SC 300 v25.3.2 - 395 1jf9da

ClouCertified Practice Tests https://cloudcertified.
in/
SC-300 Microsoft Identity and Access Administrator
Question #1Topic 1
You have an Azure Active Directory (Azure AD) tenant that contains the following objects:
✑ A device named Device1
✑ Users named User1, User2, User3, User4, and User5
✑ Groups named Group1, Group2, Group3, Group4, and Group5
The groups are configured as shown in the following table.
To which groups can you assign a Microsoft Office 365 Enterprise E5 license directly?
• A. Group1 and Group4 only

• B. Group1, Group2, Group3, Group4, and Group5
• C. Group1 and Group2 only
• D. Group1 only
• E. Group1, Group2, Group4, and Group5 only
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-group-advanced
Question #2Topic 1
You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com.
Several users use their contoso.com email address for self-service sign-up to Azure Active Directory
(Azure AD).
https://cloudcertified.in/ 1
ClouCertified Practice Tests https://cloudcertified.in/
You gain global administrator privileges to the Azure AD tenant that contains the self-signed users.
You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-
service sign-up to Microsoft 365 services.
Which PowerShell cmdlet should you run?
• A. Set-MsolCompanySettings
• B. Set-MsolDomainFederationSettings
• C. Update-MsolfederatedDomain
• D. Set-MsolDomain
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-self-service-signup
Question #3Topic 1
You have a Microsoft 365 tenant that uses the domain named fabrikam.com. The Guest invite settings for
Azure Active Directory (Azure AD) are configured as shown in the exhibit. (Click the Exhibit tab.)
A user named [email protected] shares a Microsoft SharePoint Online document library to the users
shown in the following table.
Which users will be emailed a passcode?
• A. User2 only
• B. User1 only
• C. User1 and User2 only
• D. User1, User2, and User3
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode
Question #4Topic 1
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are
assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft 365 Enterprise
E5 licenses to the users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of
administrative effort.
What should you use?
• A. the Identity Governance blade in the Azure Active Directory admin center
• B. the Set-AzureAdUser cmdlet
• C. the Licenses blade in the Azure Active Directory admin center
• D. the Set-WindowsProductKey cmdlet
Correct Answer: C
You can unassign licenses from users on either the Active users page, or on the Licenses page. The
method you use depends on whether you want to unassign product licenses from specific users or
unassign users licenses from a specific product.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. the Licenses blade in the Azure Active Directory admin center
2. the Set-MsolUserLicense cmdlet
Other incorrect answer options you may see on the exam include the following:
✑ the Administrative units blade in the Azure Active Directory admin center
✑ the Groups blade in the Azure Active Directory admin center
✑ the Set-AzureAdGroup cmdlet
Reference:
https://docs.microsoft.com/en-us/microsoft-365/admin/manage/remove-licenses-from-
users?view=o365-worldwide
Question #5Topic 1
HOTSPOT -
You have a Microsoft 365 tenant named contoso.com.
Guest user access is enabled.
Users are invited to collaborate with contoso.com as shown in the following table.
From the External collaboration settings in the Azure Active Directory admin center, you configure the
Collaboration restrictions settings as shown in the following exhibit.
From a Microsoft SharePoint Online site, a user invites [email protected] to the site.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct
Answer:
Box 1: Yes -
Invitations can only be sent to outlook.com. Therefore, User1 can accept the invitation and access the
application.
Box 2. Yes -
Invitations can only be sent to outlook.com. However, User2 has already received and accepted an
invitation so User2 can access the application.
Box 3. No -
Invitations can only be sent to outlook.com. Therefore, User3 will not receive an invitation.
Question #6Topic 1
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to bulk invite Azure AD business-to-business (B2B) collaboration users.
Which two parameters must you include when you create the bulk invite? Each correct answer presents
part of the solution.
• A. email address
• B. redirection URL
• C. username
• D. shared key
• E. password
Correct Answer: AB
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/tutorial-bulk-invite
Question #7Topic 1
You have an Azure Active Directory (Azure AD) tenant that contains the objects shown in the following
table.
Which objects can you add as members to Group3?
• A. User2 and Group2 only

