
SIMULATION - You need to ensure that a user named user2-12345678 can manage the properties of the virtual machines in the RG1lod12345678 resource group. The solution must use the pri...To ensure user2-12345678 can manage the properties of virtual machines in the RG1lod12345678 resource group using the principle of least privilege, we need to assign the correct Azure role. The selected role must give user2-12345678 permission to manage the virtual machines in RG1lod12345678 without granting unnecessary permissions. Key Factors: - Principle of least privilege requires granting only the permissions necessary for the user to perform their tasks. - The user should be able to manage virtual machines within the resource group RG1lod12345678 but not have permissions for other resources outside of that resource group. - The user needs the ability to manage virtual machines' properties, which typically includes actions like starting, stopping, resizing, and configuring VMs. Analysis of Available Azure Roles for Virtual Machine Management: 1. Owner: - Owner gives full permissions to manage resources, including granting access to others, deleting resources, etc. This is over-permissioning because user2-12345678 needs only to manage virtual machines, not full access to the resource group. - Rejected because it provides excessive permissions. 2. Contributor: - The Contributor role allows managing resources within a resource group, including virtual mach... Author: Scarlett · Last updated May 18, 2026 |
SIMULATION - You need to create a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com. The new directory must contain a new user named user1@123...To complete the task of creating a new Azure Active Directory (Azure AD) directory named 12345678.onmicrosoft.com and adding a new user named [email protected], you would typically go through the process of creating a new directory and then adding a user to it. Here’s how the process works: Key Factors: 1. You need to create a new Azure AD directory with the name 12345678.onmicrosoft.com. 2. You need to create a new user in the newly created directory with the username [email protected]. Steps to Achieve This: 1. Create the new Azure AD directory: - You will create a new directory in the Azure portal with the specified name (`12345678.onmicrosoft.com`). - This process will establish a new tenant where your users and resources will be managed. 2. Create the new user in the directory: - After the directory is created, you will add a user to it with the user name [email protected]. Analysis of the Process: 1. Option: Create a new directory: - This option would involve using the Azure portal to create a new directory. You can specify the name of the new directory as `12345678.onmicros... Author: Carlos Garcia · Last updated May 18, 2026 |
HOTSPOT - You have an Azure subscription that contains a resource group named RG1. RG1 contains a storage account named storage1. You have two custom Azure roles named Role1 and Role2 that are scoped to RG1. The permissions for Role1 are shown in the following JSON code. The permissions for Role2 are shown in the following JSON code. You assign the roles to the users shown in the follow...Author: Andrew · Last updated May 18, 2026 |
You have an Azure subscription that contains a storage account named storage1 and two web apps named app1 and app2. Both apps will write data to storage1. You need to ensure t...To ensure that each web app (app1 and app2) can only read the data that it has written to the Azure Storage account (storage1), you need to consider solutions that allow for secure, identity-based access control, where each app can only access its specific data and not the other app's data. Let's evaluate each option: Option A: Provide each app with a system-assigned identity and configure storage1 to use Azure AD User account authentication. - Reasoning: Azure AD authentication provides a way to securely authenticate the apps using their own managed identities. By providing a system-assigned identity to each app, you can configure Azure AD-based permissions (using role-based access control or RBAC) to ensure that each app only has access to its specific data. Azure AD can enforce access control on individual data based on the identities of the apps. - Why it's selected: This option is ideal because it supports fine-grained access control through RBAC. Each app can be granted permissions to read and write only to its own data, and this can be done securely through Azure AD authentication. You can assign different permissions (such as `Storage Blob Data Contributor` or `Storage Blob Data Reader`) to each app, ensuring that each can only access its own data. Option B: Provide each app with a separate Storage account key and configure the app to send the key with each request. - Reasoning: Storage account keys are shared secrets that provide full access to all data within the storage account. While this would allow each app to read/write to the storage account, it doesn't allow you to enforce separation between the data written by app1 and app2. Both apps would have full access to all data within the storage account. - Why it's rejected: Using shared keys does not provide granular access control to the data each app writes. Both apps would have access to all the data in the storage account, which is not what you want. The requirement is to ensure tha... Author: VioletCheetah55 · Last updated May 18, 2026 |
You have an Azure subscription that contains an Azure Files share named share1 and a user named User1. Identity-based authentication is configured for share1. User1 attempts to access share1 from a Windows 1...When a user attempts to access an Azure Files share that is configured with identity-based authentication, the authentication mechanism needs to be determined based on how the authentication is set up and how the user is accessing the share. Option A: OAuth 2.0 - Reasoning: OAuth 2.0 is a framework used for authorization and is typically used for token-based authorization between services (e.g., APIs). It is not commonly used for SMB (Server Message Block) authentication in the context of Azure Files. - Why it's rejected: OAuth 2.0 is typically used for scenarios involving web applications or services that need to access APIs, not for SMB file share access. SMB authentication in Azure Files doesn't use OAuth 2.0 for token-based access. Option B: JSON Web Token (JWT) - Reasoning: JWT is commonly used in scenarios where authentication tokens need to be exchanged between services or applications, such as in OAuth and OpenID Connect scenarios. However, for Azure Files access using SMB, JWT is not used to directly authenticate the user accessing the file share. - Why it's rejected: While JWT is widely used for API-based authentication, it is not the correct token type for authenticating SMB-based access to Azure Files. SMB authentication with Azure Files typically uses Windows-integrated authentication mechanisms. Option C: SAML - Reasoning: SAML (Security Assertion Markup Language) is typically used for ... Author: StarlightBear · Last updated May 18, 2026 |
