CCNA Entra Capabilities Questions


151
MCQ (easy)

A company wants to allow employees to sign in using their Microsoft credentials (e.g., personal Outlook.com) to access internal applications. Which Microsoft Entra feature should be configured?

A. Microsoft Entra B2B collaboration
B. Microsoft Entra device enrollment
C. Microsoft Entra hybrid identity
D. Microsoft Entra External ID
Answer: D

External ID supports consumer identities like Microsoft accounts.

Why this answer

Microsoft Entra External ID (formerly Azure AD External Identities) allows organizations to enable external users—including consumers with personal Microsoft accounts (e.g., Outlook.com)—to sign in to internal applications using their own credentials. This feature supports identity providers like Microsoft Accounts (MSA), Google, Facebook, and SAML/WS-Fed IdPs, making it the correct choice for allowing employees to use personal Outlook.com credentials for access.

Exam trap

The trap here is confusing Microsoft Entra B2B collaboration (which requires a business or school account) with Microsoft Entra External ID (which supports personal Microsoft accounts and social identities), leading candidates to incorrectly select B2B for consumer-facing scenarios.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2B collaboration is designed for business-to-business scenarios, enabling external business partners to access resources using their work or school accounts, not personal Microsoft accounts like Outlook.com. Option B is wrong because Microsoft Entra device enrollment is used to register devices (e.g., Windows, iOS, Android) for management and conditional access, not to configure external identity providers for sign-in. Option C is wrong because Microsoft Entra hybrid identity synchronizes on-premises Active Directory with Microsoft Entra ID for a unified identity across hybrid environments, but it does not enable external personal Microsoft accounts to sign in to internal applications.

152
MCQ (easy)

Your organization uses Microsoft Entra ID and needs to allow external partners to sign in using their own identity providers (e.g., Google or Facebook). Which Microsoft Entra feature should you configure?

A. Microsoft Entra Privileged Identity Management
B. Microsoft Entra External Identities (B2B collaboration)
C. Microsoft Entra Verified ID
D. Microsoft Entra Identity Protection
Answer: B

External Identities allows external users to sign in with their own identity providers.

Why this answer

Microsoft Entra External Identities (B2B collaboration) is the correct feature because it allows external partners to sign in using their own identity providers, such as Google or Facebook, through federation. B2B collaboration supports SAML/WS-Fed identity providers and social identity providers like Google, enabling guest users to access your organization's resources without needing a separate Microsoft account. This directly meets the requirement for external partner access with their own credentials.

Exam trap

The trap here is that candidates often confuse B2B collaboration with B2C (Azure AD B2C) or think PIM is needed for external access, but B2B collaboration is specifically designed for federating external identities from any IdP without requiring a separate directory.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Privileged Identity Management (PIM) is a feature for managing, controlling, and monitoring access to privileged roles within your own directory, not for enabling external identity providers. Option C is wrong because Microsoft Entra Verified ID is a decentralized identity solution based on verifiable credentials (W3C standards) for issuing and verifying claims, not for federating external sign-in with Google or Facebook. Option D is wrong because Microsoft Entra Identity Protection is a risk-based security tool that detects and responds to identity threats (e.g., leaked credentials, sign-in anomalies), not a feature for configuring external identity providers.

153
MCQ (medium)

A user reports frequent password reset requests. You suspect password spray attacks. Which Microsoft Entra ID feature should you use to investigate?

A. Identity Protection risk detections
B. Audit logs
C. Conditional Access policies
D. Multifactor authentication
Answer: A

Identity Protection detects password spray and other risks.

Why this answer

Identity Protection risk detections are the correct feature because they specifically analyze sign-in patterns and flag suspicious activities such as password spray attacks. A password spray attack involves an attacker trying a small number of common passwords against many accounts, and Identity Protection uses machine learning to detect this anomalous behavior and generate risk detections like 'Unfamiliar sign-in properties' or 'Malicious IP address'.

Exam trap

The trap here is that candidates confuse Audit logs (which show what happened) with Identity Protection risk detections (which analyze why it happened), leading them to pick Audit logs as the investigative tool for attack patterns.

How to eliminate wrong answers

Option B is wrong because Audit logs record administrative actions and configuration changes, not real-time sign-in risk analysis; they would show password reset events but not identify the attack pattern. Option C is wrong because Conditional Access policies enforce access controls based on conditions (e.g., require MFA), but they do not provide investigative insights into attack patterns like password spray. Option D is wrong because Multifactor authentication is a security control that adds a second verification step, not a detective tool for analyzing sign-in anomalies.

154
Multi-Select (easy)

Which TWO features are included in Microsoft Entra ID P2 licensing?

Select 2 answers
A. Passwordless authentication
B. Multifactor authentication (MFA)
C. Single sign-on (SSO) to SaaS apps
D. Microsoft Entra Privileged Identity Management
E. Microsoft Entra Identity Protection
Answers: D, E

PIM is a P2 feature.

Why this answer

Microsoft Entra ID P2 licensing includes Microsoft Entra Privileged Identity Management (PIM), which provides just-in-time privileged access, time-bound role assignments, and approval workflows to manage, control, and monitor access to Azure AD and Azure resources. PIM is a P2-only feature that helps reduce standing administrative privileges and enhances security posture.

Exam trap

The trap here is that candidates often confuse features available in Microsoft Entra ID P1 (like MFA, SSO, and passwordless) with P2-exclusive features, forgetting that P2 adds only advanced identity protection and privileged identity management on top of P1.

155
MCQ (medium)

Your organization uses Microsoft Entra ID for identity management. You need to enable users to sign in using a QR code from the Microsoft Authenticator app. Which Microsoft Entra feature should you configure?

A. FIDO2 security keys
B. Temporary Access Pass
C. Passwordless sign-in with Microsoft Authenticator
D. My Security-info (https://aka.ms/mysecurityinfo)
Answer: C

Passwordless sign-in with Authenticator uses QR codes or number match for sign-in.

Why this answer

The Microsoft Authenticator app supports passwordless sign-in by allowing users to approve a notification or scan a QR code from the sign-in screen. This feature eliminates the need for a password and relies on the Authenticator app as a primary authentication method, which is configured under the Passwordless sign-in with Microsoft Authenticator option in Entra ID.

Exam trap

The trap here is that candidates confuse the QR code scanning capability of the Authenticator app with FIDO2 security keys, but the question specifically asks about using the Microsoft Authenticator app, not a separate hardware device.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys are hardware-based passwordless credentials that use public-key cryptography, not QR codes from the Microsoft Authenticator app. Option B is wrong because Temporary Access Pass is a time-limited passcode used for onboarding or recovery scenarios, not for QR-code-based sign-in. Option D is wrong because My Security-info (https://aka.ms/mysecurityinfo) is a user portal for managing authentication methods, not a feature that enables QR-code sign-in.

156
MCQ (medium)

Refer to the exhibit. A user reports being unable to access Exchange Online from their personal laptop. The sign-in log shows failure due to device non-compliance. What should you configure to allow access while maintaining security?

A. Create a Conditional Access policy requiring compliant device
B. Reset the user's password
C. Block all personal devices
D. Enable MFA for the user
Answer: A

This policy will allow access only if the device is compliant.

Why this answer

The sign-in log indicates the failure is due to device non-compliance, meaning the user's personal laptop does not meet your organization's compliance policies (e.g., missing antivirus, encryption, or required updates). Creating a Conditional Access policy that requires a compliant device will block access from non-compliant devices while allowing access from compliant ones, maintaining security by enforcing device health checks before granting access to Exchange Online.

Exam trap

The trap here is that candidates often confuse device compliance with authentication factors like MFA or password resets, but the sign-in log explicitly states the failure is due to device non-compliance, so the solution must enforce device health, not just user identity verification.

How to eliminate wrong answers

Option B is wrong because resetting the user's password addresses credential compromise, not device compliance; the failure is due to the device not meeting compliance requirements, not an incorrect password. Option C is wrong because blocking all personal devices is overly restrictive and not necessary; Conditional Access can selectively allow compliant personal devices while blocking non-compliant ones, preserving user productivity. Option D is wrong because enabling MFA strengthens authentication but does not enforce device compliance; the sign-in failure is specifically due to device non-compliance, not a lack of multi-factor authentication.

157
MCQ (hard)

A company needs to provide a developer with temporary, time-bound administrative access to Azure resources to debug a production issue. The access must require approval from the manager and automatically expire after 4 hours. Which Microsoft Entra capability should they use?

A. Privileged Identity Management (PIM)
B. Conditional Access
C. Identity Protection
D. Entitlement Management
Answer: A

PIM enables JIT activation of privileged roles with time limits, approval, and justification, perfectly matching the requirements.

Why this answer

Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access to Azure resources with time-bound activation, approval workflows, and automatic expiration. This directly matches the requirement for temporary, manager-approved administrative access that expires after 4 hours.

Exam trap

The trap here is confusing Entitlement Management (which manages access to apps/groups via access packages) with PIM (which manages time-bound role activation for Azure resources), leading candidates to pick D when the scenario explicitly requires Azure resource administrative access with automatic expiration.

How to eliminate wrong answers

Option B (Conditional Access) is wrong because it enforces access policies based on signals like location or device compliance, not time-bound role activation with approval. Option C (Identity Protection) is wrong because it detects and remediates identity-based risks like leaked credentials, not manages privileged access. Option D (Entitlement Management) is wrong because it governs access to applications and groups via access packages, not Azure resource roles with automatic expiration.

158
MCQ (hard)

A company uses Microsoft Entra ID. They have a critical application that requires additional security. The security team wants to enforce multifactor authentication (MFA) for every access to the application, but they also want users to reauthenticate with MFA if a session lasts longer than 60 minutes, regardless of device compliance. Which Conditional Access control should the administrator configure?

A. Grant control: Require multifactor authentication
B. Session control: Sign-in frequency
C. Session control: Application enforced restrictions
D. Grant control: Require device to be marked as compliant
Answer: B

Sign-in frequency as a session control forces users to reauthenticate after a specified time period, ensuring MFA is revalidated if the session exceeds 60 minutes.

Why this answer

The requirement to force reauthentication with MFA after a specific time period (60 minutes) is a session-level control, not a grant control. The 'Sign-in frequency' session control in Conditional Access allows administrators to define how often a user must reauthenticate, including re-prompting for MFA, regardless of device compliance. This directly meets the scenario's need for a time-based reauthentication policy.

Exam trap

The trap here is that candidates confuse 'Grant controls' (which enforce conditions at sign-in) with 'Session controls' (which manage behavior after sign-in), leading them to select 'Require multifactor authentication' instead of 'Sign-in frequency' for time-based reauthentication.

How to eliminate wrong answers

Option A is wrong because 'Grant control: Require multifactor authentication' enforces MFA at initial sign-in but does not enforce reauthentication after a session duration; it lacks the time-based re-prompting capability. Option C is wrong because 'Session control: Application enforced restrictions' relies on the application itself to enforce policies (e.g., via device-based conditional access in Exchange Online), not on Entra ID to force reauthentication after a fixed time. Option D is wrong because 'Grant control: Require device to be marked as compliant' checks device health at sign-in but does not enforce a session timeout or reauthentication frequency, and the scenario explicitly states 'regardless of device compliance'.

159
MCQ (easy)

A user reports they cannot access the company portal from their personal device. The device is not enrolled in Microsoft Intune. The admin wants to ensure only compliant devices can access corporate resources. What should the admin configure?

A. Conditional Access policy requiring device compliance
B. Enable password writeback
C. Enable Identity Protection sign-in risk policy
D. Microsoft Entra Privileged Identity Management
Answer: A

Conditional Access can require devices to be compliant via Intune.

Why this answer

A is correct because a Conditional Access policy can require device compliance before granting access to corporate resources. When the device is not enrolled in Microsoft Intune, it cannot report compliance status, so the policy blocks access. This ensures only managed, compliant devices can access the company portal.

Exam trap

The trap here is that candidates confuse device compliance policies with sign-in risk policies or identity governance features, mistakenly thinking risk-based controls or PIM can enforce device health, when only Conditional Access with Intune compliance can block non-enrolled personal devices.

How to eliminate wrong answers

Option B is wrong because password writeback is a feature for on-premises password synchronization to Entra ID, not for controlling device access. Option C is wrong because Identity Protection sign-in risk policy evaluates user sign-in risk (e.g., anonymous IP, leaked credentials), not device compliance. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation, not device-level access control.

160
MCQ (hard)

Refer to the exhibit. You are reviewing Microsoft Entra sign-in logs. Which statement is true?