• B. User2, Group1, and Group2 only
• C. User1, User2, Group1 and Group2
• D. User1 and User2 only
• E. User2 only
Correct Answer: E
Reference:
https://bitsizedbytes.wordpress.com/2018/12/10/distribution-security-and-office-365-groups-nesting/
Question #8Topic 1
DRAG DROP -
You have an on-premises Microsoft Exchange organization that uses an SMTP address space of
contoso.com.
You discover that users use their email address for self-service sign-up to Microsoft 365 services.
You need to gain global administrator privileges to the Azure Active Directory (Azure AD) tenant that
contains the self-signed users.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover
Question #9Topic 1
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1 and the groups
In the tenant, you create the groups shown in the following table.
Which members can you add to GroupA and GroupB? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct
Answer:
Reference:
https://bitsizedbytes.wordpress.com/2018/12/10/distribution-security-and-office-365-groups-nesting/
Question #10Topic 1
Note: This question is part of a series of questions that present the same scenario. Each question in the
series contains a unique solution that might meet the stated goals. Some question sets might have more
than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant.
You discover that when a user account is disabled in Active Directory, the disabled user can still
authenticate to Azure AD for up to 30 minutes.
You need to ensure that when a user account is disabled in Active Directory, the user account is
immediately prevented from authenticating to Azure AD.
Solution: You configure password writeback.
Does this meet the goal?
• A. Yes
• B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
Question #11Topic 1
Solution: You configure pass-through authentication.
• A. Yes
• B. No
Correct Answer: A
Reference:
Question #12Topic 1
You have an Azure Active Directory (Azure AD) tenant that syncs to an Active Directory forest.
Solution: You configure conditional access policies.
• A. Yes
• B. No
Correct Answer: B
Reference:
Question #13Topic 1
You have an Azure Active Directory (Azure AD) tenant that contains the following objects.
✑ A device named Device1
✑ Users named User1, User2, User3, User4, and User5
Five groups named Group1, Group2, Group3, Group4, and Group5
The groups are configured as shown in the following table.
How many licenses are used if you assign the Microsoft 365 Enterprise E5 license to Group1?
• A. 0
• B. 2
• C. 3
• D. 4
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-group-advanced
Question #14Topic 1
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an Azure AD
enterprise application named App1.
A contractor uses the credentials of [email protected].
You need to ensure that you can provide the contractor with access to App1. The contractor must be able
to authenticate as [email protected].
What should you do?
• A. Run the New-AzADUser cmdlet.

• B. Configure the External collaboration settings.
• C. Add a WS-Fed identity provider.
• D. Create a guest user account in contoso.com.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-
users-portal
Question #15Topic 1
Your network contains an Active Directory forest named contoso.com that is linked to an Azure Active
Directory (Azure AD) tenant named contoso.com by using
Azure AD Connect.
You need to prevent the synchronization of users who have the extensionAttribute15 attribute set to
NoSync.
What should you do in Azure AD Connect?
• A. Create an inbound synchronization rule for the Windows Azure Active Directory connector.
• B. Configure a Full Import run profile.
• C. Create an inbound synchronization rule for the Active Directory Domain Services connector.
• D. Configure an Export run profile.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-
configuration
Question #16Topic 1
Your network contains an on-premises Active Directory domain that syncs to an Azure Active Directory
(Azure AD) tenant. The tenant contains the users shown in the following table.
All the users work remotely.

Azure AD Connect is configured in Azure AD as shown in the following exhibit.
Connectivity from the on-premises domain to the internet is lost.