DRAG DROP - You have an Azure subscription. You plan to create two custom roles named Role1 and Role2. The custom roles will be used to perform the following tasks: * Members of Role1 will manage application security groups. * Members of Role2 will manage Azure Bastion. You need to add permissions to the custom roles. Which resource provider should you use for each role? To answer, drag the appropriate resource providers to the correct ro...Author: Aarav2020 · Last updated May 18, 2026 |
You have an Azure subscription linked to an Azure Active Directory Premium Plan 1 tenant. You plan to implement Azure Active Directory (Azure AD) Identity Protection. You need to ensure that you c...To implement Azure Active Directory (Azure AD) Identity Protection and configure user risk policies and sign-in risk policies, you need to understand the features provided by different Azure AD license plans and how Azure AD Identity Protection works. Option A: Purchase Azure Active Directory Premium Plan 2 licenses for all users. - Reasoning: Azure AD Premium Plan 1 (which you already have) provides access to basic Identity Protection features like configuring sign-in risk policies but does not include the ability to configure user risk policies or enable certain advanced security capabilities, such as risk-based conditional access. - Why it's selected: To configure both user risk policies and sign-in risk policies with Azure AD Identity Protection, Azure AD Premium Plan 2 is required. Plan 2 offers advanced Identity Protection features, which allow both user risk policies and sign-in risk policies to be configured. - Why other options are rejected: While this option might be necessary (Plan 2), it is the most appropriate first step because you cannot configure these policies under Plan 1. Option B: Register all users for Azure Multi-Factor Authentication (MFA). - Reasoning: Azure Multi-Factor Authentication (MFA) is a separate security feature that adds an additional layer of verification during the authentication process. While MFA is a best practice and integrates with Azure AD Identity Protection for applying risk-based conditional access policies, registering users for MFA is not a requirement for configuring user risk policies or sign-in risk policies. - Why it's rejected: While MFA enhances security and is sometimes used in conjunction with risk-based policies, it ... Author: Emma Brown · Last updated May 18, 2026 |
HOTSPOT - You have an Azure subscription that contains the resources shown in the following table. You perform the following tasks: * Create a managed identity named Managed1. * Create a Microsoft 365 group named Group1. * Register an enterprise application named App1. * Enable a system-assigned managed identity for VM1. You need to identify which service principals were created and which identities c...Author: Jack · Last updated May 18, 2026 |
HOTSPOT - You have an Azure Active Directory tenant that syncs with an Active Directory Domain Services (AD DS) domain. You plan to create an Azure file share that will contain folders and files. Which identity store can you use to assign permissions to the Azure file share and folders wi...Author: Carlos Garcia · Last updated May 18, 2026 |
You have an Azure subscription. You plan to deploy a new Conditional Access policy named CAPolicy1. You need to use the What if tool to evaluate how CAPolicy1 will affect users. The solution must minimize the impac...When deploying a new Conditional Access policy in Azure, using the What if tool is a great way to simulate how the policy will affect users before enforcing it. The key here is to ensure that CAPolicy1 is evaluated in a way that minimizes the impact on users during the testing phase. Option A: Off - Reasoning: If the policy is set to Off, it will not be applied to any users, and it will not affect any user’s experience, even during evaluation with the What If tool. - Why it's rejected: Setting the policy to Off means that the policy will not be evaluated in real scenarios, and you won’t be able to see the effects or potential issues it could cause. The What If tool will not show any evaluation of how the policy will impact users in practice if the policy is turned off. Option B: On - Reasoning: Setting the policy to On means that the policy will be fully enforced, and users will be subject to it as soon as it is applied. While this is the desired setting when you are ready to apply the policy, it is not the best option during evaluation with the What If tool, because it could lead to unexpected disruptions or impacts on users. - Why it's rejected: Applying the policy while it is set to On could ... Author: Arjun · Last updated May 18, 2026 |
You have an Azure Active Directory (Azure AD) tenant that contains 500 users and an administrative unit named AU1. From the Azure Active Directory admin center, you plan to add the users to AU1 by using Bulk add members. ...When adding users in bulk to an Azure Active Directory (Azure AD) administrative unit (AU1), you need to create a file that contains specific information about the users to ensure the process is executed correctly. Let's evaluate each option in the context of the Bulk add members process: Option A: Only the display name of each user - Reasoning: The display name is typically used for identifying users but cannot be used as the unique identifier for bulk adding users. Display names are not guaranteed to be unique within Azure AD, meaning there could be conflicts when attempting to bulk add users based on just display names. - Why it's rejected: Since the display name is not unique, it cannot be used by itself for bulk adding users to an administrative unit. The system needs a unique identifier like UPN or Object ID to ensure proper user assignment. Option B: Only the user principal name (UPN) of each user - Reasoning: The UPN (User Principal Name), which is typically the user's email address in Azure AD, is a unique identifier for each user. It is often used to identify and manage users in Azure AD. - Why it's selected: The UPN is the correct identifier to use when adding users in bulk to an administrative unit. Each user has a unique UPN, which makes it an ideal choice for this task. In bulk operations, the UPN ensures the correct user is added to the administrative unit without ambiguity. Option C: Only the user principal name (UPN) and display name of each user - Reasoning: While the UPN is the correct identifier for adding users, the display name is not necessary in this case. Including both the UPN and ... Author: Joseph · Last updated May 18, 2026 |