A. jdoe's sign-in had no risk detected.
B. jdoe's sign-in failed Conditional Access.
C. asmith's sign-in was likely from an application or service principal.
D. asmith's sign-in had a high risk level.
Answer: C

NonInteractiveUser sign-in type indicates a client application or service principal, not a user interactive session.

Why this answer

Option C is correct because the sign-in log entry for asmith shows an 'Application' sign-in type, which indicates the authentication was performed by an application or service principal rather than a user. In Microsoft Entra ID, sign-ins from applications or service principals are logged with a distinct sign-in type, and the exhibit displays 'Application' for asmith's entry, confirming this.

Exam trap

The trap here is that candidates may assume all sign-in logs represent user sign-ins and overlook the 'Sign-in type' column, leading them to misinterpret the risk level or Conditional Access status for a service principal entry.

How to eliminate wrong answers

Option A is wrong because the sign-in log for jdoe shows a 'Risk level' of 'Medium', indicating risk was detected, not 'No risk'. Option B is wrong because the sign-in log for jdoe shows 'Conditional Access' status as 'Success', not 'Failure', meaning Conditional Access policies were satisfied. Option D is wrong because the sign-in log for asmith shows a 'Risk level' of 'Low', not 'High'.

161
MCQ (medium)

A company uses Microsoft Entra ID. They want to ensure that users who are traveling to a high-risk country, based on the sign-in IP address, are prompted for multi-factor authentication before accessing the company's CRM application. Which Microsoft Entra ID feature should they configure?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management
D. Azure AD Join
Answer: A

Correct. Conditional Access policies can include location conditions (e.g., named locations with trusted IPs or countries) to require actions like MFA based on where the sign-in originates.

Why this answer

Conditional Access is the correct feature because it allows administrators to create policies that evaluate sign-in signals—such as the user's location derived from the IP address—and enforce access controls like requiring multi-factor authentication (MFA) before granting access to a specific application (e.g., the CRM app). By configuring a Conditional Access policy with a location condition targeting high-risk countries, the company can ensure that only users signing in from those IP ranges are prompted for MFA, while other sign-ins proceed normally.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based MFA (which uses machine learning on user behavior) with Conditional Access's location-based MFA (which uses static IP-to-country mapping), leading them to select Identity Protection when the question explicitly specifies a high-risk country based on IP address rather than a risk score.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and remediating identity-based risks (e.g., leaked credentials, impossible travel) and can trigger MFA via integration with Conditional Access, but it does not directly enforce MFA based on a static IP address location—it requires a risk level condition, not a geographic location condition. Option C (Privileged Identity Management) is wrong because it is designed for just-in-time privileged role activation and access reviews, not for applying MFA based on sign-in location or IP address. Option D (Azure AD Join) is wrong because it is a device identity and management feature that registers devices to Entra ID for SSO and compliance, and it has no capability to enforce MFA based on geographic location of the sign-in IP.

162
MCQ (easy)

A company needs to allow external business partners to securely access internal SharePoint Online sites and Teams channels. The partners use various identity providers, including Microsoft Entra ID and Google. The company wants to manage these external users in their directory and assign access policies. Which Microsoft Entra ID capability should they use?

A. Microsoft Entra B2C (Business to Customer)
B. Microsoft Entra External ID (B2B Collaboration)
C. Microsoft Entra Domain Services
D. Microsoft Entra Identity Protection
Answer: B

B2B Collaboration allows external partners to use their own identities to access internal apps and resources, with management in your directory.

Why this answer

Microsoft Entra External ID (B2B Collaboration) is the correct capability because it allows the company to invite external business partners (B2B users) from any identity provider, including Microsoft Entra ID and Google, into their own Microsoft Entra directory. This enables the company to manage these external users in their directory, assign conditional access policies, and grant them secure access to internal SharePoint Online sites and Teams channels without requiring a separate application or customer-facing identity system.

Exam trap

The trap here is that candidates often confuse Microsoft Entra B2C (for customers) with B2B Collaboration (for business partners), leading them to select B2C because both involve external users, but B2C is for consumer-facing apps, not for granting access to internal resources like SharePoint and Teams.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra B2C (Business to Customer) is designed for customer-facing applications where external users sign in with social or local identities, not for managing business partners in the company's directory with access to internal resources like SharePoint and Teams. Option C is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP, Kerberos, and NTLM for legacy applications, not for inviting and managing external business partners. Option D is wrong because Microsoft Entra Identity Protection is a security tool that detects identity-based risks and vulnerabilities, not a capability for inviting or managing external users.

163
Multi-Select (hard)

Which TWO of the following are supported identity types for Microsoft Entra External ID? (Select two.)

Select 2 answers
A. OAuth 2.0 token identities
B. Social identities (e.g., Google, Facebook)
C. X.509 certificate-based identities
D. Enterprise identities from SAML/WS-Federation identity providers
E. Biometric identities (fingerprint, face)
Answers: B, D

External ID allows social identity providers.

Why this answer

Microsoft Entra External ID supports social identities (like Google and Facebook) as external identity providers, allowing users to sign in with their existing social accounts. This is a core feature of External ID, enabling B2B and B2C scenarios without requiring users to create new Microsoft accounts.

Exam trap

The trap here is that candidates confuse authentication methods (like biometrics or certificates) with identity provider types, or assume OAuth 2.0 tokens are an identity type rather than a protocol used to exchange identity information.

164
Multi-Select (medium)

Which THREE of the following are capabilities of Microsoft Entra ID Governance?

Select 3 answers
A. Self-service password reset
B. Access reviews
C. Privileged Identity Management
D. Entitlement management
E. Conditional access
Answers: B, C, D

Access reviews are part of identity governance.

Why this answer

Access reviews are a core capability of Microsoft Entra ID Governance, enabling organizations to periodically review and certify user access to resources, groups, and applications. This ensures compliance with internal policies and regulatory requirements by automating the attestation process and removing stale or excessive permissions.

Exam trap

The trap here is that candidates often confuse security features like Conditional Access or SSPR with governance capabilities, but Microsoft Entra ID Governance specifically focuses on identity lifecycle management, access reviews, entitlement management, and privileged identity management, not on authentication or policy enforcement.

165
MCQ (medium)

A company with Microsoft 365 wants employees to access corporate applications from their personal Android and iOS devices. The security team requires that these devices be enrolled in mobile device management (MDM) for compliance policies, and that company data can be selectively wiped from the device without affecting personal data. Which Microsoft Entra device identity type should they configure for these personal devices?

A. Microsoft Entra registered
B. Microsoft Entra joined
C. Microsoft Entra hybrid joined
D. Microsoft Entra managed
Answer: A

Correct. Microsoft Entra registered is designed for personal devices (BYOD) and supports MDM enrollment and selective wipe.

Why this answer

Microsoft Entra registered is the correct device identity type for personal (BYOD) devices because it supports enrollment in MDM for compliance policies and enables selective wipe of company data without affecting personal data. This identity type registers the device with Entra ID without requiring organizational ownership, allowing users to access corporate applications while maintaining personal data separation.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra joined' with 'Microsoft Entra registered' because both involve device identity, but Entra joined implies full organizational control and no selective wipe capability, making it unsuitable for BYOD scenarios.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra joined is designed for organization-owned devices that are fully managed by the organization, not for personal BYOD devices, and it does not support selective wipe of only company data. Option C is wrong because Microsoft Entra hybrid joined requires on-premises Active Directory domain join and is intended for organization-owned devices that need both on-premises and cloud access, not for personal devices. Option D is wrong because 'Microsoft Entra managed' is not a valid device identity type in Microsoft Entra; the valid types are Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined.

166
Multi-Select (easy)

Which two scenarios are examples of using Microsoft Entra business-to-business (B2B) collaboration? (Choose two.)

Select 2 answers
A. A user from a partner organization is invited to access a SharePoint Online site.
B. An employee uses their Microsoft Entra ID to sign in to a third-party SaaS application.
C. Two internal departments share resources within the same tenant.
D. A vendor employee uses their own work email to access a Power BI dashboard shared by your company.
E. Customers use their Facebook accounts to sign in to a company's web application.
Answers: A, D

B2B collaboration allows inviting external users from partner organizations.

Why this answer

Option A is correct because Microsoft Entra B2B collaboration allows you to invite external users from partner organizations to access your company's resources, such as a SharePoint Online site. The invited user authenticates using their own home tenant credentials, and a B2B guest user object is created in your directory to represent them.

Exam trap

The trap here is confusing B2B collaboration (inviting external business partners with work/school accounts) with B2C collaboration (allowing consumers to sign in with social identities like Facebook or Google), leading candidates to incorrectly select Option E.

167
MCQ (medium)

A company uses Microsoft Entra ID and requires that all guest users from a partner organization must sign in using Microsoft Authenticator for MFA. The partner organization manages their own identities. What should you configure?

A. Enable Microsoft Entra ID Protection and configure MFA registration policy for guests
B. Use Microsoft Entra ID Governance to require access reviews for guests
C. Configure cross-tenant access settings to trust MFA from the partner's Microsoft Entra ID tenant
D. Create a Conditional Access policy that requires MFA for guest users
Answer: C

Cross-tenant access settings allow you to accept MFA claims from external tenants.

Why this answer

Option C is correct because cross-tenant access settings in Microsoft Entra ID allow you to trust MFA claims from an external partner's tenant. Since the partner manages their own identities, trusting their MFA ensures that guest users from that partner organization can satisfy MFA requirements using their own Microsoft Authenticator without needing to register again in your tenant.

Exam trap

The trap here is that candidates often assume a Conditional Access policy (Option D) is the standard way to enforce MFA for guests, but they overlook the cross-tenant trust mechanism that allows the partner to manage their own MFA without guest user registration in the resource tenant.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection's MFA registration policy applies to users in your own tenant, not to guest users from a partner organization that manages their own identities. Option B is wrong because access reviews are used to periodically review and certify guest access, not to enforce MFA authentication requirements. Option D is wrong because a Conditional Access policy requiring MFA for guest users would force them to register for MFA in your tenant, which contradicts the requirement that the partner organization manages their own identities and that guests sign in using their own Microsoft Authenticator.

168
Multi-Select (easy)

Which TWO scenarios are supported by Microsoft Entra B2B collaboration? (Choose two.)

Select 2 answers
A. Set up federation with social identity providers
B. Invite external users via email to access resources
C. External users authenticate using Google or Facebook accounts
D. External users sign in with their own Azure AD or Microsoft account
E. External users are provisioned with on-premises Active Directory accounts
Answers: B, D

B2B invitations can be sent via email.

Why this answer

Option B is correct because Microsoft Entra B2B collaboration allows you to invite external users via email to access your organization's resources. This is the core functionality of B2B collaboration, where an invitation email is sent to the external user, and upon accepting, they are granted access to the specified applications or resources.

Exam trap

The trap here is that candidates confuse Microsoft Entra B2B collaboration with Microsoft Entra B2C, mistakenly thinking B2B supports social identity providers like Google or Facebook as a primary authentication method, when in fact B2B is designed for business-to-business scenarios using enterprise identities.

169
MCQ (medium)

A company wants to reduce the risk of privileged account misuse. They need to provide temporary, time-bound access to administrative roles in Microsoft Entra ID and require approval from a manager before granting the access. Which Microsoft Entra capability should they use?

A. Conditional Access policies
B. Microsoft Entra Privileged Identity Management (PIM)
C. Identity Protection
D. Entra ID Governance (Access Reviews)
Answer: B

PIM provides just-in-time privileged access with approval workflows, time-limited roles, and auditing.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by allowing administrators to activate roles for a limited, time-bound duration. It also supports approval workflows, requiring a manager's approval before role activation is granted, directly addressing the need for temporary, approved access to administrative roles.

Exam trap

The trap here is that candidates often confuse PIM with Conditional Access or Access Reviews, mistakenly thinking those services can enforce time-bound approvals, but only PIM combines JIT activation with an approval workflow for privileged roles.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies enforce access controls based on conditions like location or device compliance, but they do not provide time-bound role activation or approval workflows for privileged roles. Option C is wrong because Identity Protection detects and responds to identity-based risks (e.g., leaked credentials, sign-in anomalies), but it does not manage privileged role activation or require approval for role assignment. Option D is wrong because Entra ID Governance (Access Reviews) enables periodic review of existing role assignments to ensure they are still needed, but it does not provide temporary, time-bound activation with an approval process.

170
MCQ (hard)

Your organization has implemented Microsoft Entra ID Governance. You need to review and attest to the access rights of users in a specific group every quarter. The group contains both direct members and members from nested groups. Which Microsoft Entra feature should you use to automate this review?

A. Lifecycle workflows
B. Access reviews
C. Privileged Identity Management
D. Entitlement management
Answer: B

Access reviews can be configured to review group membership periodically.