Which users can sign in to Azure AD?
• A. User1 and User3 only

• B. User1 only
• C. User1, User2, and User3
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-current-limitations
Question #17Topic 1
Solution: You configure Azure AD Password Protection.
• A. Yes
• B. No
Correct Answer: B
Question #18Topic 1
HOTSPOT -
Your network contains an on-premises Active Directory domain named contoso.com. The domain
contains the objects shown in the following table.
You install Azure AD Connect. You configure the Domain and OU filtering settings as shown in the Domain
and OU Filtering exhibit. (Click the Domain and OU
Filtering tab.)
You configure the Filter users and devices settings as shown in the Filter Users and Devices exhibit. (Click
the Filter Users and Devices tab.)
Hot Area:
Correct
Answer:
Only direct members of Group1 are synced. Group2 will sync as it is a direct member of Group1 but the
members of Group2 will not sync.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-custom
Question #19Topic 1
You need to ensure that Azure AD External Identities pricing is based on monthly active users (MAU).
What should you configure?
• A. a user flow
• B. the terms of use
• C. a linked subscription
• D. an access review
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-pricing
Question #20Topic 1
DRAG DROP -
You have a new Microsoft 365 tenant that uses a domain name of contoso.onmicrosoft.com.
You register the name contoso.com with a domain registrar.
You need to use contoso.com as the default domain name for new Microsoft 365 users.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct
Answer:
Reference:
https://practical365.com/configure-a-custom-domain-in-office-365/
Question #21Topic 1
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that has an Azure Active Directory Premium Plan 2
license. The tenant contains the users shown in the following table.
You have the Device Settings shown in the following exhibit.
User1 has the devices shown in the following table.
Hot Area:
Correct
Answer:
Box 1: Yes -
Users may join 5 devices to Azure AD.
Box 2: No -
Cloud device administrator an enable, disable, and delete devices in Azure AD and read Windows 10
BitLocker keys in the Azure portal. The role does not grant permissions to manage any other properties
on the device.
Box 3: No -
An additional local device administrator has not been applied
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
Question #22Topic 1
DRAG DROP -
You have a Microsoft 365 E5 subscription that contains three users named User1, User2, and User3.
You need to configure the users as shown in the following table.
Which portal should you use to configure each user? To answer, drag the appropriate portals to the
correct users. Each portal may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
Select and Place:
Correct
Answer:
Question #23Topic 1
You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant. The tenant
uses pass-through authentication.
A corporate security policy states the following:
✑ Domain controllers must never communicate directly to the internet.
✑ Only required software must be installed on servers.
The Active Directory domain contains the on-premises servers shown in the following table.
You need to ensure that users can authenticate to Azure AD if a server fails.
On which server should you install an additional pass-through authentication agent?
• A. Server4
• B. Server2
• C. Server1
• D. Server3
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-quick-start
Question #24Topic 1
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains an Azure AD
enterprise application named App1.
A contractor uses the credentials of [email protected].
You need to ensure that you can provide the contractor with access to App1. The contractor must be able
to authenticate as [email protected].
What should you do?
• A. Run the New-AzureADMSInvitation cmdlet.

• B. Configure the External collaboration settings.
• C. Add a WS-Fed identity provider.
• D. Implement Azure AD Connect.
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-
users-portal https://docs.microsoft.com/en-us/powershell/module/azuread/new-
azureadmsinvitation?view=azureadps-2.0
Question #25Topic 1
E5 licenses to the users.
• A. the Administrative units blade in the Azure Active Directory admin center
• C. the Groups blade in the Azure Active Directory admin center
• D. the Set-MsolUserLicense cmdlet
Correct Answer: D
The Set-MsolUserLicense cmdlet updates the license assignment for a user. This can include adding a new
license, removing a license, updating the license options, or any combination of these actions.
Note:
There are several versions of this question in the exam. The question has two possible correct answers:
1. the Licenses blade in the Azure Active Directory admin center
2. the Set-MsolUserLicense cmdlet
Other incorrect answer options you may see on the exam include the following:
✑ the Identity Governance blade in the Azure Active Directory admin center
✑ the Set-WindowsProductKey cmdlet
✑ the Set-AzureAdGroup cmdlet
Reference:
https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoluserlicense?view=azureadps-
1.0
Question #26Topic 1
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant and an Azure web app named App1.
You need to provide guest users with self-service sign-up for App1. The solution must meet the following
requirements:
✑ Guest users must be able to sign up by using a one-time password.
✑ The users must provide their first name, last name, city, and email address during the sign-up process.
What should you configure in the Azure Active Directory admin center for each requirement? To answer,
select the appropriate options in the answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/identity-providers
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/self-service-sign-up-
overview
Question #27Topic 1
You have an Azure Active Directory (Azure AD) Azure AD tenant.
You need to bulk create 25 new user accounts by uploading a template file.
Which properties are required in the template file?
• A. displayName, identityIssuer, usageLocation, and userType