HOTSPOT - You have the role assignments shown in the following exhibit. Use the drop-down menus to select the answer choice that completes each statement based on the informat...Author: Noah · Last updated May 18, 2026 |
You have an Azure subscription that contains a user named User1. You need to ensure that User1 can create managed identities. The solution mu...To ensure that User1 can create managed identities while adhering to the principle of least privilege, we need to assign User1 the appropriate role that grants the minimum permissions necessary for creating managed identities. Let's evaluate each option: Option A: Create a management group and assign User1 the Hybrid Identity Administrator Azure Active Directory (Azure AD) role. - Reasoning: The Hybrid Identity Administrator role is primarily used to manage hybrid identity configurations (for example, integration with on-premises Active Directory). This role allows users to manage aspects of identity synchronization between on-premises and Azure AD. - Why it's rejected: This role does not grant permissions specifically related to creating managed identities, and it provides broader access than necessary for the task at hand. It is not focused on managed identities, and thus, it violates the principle of least privilege. Option B: Create a management group and assign User1 the Managed Identity Operator role. - Reasoning: The Managed Identity Operator role grants permissions to manage the lifecycle of managed identities, including creating and assigning them to resources. This role provides the necessary permissions for User1 to create managed identities, but it might be too broad depending on the specific task (for example, if you only want to grant the ability to create managed identities but not to assign them or manage them more broadly). - Why it's rejected: While the Managed Identity Operator role would technically work for creating managed identities, it grants more permissions than necessa... Author: Kai · Last updated May 18, 2026 |
HOTSPOT - You have an Azure subscription that contains a resource group named RG1. RG1 contains a virtual machine named VM1 that uses Azure Active Directory (Azure AD) authentication. You have two custom Azure roles named Role1 and Role2 that are scoped to RG1. The permissions for Role1 are shown in the following JSON code. The permissions for Role2 are shown in the following JSON code. You assign the roles to the u...Author: Liam123 · Last updated May 18, 2026 |
DRAG DROP - You have an Azure subscription that contains the resources shown in the following table. You plan to perform the following actions: * Deploy a new app named App1 that will require access to Vault1. * Configure a shared identity for VM1 and VM2 to access st1. You need to configure identities for each requirement. The solution must minimize administrative effort. Which type of identity should you configure for each requirement? To answer, drag the appropriate identity types to ...Author: Noah · Last updated May 18, 2026 |
You have an Azure AD tenant. The tenant contains users that are assigned Azure AD Premium P2 licenses. You have a partner company that has a domain named fabrikam.com. The fabrikam.com domain contains a user named User1. User1 has an email address of [email protected] You need to provide User1 with access to the resources in the tenant. The solution must meet the following requirements: * User1 must be able to sign in...To provide User1 from the fabrikam.com domain access to resources in the Azure AD tenant while ensuring the requirements are met, let's evaluate the available options based on the provided constraints: Option A: Create a user account for User1. - Reasoning: Creating a user account for User1 in the Azure AD tenant would allow access to resources, but this would mean you are creating a new account for User1 in your tenant. The challenge here is that User1 needs to sign in using their [email protected] credentials, and creating a local user in your Azure AD tenant would not allow them to use those credentials directly. Instead, User1 would have to remember new credentials. - Why it's rejected: This option would involve unnecessary administrative effort, as it would require you to create and manage a local account for User1. The goal is to minimize administrative effort and allow User1 to sign in using their existing credentials. Option B: Add fabrikam.com as a custom domain to the tenant. - Reasoning: Adding fabrikam.com as a custom domain to your Azure AD tenant would allow users from fabrikam.com to authenticate with their own email addresses. However, this does not automatically grant User1 access to your tenant’s resources. You would still need to manually create a user account or invite User1. - Why it's rejected: While adding the domain makes it possible for users from fabrikam.com to be recognized by your tenant, it doesn't solve the problem of granting User1 access to resources with minimal administrative effort. You would still need to take further steps like creating or inviting the user, which doesn't fully meet the requirement for minimized administrative effort. Option C: Create an invite for User1. - Reasoning: Inviting User1 as a guest... Author: Noah · Last updated May 18, 2026 |
You have an Azure AD tenant that contains the identities shown in the following table. You plan to implement Azure AD Identity Protection. Wh...To answer this question, we need to understand the limitations and capabilities of Azure AD Identity Protection for user risk policies. Overview of User Risk Policies in Azure AD Identity Protection: Azure AD Identity Protection allows administrators to define user risk policies based on different levels of user behavior or incidents that may indicate suspicious activity. User risk policies are designed to help protect against compromised accounts by enforcing conditional access or remediation actions like requiring password changes or MFA. Maximum Number of User Risk Policies: The number of user risk policies you can configure is based on the Azure AD license you have. Since the question does not specify the exact Azure AD license, we'll base the analysis on the Azure AD Premium P2 plan (as Azure AD Premium P2 provides advanced security features like Identity Protection). For Azure AD Premium P2, the maximum number of user risk policies that can be configured is ... Author: Ahmed97 · Last updated May 18, 2026 |