Why this answer

Access Reviews in Microsoft Entra ID Governance allow you to create recurring reviews of group membership, including both direct members and transitive members from nested groups. This feature automates the attestation process by sending reviewers notifications and tracking their decisions, ensuring compliance with quarterly review requirements.

Exam trap

The trap here is confusing Entitlement Management (which handles access requests and packages) with Access Reviews (which handle periodic attestation), leading candidates to pick D when the question explicitly requires a recurring review and attestation workflow.

How to eliminate wrong answers

Option A is wrong because Lifecycle Workflows automate joiner-mover-leaver processes (e.g., provisioning/deprovisioning accounts), not periodic access attestation. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time activation and oversight of privileged roles, not recurring reviews of standard group membership. Option D is wrong because Entitlement Management manages access packages and catalogs for requesting resources, but does not natively provide recurring attestation workflows for existing group members.

171
MCQ (medium)

Your organization has a Microsoft Entra ID tenant with 5,000 users. You need to implement a solution to allow external partners to access a specific SharePoint Online site. The partners must use their own email addresses to sign in. You want to enforce multifactor authentication for all external users. Additionally, you need to ensure that external users are automatically removed from the site after 90 days. You have the following requirements:

1. Use built-in Microsoft Entra features.
2. Minimize administrative effort.
3. The solution must support automatic expiration of access.

What should you do?

A. Configure Microsoft Entra Cloud Sync to sync partner accounts from their on-premises AD.
B. Enable self-service sign-up for external users and configure an access review policy.
C. Configure Microsoft Entra B2B collaboration to invite partners, create a Conditional Access policy requiring MFA for guests, and set up an access review to remove inactive guests after 90 days.
D. Create guest accounts manually and use Azure AD Domain Services to enforce MFA.
Answer: C

B2B collaboration invites partners, Conditional Access enforces MFA, and access review automates removal.

Why this answer

Option C is correct because Microsoft Entra B2B collaboration allows external partners to sign in with their own email addresses, and a Conditional Access policy can enforce MFA for guest users. An access review policy can automatically remove external users after 90 days of inactivity, meeting the requirement for automatic expiration with minimal administrative effort using built-in features.

Exam trap

The trap here is that candidates may confuse self-service sign-up (Option B) with B2B collaboration, but self-service sign-up does not support MFA enforcement or automatic expiration, while B2B collaboration with access reviews does.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Cloud Sync is designed to sync users from on-premises AD to Entra ID, not to invite external partners with their own email addresses; it does not support automatic expiration of access. Option B is wrong because self-service sign-up allows users to create accounts on their own but does not provide a mechanism to enforce MFA for external users or automatically remove them after 90 days; access reviews require explicit configuration and are not part of self-service sign-up. Option D is wrong because manually creating guest accounts is not a built-in feature for automatic expiration, and Azure AD Domain Services (now Microsoft Entra Domain Services) is used for domain join and legacy authentication, not for enforcing MFA on external users; it does not address the automatic removal requirement.

172
MCQ (hard)

Refer to the exhibit. You are reviewing Microsoft Entra sign-in logs for a user. The user successfully signed in from a mobile device running iOS, located in the US, with medium risk level. The sign-in did not require MFA. You have a Conditional Access policy that requires MFA for all users when sign-in risk is medium or higher. Why was MFA not triggered?

A. The Conditional Access policy may exclude 'Mobile Apps and Desktop clients' client apps.
B. The device is not compliant, so MFA was not required.
C. The sign-in risk level is medium, which is below the threshold.
D. The user is not assigned to the Conditional Access policy.
Answer: A

The policy might not apply to mobile app sign-ins, so MFA is not triggered.

Why this answer

Option A is correct because the Conditional Access policy can be configured to exclude specific client apps, such as 'Mobile Apps and Desktop clients'. If the policy excludes these client apps, the sign-in from an iOS mobile device would not be subject to the MFA requirement, even though the sign-in risk is medium. The sign-in logs confirm MFA was not required, indicating the policy did not apply to this client app type.

Exam trap

The trap here is that candidates assume a medium risk level always triggers MFA, overlooking the client apps exclusion condition that can bypass the policy for specific device types.

How to eliminate wrong answers

Option B is wrong because device compliance is not a condition in the described policy; the policy only requires MFA based on sign-in risk, not device compliance. Option C is wrong because the policy explicitly requires MFA when sign-in risk is medium or higher, and the sign-in risk is medium, so the threshold is met. Option D is wrong because the user successfully signed in, and the policy applies to 'all users' unless specifically excluded; the logs show the policy did not trigger, which points to a client app exclusion rather than user assignment.

173
MCQ (easy)

Your company is implementing a passwordless authentication strategy. You want users to be able to sign in using the Microsoft Authenticator app on their mobile devices. Which Microsoft Entra feature should you enable?

A. Windows Hello for Business
B. Passwordless phone sign-in with Microsoft Authenticator
C. FIDO2 security keys
D. Temporary Access Pass
Answer: B

This allows users to sign in using the Authenticator app on their phone.

Why this answer

Passwordless phone sign-in with Microsoft Authenticator allows users to sign in without entering a password by approving a notification or entering a number displayed on the screen. This directly aligns with the requirement to use the Microsoft Authenticator app on mobile devices for a passwordless authentication strategy.

Exam trap

The trap here is that candidates may confuse 'passwordless' with any non-password method, but the question specifically requires the Microsoft Authenticator app, which eliminates Windows Hello for Business (device-bound) and FIDO2 (hardware-bound) as valid options.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business is a biometric or PIN-based credential tied to a specific Windows device, not a mobile app-based solution. Option C is wrong because FIDO2 security keys are hardware-based external devices (e.g., USB keys) that require physical possession, not the Microsoft Authenticator app on a mobile phone. Option D is wrong because Temporary Access Pass is a time-limited passcode used for onboarding or recovery scenarios, not a persistent passwordless sign-in method using the Authenticator app.

174
MCQ (hard)

Your organization is implementing Microsoft Entra Internet Access. You need to secure access to public internet apps by enforcing traffic routing through Microsoft's network. Which feature should you enable?

A. Conditional Access
B. Global Secure Access
C. DDoS protection
D. Network segmentation
Answer: B

Global Secure Access routes traffic through Microsoft's security perimeter.

Why this answer

Microsoft Entra Internet Access (part of Global Secure Access) routes traffic from users and devices through the Microsoft network to enforce security policies for public internet apps. Enabling Global Secure Access allows you to configure traffic forwarding profiles that redirect internet-bound traffic through Microsoft Entra Internet Access, ensuring consistent policy enforcement and threat protection.

Exam trap

The trap here is that candidates often confuse Conditional Access (an identity-based policy tool) with network-level traffic routing, not realizing that Global Secure Access is the specific feature designed to enforce traffic routing through Microsoft's network for internet-bound apps.

How to eliminate wrong answers

Option A is wrong because Conditional Access is an identity-driven policy engine that enforces access controls based on signals like user, device, and location, but it does not route traffic through Microsoft's network. Option C is wrong because DDoS protection (Azure DDoS Protection) mitigates distributed denial-of-service attacks at the network layer, not traffic routing or secure access to internet apps. Option D is wrong because network segmentation (e.g., virtual networks, subnets) isolates network traffic within an organization's infrastructure but does not redirect internet-bound traffic through Microsoft's network.

175
MCQ (easy)

A company uses Microsoft Entra ID to manage user access to cloud applications. The security team wants to enforce that users must provide a second form of authentication, such as a phone call or mobile app notification, in addition to their password. Which Microsoft Entra capability should they enable?

A. Conditional Access
B. Identity Protection
C. Multi-Factor Authentication (MFA)
D. Privileged Identity Management
Answer: C

MFA is the feature that requires a second verification method, such as phone call or app notification, in addition to the password.

Why this answer

Multi-Factor Authentication (MFA) is the correct capability because it requires users to provide a second form of authentication (e.g., phone call, mobile app notification) in addition to their password. This directly addresses the security team's requirement for a second authentication factor, which is the core function of MFA in Microsoft Entra ID.

Exam trap

The trap here is that candidates may confuse Conditional Access (which can *require* MFA) with the actual MFA capability itself, but the question asks for the capability that *provides* the second form of authentication, not the policy that enforces it.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces conditions (e.g., location, device state) to grant access, but it does not itself provide a second authentication factor; it can require MFA as a control, but the capability to provide the second factor is MFA. Option B is wrong because Identity Protection uses risk signals (e.g., leaked credentials, anonymous IP addresses) to detect and respond to potential identity threats, but it does not enforce a second authentication factor; it can trigger MFA via Conditional Access, but the second factor itself is MFA. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not the enforcement of a second authentication factor for all users.

176
Multi-Select (easy)

Which THREE features are included in Microsoft Entra ID Free? (Choose three.)

Select 3 answers
A. Security reports and alerts
B. Self-service password reset with on-premises writeback
C. Conditional Access
D. Single sign-on for up to 10 apps per user
E. User provisioning from cloud HR apps
Answers: A, D, E

Free includes basic security reports.

Why this answer

Option A is correct because Microsoft Entra ID Free includes basic security reports and alerts that provide insights into sign-in activities and potential risks, such as sign-ins from unfamiliar locations or devices. These reports are part of the built-in Identity Security Reports, which are available at no additional cost in the Free tier.

Exam trap

The trap here is that candidates often confuse the Free tier's capabilities with premium features, mistakenly assuming that SSPR writeback or Conditional Access are included, when in fact they require P1 or P2 licensing.

177
MCQ (medium)

A company uses Microsoft Entra ID. The security team wants to automatically detect user behaviors that indicate possible compromise, such as leaked credentials, impossible travel, or anomalous login patterns. When a user is determined to be at high risk, the system should automatically require the user to reset their password the next time they sign in. Which Microsoft Entra capability should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Identity Governance
Answer: B

Identity Protection includes user risk policies that can automatically require a password reset when risk is high, providing the desired automated remediation.

Why this answer

Identity Protection is the correct Microsoft Entra capability because it is specifically designed to automatically detect risky user behaviors such as leaked credentials, impossible travel, and anomalous sign-in patterns. It assigns a risk level to users and sign-ins, and can be configured with a Conditional Access policy to enforce actions like requiring a password reset at next sign-in when a user is deemed high risk. This directly matches the security team's requirement for automated detection and remediation.

Exam trap

Microsoft often tests the distinction between detection and enforcement: candidates mistakenly choose Conditional Access because it enforces the password reset, but the question asks for the capability that automatically detects the risky behaviors, which is Identity Protection—Conditional Access is the enforcement mechanism, not the detection engine.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls based on conditions (e.g., location, device state), but it does not itself detect risky behaviors like leaked credentials or impossible travel; it relies on Identity Protection to provide the risk signals. Option C is wrong because Privileged Identity Management (PIM) focuses on just-in-time privileged role activation, approval workflows, and access reviews for administrative roles, not on detecting user compromise behaviors or enforcing password resets for risky users. Option D is wrong because Identity Governance manages user lifecycle, access certifications, and entitlement management (e.g., access reviews, group membership), but it does not include risk detection or automatic remediation for compromised accounts.

178
MCQ (easy)

A company uses Microsoft Entra ID. A new IT support technician is hired and needs to be able to reset passwords for users but must not be allowed to delete user accounts or modify group memberships. Which built-in Microsoft Entra ID role should be assigned to this technician?

A. User Administrator
B. Password Administrator
C. Helpdesk Administrator
D. Global Administrator
Answer: B

Password Administrators can reset passwords, manage service requests, and monitor service health, but cannot delete users or manage groups, meeting the requirement exactly.

Why this answer

The Password Administrator role is the correct choice because it grants the specific permissions required to reset passwords for all users, including administrators, while explicitly excluding permissions to delete user accounts or modify group memberships. This role is designed for scenarios where a technician needs to perform password-related tasks without broader user management capabilities.

Exam trap

The trap here is that candidates often confuse the Password Administrator role with the Helpdesk Administrator role, mistakenly thinking the latter is more restrictive, when in fact the Helpdesk Administrator has broader user management capabilities including modifying user properties and managing support tickets.

How to eliminate wrong answers

Option A is wrong because the User Administrator role includes permissions to create, delete, and manage user accounts and groups, which exceeds the required scope and would allow the technician to delete user accounts or modify group memberships. Option C is wrong because the Helpdesk Administrator role, while it can reset passwords for non-administrator users and manage support tickets, also includes permissions to manage user accounts (e.g., modify user properties) and does not restrict the ability to delete accounts or modify group memberships as tightly as the Password Administrator role. Option D is wrong because the Global Administrator role has full access to all administrative features in Microsoft Entra ID, including the ability to delete user accounts and modify group memberships, which is far beyond the required permissions.