• B. accountEnabled, givenName, surname, and userPrincipalName
• C. accountEnabled, displayName, userPrincipalName, and passwordProfile
• D. accountEnabled, passwordProfile, usageLocation, and userPrincipalName
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-add
Question #28Topic 1
(Azure AD) tenant.
Users sign in to computers that run Windows 10 and are joined to the domain.
You plan to implement Azure AD Seamless Single Sign-On (Azure AD Seamless SSO).
You need to configure the Windows 10 computers to support Azure AD Seamless SSO.
What should you do?
• A. Configure Sign-in options from the Settings app.

• B. Enable Enterprise State Roaming.
• C. Modify the Intranet Zone settings.
• D. Install the Azure AD Connect Authentication Agent.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
Question #29Topic 1
DRAG DROP -
You need to resolve the recent security incident issues.
What should you configure for each incident? To answer, drag the appropriate policy types to the correct
issues. Each policy type may be used once, more than once, or not at all. You may need to drag the split
Select and Place:
Correct
Answer:
Box 1: A user risk policy -

User-linked detections include:
Leaked credentials: This risk detection type indicates that the user's valid credentials have been leaked.
When cybercriminals compromise valid passwords of legitimate users, they often share those credentials.
User risk policy.
Identity Protection can calculate what it believes is normal for a user's behavior and use that to base
decisions for their risk. User risk is a calculation of probability that an identity has been compromised.
Administrators can make a decision based on this risk score signal to enforce organizational
requirements. Administrators can choose to block access, allow access, or allow access but require a
password change using Azure AD self-service password reset.
Box 2: A sign-in risk policy -

Suspicious browser: Suspicious browser detection indicates anomalous behavior based on suspicious
sign-in activity across multiple tenants from different countries in the same browser.
Box 3: A sign-in risk policy -

A sign-in risks include activity from anonymous IP address: This detection is discovered by Microsoft
Defender for Cloud Apps. This detection identifies that users were active from an IP address that has
been identified as an anonymous proxy IP address.
Note: The following three policies are available in Azure AD Identity Protection to protect users and
respond to suspicious activity. You can choose to turn the policy enforcement on or off, select users or
groups for the policy to apply to, and decide if you want to block access at sign-in or prompt for
additional action.
* User risk policy
Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to
create a new password.
* Sign in risk policy
Identifies and responds to suspicious sign-in attempts. Can prompt the user to provide additional forms
of verification using Azure AD Multi-Factor Authentication.
* MFA registration policy
Makes sure users are registered for Azure AD Multi-Factor Authentication. If a sign-in risk policy prompts
for MFA, the user must already be registered for Azure
AD Multi-Factor Authentication.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-
protection-policies
Question #30Topic 1
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following
table.
For which users can you configure the Job title property and the Usage location property in Azure AD? To
answer, select the appropriate options in the answer area.
Hot Area:
Correct
Answer:
Box 1: User1 and User2 only.