You have an Azure subscription that contains a resource group named RG1 and the identities shown in the following table. You assign Group4 the Contributo...To answer this question, we need to understand the Azure role-based access control (RBAC) model and how group memberships and permissions interact in Azure. Key Points: - Azure RBAC roles (such as Contributor) define what users or groups can do with resources in Azure, but group memberships can also influence what actions a group can perform. - Contributor role: This role allows members to manage resources within a resource group (RG1 in this case) but not manage access (i.e., roles or permissions). - Groups: Groups in Azure AD can be assigned roles just like individual users. The permission of a group is a union of the permissions granted to its members. Analyzing the Options: The Group4 has been assigned the Contributor role on RG1, meaning that Group4 can manage resources in RG1 (e.g., creating, modifying, and deleting resources in RG1). However, we need to determine which identities can be added as members of Group4. Let's evaluate each option: Option A: User1 only - Reasoning: If Group4 is assigned the Contributor role for RG1, User1 (assuming User1 is a regular user and not assigned conflicting roles elsewhere) can be added as a member. However, the scenario in the table suggests that the group might involve multiple identities (groups or users). Limiting it to User1 only seems restrictive and not aligned with the flexibility of adding multiple members, including other groups. - Why it's rejected: This is too limiting because the question asks about the potential to add more than one member. You can likely add more members, especially other groups. Option B: User1 and Group3 only - Reasoning: Group3 may already have appropriate permissions, and adding User1 and Group3 would grant the ability to manage RG1’s resources. However, this still excludes potentially relevant groups like Group1 and Group2. If these groups have appropriate permissions or access, they should be considered as well. - Why it's rejected: This option restricts the poten... Author: Nathan · Last updated May 18, 2026 |
HOTSPOT - You have an Azure subscription that contains a storage account named contoso2023. You need to perform the following tasks: * Verify that identity-based authentication over SMB is enabled. * Only grant users access to contoso2023 in the year 2023. Which two settings shou...Author: Ahmed · Last updated May 18, 2026 |
You have an Azure subscription that is linked to an Azure AD tenant and contains the resources shown in the following table. Whi...To determine which resources can be assigned the Contributor role for VM1, we need to evaluate how Azure roles (like Contributor) apply to different types of resources. The Contributor role allows users to manage resources, including creating, modifying, and deleting, but without granting access to manage access control (permissions or roles) on resources. Analyzing the options: - VM1: Since VM1 is the virtual machine, we cannot assign the Contributor role to VM1 itself because it is the resource being managed. The Contributor role would be assigned to a user, group, or service principal to manage the resource, not the resource itself. - Managed1: Managed1 is likely a managed identity or a managed resource, which can indeed be assigned roles, including the Contributor role. If it is a service principal or a managed identity, it can be assigned the Contributor role for VM1 to manage the VM's settings or other related resources. - App1: App1 could be a web app, and apps can also be assigned the Contributor role to allow them to manage resources in Azure. However, App1 must have the appropriate permissions and scope to manage VM1 or its related resources. - Group1: Group1 is a group, which can be assigned Azure roles, such as the Contributor role, to manage resources within a subscription or resource group, including VM1. If Group1 has been granted the Contributor role on VM1, it would have the necessary permissions. - VM2: VM2 is another virtual machine. Virtual machines themselves cannot be assigned the Contributor role for other VMs (like VM1), because the Contributor role is granted to entities (like users, groups, or managed identities), not resources like VMs. Let's evaluate the options: Option A: Managed1 and App1 only - Reasoning: Managed1 (if it is a managed identity or service principal) can be assigned the Contributor role to manage VM1. App1 could potentially also be assigned the Contributor role if ... Author: Aria · Last updated May 18, 2026 |
DRAG DROP - You have an Azure AD tenant that contains the users shown in the following table. You enable passwordless authentication for the tenant. Which authentication method can each user use for passwordless authentication? To answer, drag the appropriate authentication methods to the correct users. Each authentication method may be used once, m...Author: FlamePhoenix2025 · Last updated May 18, 2026 |
DRAG DROP - You have an Azure AD tenant and an application named App1. You need to ensure that App1 can use Microsoft Entra Verified ID to verify credentials. Which three actions should you perform in sequence? To answer, move the...Author: Ming88 · Last updated May 18, 2026 |
DRAG DROP - You have an Azure subscription that contains an Azure web app named App1. You plan to configure a Conditional Access policy for App1. The solution must meet the following requirements: * Only allow access to App1 from Windows devices. * Only allow devices that are marked as compliant to access App1. Which Conditional Access policy settings should you configure? To answer, drag the appropriate settings to the correct requirem...Author: Olivia · Last updated May 18, 2026 |
You have an Azure subscription that contains a web app named App1. Users must be able to select between a Google identity or a Microsoft identity when authenticating to App1. You need to add Google as an identity provider in Azure AD. Which two pieces of information shou...To add Google as an identity provider in Azure AD for your web app (App1), you need to configure specific information related to the authentication process. Let's go over the options: A) Client ID This is required because Google provides a unique Client ID when you register your app in Google Developer Console. This ID is used by Azure AD to identify the Google identity provider and integrate it into the authentication process. B) Tenant Name This is not required in this scenario. The tenant name is typically used in Azure AD when configuring your own directory settings, but adding a third-party identity provider like Google does not require specifying the tenant name. The identity provider setup is linked to the Azure AD tenant, but the name of the tenant itself isn't part of the configuration for external identity providers. C) The Endpoint URL of an Application This is incorrect for adding Google as an identity provider in Azure AD. You do need an endpoint URL for the authentication service (like Google’s OAuth endpoint), but this is automatically handled behind the scenes in the integration... Author: Lucas Carter · Last updated May 18, 2026 |
