests authenticate.

Exam trap

The trap here is that candidates confuse the high-level B2B collaboration settings (which only control trust of MFA from the home tenant) with the ability to enforce a specific MFA method directly on guest users, which requires a Conditional Access policy.

How to eliminate wrong answers

Option B (Microsoft Entra B2B collaboration settings) is wrong because these settings control invitation, redemption, and cross-tenant access policies, but they do not directly enforce MFA methods like Microsoft Authenticator; they only set trust settings for MFA from the guest's home tenant. Option C (Access reviews) is wrong because access reviews are used to periodically review and recertify user access, not to enforce authentication methods or MFA requirements. Option D (ID Protection policies) is wrong because ID Protection policies focus on risk-based conditional access (e.g., sign-in risk, user risk) and can trigger MFA, but they do not allow you to specify a particular MFA method like Microsoft Authenticator; that is done via Conditional Access grant controls.

355
MCQmedium

A company uses Microsoft Entra ID. The security team needs to block all sign-in attempts from a list of known malicious IP addresses. They also want to block sign-ins that originate from anonymous proxy services. Which Microsoft Entra capability should they configure to meet these requirements?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management
D.Access Reviews
AnswerA

Conditional Access can block sign-ins from an IP-based named location that lists the malicious ranges, and it can block anonymous proxies through its sign-in risk condition, because Identity Protection tags them with the 'Anonymous IP address' detection.

Why this answer

Conditional Access policies in Microsoft Entra ID define the conditions under which sign-ins are blocked or allowed. For the known-bad addresses, create an IP-based named location containing those ranges and use it as the Locations condition of a policy whose grant control is Block. For anonymous proxies there is no location type to pick; instead, Identity Protection classifies such sign-ins with the 'Anonymous IP address' risk detection, which surfaces in Conditional Access as sign-in risk, so a second policy with the sign-in risk condition set to medium and high and a Block grant covers them (this part needs Microsoft Entra ID P2, because sign-in risk comes from Identity Protection). Conditions inside one policy are ANDed, so the two requirements belong in two policies.

Exam trap

The trap here is that candidates often confuse Identity Protection’s risk detection capabilities with the enforcement mechanism, mistakenly thinking Identity Protection alone can block sign-ins, when in fact it only identifies risks and requires Conditional Access to enforce the block.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because Identity Protection is a risk-based detection and remediation service that identifies suspicious sign-ins (e.g., from anonymous IPs) but does not itself enforce blocking; it relies on Conditional Access policies to take action. Option C (Privileged Identity Management) is wrong because PIM focuses on just-in-time privileged role activation and access governance, not on blocking sign-ins based on IP address or proxy services. Option D (Access Reviews) is wrong because Access Reviews are used to periodically audit and certify user access to resources, not to block sign-ins in real time based on location or network characteristics.

356
Multi-Selecthard

Which THREE of the following are valid components of Microsoft Entra Conditional Access? (Select THREE.)

Select 3 answers
A.Users and groups
B.Session
C.Conditions (e.g., locations, device platforms)
D.Cloud apps or actions
E.Grant
AnswersA, C, D

'Users and groups' is the assignment that specifies whom the policy applies to; 'Cloud apps or actions' and 'Conditions' complete the assignments, while 'Grant' and 'Session' are access controls.

Why this answer

Option A is correct because 'Users and groups' is a fundamental assignment component in Microsoft Entra Conditional Access policies. It specifies which identities the policy applies to, such as specific users, groups, directory roles, or all users. Without this assignment, the policy cannot target any identities, making it a mandatory building block for any Conditional Access rule.

Exam trap

The trap here is that candidates often confuse 'Grant' and 'Session' as top-level components when they are actually sub-options under 'Access controls', leading them to select them instead of the correct assignment components like 'Users and groups', 'Conditions', and 'Cloud apps or actions'.
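
The policy structure from question 356 and the IP-range and anonymous-proxy blocks from question 355, as an added example written for this page in Microsoft Graph PowerShell (it is not code from the original page or from Microsoft's documentation): it creates an IP named location and two report-only Block policies, one keyed on that location and one on sign-in risk. The CIDR range is an RFC 5737 test range and the break-glass account object ID is a placeholder; Conditional Access needs Microsoft Entra ID P1 and the sign-in risk condition needs P2.

```powershell
# Added example: Conditional Access assignments (users, apps, conditions) and access controls
# (grant) built with the Microsoft Graph PowerShell SDK. Values marked PLACEHOLDER are assumptions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: object ID of the emergency-access account

# 1. Named location holding the known-bad ranges (constructed RFC 5737 test range, not real intel)
$badIps = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Known malicious IP ranges"
    isTrusted     = $false
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Helper: a Block policy over all users and all apps, plus the caller's extra conditions.
# Every policy starts in report-only so the sign-in log shows what it would have blocked.
function New-ReportOnlyBlockPolicy {
    param([string]$Name, [hashtable]$ExtraConditions)
    $conditions = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }   # assignment: who
        applications   = @{ includeApplications = @("All") }                          # assignment: what
        clientAppTypes = @("all")
    }
    foreach ($k in $ExtraConditions.Keys) { $conditions[$k] = $ExtraConditions[$k] }  # assignment: conditions
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = @("block") }               # access control: grant
    }
}

# 2a. Block anything arriving from the named location
$p1 = New-ReportOnlyBlockPolicy -Name "Block known malicious IPs" -ExtraConditions @{
    locations = @{ includeLocations = @($badIps.Id) }
}

# 2b. Block anonymous proxies: Identity Protection tags them with the 'Anonymous IP address'
#     detection, which Conditional Access sees as sign-in risk. Conditions inside one policy are
#     ANDed, so this must be a separate policy from 2a.
$p2 = New-ReportOnlyBlockPolicy -Name "Block medium and high sign-in risk" -ExtraConditions @{
    signInRiskLevels = @("medium", "high")
}

$p1, $p2 | Select-Object DisplayName, State, Id
```

After reviewing what report-only mode flagged in the sign-in logs, switch each policy's `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. The break-glass exclusion is deliberate: a Block policy over All users with no exclusion can lock every administrator out if the named location or the risk engine misfires.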

357
Multi-Selecthard

Which TWO authentication methods in Microsoft Entra ID support passwordless sign-in?

Select 2 answers
A.Certificate-based authentication
B.Windows Hello for Business
C.FIDO2 security keys
D.SMS-based verification
E.Time-based one-time password (TOTP)
AnswersB, C

Windows Hello for Business unlocks a device-bound private key with a biometric or PIN; FIDO2 security keys do the same with external hardware. Neither sends a password.

Why this answer

Windows Hello for Business is a passwordless authentication method in Microsoft Entra ID that uses biometric or PIN-based credentials tied to a user's device, leveraging asymmetric key pairs to authenticate without transmitting a password. It is considered passwordless because the user signs in with a gesture (e.g., fingerprint or PIN) that unlocks a private key stored in hardware, eliminating the need for a shared secret.

Exam trap

The trap here is that candidates often confuse multi-factor authentication methods (like SMS or TOTP) with passwordless authentication, failing to recognize that passwordless methods eliminate the password entirely as the first factor, whereas SMS and TOTP are second factors layered on top of a password. Note also that Microsoft classes Microsoft Entra certificate-based authentication (option A) as passwordless and phishing-resistant, so it is a defensible pick; this key treats Windows Hello for Business and FIDO2 as the two canonical passwordless answers.

358
MCQmedium

A user reports that they cannot access the corporate portal after a password reset. The user can access other cloud apps. You verify that the user account is enabled and not locked. What should you check next?

A.Disable and re-enable the user account
B.Verify the user's registered authentication methods
C.Reinstall the corporate portal application
D.Check if the user is assigned a Microsoft Entra ID P2 license
AnswerB

Password reset may require re-registration of MFA methods.

Why this answer

The user can access other cloud apps, which rules out a broken password or a tenant-wide outage, and the account is enabled and not locked. The remaining difference is what the corporate portal demands at sign-in: if it sits behind a Conditional Access policy that requires multifactor authentication (or an authentication strength) while the other apps do not, a user whose registered authentication methods are missing, stale (an old phone number, a reinstalled Authenticator app) or not of the required type is stopped at that one app. Checking the user's registered methods in the Authentication methods blade, or in the user registration details report, confirms or rules this out before anything is changed.

Exam trap

The trap here is that candidates often assume a password reset always works seamlessly, but the SC-900 exam tests the understanding that authentication methods must be registered and up-to-date for the reset to succeed, especially when the user is prompted for additional verification.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling the account would not resolve a missing or misconfigured authentication method; it only toggles the account status, which is already enabled. Option C is wrong because reinstalling the corporate portal application addresses client-side corruption, not an identity or authentication method issue that prevents access after a password reset. Option D is wrong because a Microsoft Entra ID P2 license is not required for basic password reset or authentication method registration; P2 adds advanced features like Identity Protection and Privileged Identity Management, but the core SSPR and MFA registration work with P1 or even free tier licenses.
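
The check the answer recommends, as an added example written for this page in Microsoft Graph PowerShell (not code from the original page): it lists the user's registered authentication methods, counts the ones that can satisfy an MFA grant, and compares that with the tenant's own registration report. The user principal name is a placeholder, and the set of method types counted as MFA-capable is this example's assumption.

```powershell
# Added example: enumerate a user's registered authentication methods and flag the gap that
# would stop an MFA-protected app after a password reset. The UPN is a placeholder.
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

$upn = "user@contoso.example"   # PLACEHOLDER

# Method types this example counts as able to satisfy a Conditional Access MFA requirement.
# password and email methods are deliberately absent: they count for nothing here.
$mfaCapableTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod"
)

function Get-MfaReadiness {
    param([string]$UserPrincipalName)
    $userId = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id

    # The methods collection is polymorphic; the SDK exposes the concrete type in @odata.type.
    $methods = Get-MgUserAuthenticationMethod -UserId $userId
    $types   = @($methods | ForEach-Object { $_.AdditionalProperties["@odata.type"] })
    $mfa     = @($types | Where-Object { $mfaCapableTypes -contains $_ })

    # The registration report states whether the tenant itself considers the user MFA/SSPR capable.
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $userId

    if ($mfa.Count -eq 0)            { $verdict = "No MFA-capable method: re-register before retrying the portal" }
    elseif (-not $reg.IsMfaCapable) { $verdict = "Methods exist but the tenant does not count them as MFA-capable" }
    else                             { $verdict = "Methods look fine; check the portal's Conditional Access policy next" }

    [pscustomobject]@{
        User             = $UserPrincipalName
        RegisteredTypes  = ($types -replace '^#microsoft\.graph\.', '') -join ", "
        MfaCapableCount  = $mfa.Count
        IsMfaCapable     = $reg.IsMfaCapable
        IsSsprRegistered = $reg.IsSsprRegistered
        Verdict          = $verdict
    }
}

Get-MfaReadiness -UserPrincipalName $upn | Format-List
```

A user who shows only `passwordAuthenticationMethod` here has nothing to present when the portal's policy asks for a second factor, which matches the symptom in the question: the apps without that policy keep working.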

359
Multi-Selecthard

A company uses Microsoft Entra ID. They want to implement two security baseline requirements: (1) Users must register for multifactor authentication (MFA) before they can use self-service password reset (SSPR). (2) Administrators must have just-in-time (JIT) access to Azure resources with approval required. Which two Microsoft Entra features should they use? (Choose two.)

Select 2 answers
A.Identity Protection
B.Conditional Access
C.Privileged Identity Management (PIM)
D.Combined registration for SSPR and MFA
AnswersC, D

PIM enables just-in-time administrative access with approval workflows, meeting requirement (2).

Why this answer

Privileged Identity Management (PIM) is the correct feature for requirement (2) because it provides just-in-time (JIT) access to Azure resources, requiring approval for role activation. PIM allows administrators to request time-bound, approved elevation of privileges, meeting the JIT and approval requirement exactly.

Exam trap

The trap here is that candidates confuse Conditional Access (which enforces MFA registration via policy) with the specific combined registration feature that directly ties SSPR and MFA enrollment into a single user experience, and they may overlook that PIM is the only feature that provides JIT access with approval for Azure resources.

360
MCQmedium

A company uses Microsoft Entra ID. They want to require users to perform multifactor authentication (MFA) every 90 days on trusted devices, but force MFA for every sign-in on untrusted devices. Which Conditional Access session control must they configure to meet this requirement?

A.Sign-in frequency
B.Application enforced restrictions
C.Use app enforced restrictions
D.Persistent browser session
AnswerA

Sign-in frequency is a session control that determines how often a user must provide authentication credentials again, such as after a set number of days or hours. It can be configured differently for trusted and untrusted devices.

Why this answer

Sign-in frequency is the Conditional Access session control that defines how often a user must re-authenticate, even on a trusted device. The requirement takes two policies: one scoped to trusted devices (for example a device filter for compliant or Microsoft Entra hybrid joined devices) with sign-in frequency set to a periodic value of 90 days, and one for all other devices with sign-in frequency set to 'Every time'. The control accepts a period in hours or days or the 'Every time' option; there is no numeric zero setting. Because it re-prompts for the primary and secondary factors, it manages the MFA interval independently of the default token lifetimes.

Exam trap

The trap here is that candidates confuse 'Persistent browser session' (which controls session persistence across browser closes) with 'Sign-in frequency' (which controls the re-authentication interval), leading them to choose the wrong option for MFA frequency requirements.

How to eliminate wrong answers

Options B and C are wrong for the same reason: 'Use app enforced restrictions' (exposed in the Graph API as applicationEnforcedRestrictions, which is where option B's wording comes from) is a real session control, but it only tells Exchange Online and SharePoint Online to apply their own limited-access experience for unmanaged devices; it has nothing to do with how often the user must re-authenticate. Option D is wrong because 'Persistent browser session' controls whether the browser session cookie survives closing the browser; it affects session persistence, not the MFA re-authentication interval.

361
Drag & Dropmedium

Arrange the steps to investigate a user compromise using Azure AD Identity Protection.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Identity Protection investigation involves accessing the portal, reviewing risks, selecting a user, analyzing events, and taking action.

362
MCQmedium

A company wants to improve password security across its Microsoft Entra ID tenant. The security team wants to prevent users from setting passwords that appear on Microsoft's global banned password list, which includes commonly compromised passwords. Additionally, they need to add a custom banned password containing the company name so that users cannot use variations of it. Which Microsoft Entra ID feature should they configure to enforce these password policies?

A.Conditional Access
B.Identity Protection
C.Password Protection
D.Multi-factor authentication (MFA)
AnswerC

Password Protection is the Entra ID feature that enforces both global and custom banned password lists. It prevents users from setting weak or easily guessable passwords, thereby reducing the risk of password-based attacks.

Why this answer

Password Protection in Microsoft Entra ID is the feature specifically designed to enforce both global and custom banned password lists. It prevents users from using commonly compromised passwords from Microsoft's global list and allows administrators to add custom terms, such as the company name, to block variations. This directly addresses the requirement to improve password security by blocking weak and organization-specific passwords.

Exam trap

The trap here is that candidates may confuse Identity Protection's 'leaked credentials' detection with the ability to block password creation, but Identity Protection only detects credentials that have already been compromised; it does not prevent users from setting weak passwords in the first place.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls based on signals like user location or device compliance, not password content or banned password lists. Option B is wrong because Identity Protection focuses on detecting and remediating identity-based risks, such as leaked credentials or suspicious sign-ins, not on preventing users from setting specific passwords. Option D is wrong because Multi-factor authentication (MFA) adds a second verification step during sign-in but does not control or validate the password content that users set.

363
MCQhard

Refer to the exhibit. You run the cmdlet and get a list of risk detections. What does this cmdlet retrieve?

A.Users who have been flagged for risky sign-ins
B.All risk detections in the tenant
C.All sign-in logs with unfamiliar properties
D.Risk detections for the unfamiliar sign-in properties risk event type
AnswerD

The -Filter argument restricts riskEventType to a single value: the unfamiliar sign-in properties detection.

Why this answer

The cmdlet `Get-MgRiskDetection` returns risk detections from Microsoft Entra ID Protection; on its own it lists every detection in the tenant, but the `-Filter` argument shown in the exhibit restricts `riskEventType` to the unfamiliar sign-in properties detection, so only those detections are returned. The cmdlet supports OData filtering on `riskEventType`, which holds the detection type as defined by Identity Protection. One practical caveat: in the Microsoft Graph riskDetection resource the enumeration value for this detection is `unfamiliarFeatures`, so use that value when you run the query yourself.

Exam trap

The trap here is that candidates confuse retrieving risk detections (which are events) with retrieving risky users or sign-in logs, and they overlook the `-Filter` parameter that narrows the scope to a specific risk event type, leading them to choose the overly broad 'All risk detections' option.

How to eliminate wrong answers

Option A is wrong because `Get-MgRiskDetection` retrieves risk detection objects, not user objects; users flagged for risky sign-ins are retrieved using `Get-MgRiskyUser` or `Get-MgRiskDetection` with a different filter. Option B is wrong because the cmdlet in the exhibit includes a `-Filter` parameter that limits the results to a specific risk event type, not all risk detections in the tenant. Option C is wrong because sign-in logs with unfamiliar properties are a subset of risk detections, but the cmdlet retrieves risk detection objects (which include metadata like risk level, risk state, and detection timing), not raw sign-in logs; sign-in logs are retrieved via `Get-MgAuditLogSignIn`.
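
The investigation sequence from question 361 (review the user's risk, pull the detections, look at the surrounding sign-ins, then act) together with the filtered `Get-MgRiskDetection` query from question 363, as an added example written for this page in Microsoft Graph PowerShell (not code from the original page or from Microsoft). The user principal name is a placeholder; Identity Protection requires Microsoft Entra ID P2, and nothing here changes state unless one of the two action switches is passed.

```powershell
# Added example: triage one risky user with the Microsoft Graph PowerShell SDK.
# Read-only until -ConfirmCompromised or -Dismiss is supplied. The UPN is a placeholder.
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All", "IdentityRiskEvent.Read.All", "AuditLog.Read.All", "User.Read.All"

function Invoke-RiskTriage {
    param(
        [string]$UserPrincipalName,
        [int]$Days = 7,
        [switch]$ConfirmCompromised,
        [switch]$Dismiss
    )
    $userId = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id

    # Step 1: the user's current aggregate risk
    $risky = Get-MgRiskyUser -RiskyUserId $userId
    "{0}: riskLevel={1} riskState={2} updated={3}" -f $UserPrincipalName, $risky.RiskLevel, $risky.RiskState, $risky.RiskLastUpdatedDateTime

    # Step 2: the detections that produced it. riskEventType is an enumeration; the value for
    # "unfamiliar sign-in properties" is unfamiliarFeatures.
    $detections = Get-MgRiskDetection -Filter "userId eq '$userId' and riskEventType eq 'unfamiliarFeatures'" -All
    $detections | Select-Object ActivityDateTime, RiskEventType, RiskLevel, RiskState, IpAddress,
        @{ n = "Location"; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } } | Format-Table -AutoSize

    # Step 3: the sign-ins around them, to see what the user (or attacker) actually reached
    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$userId' and createdDateTime ge $since" -Top 50
    $signIns | Select-Object CreatedDateTime, AppDisplayName, IpAddress, RiskLevelDuringSignIn, ConditionalAccessStatus,
        @{ n = "Result"; e = { if ($_.Status.ErrorCode -eq 0) { "success" } else { "failure $($_.Status.ErrorCode)" } } } | Format-Table -AutoSize

    # Step 4: act. Confirming compromise raises the user to high risk (a user-risk policy can then
    # force a secure password change); dismissing closes the detections as benign.
    if ($ConfirmCompromised) { Confirm-MgRiskyUserCompromised -UserIds @($userId) }
    elseif ($Dismiss)        { Invoke-MgDismissRiskyUser -UserIds @($userId) }
}

Invoke-RiskTriage -UserPrincipalName "user@contoso.example"   # PLACEHOLDER UPN; add -ConfirmCompromised or -Dismiss to act
```

The three read steps map onto the three option types in question 363: `Get-MgRiskyUser` returns the user object, `Get-MgRiskDetection` the detection events, and `Get-MgAuditLogSignIn` the raw sign-in records. Drop the `riskEventType` clause from the filter to see every detection for the user rather than one type.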

364
MCQmedium

An organization uses Microsoft Entra ID. The security team wants to require multi-factor authentication (MFA) for users who sign in from sessions that Microsoft Entra ID Protection determines to have medium or high sign-in risk. Users signing in from low-risk sessions should not be prompted for MFA. Which feature should the security team configure?

A.Configure a Conditional Access policy with Sign-in risk as a condition and MFA as a grant control
B.Configure a user risk policy in Microsoft Entra ID Protection
C.Assign the Global Administrator role with Privileged Identity Management (PIM) activation requiring MFA
D.Create an access review in Microsoft Entra ID Governance
AnswerA

Conditional Access policies can evaluate sign-in risk from Identity Protection and require MFA only when the risk level matches the configured condition.

Why this answer

Option A is correct because a Conditional Access policy can use Sign-in risk (a condition from Microsoft Entra ID Protection) to require MFA as a grant control. This allows the security team to enforce MFA only for sessions with medium or high sign-in risk, while low-risk sessions are not prompted, exactly matching the requirement.

Exam trap

The trap here is confusing sign-in risk (session-level) with user risk (user-level), leading candidates to choose the user risk policy (Option B) instead of the Conditional Access policy with sign-in risk condition.

How to eliminate wrong answers

Option B is wrong because a user risk policy in Microsoft Entra ID Protection targets user-level risk (e.g., compromised credentials) and typically forces a password change, not MFA based on sign-in session risk. Option C is wrong because assigning the Global Administrator role with PIM activation requiring MFA only applies to privileged role activation, not to all user sign-ins based on sign-in risk. Option D is wrong because an access review in Microsoft Entra ID Governance is used for periodic review of group memberships or role assignments, not for real-time MFA enforcement based on sign-in risk.

365
Multi-Selectmedium

Which TWO of the following are capabilities of Microsoft Entra ID Governance?

Select 2 answers
A.Privileged Identity Management
B.Access Reviews
C.Entitlement Management
D.Conditional Access
E.Identity Protection
AnswersB, C

Access Reviews are a core ID Governance feature.

Why this answer

Access Reviews (B) are a core capability of Microsoft Entra ID Governance, enabling administrators to automate periodic reviews of group memberships, application access, and role assignments to ensure only the right people have access. Entitlement Management (C) is also a key governance feature, allowing organizations to manage the identity and access lifecycle at scale through access packages and policies. Both directly support identity governance by enforcing access controls and compliance requirements.

Exam trap

The trap here is Privileged Identity Management: it appears under Identity Governance in the Microsoft Entra admin center and is licensed with P2 alongside the governance features, so a candidate can reasonably count it. The answer key treats PIM as privileged-access management and keeps the two features whose whole purpose is governing access (access reviews and entitlement management); Conditional Access and Identity Protection are access-control and risk features, not governance.

366
MCQmedium

A company uses Microsoft Entra ID. The security team wants to enforce a policy that prevents users from choosing commonly used weak passwords like 'Winter2024!' or 'Password@123', and also blocks customized variants based on organizational context (e.g., company name). Users must create passwords that meet standard complexity requirements. Which Microsoft Entra ID feature should they enable?

A.Password hash synchronization
B.Microsoft Entra ID Password Protection
C.Self-Service Password Reset
D.Conditional Access
AnswerB

Correct. Microsoft Entra ID Password Protection blocks weak passwords and their common variants, including custom banned lists. It is the appropriate feature for enforcing strong password choices beyond default complexity.

Why this answer

Microsoft Entra ID Password Protection (B) is the correct feature because it specifically enforces custom banned password lists that block weak passwords like 'Winter2024!' and organizational variants such as the company name. It works alongside standard password complexity requirements to prevent users from choosing passwords that appear on a global banned list or a tenant-specific custom list. This directly addresses the security team's need to block commonly used weak passwords and context-based variants.

Exam trap

The trap here is that candidates often confuse Self-Service Password Reset (SSPR) with password policy enforcement, but SSPR only facilitates password changes and does not block weak passwords; the actual blocking is done by Password Protection, which is a separate feature.

How to eliminate wrong answers

Option A is wrong because Password hash synchronization is a feature that syncs user password hashes from on-premises Active Directory to Microsoft Entra ID for hybrid identity scenarios; it does not enforce password policies or block weak passwords. Option C is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords but does not define or enforce password content restrictions like banned password lists. Option D is wrong because Conditional Access is a policy engine that controls access based on signals like user location, device state, or risk level; it does not validate password strength or block weak passwords during creation or change.
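
How Password Protection decides, for questions 362 and 366: an added example written for this page that re-implements the evaluation Microsoft documents for Microsoft Entra Password Protection (normalize, fuzzy-match against the banned list, then score) in PowerShell. It is not Microsoft's code, and the global banned list is not published, so the banned list here is constructed; 'contoso' stands in for a custom company-name entry. The first two inputs are Microsoft's own documented worked examples.

```powershell
# Added example: Password Protection's documented banned-password evaluation, re-implemented
# for illustration. Banned list is constructed; the real global list is not published.
$bannedList = @("contoso", "blank", "password", "password123")

function ConvertTo-NormalizedPassword {
    param([string]$Password)
    # Documented normalization: lowercase, then the common substitutions 0->o, 1->l, $->s, @->a
    $Password.ToLowerInvariant().Replace("0", "o").Replace("1", "l").Replace("$", "s").Replace("@", "a")
}

function Test-WithinOneEdit {
    param([string]$A, [string]$B)
    # Documented fuzzy match: a banned term within edit distance 1 (one substitution, insertion or deletion)
    if ($A -eq $B) { return $true }
    if ([math]::Abs($A.Length - $B.Length) -gt 1) { return $false }
    $i = 0; $j = 0; $edits = 0
    while ($i -lt $A.Length -and $j -lt $B.Length) {
        if ($A[$i] -eq $B[$j]) { $i++; $j++; continue }
        $edits++
        if ($edits -gt 1) { return $false }
        if ($A.Length -eq $B.Length) { $i++; $j++ }     # substitution
        elseif ($A.Length -gt $B.Length) { $i++ }        # extra character in A
        else { $j++ }                                    # extra character in B
    }
    $edits += ($A.Length - $i) + ($B.Length - $j)        # an unconsumed tail is one more edit
    return ($edits -le 1)
}

function Get-PasswordScore {
    param([string]$Password, [string[]]$BannedList)
    $norm   = ConvertTo-NormalizedPassword $Password
    $banned = @($BannedList | ForEach-Object { ConvertTo-NormalizedPassword $_ } | Sort-Object Length -Descending)

    foreach ($term in $banned) {
        if (Test-WithinOneEdit $norm $term) {
            return [pscustomobject]@{ Password = $Password; Normalized = $norm; Score = 0; Accepted = $false; Reason = "fuzzy match on '$term'" }
        }
    }

    # Documented scoring: each banned term found in the password scores 1 point, every other
    # character scores 1 point, and the total must reach 5. Longest terms are matched first and
    # characters already covered by a match are not counted again.
    $covered = [bool[]]::new($norm.Length)
    $hits = 0
    foreach ($term in $banned) {
        $start = 0
        while (($idx = $norm.IndexOf($term, $start)) -ge 0) {
            $overlap = $false
            for ($k = $idx; $k -lt $idx + $term.Length; $k++) { if ($covered[$k]) { $overlap = $true } }
            if (-not $overlap) {
                for ($k = $idx; $k -lt $idx + $term.Length; $k++) { $covered[$k] = $true }
                $hits++
            }
            $start = $idx + 1
        }
    }
    $free  = @($covered | Where-Object { -not $_ }).Count
    $score = $hits + $free
    [pscustomobject]@{ Password = $Password; Normalized = $norm; Score = $score; Accepted = ($score -ge 5); Reason = "$hits banned term(s) + $free other character(s)" }
}

# Constructed inputs: the first two are Microsoft's documented worked examples (4 points rejected, 5 points accepted),
# the third is caught by the fuzzy match because 'passwordal23' is one insertion away from 'passwordl23'.
"C0ntoS0Blank12", "ContoS0Bl@nkf9!", "Password@123" | ForEach-Object { Get-PasswordScore $_ $bannedList } | Format-Table -AutoSize
```

Two things the scoring makes visible: a banned term plus a couple of digits scores low and is rejected, while a banned term surrounded by enough unrelated characters passes, so the custom list is where organization-specific terms such as the company name must go; and whether a given seasonal or keyboard-pattern password is caught in a real tenant depends on what Microsoft ships in the global list, which this example only approximates.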

367
MCQmedium

An organization uses Microsoft Entra ID for identity management and wants to allow external partners to access their resources using their own corporate credentials. Which feature should they enable?

A.Entra External ID
B.Identity Protection
C.Conditional Access
D.Privileged Identity Management
AnswerA

Entra External ID enables B2B collaboration with external identities.

Why this answer

Microsoft Entra External ID, which includes the B2B collaboration capability formerly branded Azure AD B2B, lets organizations invite external partners to access resources with their own credentials. A partner on Microsoft Entra ID authenticates in their home tenant directly; partners on other identity systems are brought in through SAML/WS-Fed direct federation or an email one-time passcode, so no separate local password is issued either way.

Exam trap

The trap here is that candidates often confuse Conditional Access (a policy engine) with the ability to invite external identities, mistakenly thinking policies alone can grant external access without a federation mechanism.

How to eliminate wrong answers

Option B is wrong because Identity Protection is a risk-detection service that monitors sign-in anomalies and user risk, not a feature for inviting external users with their own credentials. Option C is wrong because Conditional Access enforces policy-based access controls (e.g., MFA, location) after authentication, but does not itself enable external identity federation. Option D is wrong because Privileged Identity Management manages just-in-time privileged role activation and access reviews for internal users, not external partner authentication.

368
MCQmedium

A company uses Microsoft Entra ID. The security team wants to enforce multifactor authentication (MFA) only when users sign in from devices that are not compliant with company security policies. They also want to block sign-ins from unknown geographic locations. Which Microsoft Entra feature should they configure?

A.Identity Protection
B.Privileged Identity Management (PIM)
C.Conditional Access
D.Self-Service Password Reset (SSPR)
AnswerC

Conditional Access enables granular access policies based on conditions like device compliance, location, and risk, meeting the requirements.

Why this answer

Conditional Access is the correct feature because it allows administrators to create policies that evaluate signals such as device compliance and geographic location before granting access. By configuring a policy that requires MFA for non-compliant devices and blocks sign-ins from unknown locations, the security team can enforce these specific conditions. This granular control is unique to Conditional Access, which integrates with Microsoft Entra ID to enforce access decisions based on real-time risk and context.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access with the broader Conditional Access feature, not realizing that Identity Protection only provides risk signals and requires Conditional Access to enforce the actual MFA or block action.

How to eliminate wrong answers

Option A is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anonymous IP addresses) but does not natively enforce MFA based on device compliance or block sign-ins from unknown geographic locations; it can trigger Conditional Access policies but is not the feature to configure the rules themselves. Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and access reviews, not for enforcing MFA or location-based blocking for regular user sign-ins. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords and does not provide any mechanism to enforce MFA or block sign-ins based on device compliance or geographic location.

369
Multi-Selectmedium

Which two capabilities are provided by Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Mobile device management (MDM)
B.Conditional Access policies
C.Identity protection with risk-based conditional access
D.Data loss prevention (DLP) for sensitive information
E.Cloud access security broker (CASB)
AnswersB, C

Conditional Access is a core Entra ID feature.

Why this answer

Conditional Access policies (B) are a core capability of Microsoft Entra ID, enabling administrators to enforce access controls based on signals like user location, device state, and application sensitivity. Identity Protection with risk-based conditional access (C) leverages machine learning to detect sign-in and user risks, automatically applying policies to block or require multi-factor authentication. Both are native to Microsoft Entra ID and integral to its identity and access management (IAM) framework.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID's identity-focused capabilities (Conditional Access, Identity Protection) with adjacent security services like Intune (MDM), Microsoft Purview (DLP), and Defender for Cloud Apps (CASB), which are separate products in the Microsoft security stack.

370
MCQmedium

Your organization uses Microsoft Entra ID for identity management. You need to ensure that users can sign in using their existing Facebook accounts without creating a separate Microsoft Entra ID account. What should you configure?

A.Configure Microsoft Entra ID Protection
B.Create a Microsoft Entra External ID tenant and add Facebook as an identity provider
C.Enable Microsoft Entra ID Domain Services
D.Configure Microsoft Entra ID Governance
AnswerB

Microsoft Entra External ID (B2C) allows adding social identity providers for customer-facing apps.

Why this answer

Option B is correct because Microsoft Entra External ID (formerly Azure AD B2C) is designed to allow external identities, such as social identity providers like Facebook, to authenticate users without requiring a separate Microsoft Entra ID account. By creating an External ID tenant and adding Facebook as an identity provider, you enable users to sign in using their existing Facebook credentials via OAuth 2.0 or OpenID Connect protocols.

Exam trap

The trap here is that candidates treat a standard (workforce) Microsoft Entra ID tenant as the place to add Facebook. A workforce tenant can federate with Facebook only for guest self-service sign-up through External Identities; for customers signing in to your own applications, the external tenant of Microsoft Entra External ID (the successor to Azure AD B2C) is the designed home, holding the social identity provider configuration and user flows without creating a workforce account for each user.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a security feature that detects and responds to identity risks (e.g., leaked credentials, sign-ins from anonymous IPs), not a mechanism for adding external identity providers like Facebook. Option C is wrong because Microsoft Entra ID Domain Services provides managed domain services (e.g., LDAP, Kerberos, NTLM) for legacy on-premises applications, not social identity federation. Option D is wrong because Microsoft Entra ID Governance focuses on managing identity lifecycle, access reviews, and entitlement management, not on configuring external authentication sources.

371
MCQmedium

A company uses Microsoft Entra ID. The security team wants to grant temporary, time-bound administrative access to the Microsoft 365 user management role for IT support staff. The access should require an approval from a senior administrator, and all actions should be audited. Which Microsoft Entra ID feature should they configure?

A.Conditional Access
B.Identity Protection
C.Privileged Identity Management (PIM)
D.Identity Governance
AnswerC

PIM provides JIT privileged access with activation, approval, and auditing, meeting all stated requirements.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID provides just-in-time (JIT) privileged access with time-bound role activation, approval workflows, and full auditing. This directly matches the requirement for temporary, approved administrative access to the Microsoft 365 user management role with audit trails.

Exam trap

The trap here is confusing Identity Governance (which handles access reviews and entitlement management for regular users) with Privileged Identity Management (which specifically handles just-in-time privileged role activation and approval).

How to eliminate wrong answers

Option A is wrong because Conditional Access controls authentication and access policies based on signals like location or device compliance, but it does not provide time-bound role activation or approval workflows for administrative roles. Option B is wrong because Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not manage privileged role assignments or approvals. Option D is wrong because Identity Governance focuses on access reviews, entitlement management, and lifecycle automation for regular users, not on just-in-time privileged role activation with approval.
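
The PIM workflow from question 371 (and the JIT-with-approval requirement in question 359), as an added example written for this page in Microsoft Graph PowerShell (not code from the original page or from Microsoft): an administrator makes a role-assignable support group eligible for User Administrator, a member later activates the role for a few hours with a justification, and the audit log records both. The group object ID and the justification text are placeholders; PIM requires Microsoft Entra ID P2 or Microsoft Entra ID Governance.

```powershell
# Added example: eligible assignment, just-in-time activation and audit trail with PIM, via the
# Microsoft Graph PowerShell SDK. PLACEHOLDER values are assumptions.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All", "User.Read"

$supportGroupId = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: role-assignable IT support group

# Resolve the role by display name instead of hard-coding the template ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Step 1 (administrator): make the group eligible, not active, for 90 days
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "IT support staff: JIT access to user management"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $supportGroupId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
"Eligibility request: $($eligibility.Status)"

# Step 2 (support engineer, later): activate for four hours with a justification.
# Whether approval is required, the maximum duration, and MFA-on-activation all come from the
# role's management policy (Role settings in the portal), not from this request.
$me = Get-MgUser -UserId (Get-MgContext).Account -Property Id
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Ticket reference goes here"   # PLACEHOLDER
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $me.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
"Activation request: $($activation.Status)"   # Provisioned, or PendingApproval while an approver must act

# Step 3: requests, approvals and activations are all written to the audit log under RoleManagement
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement'" -Top 20 |
    Select-Object ActivityDateTime, ActivityDisplayName, @{ n = "Actor"; e = { $_.InitiatedBy.User.UserPrincipalName } }, Result |
    Format-Table -AutoSize
```

The separation is the point of the question: step 1 grants nothing usable on its own, step 2 is time-bound and is held at `PendingApproval` when the role settings name an approver, and step 3 is the audit trail the security team asked for.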

372
MCQ · easy

Refer to the exhibit. The JSON shows a Conditional Access policy. What is the primary purpose of this policy?

A. Block legacy authentication protocols
B. Require MFA for all applications
C. Disable the policy for emergency access
D. Allow only iOS devices
Answer: A

The policy blocks client app types that use legacy protocols.

Why this answer

The policy is named 'Block legacy authentication' and applies a condition that blocks sign-in attempts from client apps using legacy protocols (e.g., POP3, IMAP4, SMTP, Exchange ActiveSync), which do not support modern authentication controls such as MFA. Blocking these protocols is a common security measure because credential-stuffing and password-spray attacks commonly target them precisely because MFA cannot be enforced on them.

Exam trap

The trap here is that candidates often confuse 'blocking legacy authentication' with 'requiring MFA' — the policy blocks the protocol entirely rather than prompting for an additional factor, which is a distinct control in Conditional Access.

How to eliminate wrong answers

Option B is wrong because the policy does not require MFA; it explicitly blocks authentication entirely, not just requiring an additional factor. Option C is wrong because the policy does not include any exclusion for emergency access accounts (e.g., break-glass accounts) — it applies to all users unless a separate exclusion is configured. Option D is wrong because the policy does not filter by device platform (iOS) — it targets authentication protocol, not device type.

373
MCQ · medium

Your company is implementing a hybrid identity solution with Microsoft Entra ID. Users report that they can sign in to Microsoft 365 but cannot access on-premises applications that are configured for integrated Windows authentication. You need to ensure seamless single sign-on (SSO) for both cloud and on-premises resources. What should you implement?

A. Implement Pass-through Authentication.
B. Deploy Active Directory Federation Services (AD FS).
C. Enable Microsoft Entra seamless SSO.
D. Configure password hash synchronization.
Answer: C

Seamless SSO provides automatic sign-in for domain-joined devices on the corporate network, covering both cloud and on-premises resources.

Why this answer

Microsoft Entra seamless SSO is the correct choice because it automatically signs users in when they are on domain-joined corporate devices connected to the corporate network, using Kerberos to provide single sign-on for both cloud resources (such as Microsoft 365) and on-premises applications configured for Integrated Windows Authentication (IWA). This removes the need for users to re-enter credentials when accessing on-premises apps after authenticating to the cloud.

Exam trap

The trap here is that candidates often assume Pass-through Authentication or password hash synchronization provides SSO for on-premises applications, but neither includes the Kerberos-based sign-in required for Integrated Windows Authentication, which is the specific need in this scenario.

How to eliminate wrong answers

Option A is wrong because Pass-through Authentication validates passwords against on-premises Active Directory but does not provide the Kerberos-based SSO needed for Integrated Windows Authentication to on-premises applications; it only handles cloud authentication. Option B is wrong because Active Directory Federation Services (AD FS) is a more complex on-premises federation solution that can provide SSO, but it is overkill for this scenario and not the simplest or recommended approach when Seamless SSO achieves the same goal with less infrastructure. Option D is wrong because password hash synchronization only synchronizes password hashes to the cloud for cloud authentication and does not enable Kerberos-based SSO for on-premises IWA applications.