179
MCQ (medium)

A company has several custom-developed web applications hosted on-premises. The company wants to provide employees with secure remote access to these applications without deploying a traditional VPN. Employees should be able to sign in using their existing Microsoft Entra ID credentials, and the solution should pass through multi-factor authentication policies. Which Microsoft Entra ID feature should they implement?

A. Microsoft Entra Application Proxy
B. Microsoft Entra Domain Services
C. Microsoft Entra Privileged Identity Management
D. Microsoft Entra Identity Protection
Answer: A

Correct. Application Proxy provides secure remote access to on-premises web apps using Entra ID authentication, supporting MFA and conditional access policies without requiring a VPN.

Why this answer

Microsoft Entra Application Proxy provides secure remote access to on-premises web applications by acting as a reverse proxy. It allows employees to sign in with their existing Microsoft Entra ID credentials and enforces conditional access policies, including multi-factor authentication, without requiring a traditional VPN.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Application Proxy with a traditional VPN or assume that Microsoft Entra Domain Services is needed for authentication, but the key requirement is secure remote access without VPN, which only Application Proxy fulfills by acting as a reverse proxy with Entra ID integration.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra Domain Services provides managed domain services like LDAP, Kerberos, and NTLM for legacy applications, not reverse proxy-based remote access. Option C is wrong because Microsoft Entra Privileged Identity Management manages just-in-time privileged role assignments and access reviews, not remote application access. Option D is wrong because Microsoft Entra Identity Protection detects and responds to identity-based risks using signals like leaked credentials and anomalous behavior, but does not provide a reverse proxy for accessing on-premises apps.

180
Multi-Select (medium)

Which THREE of the following are features of Microsoft Entra ID Governance? (Select three.)

Select 3 answers
A. Access reviews
B. Privileged Identity Management (PIM)
C. Entitlement management
D. Self-service password reset
E. Multifactor authentication
Answers: A, B, C

Access reviews allow periodic review of user access rights.

Why this answer

Access reviews are a core feature of Microsoft Entra ID Governance, enabling administrators to periodically review and certify user access rights to ensure they remain appropriate. This supports compliance, security, and lifecycle management by automating attestation workflows.

Exam trap

The trap here is that candidates confuse security features like MFA and SSPR (which are part of Microsoft Entra ID's core authentication and protection capabilities) with governance features, which specifically focus on access lifecycle, attestation, and privileged role management.

181
MCQ (medium)

Refer to the exhibit. The JSON snippet shows an app registration in Microsoft Entra ID. The password credential endDateTime is set to 2025-12-31. What will happen when that date is reached?

A. The secret will renew automatically.
B. The app will be unable to authenticate using that secret.
C. The app registration will be automatically deleted.
D. The app will be blocked from signing in.
Answer: B

The secret expires and cannot be used for authentication.

Why this answer

When the password credential (client secret) reaches its endDateTime, the secret expires and becomes invalid. Microsoft Entra ID does not automatically renew secrets; the application must use a valid secret to authenticate. Once expired, any authentication attempt using that secret will fail, preventing the app from obtaining tokens.

Exam trap

The trap here is that candidates may assume secrets auto-renew or that the app registration is deleted, but Microsoft Entra ID treats secrets as static credentials that must be manually managed before expiration.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID does not automatically renew client secrets; the secret must be manually rotated or renewed by an administrator or via automation. Option C is wrong because an expired secret does not trigger deletion of the app registration; the registration remains intact and can be updated with a new secret. Option D is wrong because the app itself is not blocked from signing in; only the specific expired secret becomes invalid, and the app can still authenticate using a different valid secret or certificate.

182
MCQ (easy)

You are a security administrator for a company using Microsoft Entra ID P2. The company has a critical application that should only be accessible by a specific group of users (the 'Finance' group). You need to ensure that any access to this application is automatically logged and that an administrator is notified when a user outside the Finance group attempts to access it. Additionally, the CEO wants a quarterly review of all users who have access to this application. Which combination of features should you use?

A. Grant access to the application via B2B collaboration and configure auditing.
B. Use Identity Protection to detect access attempts from non-Finance users and send alerts.
C. Assign the application to the Finance group using Privileged Identity Management, and enable sign-in logs.
D. Create a Conditional Access policy that restricts access to the Finance group, configure audit logging for the application, and set up an access review for the Finance group.
Answer: D

Conditional Access enforces access restriction, audit logs capture activity, and access reviews provide periodic recertification.

Why this answer

Option D is correct because Conditional Access can block access from non-Finance users, and access reviews provide quarterly recertification. Option A is wrong because B2B collaboration is for external users. Option B is wrong because Identity Protection does not manage group-based access. Option C is wrong because PIM is for privileged roles.

183
MCQ (medium)

A company uses Microsoft 365 and requires that users access corporate email and SharePoint from managed devices that meet security policy requirements, such as having encryption enabled and antivirus software running. The security team wants to enforce this access control within Microsoft Entra ID so that unmanaged devices are blocked. Which Microsoft Entra ID feature should they configure?

A. Identity Protection
B. Conditional Access
C. Access Reviews
D. Privileged Identity Management
Answer: B

Conditional Access policies can require that devices be marked as compliant or domain-joined before granting access to cloud apps like Exchange Online and SharePoint.

Why this answer

Conditional Access is the Microsoft Entra ID feature that enforces access control policies based on conditions such as device compliance, location, and user risk. By configuring a policy that requires devices to be marked as compliant (e.g., with encryption enabled and antivirus running) and blocking access from unmanaged devices, the security team can meet the stated requirement. This is the correct choice because Conditional Access directly integrates with Microsoft Intune device compliance policies to evaluate device health before granting access to corporate email and SharePoint.

Exam trap

The trap here is that candidates often confuse Identity Protection (which handles risk-based signals like leaked credentials) with Conditional Access (which enforces broader policies including device compliance), leading them to select A instead of B.

How to eliminate wrong answers

Option A is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, sign-in anomalies) and does not enforce device-level security requirements like encryption or antivirus status. Option C is wrong because Access Reviews are used to periodically audit and recertify user access rights to groups, applications, or roles, not to block unmanaged devices based on security policy compliance. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and oversight, not device-level access controls for general users accessing email or SharePoint.

184
MCQ (medium)

Your company uses Microsoft Entra ID. You need to ensure that when a user's account is compromised and used to send spam, the account is automatically blocked from signing in. Which feature should you configure?

A. Microsoft Entra Conditional Access policy to block sign-ins from high-risk users
B. Microsoft Entra Privileged Identity Management
C. Microsoft Entra Identity Protection with a user risk policy to block high-risk users
D. Microsoft Entra Self-Service Password Reset
Answer: C

Identity Protection's user risk policy can automatically block sign-ins when risk is high.

Why this answer

Microsoft Entra Identity Protection uses machine learning to detect user risk, such as when an account is compromised and used to send spam. A user risk policy can be configured to automatically block sign-ins for high-risk users, directly addressing the requirement to block the compromised account from signing in.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with Identity Protection user risk policies, but the question specifically asks for the feature that automatically blocks based on compromise (spam), which is the user risk policy in Identity Protection, not a general Conditional Access policy.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy can block sign-ins based on risk, but it requires a license (e.g., P2) and is typically used in conjunction with Identity Protection; however, the question specifically asks for the feature that automatically blocks based on compromise (spam), which is directly the user risk policy in Identity Protection. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time access and approval workflows for privileged roles, not automatic blocking of compromised accounts. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords, but it does not automatically block sign-ins when an account is compromised.

185
MCQ (easy)

A company wants to ensure that only users with specific IP addresses can access its critical applications. Which Microsoft Entra feature should they configure?

A. Identity Protection
B. Privileged Identity Management
C. Conditional Access
D. Self-Service Password Reset
Answer: C

Conditional Access policies can restrict access based on IP address ranges.

Why this answer

Conditional Access is the correct feature because it allows administrators to create policies that enforce access controls based on conditions such as IP address location. By configuring a Conditional Access policy with a 'Locations' condition that includes only trusted IP address ranges, the company can block or grant access to critical applications based on the user's network location. This directly meets the requirement to restrict access to specific IP addresses.

Exam trap

The trap here is that candidates often confuse Identity Protection's risk-based conditional access (which uses IP reputation) with the explicit IP address location control provided by Conditional Access policies, leading them to select Identity Protection instead.

How to eliminate wrong answers

Option A is wrong because Identity Protection is designed to detect and respond to identity-based risks (e.g., leaked credentials, sign-ins from anonymous IPs) but does not provide granular IP address-based access control policies. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not network-level access restrictions based on IP addresses. Option D is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords without administrator intervention, and it has no capability to restrict application access by IP address.

186
MCQ (medium)

Your organization uses Microsoft Entra ID with P2 licenses. You need to review and approve role activations for the Global Administrator role on a weekly basis. Which feature should you use?

A. Microsoft Entra Identity Protection
B. Microsoft Entra Conditional Access
C. Microsoft Entra Privileged Identity Management (PIM)
D. Microsoft Entra Access Reviews
Answer: C

PIM manages just-in-time role activation with approval workflows.

Why this answer

Option C is correct because Microsoft Entra Privileged Identity Management (PIM) allows you to manage and approve role activations. Option A is wrong because Identity Protection is for risk. Option B is wrong because Conditional Access controls access conditions. Option D is wrong because Access Reviews can review assignments but not activations.

187
MCQ (medium)

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that users can use the same password on-premises and in the cloud without having to sync password hashes. Additionally, you want to prevent accounts from being locked out after a few bad password attempts in the cloud. Which Microsoft Entra feature should you implement?

A. Use password hash synchronization and set up custom lockout policies.
B. Deploy password writeback and enable Microsoft Entra smart lockout.
C. Implement federation with Active Directory Federation Services (AD FS).
D. Implement pass-through authentication and configure on-premises lockout thresholds.
Answer: B

Correct: Password writeback enables on-premises password changes from the cloud, and smart lockout prevents cloud lockouts.

Why this answer

Option B is correct because password writeback enables password changes made in the cloud to be written back to on-premises Active Directory, ensuring the same password is used without syncing password hashes. Microsoft Entra smart lockout prevents accounts from being locked out after a few bad password attempts in the cloud by intelligently recognizing and blocking malicious sign-in attempts while allowing legitimate users to continue, without locking the on-premises account.

Exam trap

The trap here is that candidates often confuse pass-through authentication with password writeback, thinking that pass-through authentication alone prevents cloud lockouts, but it does not—smart lockout is required to decouple cloud lockout from on-premises lockout thresholds.

How to eliminate wrong answers

Option A is wrong because password hash synchronization requires syncing password hashes to the cloud, which contradicts the requirement to avoid syncing password hashes, and custom lockout policies in Entra ID do not prevent cloud lockouts from affecting on-premises accounts. Option C is wrong because federation with AD FS still requires password hash synchronization or pass-through authentication for cloud authentication, and it does not inherently prevent cloud lockouts from locking on-premises accounts. Option D is wrong because pass-through authentication validates passwords against on-premises Active Directory but does not prevent cloud lockouts; on-premises lockout thresholds would still cause account lockout after a few bad attempts in the cloud.

188
MCQ · hard

Your organization, Fabrikam Inc., is migrating from on-premises Active Directory to Microsoft Entra ID. You have a custom line-of-business (LOB) application that uses Windows Integrated Authentication (WIA) and requires Kerberos delegation. The application will be hosted on Azure VMs. You need to enable users to sign in to the LOB application using their Microsoft Entra ID credentials without exposing the application to the internet. Which approach should you use?

A. Deploy Microsoft Entra Domain Services and join the VMs to the managed domain. Configure the app to use Windows Integrated Authentication.
B. Use Microsoft Entra Application Proxy with Kerberos Constrained Delegation (KCD). Publish the app through Application Proxy and configure pre-authentication with Entra ID.
C. Set up a site-to-site VPN and join the Azure VMs to the on-premises domain. Configure the app to use Windows Integrated Authentication.
D. Install Azure AD Connect and sync users to Entra ID. Configure the app to use OAuth 2.0.
Answer: B

Application Proxy provides secure remote access and supports KCD for WIA apps.