You have an Azure subscription that contains a user named User1. You need to ensure that User1 can perform the following tasks: * Create groups. * Create access reviews for role-assignable groups. * Assign Azure AD roles to group...To determine the appropriate Azure role for User1, let's evaluate the tasks required: Tasks to be performed by User1: 1. Create groups 2. Create access reviews for role-assignable groups 3. Assign Azure AD roles to groups The principle of least privilege means giving User1 the minimum set of permissions necessary to perform the required tasks without granting excessive rights. A) Groups Administrator This role allows creating and managing groups in Azure AD. However, it doesn't provide permissions to create access reviews for role-assignable groups or assign Azure AD roles to groups. The Groups Administrator role is limited to group management tasks, making it insufficient for all of User1's required tasks. B) Authentication Administrator This role is primarily concerned with managing authentication-related settings, such as configuring multi-factor authentication (MFA) or managing identity providers. It doesn't grant permissions to create groups, manage role assignments, or create access reviews. Therefore, it does not meet the requirements for User1’s tasks. C) Identity Governance Administrator This role is highly relevant because it specifically covers tasks related to ac... Author: Amira · Last updated May 18, 2026 |
SIMULATION - You need to ensure that a user named user2-28681041 can manage the properties of the virtual machines in the RG1lod28681041 resource group. The solution must use the pri...To ensure User2-28681041 can manage the properties of virtual machines (VMs) in the RG1lod28681041 resource group while adhering to the principle of least privilege, the following options should be considered: Key Requirements: 1. User2-28681041 needs to manage virtual machine properties in a specific resource group, RG1lod28681041. 2. The principle of least privilege means providing the minimum necessary permissions to manage virtual machine properties. Azure Role Options: 1. Virtual Machine Contributor - This is the most appropriate role for the task. The Virtual Machine Contributor role allows managing virtual machines, including the ability to start, stop, and modify VM properties, but does not allow access to other Azure resources outside of virtual machines. - This role aligns perfectly with the requirement to manage the properties of virtual machines in a specific resource group. 2. Contributor - The Contributor role grants broad permissions, allowing full management of all resources in a resource group. While it will allow the user to manage virtual machine properties, it also grants unnecess... Author: Emily · Last updated May 18, 2026 |
SIMULATION - You need to create a new Azure AD directory named 28681041.onmicrosoft.com. The new directory must contain a new user named [email protected]...To create a new Azure AD directory named 28681041.onmicrosoft.com and add a user [email protected], we need to follow a process in the Azure portal that will ensure both the directory is created and the user is added. Below is the analysis of the possible options. Key Requirements: 1. Create a new Azure AD directory with the name 28681041.onmicrosoft.com. 2. Add a new user named [email protected] within this directory. Options to Consider: 1. Create a New Directory in Azure AD - This option involves creating a new Azure AD tenant. After signing in to the Azure portal, you can go to the Azure Active Directory section and click on Create a directory. - During the process, you'll specify the directory name as 28681041.onmicrosoft.com. - This is the correct action because it directly enables the creation of a new directory with the required name. - Once the directory is created, you can add a new user (user1) by navigating to the Users section in the new directory and creating the user [email protected]. 2. Add a New User in an Existing Directory - If an existing Azure AD directory is available and the goal is to add the user [email protected] to an existing directory, you can simply go to the User... Author: Victoria · Last updated May 18, 2026 |
HOTSPOT - You have an Azure subscription that contains a user named Admin1 and an Azure key vault named Vault1. You plan to implement Microsoft Entra Verified ID. You need to create an access policy to ensure that Admin1 has permissions to Vault1 that support the implementation of the Verified ID service. The solution must use the principle of least privilege. Wh...Author: Stella · Last updated May 18, 2026 |
You have an Azure AD tenant that contains three users named User1, User2, and User3. You configure Azure AD Password Protection as shown in the following exhibit. The users perform the following tasks: * User1 attempts to reset her password to C0nt0s0. * User2 attempts to re...To determine which password reset attempts fail, we need to assess the password strength and requirements based on Azure AD Password Protection policies, particularly considering factors like password complexity rules (e.g., banned password lists, minimum length, and character set). Let's break down the three password reset attempts: 1. User1 attempts to reset her password to C0nt0s0: - This password contains both uppercase and lowercase letters, as well as numbers, which meets the general complexity requirement. - However, "C0nt0s0" is likely to fail because it contains a "weak" or "banned" word ("Contoso"), which is common in many password lists (especially enterprise environments). Azure AD Password Protection typically enforces a rule against easily guessable or commonly used passwords, which often include terms like company names or product names. 2. User2 attempts to reset her password to F@brikamHQ: - This password also meets the general complexity requirements (uppercase, lowercase, numbers, an... Author: Krishna · Last updated May 18, 2026 |
You have an Azure subscription that uses Azure AD Privileged Identity Management (PIM). A user named User1 is eligible for the Billing administrator role. You need to ensure th...To meet the requirement of ensuring that the Billing administrator role can only be used for a maximum of two hours, we need to configure the role activation settings in Azure AD Privileged Identity Management (PIM). Azure PIM provides the ability to control how long a role can be activated once a user requests activation. Let's evaluate the options: 1. A) Create a new access review: - Access reviews in Azure AD PIM are used to periodically review and validate user role assignments. This is useful for ensuring that users still need a role and that the role assignments are correct. However, it does not limit the activation time for roles. Therefore, this option is not appropriate for the given scenario. 2. B) Edit the role assignment settings: - The role assignment settings control the eligibility of a user for a specific role but do not control the activation time. This setting allows a user to be assigned a role or be eligible for a role, but it doesn't specify how long the role ca... Author: Lina Zhang · Last updated May 18, 2026 |