You can add or update a user's profile information using Azure Active Directory.
Add user profile information, including a profile picture, job-specific information, and some settings using
Azure Active Directory (Azure AD).
The user profile includes:
Job info. Add any job-related information, such as the user's job title, department, or manager.
Box 2: User1, User2, and User3 -

Invite users with Azure Active Directory B2B collaboration, Update user's name and usage location.
To assign a license, the invited user's Usage location must be specified. Admins can update the invited
user's profile on the Azure portal.
1. Go to Azure Active Directory > Users and groups > All users. If you don't see the newly created user,
refresh the page.
2. Click on the invited user, and then click Profile.
3. Update First name, Last name, and Usage location.
4. Click Save, and then close the Profile blade.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-profile-
azure-portal https://docs.microsoft.com/en-us/power-platform/admin/invite-users-azure-active-
directory-b2b-collaboration#update-users-name-and-usage-location
Question #31Topic 1
You have an Azure Active Directory (Azure AD) tenant that: contains a user named User1.
You need to ensure that User1 can create new catalogs and add1 resources to the catalogs they own.
What should you do?
• A. From the Roles and administrators blade, modify the Groups administrator role.
• B. From the Roles and administrators blade, modify the Service support administrator role.
• C. From the Identity Governance blade, modify the Entitlement management settings.
• D. From the Identity Governance blade, modify the roles and administrators for the General
catalog.
Correct Answer: C
Create and manage a catalog of resources in Azure AD entitlement management.
Create a catalog.
A catalog is a container of resources and access packages. You create a catalog when you want to group
related resources and access packages. A user who has been delegated the catalog creator role can
create a catalog for resources that they own. Whoever creates the catalog becomes the first catalog
owner. A catalog owner can add more users, groups of users, or application service principals as catalog
owners.
Prerequisite roles: Global administrator, Identity Governance administrator, User administrator, or
Catalog creator.
Incorrect:
* Groups Administrator - Members of this role can create/manage groups, create/manage groups
settings like naming and expiration policies, and view groups activity and audit reports.
* Service Support Administrator
Users with this role can create and manage support requests with Microsoft for Azure and Microsoft 365
services, and view the service dashboard and message center in the Azure portal and Microsoft 365
admin center.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-catalog-
create https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
Question #32Topic 1
(Azure AD) tenant.
Users sign in to computers that run Windows 10 and are joined to the domain.
You plan to implement Azure AD Seamless Single Sign-On (Azure AD Seamless SSO).
You need to configure the Windows 10 computers to support Azure AD Seamless SSO.
What should you do?
• A. Configure Sign-in options from the Settings app.

• B. Enable Enterprise State Roaming.
• C. Modify the Local intranet Zone settings.
• D. Install the Azure AD Connect Authentication Agent.
Correct Answer: C
Enable Seamless SSO through Azure AD Connect.
At the User sign-in page, select the Enable single sign on option.
Note:
The option will be available for selection only if the Sign On method is Password Hash Synchronization or
Pass-through Authentication.
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through
Authentication sign-in methods.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
Question #33Topic 1
Your company has two divisions named Contoso East and Contoso West. The Microsoft 365 identity
architecture for both divisions is shown in the following exhibit.
You need to assign users from the Contoso East division access to Microsoft SharePoint Online sites in the
Contoso West tenant. The solution must not require additional Microsoft 365 licenses.
What should you do?
• A. Configure Azure AD Application Proxy in the Contoso West tenant.

• B. Invite the Contoso East users as guests in the Contoso West tenant.
• C. Deploy a second Azure AD Connect server to Contoso East and configure the server to sync the
Contoso East Active Directory forest to the Contoso West tenant.
• D. Configure the existing Azure AD Connect server in Contoso East to sync the Contoso East
Active Directory forest to the Contoso West tenant.
Correct Answer: B
Before any of your users can grant SharePoint Online team site access to external guests, you will have to
enable guest sharing from within Azure Active
Directory.
Reference:
https://redmondmag.com/articles/2020/03/11/guest-access-sharepoint-online-team-sites.aspx
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/multi-tenant-common-
considerations
Question #34Topic 1
DRAG DROP
-
You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.
You need to ensure that User1 can create access reviews for groups, and that User2 can review the
history report for all the completed access reviews. The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users.
Each role may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.
Correct Answer:
Question #35Topic 1
HOTSPOT
-
You have an Azure subscription.
You need to create two custom roles named Role1 and Role2. The solution must meet the following
requirements:
• Users that are assigned Role1 can create or delete instances of Azure Container Apps.
• Users that are assigned Role2 can enforce adaptive network hardening rules.
Which resource provider permissions are required for each role? To answer, select the appropriate
options in the answer area.
Correct
Answer:
Question #36Topic 1
HOTSPOT
-
You have a Microsoft 365 tenant that has 5,000 users. One hundred of the users are executives. The
executives have a dedicated support team.
You need to ensure that the support team can reset passwords and manage multi-factor authentication
(MFA) settings for only the executives. The solution must use the principle of least privilege.
Which object type and Azure Active Directory (Azure AD) role should you use? To answer, select the
appropriate options in the answer area.
Correct
Answer:
Question #37Topic 1
table.
You have an administrative unit named Au1. Group1, User2, and User3 are members of Au1.
User5 is assigned the User administrator role for Au1.
For which users can User5 reset passwords?
• A. User1, User2, and User3