Why this answer

Option B is correct because Microsoft Entra Application Proxy with Kerberos Constrained Delegation (KCD) allows you to publish an on-premises or Azure VM-hosted application that uses Windows Integrated Authentication (WIA) without exposing it to the internet. The Application Proxy service handles pre-authentication with Microsoft Entra ID, then uses KCD to obtain a Kerberos ticket on behalf of the user, enabling seamless sign-in with Entra ID credentials while keeping the application internal.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Domain Services with a full replacement for on-premises Active Directory, not realizing that it does not provide the Kerberos delegation path needed for Application Proxy to work with WIA, and they overlook the requirement to keep the application off the internet, which eliminates VPN-based options.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Domain Services provides a managed domain with Kerberos and NTLM support, but it does not integrate with Microsoft Entra ID for user authentication in the way required; users would still need to authenticate against the managed domain, not directly with their Entra ID credentials, and the application would be exposed to the internet unless additional measures are taken. Option C is wrong because setting up a site-to-site VPN and joining Azure VMs to the on-premises domain requires the application to be exposed to the internet or rely on the VPN for connectivity, and it does not enable users to sign in using their Microsoft Entra ID credentials—they would still need on-premises Active Directory credentials. Option D is wrong because installing Azure AD Connect and syncing users to Entra ID does not address the need for Kerberos delegation or Windows Integrated Authentication; configuring the app to use OAuth 2.0 would require rewriting the application to support modern authentication, which is not a migration approach for a legacy WIA app.

189
MCQ · hard

A company has a Microsoft Entra ID tenant with thousands of users. They need to ensure that only users with a 'Manager' attribute populated can access a sensitive app. Which approach should they use?

A. Use HR-driven provisioning to populate an on-premises attribute and sync it
B. Create a dynamic group rule that includes users with a non-empty Manager attribute, then target the group in a Conditional Access policy
C. Create an access package in Entitlement Management that requires manager approval
D. Create an Administrative Unit for users with managers and assign the app to that unit
Answer: B

Dynamic groups can automatically include users based on attributes like Manager.

Why this answer

Option B is correct because a dynamic group rule can evaluate the 'Manager' attribute and include only users where it is populated. This group can then be assigned to a Conditional Access policy that requires the group membership for access to the sensitive app, ensuring only users with a manager can authenticate.

Exam trap

The trap here is confusing attribute-based dynamic group membership with approval workflows or administrative delegation, leading candidates to choose Entitlement Management or Administrative Units instead of the correct Conditional Access and dynamic group combination.

How to eliminate wrong answers

Option A is wrong because HR-driven provisioning populates attributes from an HR system, but it does not enforce access control based on the Manager attribute; it merely syncs data. Option C is wrong because an access package in Entitlement Management with manager approval manages access requests and approvals, but it does not automatically restrict access based on whether the Manager attribute is populated; it requires manual approval. Option D is wrong because Administrative Units are for delegating administrative scope over users and groups, not for controlling application access via attribute-based membership.

190
MCQ · hard

Refer to the exhibit. An administrator runs the PowerShell cmdlet shown. What is the purpose of this command?

A. To show the dynamic membership rules of the Sales group.
B. To list all groups in the Sales department.
C. To list Azure AD roles assigned to the Sales group.
D. To display the display name and user principal name of members of the Sales group.
Answer: D

The cmdlet retrieves group members and selects name and UPN.

Why this answer

The PowerShell cmdlet `Get-AzureADGroupMember -ObjectId <SalesGroupObjectId>` retrieves the members of a specific Azure AD group. By default, it returns the members' display names and user principal names (UPNs), which are the primary identifiers for users in Microsoft Entra ID. Option D correctly identifies this purpose.

Exam trap

The trap here is that candidates confuse retrieving group members (Option D) with viewing dynamic membership rules (Option A), because both involve Azure AD groups, but the cmdlet names and parameters differ significantly.

How to eliminate wrong answers

Option A is wrong because the cmdlet `Get-AzureADGroupMember` retrieves members, not membership rules; dynamic membership rules are viewed using `Get-AzureADMSGroup` with the `-GroupType DynamicMembership` parameter. Option B is wrong because the cmdlet targets a single group by its ObjectId, not all groups in a department; listing groups by department would require `Get-AzureADGroup` with a filter on the `Department` attribute. Option C is wrong because Azure AD role assignments are retrieved using `Get-AzureADDirectoryRoleMember` or `Get-AzureADMSRoleAssignment`, not `Get-AzureADGroupMember`.

191
MCQ · hard

Refer to the exhibit. You are reviewing a Privileged Identity Management (PIM) configuration for a role in Microsoft Entra ID. The roleDefinitionId corresponds to a specific role. What is the effect of this configuration?

A. The user is permanently activated for the role for 1 hour.
B. The user is permanently assigned the role for 1 hour.
C. The user can activate the role without approval for up to 1 hour.
D. The user is eligible for the role indefinitely, but activation requires approval and lasts up to 1 hour.
Answer: D

Eligible assignment with no end date, approval required, activation max 1 hour.

Why this answer

Option D is correct because the configuration shown in the exhibit sets the role assignment to 'Eligible' with an activation duration of 1 hour and no approval required (the approval toggle is off). An 'Eligible' assignment means the user is not permanently active; they must activate the role when needed. The absence of an approval requirement means activation is self-service, and the 1-hour duration limits how long the activation lasts.

This matches the description of being eligible indefinitely, with activation requiring no approval and lasting up to 1 hour.

Exam trap

The trap here is that candidates confuse 'Eligible' with 'Active' assignments, assuming that an eligible assignment with no approval required means the user is automatically active, when in fact they must still manually activate the role.

How to eliminate wrong answers

Option A is wrong because 'permanently activated' implies the user is always active in the role, but the configuration shows an 'Eligible' assignment, not an 'Active' assignment. Option B is wrong because 'permanently assigned the role for 1 hour' is contradictory; a permanent assignment has no time limit, and the 1-hour duration applies only to activation, not to the assignment itself. Option C is wrong because while the user can activate without approval (as the approval toggle is off), the configuration shows an 'Eligible' assignment, not an 'Active' one; the user is not automatically activated and must perform an activation step.

192
MCQ · medium

A company wants to reduce help desk calls by allowing users to reset their own passwords. The security team requires that users verify their identity using a registered mobile phone or alternative email before resetting. Additionally, the company policy states that passwords cannot be reused until at least five new passwords have been used. Which Microsoft Entra ID features should they configure to meet these requirements?

A. Self-Service Password Reset (SSPR) and password protection policies (password history enforcement)
B. Self-Service Password Reset (SSPR) and Conditional Access policies
C. Multi-Factor Authentication (MFA) and password protection policies
D. Identity Protection and Authentication Strengths
Answer: A

SSPR handles the self-service reset with identity verification, while password protection policies (part of Entra ID authentication methods) enforce the history rule to prevent reuse.

Why this answer

Self-Service Password Reset (SSPR) allows users to reset their own passwords, reducing help desk calls. The security requirement for identity verification via registered mobile phone or alternative email is met by SSPR's authentication methods. The password history enforcement (preventing reuse until at least five new passwords have been used) is configured through password protection policies, specifically the 'password history' setting that enforces a minimum of 5 unique passwords before reuse.

Exam trap

The trap here is that candidates often confuse Conditional Access with password policies, thinking that Conditional Access can enforce password history, when in fact password history is a separate setting under password protection policies, not a Conditional Access control.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control access based on conditions like location or device compliance, but they do not enforce password history rules; password reuse restrictions are managed by password protection policies, not Conditional Access. Option C is wrong because Multi-Factor Authentication (MFA) provides an additional verification step during sign-in, but it does not include password history enforcement; password protection policies are required for that. Option D is wrong because Identity Protection detects risky sign-ins and user behavior, and Authentication Strengths define which authentication methods are acceptable, but neither feature enforces password history or self-service password reset capabilities.

193
Multi-Select · medium

Which TWO of the following are capabilities of Microsoft Entra ID? (Choose two.)

Select 2 answers
A. Device Management
B. Identity Protection
C. Endpoint Detection and Response
D. Privileged Identity Management
E. Information Protection
Answers: B, D

Identity Protection is a feature of Entra ID.

Why this answer

Microsoft Entra ID includes Identity Protection, which uses machine learning to detect and respond to identity-based risks such as compromised credentials and anomalous sign-in behavior. It provides automated risk remediation and conditional access policies to protect user accounts.

Exam trap

Microsoft often tests the distinction between identity management (Entra ID) and endpoint security (Defender for Endpoint) or device management (Intune), causing candidates to confuse overlapping security terms.

194
MCQ · medium

A company uses Microsoft Entra ID. They want to configure a Conditional Access policy that requires multi-factor authentication (MFA) when a sign-in is assessed as medium or high risk by Microsoft's identity protection signals. For sign-ins with no detected risk, MFA should not be required. Which feature or service provides the risk assessment signals that can be consumed by Conditional Access policies?

A. Identity Protection
B. Privileged Identity Management (PIM)
C. Entitlement Management
D. Identity Governance
Answer: A

Correct. Identity Protection provides risk detection and assessment that can be directly used as a condition in Conditional Access policies.

Why this answer

Identity Protection is the Microsoft Entra service that analyzes billions of sign-in signals using machine learning to assign a risk level (low, medium, high) for each authentication attempt. Conditional Access policies can then consume these risk assessments directly as a condition, enabling granular MFA enforcement only when the sign-in risk is medium or high, while allowing low-risk sign-ins to proceed without MFA.

Exam trap

The trap here is that candidates confuse Privileged Identity Management (PIM) with Identity Protection because both involve 'identity' and 'security,' but PIM handles role activation and approval workflows, not risk-based sign-in analysis.

How to eliminate wrong answers

Option B (Privileged Identity Management) is wrong because PIM provides just-in-time privileged role activation and access reviews, not risk-based sign-in assessments. Option C (Entitlement Management) is wrong because it manages access packages and catalogs for external user governance, not real-time sign-in risk signals. Option D (Identity Governance) is wrong because it focuses on access certifications, lifecycle workflows, and compliance reporting, not the detection of risky sign-in behaviors.

195
MCQ · easy

You are configuring Microsoft Entra ID for a new user. The user will need to access resources in multiple Microsoft cloud services (Office 365, Azure, Dynamics 365). Which Microsoft Entra edition is minimally required to provide single sign-on (SSO) across these services?

A. Microsoft Entra ID Free (included with Office 365)
B. Microsoft Entra ID P2
C. Microsoft Entra ID Free
D. Microsoft Entra ID P1
Answer: C

SSO across Microsoft cloud services is available in the Free edition.

Why this answer

Microsoft Entra ID Free (included with Office 365) provides SSO across Microsoft cloud services like Office 365, Azure, and Dynamics 365 because it supports federated identity and the same user identity is used across all these services. SSO is a core capability of the Free edition, requiring no additional licensing for this specific scenario. The question asks for the minimally required edition, and since Free supports SSO across these services, it is the correct choice.

Exam trap

The trap here is that candidates often assume SSO requires a premium edition like P1 or P2, but Microsoft Entra ID Free already provides SSO across Microsoft cloud services, and the question specifically asks for the minimally required edition.

How to eliminate wrong answers

Option A is wrong because it is the same as option C (Microsoft Entra ID Free) and is not a distinct edition; the correct answer is C, not A. Option B is wrong because Microsoft Entra ID P2 includes advanced features like Identity Protection and Privileged Identity Management, which are not required for basic SSO across Microsoft cloud services. Option D is wrong because Microsoft Entra ID P1 adds features like Conditional Access and dynamic groups, but these are not necessary for SSO; the Free edition already provides SSO.

196
MCQ · hard

Your organization uses Microsoft Entra ID P2 licenses. You need to implement a process to automatically remove users from a group if they have not signed in for 90 days. Which feature should you use?

A. Conditional Access policy
B. Privileged Identity Management
C. Access reviews in Identity Governance
D. Microsoft Entra ID Protection
Answer: C

Access reviews can automatically remove inactive users.

Why this answer

Access reviews in Identity Governance allow you to automate the review and removal of group memberships based on inactivity criteria, such as users who haven't signed in for 90 days. This feature is specifically designed for periodic attestation and lifecycle management of group memberships, leveraging Microsoft Entra ID P2 licenses.

Exam trap

The trap here is confusing Access Reviews (which handle membership lifecycle based on inactivity) with Conditional Access (which controls access at sign-in) or Privileged Identity Management (which focuses on privileged roles).

How to eliminate wrong answers

Option A is wrong because Conditional Access policies enforce access controls during sign-in (e.g., requiring MFA or blocking locations) but cannot automatically remove users from groups based on inactivity. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and assignment, not general group membership lifecycle based on sign-in activity. Option D is wrong because Microsoft Entra ID Protection detects and responds to identity risks (e.g., leaked credentials, impossible travel) but does not automate group membership removal based on inactivity.

197
MCQ · hard

A company wants to implement just-in-time (JIT) privileged access management for their Global Administrators in Microsoft Entra ID. They require that a user must request activation of the Global Administrator role, the request must be approved by a separate administrator, and the role will automatically expire after 4 hours. Additionally, they need an audit trail of all activations. Which Microsoft Entra feature should they use?