HOTSPOT - You have an Azure subscription that contains a user named User1 and a storage account named storage1. The storage1 account contains the resources shown in the following table. User1 is assigned the following roles for storage1: * Storage Blob Data Reader * Storage Table Data Contributor * Storage File Data SMB Share Reader In storage1, you create a shared acce...Author: GlowingTiger · Last updated May 18, 2026 |
You have an Azure subscription that contains a user named User1 and a storage account that hosts a blob container named blob1. You need to grant User1 access to blob1. The soluti...To grant User1 access to the blob container (blob1) and ensure that the access expires after six days, we need a solution that allows setting an expiration date on the access. Let's evaluate the available options: 1. A) A shared access signature (SAS): - Shared Access Signature (SAS) allows for granting access to specific resources in a storage account (such as a blob container) for a limited time. You can specify both the permissions (read, write, etc.) and the expiration time for the SAS token. This would be the ideal solution for your scenario because you can set the SAS token to expire exactly after six days. - Why it's selected: The SAS token is flexible, supports fine-grained permissions, and allows you to set an expiration time, directly meeting the requirement to expire after six days. 2. B) Role-based access control (RBAC): - Role-based access control (RBAC) is used to assign roles to users or groups in Azure, giving them access to Azure resources. However, RBAC doesn't provide an expiration mechanism on role assignments out of the box. While you can assign roles such as Storage Blob Data Reader to User1, this access is not time-bound and would persist unless manually removed. - Why it's rejected: RBAC does not support automatic expiration of the access. It requires manual intervention to revoke or remove access, which doesn’t meet the requirement to automatically expire after six days. 3. ... Author: Jack · Last updated May 18, 2026 |
You have an Azure subscription linked to an Azure AD tenant named contoso.com. Contoso.com contains a user named User1 and an Azure web app named App1. You plan to enable User1 to perform the following tasks: * Configure contoso.com to use Microsoft Entra Verified ID. * Register App1 in contoso.com. You need to identify which roles to assign to User1. The solution must use the pri...To allow User1 to perform the specified tasks with the principle of least privilege in mind, we need to carefully assess which roles grant the necessary permissions while minimizing unnecessary access. Let's break down the two tasks User1 needs to perform: Tasks for User1: 1. Configure contoso.com to use Microsoft Entra Verified ID. - Microsoft Entra Verified ID is a feature that requires administrative control over authentication and identity settings. The role responsible for managing authentication policies is key to enabling features like Microsoft Entra Verified ID. 2. Register App1 in contoso.com. - To register an application, you need the ability to create and configure apps in Azure AD. Now, let's evaluate the available roles: 1. A) Authentication Policy Administrator: - Authentication Policy Administrator has permissions to manage authentication policies in Azure AD, which includes configuring and enabling features like Microsoft Entra Verified ID. This role fits the requirement to configure contoso.com to use Microsoft Entra Verified ID. - Why it's selected: This role directly enables User1 to configure the Microsoft Entra Verified ID service, which is part of the task of configuring authentication policies. 2. B) Authentication Administrator: - Authentication Administrator has broader permissions than the Authentication Policy Administrator. This role allows managing all authentication-related settings, including configuring multifactor authentication (MFA), password policies, and verification methods. While this role could technically enable User1 to configure Microsoft Entra Verified ID, it's more privileged than necessary for this task. - Why it's rejected: Since the task ... Author: RadiantJaguar56 · Last updated May 18, 2026 |
You have an Azure AD tenant. You plan to implement an authentication solution to meet the following requirements: * Require number matching. * Display the geographical location wh...To meet the requirements of number matching and displaying the geographical location when signing in, we need to consider authentication methods that align with these features. Let’s evaluate each option: A) Microsoft Authenticator - Number matching: The Microsoft Authenticator app supports number matching, which requires users to input a number shown on the screen in the app during sign-in. This feature enhances security by ensuring the user is in control of the authentication process. - Geographical location: The Microsoft Authenticator can provide additional details during sign-in, including the geographical location of the device, provided location services are enabled. This option fits both requirements. It can provide number matching, and the location is generally displayed during the sign-in process when using the app. B) FIDO2 security key - Number matching: FIDO2 security keys are hardware-based and do not natively support number matching. They are more focused on passwordless authentication, using biometric verification or PIN codes to access the key. - Geographical location: FIDO2 security keys typically don’t display geographical information during sign-in. They are focused on strong authentication but not on location tracking. This method is secure but does not meet the number ... Author: Emma · Last updated May 18, 2026 |
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. You plan to implement single sign-on (SSO) for Azure AD resources. You need to configure an Intranet Zon...To configure a setting for Single Sign-On (SSO) for Azure AD resources through Group Policy Object (GPO), you need to ensure that the users can seamlessly authenticate without additional prompts when accessing Azure AD services. In this case, we need to focus on a setting that allows users to access data across different domains, as they would typically be interacting with resources both on-premises (via Active Directory) and in Azure AD. A) Logon options - This setting typically controls how users log in to their machines, such as specifying the type of credentials they must use or whether smart cards are required. It does not directly impact the ability to configure a zone setting for accessing resources across domains, nor does it specifically facilitate Single Sign-On for Azure AD resources. B) Allow updates to status bar via script - This setting is related to allowing scripts to update the status bar in Internet Explorer (IE) and is typically used for browser-related functionality. This setting does not relate to configuring a Group Policy for Single Sign-On (SSO) or accessing resources across domains in the context of Active Directory and Azure AD. C) Allow active scripting - This setting pertains to the ability to execute active scripts in In... Author: Maya2022 · Last updated May 18, 2026 |