• B. User1 and User2 only
Correct Answer: D
Question #38Topic 1
table.
You create a dynamic user group and configure the following rule syntax.
user.usageLocation -in ["US","AU"] -and (user.department -eq "Sales") -and -not (user.jobTitle -eq
"Manager") –or (user. jobTitle -eq "SalesRep")
Which users will be added to the group?
• A. User1 only
• B. User2 only
• C. User3 only
• E. User1 and User3 only
• F. User1, User2, and User3
Correct Answer: D
Question #39Topic 1
You have an Azure AD tenant that contains a user named User1.
User1 needs to manage license assignments and reset user passwords.
Which role should you assign to User1?
• A. Helpdesk administrator
• B. Billing administrator
• C. License administrator
• D. User administrator
Correct Answer: D
Question #40Topic 1
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office 365
Enterprise E5 licenses to a group that includes all users.
• A. the Set-MsolUserLicense cmdlet

• B. the Set-AzureADGroup cmdlet
• C. the Set-WindowsProductKey cmdlet
• D. the Administrative units blade in the Azure Active Directory admin center
Correct Answer:A
Question #41Topic 1
E5 licenses to a group that includes all the users.
• A. the Set-AzureADGroup cmdlet

• B. the Identity Governance blade in the Azure Active Directory admin center
Correct Answer: D
Question #42Topic 1
HOTSPOT
-
Your on-premises network contains an Active Directory domain that uses Azure AD Connect to sync with
an Azure AD tenant.
You need to configure Azure AD Connect to meet the following requirements:
• User sign-ins to Azure AD must be authenticated by an Active Directory domain controller.

• Active Directory domain users must be able to use Azure AD self-service password reset (SSPR).
What should you use for each requirement? To answer, select the appropriate options in the answer
area.
Correct
Answer:
Question #43Topic 1
You needed to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of
• A. the Groups blade in the Azure Active Directory admin center

• B. the Set-AzureADGroup cmdlet
• C. the Identity Governance blade in the Azure Active Directory admin center
Correct Answer: D
Question #44Topic 1
You have an Active Directory forest that syncs to an Azure AD tenant.
Solution: You configure conditional access policies.
• A. Yes
• B. No
Correct Answer: B
Question #45Topic 1
You have a Microsoft 365 E5 subscription.
You create a user named User1.
You need to ensure that User1 can update the status of Identity Secure Score improvement actions.
Solution: You assign the Exchange Administrator role to User1.
• A. Yes
• B. No
Correct Answer: A
Question #46Topic 1
Solution: You assign the User Administrator role to User1.
• A. Yes
• B. No
Correct Answer: B
Question #47Topic 1
HOTSPOT
-
Case Study
-
Overview
-
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in London
and Seattle.
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Azure Active Directory
(Azure AD) tenant named fabrikam.com.
Existing Environment. Existing Environment
The on-premises network of Contoso contains an Active Directory domain named contoso.com. The
domain contains an organizational unit (OU) named Contoso_Resources. The Contoso_Resources OU
contains all users and computers.
The contoso.com Active Directory domain contains the relevant users shown in the following table.
Contoso also includes a marketing department that has users in each office.
Existing Environment. Microsoft 365/Azure Environment
Contoso has an Azure AD tenant named contoso.com that has the following associated licenses:
• Microsoft Office 365 Enterprise E5