A. Microsoft Entra Conditional Access
B. Microsoft Entra Identity Protection
C. Microsoft Entra Privileged Identity Management (PIM)
D. Azure Role-Based Access Control (RBAC)
Answer: C

PIM provides just-in-time privileged access with features including role activation, approval workflows, time-bound assignments, and comprehensive auditing, exactly meeting the requirements.

Why this answer

Microsoft Entra Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by allowing users to activate roles like Global Administrator on-demand, requiring approval from designated approvers, setting a maximum activation duration (e.g., 4 hours), and automatically deactivating the role upon expiry. It also maintains a full audit trail of all activations, approvals, and role assignments via the PIM audit history and Azure AD audit logs, meeting all the stated requirements.

Exam trap

The trap here is that candidates often confuse Azure RBAC (which manages Azure resource permissions) with PIM (which manages Microsoft Entra ID directory roles and JIT activation), leading them to select option D despite Azure RBAC lacking approval workflows and automatic expiry for directory roles.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access enforces access policies based on signals like user location or device compliance, but it does not provide JIT role activation, approval workflows, or automatic role expiry. Option B is wrong because Microsoft Entra Identity Protection detects and remediates identity-based risks (e.g., leaked credentials, sign-in anomalies) but does not manage privileged role activation or approval processes. Option D is wrong because Azure Role-Based Access Control (RBAC) manages permissions for Azure resources (e.g., VMs, storage) using role definitions and assignments, but it does not support JIT activation, approval workflows, or time-bound expiry for Microsoft Entra ID directory roles like Global Administrator.

198
MCQ · medium

A company uses Microsoft Entra ID. They want to enforce multifactor authentication (MFA) for all access to a sensitive HR application. However, they only want to require MFA when the sign-in risk is assessed as medium or high, and block access if the risk is high. Which Conditional Access components must the administrator configure to meet these requirements? (Choose the best answer)

A. Assignments (Users and cloud apps) and Session controls (Sign-in frequency)
B. Conditions (Sign-in risk) and Grant controls (Require multifactor authentication, Block access)
C. Conditions (Device platforms) and Grant controls (Require approved client app)
D. Grant controls (Require multifactor authentication) and Session controls (Application enforce restrictions)
Answer: B

Correct. The conditions specify when a policy applies (e.g., when risk is medium or high). Grant controls enforce the required actions: require MFA for medium/high risk and block for high risk. Block access is an available grant control.

Why this answer

Option B is correct because the scenario requires evaluating sign-in risk as a condition, which is configured under Conditions (Sign-in risk) in Conditional Access. The Grant controls then enforce 'Require multifactor authentication' for medium/high risk and 'Block access' for high risk, directly matching the requirements.

Exam trap

The trap here is that candidates confuse Conditions (sign-in risk) with Conditions (device platforms) or Session controls, overlooking that risk-based MFA requires both the risk condition and specific grant controls to enforce different actions per risk level.

How to eliminate wrong answers

Option A is wrong because Session controls like Sign-in frequency manage session lifetime, not risk-based MFA enforcement or blocking. Option C is wrong because Device platforms condition filters by OS type, not sign-in risk, and Require approved client app is a grant control for device compliance, not risk-based access. Option D is wrong because Grant controls alone (Require MFA) cannot differentiate risk levels, and Session controls (Application enforce restrictions) do not provide risk-based blocking or conditional MFA.

199
MCQ · medium

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user passwords and enable password writeback for self-service password reset. Which tool should you use?

A. Microsoft Entra admin center
B. Microsoft Entra Connect Sync
C. Active Directory Federation Services (AD FS)
D. Azure AD Connect (deprecated)
Answer: B

Entra Connect Sync synchronizes identities and supports password hash sync and writeback.

Why this answer

Microsoft Entra Connect Sync (formerly Azure AD Connect) is the correct tool because it synchronizes on-premises Active Directory objects, including password hashes, to Microsoft Entra ID and supports password writeback, which enables self-service password reset (SSPR) to write changed passwords back to on-premises AD. The question specifically requires both password synchronization and writeback, which are core features of Entra Connect Sync.

Exam trap

The trap here is that candidates may confuse the deprecated name 'Azure AD Connect' (Option D) with the current tool, or mistakenly think that AD FS (Option C) can handle password synchronization and writeback, when in fact AD FS only handles authentication federation and not directory synchronization or writeback operations.

How to eliminate wrong answers

Option A is wrong because the Microsoft Entra admin center is a web-based management portal for configuring cloud settings, but it cannot perform the actual synchronization or writeback of passwords from on-premises AD; it relies on a sync engine like Entra Connect Sync. Option C is wrong because Active Directory Federation Services (AD FS) is a federation service used for single sign-on and claims-based authentication, not for synchronizing password hashes or enabling password writeback for SSPR. Option D is wrong because Azure AD Connect is the deprecated name for the tool that has been rebranded as Microsoft Entra Connect Sync; while it functionally could perform the task, the exam expects the current, correct name.

200
MCQ · hard

A company is planning to migrate from on-premises Active Directory to Microsoft Entra ID. They have multiple on-premises applications that use LDAP for authentication. They want to enable single sign-on (SSO) to these applications from the cloud without modifying the applications. Which approach should they use?

A. Microsoft Entra Domain Services
B. Federation with Active Directory Federation Services (AD FS)
C. Pass-through authentication
D. Password hash synchronization with Seamless SSO
Answer: A

Entra Domain Services provides LDAP, Kerberos, and NTLM authentication for legacy apps.

Why this answer

Microsoft Entra Domain Services provides managed domain services such as LDAP, Kerberos, and NTLM authentication without requiring you to deploy and manage domain controllers. Since the on-premises applications use LDAP for authentication and cannot be modified, Entra Domain Services can be used to lift and shift these applications into Azure while enabling SSO from the cloud, as it presents a compatible LDAP interface that the applications can continue to use.

Exam trap

The trap here is that candidates often confuse authentication methods (like Pass-through or Federation) with directory services, not realizing that legacy LDAP-based applications require a domain service that exposes an LDAP endpoint, not just a cloud authentication protocol.

How to eliminate wrong answers

Option B is wrong because Federation with AD FS requires modifying the applications to support SAML or WS-Federation, and it does not natively provide an LDAP interface for legacy applications. Option C is wrong because Pass-through authentication validates passwords against on-premises Active Directory but does not expose an LDAP endpoint for applications to authenticate against; it is an authentication method for cloud apps, not a replacement for LDAP directory services. Option D is wrong because Password hash synchronization with Seamless SSO enables cloud authentication for web-based apps using Kerberos tickets but does not provide an LDAP interface for legacy on-premises applications that require direct LDAP binds.

201
MCQ · medium

Your organization uses Microsoft Entra ID. You need to ensure that guest users can access resources without requiring invitation redemption. Which feature should you enable?

A. Application Proxy
B. B2B Collaboration
C. B2B Direct Connect
D. Privileged Identity Management
Answer: C

B2B Direct Connect enables mutual trust without invitations.

Why this answer

Option C is correct because B2B Direct Connect allows guest users to access resources in your Microsoft Entra ID tenant without requiring them to redeem an invitation or accept a consent prompt. This feature establishes a mutual, two-way trust relationship between your tenant and an external Microsoft Entra ID tenant, enabling seamless resource access for users who already exist in the partner's directory.

Exam trap

The trap here is that candidates often confuse B2B Collaboration (which requires invitation redemption) with B2B Direct Connect (which does not), because both involve external users, but only Direct Connect eliminates the redemption step.

How to eliminate wrong answers

Option A is wrong because Application Proxy is used to publish on-premises web applications to external users via Microsoft Entra ID, not to manage guest user access or bypass invitation redemption. Option B is wrong because B2B Collaboration requires guest users to redeem an invitation (via email or direct link) to access resources, which contradicts the requirement of no invitation redemption. Option D is wrong because Privileged Identity Management (PIM) is a service for managing, controlling, and monitoring access to privileged roles within Microsoft Entra ID, not for enabling guest user access without invitation redemption.

202
MCQ · medium

A company uses Microsoft Entra ID. They want to enforce that users accessing the finance app from outside the corporate network must use multifactor authentication (MFA) and access from a device marked as compliant. Additionally, if the user's sign-in risk is medium or higher, access must be blocked. Which component of a Conditional Access policy should the administrator configure to specify the 'Block access' action for high-risk sign-ins?

A. Grant controls
B. Conditions
C. Assignments
D. Session controls
Answer: A

Grant controls allow you to either 'Block access' or require specific conditions (e.g., MFA, compliant device) to grant access. The 'Block access' option is located here.

Why this answer

The 'Block access' action is specified within the Grant controls section of a Conditional Access policy. Grant controls allow administrators to either require specific conditions (like MFA or compliant device) to be met for access to be granted, or to explicitly block access entirely. By selecting 'Block access' in the Grant controls, the policy enforces that any user meeting the policy's conditions (such as high sign-in risk) is denied access.

Exam trap

The trap here is that candidates often confuse the 'Conditions' section (where sign-in risk is defined as a trigger) with the 'Grant controls' section (where the resulting action of blocking access is configured), leading them to incorrectly select Conditions instead of Grant controls.

How to eliminate wrong answers

Option B is wrong because Conditions define the signals or triggers for the policy (e.g., sign-in risk level, user location, device platform), not the resulting action. Option C is wrong because Assignments specify which users, groups, or applications the policy applies to, not the control action. Option D is wrong because Session controls enforce limitations on an active session (e.g., app-enforced restrictions, sign-in frequency) but do not include a 'Block access' action.

203
MCQ · hard

Refer to the exhibit. A Conditional Access policy is defined as shown. Which client applications will be blocked?

A. Browser-based applications accessing Office 365.
B. Exchange ActiveSync clients only.
C. Legacy authentication clients such as IMAP, POP, and SMTP.
D. Applications using modern authentication (e.g., Outlook for Windows with OAuth).
Answer: C

These are included in 'otherClients' and 'exchangeActiveSync'.

Why this answer

The policy targets 'Legacy authentication clients' such as IMAP, POP, and SMTP, which do not support modern authentication protocols like OAuth 2.0. These protocols rely on basic authentication and are blocked by Conditional Access policies configured to require modern authentication. Option C is correct because the policy explicitly blocks these legacy protocols.

Exam trap

The trap here is that candidates may confuse 'Exchange ActiveSync clients' (which can use modern authentication) with legacy protocols like IMAP/POP/SMTP, or assume that all browser-based apps are blocked, when the policy specifically targets legacy authentication clients only.

How to eliminate wrong answers

Option A is wrong because browser-based applications accessing Office 365 typically use modern authentication (e.g., OAuth 2.0 via the browser) and are not blocked unless the policy specifically targets browser-based apps. Option B is wrong because Exchange ActiveSync clients can use modern authentication (e.g., OAuth 2.0) and are not inherently blocked; the policy targets legacy authentication, not all ActiveSync clients. Option D is wrong because applications using modern authentication (e.g., Outlook for Windows with OAuth) are explicitly allowed by the policy, as it only blocks legacy authentication clients.

204
Multi-Select · medium

Which TWO Microsoft Entra ID features can be used to protect against credential theft? (Choose two.)

Select 2 answers
A. Passwordless authentication
B. Self-Service Password Reset (SSPR)
C. Microsoft Entra ID Domain Services
D. Microsoft Entra ID Connect
E. Conditional Access policies that require MFA
Answers: A, E

Eliminates password-related risks.

Why this answer

Passwordless authentication (Option A) eliminates the use of passwords entirely, removing the primary vector for credential theft such as phishing or password spraying. By relying on biometrics, FIDO2 security keys, or Microsoft Authenticator, there is no password to steal, directly mitigating credential theft attacks.

Exam trap

The trap here is that candidates often confuse SSPR (a recovery mechanism) with a preventive control, or mistakenly think Entra ID Connect or Domain Services offer security features they do not, when the question specifically asks for features that protect against credential theft.

205
Multi-Select · hard

Which THREE components are part of the Microsoft Entra External Identities suite?

Select 3 answers
A. Azure AD B2B (now Entra External ID)
B. Conditional Access
C. B2C (business-to-consumer)
D. B2B collaboration
E. Identity Protection
Answers: A, C, D

This is the core of External Identities.

Why this answer

Option A is correct because Azure AD B2B (now rebranded as Entra External ID) is a core component of the Microsoft Entra External Identities suite, enabling organizations to securely share applications and resources with external users (guests) while maintaining control over their own corporate data. This service allows external partners to use their own identity provider (e.g., Microsoft, Google, or SAML/WS-Fed IdPs) without requiring a separate account in the tenant.