HOTSPOT - You have an Azure AD tenant that contains the groups shown in the following table. You assign licenses to the groups as shown in the following table. On May 1, you delete Group1, Group2, and Group3. For each of the following statemen...Author: Ethan Smith · Last updated May 18, 2026 |
You have an Azure AD tenant. You need to ensure that users cannot create passwords containing a variation of...To prevent users from creating passwords containing a variation of the word "contoso" in your Azure AD tenant, you need to configure a policy that can enforce password complexity rules, including banning specific words or patterns. Let’s evaluate each option based on this requirement. A) Microsoft Entra Verified ID - Explanation: Microsoft Entra Verified ID is used for decentralized identity management and credential verification. It’s designed for scenarios where users need to present verifiable credentials from trusted issuers (e.g., for external identity systems). - Why rejected: This option is unrelated to password policies or restrictions on specific word usage in passwords. It's more about managing decentralized identities rather than controlling password creation. B) Microsoft Entra Identity Governance - Explanation: Microsoft Entra Identity Governance is designed for managing the lifecycle of identities and ensuring that users have appropriate access to resources within the organization. It provides tools for access reviews, entitlement management, and identity lifecycle management. - Why rejected: While important for managing user access and permissions, this service doesn't specifically deal with password complexity rules or restrictions on certain words like "contoso." C) Azure AD Privileged Identity Management (PIM) - Explanation: Azure AD Privileged Identity Management is a service that helps manage, control, and monitor access within Azure AD. It focuses on elevating and controlling privileges for administrative users. - W... Author: Harper · Last updated May 18, 2026 |
HOTSPOT - You have a Microsoft Entra tenant that contains the users shown in the following table. You configure the Temporary Access Pass settings as shown in the following exhibit. You add the Temporary Access Pass authentication method to Admin2. For each of the follow...Author: Michael · Last updated May 18, 2026 |
HOTSPOT - Your network contains an on-premises Active Directory domain named adatum.com that syncs to a Microsoft Entra tenant. The Microsoft Entra tenant contains the users shown in the following table. You configure the Microsoft Entra Password Protection settings for adatum.com as shown in the following exhibit. Fo...Author: Kai · Last updated May 18, 2026 |
HOTSPOT - You have a Microsoft Entra tenant that contains the users shown in the following table. From Microsoft Entra Privileged Identity Management (PIM), you configure the settings for the Security Administrator role as shown in the following exhibit. From PIM, you assign the Security Administrator role to the following groups: * Group1: Active assignment type, permanently assigned * Group2: Eligible ass...Author: Lina Zhang · Last updated May 18, 2026 |
DRAG DROP - You have an Azure subscription that contains an Azure web app named App1. You plan to configure a Conditional Access policy for App1. The solution must meet the following requirements: * Only allow access to App1 from Windows devices. * Only allow devices that are marked as compliant to access App1. Which Conditional Access policy settings should you configure? To answer, drag the appropriate settings to the correct requirem...Author: Ethan · Last updated May 18, 2026 |
HOTSPOT - Your network contains an on-premises Active Directory domain that syncs to a Microsoft Entra tenant. The tenant contains the users shown in the following table. The tenant contains the groups shown in the following table. You configure a multi-factor authentication (MFA) registration policy that has the following settings: * Assignments: o Include: Group1 o Exclude: Group2 * Controls: Require Azure MF...Author: Emma · Last updated May 18, 2026 |
You have a Microsoft Entra tenant named contoso.com. You plan to collaborate with a partner organization that has a Microsoft Entra tenant named fabrikam.com. Fabrikam.com uses the following identity providers: * Google Cloud Platform (GCP) * Microsoft accounts * Microsoft Entra ID You ...To configure Cross-Tenant (B2B) collaboration for your Microsoft Entra tenant, you need to understand which identity providers can support B2B collaboration access. This involves determining which identity providers are supported by Microsoft Entra for B2B partnerships. A) Microsoft Entra ID only - Explanation: Microsoft Entra ID (formerly Azure Active Directory) is the primary identity provider for B2B collaboration in Microsoft Entra. It allows seamless collaboration between different organizations by enabling users from external Microsoft Entra tenants to access resources in your tenant. - Why rejected: While Microsoft Entra ID is crucial for cross-tenant access, this option is too restrictive because it does not include other identity providers, such as Google Cloud Platform (GCP) or Microsoft accounts, which may also be used for collaboration in a B2B context. B) GCP and Microsoft Entra ID only - Explanation: Google Cloud Platform (GCP) users can be included in a B2B collaboration scenario if GCP is federated with Microsoft Entra. In this case, users in GCP can access Microsoft Entra resources via a federated identity. Microsoft Entra ID is also supported, as mentioned above. - Why rejected: This option omits Microsoft accounts, which are also supported as identity providers for B2B collaboration. Limiting access to only GCP and Microsoft Entra ID excludes a key provider. C) Microsoft accounts and Microsoft Entra ID only - Explanation: Microsoft ... Author: Emma · Last updated May 18, 2026 |
You have a Microsoft Entra tenant named contoso.com. You have a partner company that has a Microsoft Entra tenant named fabrikam.com. You need to ensure that when a user in fabrikam.com attempts to access the resources in contoso.com, the user only receives a single Microsoft...To solve the problem, the goal is to allow users in the fabrikam.com tenant to access resources in the contoso.com tenant with a single Microsoft Entra Multi-Factor Authentication (MFA) prompt. This means we need to ensure that authentication is streamlined, and the user is only prompted for MFA once when accessing resources across both tenants. Let's examine the options: Option A: From the Azure portal of contoso.com, configure the inbound access default settings. - Reason for rejection: Inbound access settings in contoso.com are typically used for managing access for external users (such as fabrikam.com users) into contoso.com resources. However, this does not directly handle the MFA experience across both tenants. MFA is part of authentication and access policies, which isn't solved by just configuring inbound access. Option B: From the Azure portal of contoso.com, configure the External collaboration settings. - Reason for rejection: External collaboration settings in contoso.com are used to manage how external users (like fabrikam.com users) can collaborate with contoso.com resources. While these settings help manage sharing and permissions, they do not specifically address the issue of single MFA prompts for users in a cross-tenant scenario. O... Author: John · Last updated May 18, 2026 |
DRAG DROP - You have a Microsoft Entra tenant. On January 1, you configure a multi-factor authentication (MFA) registration policy that has the following settings: * Assignments: All users * Require Microsoft Entra ID multifactor authentication registration: Enabled * Enforce policy: On On January 3, you create two new users named User1 and User2. On January 5, User1 authenticates to Microsoft Entra ID for the first time. On January 7, User2 authenticates to Microsoft Entra ID for the first time. On which date will User1 and User2 be forced to register for ...Author: Aarav · Last updated May 18, 2026 |
HOTSPOT - You have a Microsoft Entra tenant that contains the groups shown in the following table. From the Azure portal, you configure a group expiration policy that has a lifetime of 180 days. Which groups will be deleted after 180 days of inactivity, and what is the maximum amount of time you have to ...Author: Andrew · Last updated May 18, 2026 |
You have a Microsoft Entra tenant that uses Microsoft Entra Permissions Management and contains the accounts shown in the following table: Which accounts will be listed as assigned to highly pr...To determine which accounts are listed as assigned to highly privileged roles on the Azure AD Insights tab in the Entra Permissions Management portal, we need to understand the concept of highly privileged roles in the context of Microsoft Entra Permissions Management. Key Concepts: - Highly privileged roles are those roles that provide significant administrative control over the Azure Active Directory (Azure AD) environment or other critical resources. Examples include Global Administrator, Privileged Role Administrator, and Security Administrator. - The Azure AD Insights tab in the Entra Permissions Management portal lists users with highly privileged roles assigned, which typically includes high-level admin roles such as Global Administrator, Privileged Role Administrator, and similar roles. Account Analysis: Based on the available options and assuming we have information on the role assignments for the following accounts (Admin1, Admin2, Admin3, and Admin4), we would focus on identifying whether any of the users are assigned a highly privileged role, as described. Option Analysis: - Option A: Admin1 only - Reason for rejection: If Admin1 is the only user with a highly privileged role, then no other accounts would be listed. However, there is likely more than just Admin1 in the scenario that fits the criteria for highly privileged roles. - Option B: Admin2 and Admin3 only - Reason for rejection: This o... Author: Olivia Johnson · Last updated May 18, 2026 |
HOTSPOT - You have a Microsoft Entra tenant that contains the user shown in the following table. You configure a Conditional Access policy that has the following settings: * Name: CAPolicy1 * Assignments o Users or workload identities: Group1 o Target resources: All cloud apps * Access controls o Grant access: Require multifactor authentication From Microsoft Authenticator settings for the tenant, the Enable and Target settings are configured as shown in the Enable and Target exhibit. (Click the Enable and Target tab.) From Microsoft Authenticator settings for the tenan...Author: Kunal · Last updated May 18, 2026 |
You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1. You enable content trust for ContReg1. You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege. Which two roles s...To ensure that User1 can create trusted images in ContReg1, you need to assign roles that provide the necessary permissions for creating and managing images while adhering to the principle of least privilege. Here's the breakdown: 1. AcrQuarantineReader: - This role grants read access to quarantined images in an Azure Container Registry. This is not suitable because it doesn't provide permissions for creating or pushing images to the registry, which is necessary for creating trusted images. 2. Contributor: - The Contributor role grants full management permissions on the resources within the registry, such as creating, deleting, and managing repositories and images. However, it doesn't directly address trusted image creation, which involves content trust and signing. Therefore, while this role provides broad permissions, it's more permissive than necessary for the specific task at hand. 3. AcrPush: - The AcrPush role grants permissions to push container images to a container registry. This role is needed for creating or uploading images t... Author: David · Last updated May 18, 2026 |
You have an Azure Container Registry named ContReg1 that contains a container image named image1. You enable content trust for ContReg1. After content trust is enabled, you push two image...To determine which images are trusted images in ContReg1, it's important to understand how content trust works in Azure Container Registry (ACR). Content trust enables signing of container images, ensuring that only trusted images are used. When content trust is enabled, images must be signed before they are considered "trusted." Here’s how the scenario works: - image1: This image existed before content trust was enabled. It was not signed before the content trust feature was turned on, so it cannot be considered a trusted image. - image2: This image was pushed after content trust was enabled. For image2 to be trusted, it must be signed. If it was successfully signed when pushed, it is a trusted image. - image3: This image is another new image pushed after content trust was enabled. Similarly, for image3 to be trusted, it must also have been signed when it was pushed. Key Points: 1. Content ... Author: MysticJaguar44 · Last updated May 18, 2026 |