Exam trap

The trap here is that candidates often confuse security features like Conditional Access or Identity Protection with the core identity management components of the External Identities suite. Microsoft bundles these services under the broader Microsoft Entra umbrella, but the exam specifically tests which services directly handle external user identity lifecycle and collaboration.

206
MCQ · easy

A company wants to automatically remove a user's access to all applications when the user leaves the organization. Which Microsoft Entra feature can help achieve this?

A. Access Reviews
B. Privileged Identity Management
C. Conditional Access
D. Identity Protection
Answer: A

Access reviews can remove access for inactive or departed users.

Why this answer

A is correct because Access Reviews in Microsoft Entra allow administrators to create recurring reviews of user access to applications and groups. When a user leaves the organization, an access review can be configured to automatically remove their access by either disabling the user or removing them from the assigned groups/applications based on the review outcome. This directly addresses the requirement to automatically remove access upon departure.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with access lifecycle management, mistakenly thinking PIM handles all access removal, when in fact PIM only manages privileged role activation and not general application access removal.

How to eliminate wrong answers

Option B is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight, not for automatically removing a user's access to all applications when they leave; it focuses on managing and auditing privileged roles, not general application access. Option C is wrong because Conditional Access enforces policies based on signals like location or device compliance to grant or block access in real time, but it does not automatically remove a user's access when they leave the organization—it controls access conditions, not lifecycle-based removal. Option D is wrong because Identity Protection detects and responds to identity-based risks such as compromised credentials or suspicious sign-ins, but it does not handle the automated removal of access for departing users; it focuses on risk remediation, not lifecycle management.

207
MCQ · medium

An organization uses Microsoft Entra ID. They want to automatically detect when a user's sign-in shows a high risk of compromise (e.g., impossible travel, anonymous IP address) and immediately require the user to reset their password. Which Microsoft Entra capability should they use?

A. Conditional Access
B. Identity Protection
C. Privileged Identity Management (PIM)
D. Access Reviews
Answer: B

Correct. Microsoft Entra ID Protection provides risk detection and risk-based policies that can automatically require a user to change their password when high user risk is detected.

Why this answer

B is correct because Microsoft Entra ID Protection uses machine learning to detect risk signals such as impossible travel and anonymous IP addresses. When a user's sign-in is flagged as high risk, ID Protection can be configured to automatically trigger a password reset as a remediation action, enforcing the principle of least privilege and reducing the window of compromise.

Exam trap

The trap here is that candidates often confuse Conditional Access with Identity Protection, but Conditional Access is the policy enforcement layer that can use Identity Protection risk detections as a condition, not the detection and remediation engine itself.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls (e.g., requiring MFA or blocking sign-in) based on conditions, but it does not itself detect risk signals or automatically trigger password resets; it relies on Identity Protection risk detections as a condition. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not user sign-in risk detection or password reset automation. Option D is wrong because Access Reviews are used for periodic attestation of group memberships or role assignments, not for real-time risk-based sign-in detection or password reset enforcement.

208
MCQ · medium

Your company uses Microsoft Entra ID with P2 licenses. You want to require approval for users to activate the Global Administrator role. Which feature should you configure?

A. Privileged Identity Management (PIM)
B. Identity Protection
C. Conditional Access
D. Access reviews
Answer: A

PIM enables approval workflows for role activation.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID P2 provides just-in-time privileged access, including the ability to require approval for role activation. By configuring PIM for the Global Administrator role, you can enforce that users must request activation and receive approval before gaining the role's permissions, ensuring least-privilege and auditability.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls sign-in conditions) with PIM's approval workflow, but Conditional Access cannot enforce a multi-step approval process for role activation; only PIM provides that capability.

How to eliminate wrong answers

Option B (Identity Protection) is wrong because it focuses on detecting and responding to identity risks (e.g., compromised accounts, risky sign-ins) and does not manage role activation workflows or approval requirements. Option C (Conditional Access) is wrong because it enforces access policies based on conditions like location or device state, but it does not provide approval-based role activation; it controls sign-in access, not role elevation. Option D (Access reviews) is wrong because it periodically recertifies existing role assignments, ensuring they are still needed, but it does not enforce an approval step for activating a role in real time.

209
Multi-Select · easy

Which TWO Microsoft Entra features can be used to enforce multifactor authentication (MFA)?

Select 2 answers
A. Self-Service Password Reset
B. Security defaults
C. Identity Protection
D. Privileged Identity Management
E. Conditional Access
Answers: B, E

Security defaults enforce MFA for all users.

Why this answer

Security defaults is a baseline security policy that Microsoft automatically enables for eligible tenants, enforcing MFA registration and requiring MFA for all users during sign-in. It provides a simple, pre-configured way to enforce MFA without requiring additional licensing or configuration of Conditional Access policies.

Exam trap

The trap here is that candidates often confuse Identity Protection or PIM as direct MFA enforcement features, when in reality they are risk-detection or privilege-management services that rely on Conditional Access to actually enforce MFA.

210
Multi-Select · hard

A security team is using Microsoft Entra ID Protection. They want to automatically block sign-ins from known malicious IP addresses, but if a user's account is compromised (e.g., leaked credentials), they want to force the user to change their password upon next sign-in. Which two risk policies should they configure? (Select all that apply.)

Select 2 answers
A. Sign-in risk policy set to 'Block access' for High risk
B. User risk policy set to 'Allow access' with 'Require password change' for High risk
C. MFA registration policy
D. Conditional Access policy with a custom block rule
Answers: A, B

This policy automatically blocks sign-ins from high-risk scenarios, such as anonymous IP addresses.

Why this answer

Option A is correct because the sign-in risk policy in Microsoft Entra ID Protection can be configured to automatically block access when a sign-in is detected as high risk, such as from a known malicious IP address. This policy evaluates real-time risk signals during authentication and enforces the specified action (e.g., 'Block access') without requiring additional Conditional Access policies.

Exam trap

The trap here is that candidates might confuse the sign-in risk policy and user risk policy with Conditional Access policies or MFA registration, but the question explicitly asks for risk policies within Entra ID Protection, not generic Conditional Access or registration policies.

211
MCQ · hard

A healthcare organization uses Microsoft Entra ID and needs to enforce that only users from the United States and Canada can access patient records. Access attempts from all other locations must be blocked. Which Microsoft Entra ID Conditional Access condition should be configured to meet this requirement?

A. Device state
B. Sign-in risk
C. Locations
D. Client apps
Answer: C

The Locations condition in Conditional Access allows you to define named locations based on IP ranges or countries, and then grant or block access accordingly.

Why this answer

Option C is correct because the Locations condition in Microsoft Entra ID Conditional Access allows administrators to define named locations (e.g., countries or IP ranges) and then grant or block access based on those locations. By configuring a policy that blocks access from all countries except the United States and Canada, the organization can enforce geographic restrictions on patient record access.

Exam trap

The trap here is that candidates often confuse the Locations condition with Sign-in risk, mistakenly thinking that blocking by country is a risk-based control rather than a straightforward geographic restriction.

How to eliminate wrong answers

Option A is wrong because Device state controls access based on whether a device is marked as compliant or hybrid Azure AD joined, not based on geographic location. Option B is wrong because Sign-in risk is a condition that detects suspicious sign-in behavior (e.g., anonymous IP, leaked credentials) and is used for risk-based policies, not for blocking by country. Option D is wrong because the Client apps condition filters access by application type (e.g., browser, mobile app, legacy auth), not by the user's physical or network location.

212
MCQ · medium

A company uses Microsoft Entra ID (Azure AD). They have a cloud-based HR system (e.g., Workday) that contains employee records. They want to automate the process of creating user accounts in Microsoft Entra ID for new hires and deactivating accounts for terminated employees based on information from the HR system. Which Microsoft Entra ID feature should they configure?

A. Microsoft Entra Connect
B. Microsoft Entra Application Provisioning
C. Self-Service Password Reset (SSPR)
D. Microsoft Entra Access Reviews
Answer: B

This feature can automate user lifecycle management from HR systems like Workday to Microsoft Entra ID.

Why this answer

Microsoft Entra Application Provisioning (specifically HR-driven provisioning) is the correct feature because it automates the creation, update, and deactivation of user accounts in Microsoft Entra ID based on changes in an external HR system like Workday. It uses the SCIM (System for Cross-domain Identity Management) protocol to synchronize employee lifecycle events from the HR source to Entra ID, enabling fully automated user provisioning without manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect (hybrid sync from on-prem AD) with HR-driven provisioning, but the question specifies a cloud-based HR system (Workday) with no on-premises AD involvement, making Application Provisioning the correct choice.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Connect is used for hybrid identity synchronization from on-premises Active Directory to Microsoft Entra ID, not for direct HR system integration. Option C is wrong because Self-Service Password Reset (SSPR) allows users to reset their own passwords and does not automate user account creation or deactivation based on HR data. Option D is wrong because Microsoft Entra Access Reviews are used for periodic attestation of user access rights and group memberships, not for provisioning or deprovisioning user accounts.

213
MCQ · medium

A company wants to allow its employees to reset forgotten passwords or unlock their accounts without contacting the help desk. The solution must verify the user's identity using a phone call or mobile app notification before allowing the action. Which Microsoft Entra ID feature should be enabled?

A. Microsoft Entra ID Protection
B. Self-Service Password Reset (SSPR)
C. Privileged Identity Management (PIM)
D. Conditional Access
Answer: B

SSPR enables users to reset passwords or unlock accounts after authenticating through approved methods like phone call or mobile app notifications.

Why this answer

B is correct because Self-Service Password Reset (SSPR) enables users to reset forgotten passwords or unlock accounts without help desk intervention. It supports identity verification via phone call or mobile app notification (Microsoft Authenticator), meeting the stated requirement exactly.

Exam trap

The trap here is confusing SSPR with Conditional Access or ID Protection, as both involve authentication controls, but only SSPR directly provides the self-service password reset and account unlock functionality with phone call or app notification verification.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection is a risk-detection and remediation service (e.g., risky sign-ins, leaked credentials), not a self-service password reset or account unlock feature. Option C is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not end-user password reset or account unlock. Option D is wrong because Conditional Access enforces access policies (e.g., MFA, device compliance) at sign-in, but does not provide a self-service mechanism for password reset or account unlock.

214
MCQ · easy

An organization wants to automatically revoke access to cloud apps when an employee leaves the company. Which Microsoft Entra feature should they use?

A. Conditional Access
B. Automated user provisioning
C. Privileged Identity Management
D. Identity Protection
Answer: B

Automated provisioning can disable accounts and remove access upon termination.

Why this answer

Automated user provisioning (B) is the correct answer because it can automatically disable or remove a user's access to cloud apps when the user is deleted or deactivated in the HR system or on-premises directory. This feature synchronizes identity lifecycle events (e.g., termination) to connected SaaS applications, ensuring revocation of access without manual intervention.

Exam trap

The trap here is that candidates confuse Conditional Access (which blocks new sign-ins) with full deprovisioning, not realizing that Conditional Access does not terminate existing sessions or remove the user account from the cloud app.

How to eliminate wrong answers

Option A is wrong because Conditional Access enforces access policies based on signals like location or device compliance at sign-in time, but it does not automatically revoke access when an employee leaves; it blocks new sign-ins but does not terminate existing sessions or deprovision accounts. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and approval workflows, but it is not designed to deprovision standard user access to cloud apps upon termination. Option D is wrong because Identity Protection detects risks like leaked credentials or anomalous sign-ins and triggers remediation like requiring MFA, but it does not handle lifecycle-based deprovisioning when an employee leaves.

215
Multi-Select · easy

Which TWO of the following are methods for implementing passwordless authentication in Microsoft Entra ID?

Select 2 answers
A. Windows Hello for Business
B. App passwords
C. Email one-time passcode
D. SMS-based one-time passcode (OTP)
E. FIDO2 security keys
Answers: A, E

Windows Hello for Business provides passwordless sign-in using biometrics or PIN.

Why this answer

Windows Hello for Business is a passwordless authentication method in Microsoft Entra ID that uses biometric or PIN-based credentials tied to a user's device. It leverages asymmetric key pairs (public/private key cryptography) to authenticate users without transmitting passwords over the network, meeting the passwordless requirement.

Exam trap

The trap here is that candidates often confuse multi-factor authentication (MFA) methods like SMS OTP or app passwords with passwordless authentication, but passwordless requires eliminating the password as a primary factor, not just adding another layer.

216
MCQ · easy

Your company, Contoso, uses Microsoft Entra ID for employee identity management. You need to ensure that when an employee leaves the company, their access to all SaaS applications is automatically revoked within 24 hours. The HR department updates the employee status in a cloud HR system (Workday). What should you do?

A. Ask HR to manually disable each user in Microsoft Entra ID after termination.
B. Configure Microsoft Entra ID provisioning from Workday to automatically disable users when their employment status changes.
C. Use Microsoft Graph API to write a custom application that polls Workday and disables users.
D. Create an Azure Automation runbook that runs daily and checks Workday for terminated employees, then disables them in Entra ID.
Answer: B

Correct: Workday-driven provisioning can automatically disable accounts based on HR status changes.

Why this answer

Option B is correct because Microsoft Entra ID supports automated user provisioning from Workday via the built-in Workday to Entra ID provisioning connector. When an employee's status changes to 'terminated' in Workday, the provisioning service automatically disables the corresponding user account in Entra ID, typically within 40 minutes (well under the 24-hour requirement). This eliminates manual intervention and ensures timely revocation of access to all SaaS applications integrated with Entra ID.

Exam trap

The trap here is that candidates may overcomplicate the solution by choosing custom development (C or D) or manual processes (A), failing to recognize that Microsoft provides a native, automated provisioning connector specifically designed for this exact HR-driven lifecycle scenario.

How to eliminate wrong answers

Option A is wrong because manually disabling users in Entra ID is inefficient, error-prone, and does not meet the automated 24-hour revocation requirement. Option C is wrong because using Microsoft Graph API to build a custom polling application is unnecessarily complex, requires development and maintenance overhead, and is not the recommended out-of-box solution when the native Workday provisioning connector exists. Option D is wrong because an Azure Automation runbook that polls Workday daily introduces latency (up to 24 hours) and requires custom scripting, whereas the native provisioning service provides near-real-time synchronization without additional infrastructure.

217
Multi-Select · easy

Which TWO capabilities are part of Microsoft Entra ID? (Choose two.)

Select 2 answers
A. Application management
B. Single sign-on (SSO)
C. Cloud security posture management
D. Mobile device management (MDM)
E. Security information and event management (SIEM)
Answers: A, B

Entra ID provides application integration and access management.

Why this answer

Microsoft Entra ID includes application management capabilities that allow administrators to register, configure, and control access to enterprise applications. It also provides single sign-on (SSO) functionality, enabling users to authenticate once and access multiple applications without re-entering credentials, using protocols such as SAML 2.0, OAuth 2.0, and OpenID Connect.

Exam trap

The trap here is that candidates confuse Microsoft Entra ID's identity and access management capabilities with broader security tools like Defender for Cloud (CSPM) or Sentinel (SIEM), or with device management tools like Intune (MDM), because all are part of Microsoft's security portfolio but serve distinct functions.

218
MCQ · easy

You need to allow users to reset their own passwords without contacting the help desk. Which Microsoft Entra feature should you enable?

A. Microsoft Authenticator
B. Identity Governance
C. Self-service password reset
D. Conditional Access
Answer: C

SSPR enables users to reset passwords without contacting the help desk.

Why this answer

Self-service password reset (SSPR) is the Microsoft Entra feature that allows users to reset their own passwords without contacting the help desk. It is designed to reduce help desk costs and improve user productivity by enabling password changes or unlocks through a verified authentication method, such as email, phone, or security questions.

Exam trap

The trap here is that candidates often confuse the authentication app (Microsoft Authenticator) with the self-service password reset feature, thinking the app itself provides password reset capabilities, when in fact it only provides a second factor for authentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Authenticator is a multi-factor authentication app that provides a second factor for sign-in, not a self-service password reset mechanism. Option B is wrong because Identity Governance focuses on managing user access rights, certifications, and lifecycle, not on enabling users to reset their own passwords. Option D is wrong because Conditional Access is a policy engine that enforces access controls based on conditions like location or device state, but it does not provide a direct password reset capability.

219
MCQ · hard

Refer to the exhibit. An administrator runs the Azure CLI commands shown. What is the purpose of these commands?

A. To create a new service principal.
B. To list all Azure subscriptions.
C. To log in to Azure as a user with MFA.
D. To authenticate a service principal for automated tasks.
Answer: D

Service principal authentication is used for automation.

Why this answer

The Azure CLI commands shown are used to authenticate a service principal for automated tasks. Specifically, `az login --service-principal -u <app-id> -p <password> --tenant <tenant-id>` authenticates using the service principal's credentials without interactive user login, enabling non-interactive automation or scripts.

Exam trap

The trap here is that candidates confuse the `az login` command with creating a service principal, but `az ad sp create-for-rbac` is the command for creation, while `az login --service-principal` is strictly for authentication.

How to eliminate wrong answers

Option A is wrong because the commands do not create a new service principal; they authenticate an existing one using its app ID and password. Option B is wrong because the commands do not list Azure subscriptions; they perform a login operation, and listing subscriptions would require a separate command like `az account list`. Option C is wrong because the commands use `--service-principal` with a password, which bypasses MFA; MFA is only triggered for interactive user logins, not service principal authentication.

220
MCQ · medium

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to implement a solution that ensures only compliant devices can access corporate applications. Devices must be enrolled in Intune and meet compliance policies (e.g., disk encryption enabled, antivirus running). Additionally, you require that users must authenticate with multi-factor authentication (MFA) when accessing sensitive applications from non-compliant devices, even if the user is compliant. The solution must use a single policy where possible. What should you configure?

A. Create two conditional access policies: one to require device compliance for all users, and another to require MFA for sensitive applications.
B. Create a conditional access policy that blocks access from non-compliant devices, and configure MFA for all users.
C. Configure Intune compliance policies and enforce them via conditional access by requiring compliant device. For sensitive apps, add MFA requirement in the same conditional access policy.
D. Use Microsoft Entra ID Protection to enforce MFA based on risk, and Intune for device compliance.
Answer: C

A single conditional access policy can require both compliant device and MFA.

Why this answer

Option C is correct because it uses a single Conditional Access policy to enforce both device compliance (via Intune) and MFA for sensitive applications, meeting the requirement for a unified policy. Conditional Access policies can combine multiple conditions (e.g., device compliance status, application sensitivity) and grant controls (e.g., require compliant device, require MFA) in one policy, allowing granular access decisions based on device state and user authentication.

Exam trap

The trap here is that candidates assume device compliance and MFA must be in separate policies, but Conditional Access allows combining multiple grant controls in one policy; the key is understanding that the policy's conditions (like device compliance state) can trigger different grant requirements within the same policy.

How to eliminate wrong answers

Option A is wrong because it creates two separate policies, violating the requirement to use a single policy where possible, and it does not specifically tie MFA to non-compliant devices accessing sensitive apps. Option B is wrong because it blocks all non-compliant devices entirely, preventing the scenario where users on non-compliant devices can still access sensitive apps after MFA, which is explicitly required. Option D is wrong because Microsoft Entra ID Protection focuses on user and sign-in risk (e.g., leaked credentials, anonymous IP), not device compliance; it cannot enforce MFA based on device compliance status, and it does not replace the need for a Conditional Access policy to combine device compliance and MFA controls.

221
MCQ · medium

A multinational corporation uses Microsoft Entra ID. The IT department wants to allow regional IT administrators in Europe to manage users and groups only for their own region, without granting them permissions to manage users in other regions. Which Microsoft Entra ID feature should they use?

A. Conditional Access
B. Administrative Units
C. Privileged Identity Management
D. Identity Governance
Answer: B

Administrative Units allow you to define a subset of users, groups, or devices and assign administrative roles scoped only to that subset.

Why this answer

Administrative Units (AUs) in Microsoft Entra ID allow you to delegate administrative permissions scoped to a subset of users, groups, or devices. By creating an AU for the Europe region and assigning regional IT administrators to it, you restrict their management scope to only those objects within that AU, preventing them from managing users in other regions.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with scope delegation, not realizing that PIM controls when a role is activated, not where it can be applied.

How to eliminate wrong answers

Option A is wrong because Conditional Access is a policy engine that enforces access controls based on signals like user location or device state, not a mechanism for scoping administrative permissions. Option C is wrong because Privileged Identity Management (PIM) provides just-in-time role activation and approval workflows, but does not limit the scope of a role to specific users or groups; it still requires an Administrative Unit to achieve regional scoping. Option D is wrong because Identity Governance covers access reviews, entitlement management, and lifecycle workflows, but does not natively provide the granular administrative scoping that Administrative Units offer.

222
MCQ · hard

Your organization uses Microsoft Entra ID and has deployed Microsoft Entra ID Governance for entitlement management. You need to allow external partners to request access to a specific application, but only if they have a valid email address from an approved domain. Once approved, their access should automatically expire after 30 days. You also need to ensure that the partner's access is reviewed quarterly by the application owner. What should you configure?

A. Create an access package with a connected organization for the partner's domain, add the application as a resource, configure approval, set expiration to 30 days, and add a quarterly access review.
B. Create an access package with a connected organization for the partner's domain, add the application as a resource, configure approval, and set expiration to 30 days.
C. Create a dynamic group based on partner email domain and assign the application to the group with a 30-day expiration policy.
D. Add the partner as a guest user manually and assign the application directly with an expiration date.
Answer: A

Correct: This fully addresses all requirements.

Why this answer

Option A is correct because it combines all required components: a connected organization restricts access to approved partner domains, the access package includes the application as a resource, approval ensures authorization, a 30-day expiration enforces automatic access removal, and a quarterly access review satisfies ongoing compliance. Microsoft Entra ID Governance entitlement management uses access packages to bundle resources, policies, and reviews for external collaboration.

Exam trap

The trap here is that candidates often confuse access packages with simple group-based assignment or manual guest user creation, overlooking that entitlement management's connected organization and policy-driven lifecycle are required to meet domain validation, automatic expiration, and recurring review requirements simultaneously.

How to eliminate wrong answers

Option B is wrong because it omits the quarterly access review, which is explicitly required for ongoing compliance and periodic attestation by the application owner. Option C is wrong because dynamic groups do not support expiration policies or access reviews natively; they are for automatic membership based on attributes, not for time-bound external access with governance workflows. Option D is wrong because manually adding guest users and assigning applications directly bypasses entitlement management's automated approval, expiration, and review capabilities, and does not enforce domain validation or quarterly reviews.

223
MCQ · easy

Your organization uses Microsoft Entra ID to allow users to access cloud applications. You need to ensure that any sign-in from a known malicious IP address is blocked. Which feature should you configure?

A. Privileged Identity Management
B. Self-service password reset
C. Conditional Access policy with a location condition
D. Identity Protection risk policy
Answer: C

You can create a policy to block access from specific locations (IP ranges).

Why this answer

Conditional Access policies in Microsoft Entra ID allow you to enforce access controls based on conditions such as the user's location or IP address. By configuring a location condition that includes known malicious IP addresses, you can block sign-ins from those IPs. This is the correct feature because it directly evaluates the network location at sign-in time and applies a block grant control.

Exam trap

The trap here is that candidates often confuse Identity Protection risk policies (which use risk-based scoring) with Conditional Access location policies (which use explicit IP address conditions), leading them to select D instead of C.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not real-time sign-in blocking based on IP address. Option B is wrong because Self-service password reset (SSPR) allows users to reset their own passwords and does not evaluate or block sign-ins based on IP address. Option D is wrong because Identity Protection risk policies detect and respond to user or sign-in risk (e.g., leaked credentials, anonymous IP addresses) but are not designed to block a static list of known malicious IP addresses; they use risk-based scoring rather than explicit IP allow/block lists.

224
MCQ · medium

A user is locked out of their account after multiple failed sign-in attempts. You need to reduce false lockouts while maintaining security. What should you do?

A. Require MFA for all users
B. Disable account lockout
C. Enable Smart Lockout
D. Increase lockout threshold to 20 attempts
Answer: C

Smart Lockout adapts to user behavior, reducing false lockouts.

Why this answer

Smart Lockout learns normal user behavior and reduces false lockouts while still blocking password-guessing attempts. Option A is wrong because MFA doesn't prevent lockouts. Option B is wrong because disabling lockout reduces security. Option D is wrong because increasing the threshold may increase risk.

225
Multi-Select · easy

Which TWO of the following are types of identities that can be managed in Microsoft Entra ID? (Select two.)

A. Group objects
B. User identities
C. Service principal identities (application identities)
D. Policy objects
E. Device objects
Answers: B, C

Users are the primary identity type.

Why this answer

Option B is correct because user identities represent individual users who need access to resources, and they are the most fundamental identity type in Microsoft Entra ID. Option C is correct because service principal identities (application identities) are used to represent applications and automated tools, enabling them to authenticate and access resources securely.

Exam trap

The trap here is that candidates often confuse directory objects (like groups, devices, and policies) with identity principals, mistakenly thinking that any object stored in Entra ID is a type of identity that can be directly authenticated.