• Enterprise Mobility + Security E5
• Windows 10 Enterprise E3
• Project Plan 3
Azure AD Connect is configured between Azure AD and Active Directory Domain Services (AD DS). Only
the Contoso_Resources OU is synced.
Helpdesk administrators routinely use the Microsoft 365 admin center to manage user settings.
User administrators currently use the Microsoft 365 admin center to manually assign licenses. All users
have all licenses assigned besides the following exceptions:
• The users in the London office have the Microsoft 365 Phone System license unassigned.
• The users in the Seattle office have the Yammer Enterprise license unassigned.
Security defaults are disabled for contoso.com.
Contoso uses Azure AD Privileged Identity Management (PIM) to protect administrative roles.
Existing Environment. Problem Statements
Contoso identifies the following issues:
• Currently, all the helpdesk administrators can manage user licenses throughout the entire Microsoft
365 tenant.
• The user administrators report that it is tedious to manually configure the different license
requirements for each Contoso office.
• The helpdesk administrators spend too much time provisioning internal and guest access to the
required Microsoft 365 services and apps.
• Currently, the helpdesk administrators can perform tasks by using the User administrator role without
justification or approval.
• When the Logs node is selected in Azure AD, an error message appears stating that Log Analytics
integration is not enabled.
Requirements. Planned Changes

-
Contoso plans to implement the following changes:
• Implement self-service password reset (SSPR).

• Analyze Azure audit activity logs by using Azure Monitor.
• Simplify license allocation for new users added to the tenant.
• Collaborate with the users at Fabrikam on a joint marketing campaign.
• Configure the User administrator role to require justification and approval to activate.
• Implement a custom line-of-business Azure web app named App1. App1 will be accessible from the
internet and authenticated by using Azure AD accounts.
• For new users in the marketing department, implement an automated approval workflow to provide
access to a Microsoft SharePoint Online site, group, and app.
Contoso plans to acquire a company named ADatum Corporation. One hundred new ADatum users will
be created in an Active Directory OU named Adatum. The users will be located in London and Seattle.
Requirements. Technical Requirements
Contoso identifies the following technical requirements:
• All users must be synced from AD DS to the contoso.com Azure AD tenant.

• App1 must have a redirect URI pointed to https://contoso.com/auth-response.
• License allocation for new users must be assigned automatically based on the location of the user.
• Fabrikam users must have access to the marketing department’s SharePoint site for a maximum of 90
days.
• Administrative actions performed in Azure AD must be audited. Audit logs must be retained for one
year.
• The helpdesk administrators must be able to manage licenses for only the users in their respective
office.
• Users must be forced to change their password if there is a probability that the users’ identity was
compromised.
You need to meet the technical requirements for license management by the help desk administrators.
What should you create first, and which tool should you use? To answer, select the appropriate options
in the answer area.
Correct
Answer:
Question #48Topic 1
Case Study -
Overview -
ADatum Corporation is a consulting company in Montreal.
ADatum recently acquired a Vancouver-based company named Litware, Inc.
Existing Environment. ADatum Environment
The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named
adatum.com.
ADatum has a Microsoft 365 E5 subscription. The subscription contains a verified domain that syncs with
the adatum.com AD DS domain by using Azure AD Connect.
ADatum has an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant has Security
defaults disabled.
The tenant contains the users shown in the following table.
The tenant contains the groups shown in the following table.
Existing Environment. Litware Environment
Litware has an AD DS forest named litware.com
ADatum identifies the following issues:
• Multiple users in the sales department have up to five devices. The sales department users report that
sometimes they must contact the support department to join their devices to the Azure AD tenant
because they have reached their device limit.
• A recent security incident reveals that several users leaked their credentials, a suspicious browser was
used for a sign-in, and resources were accessed from an anonymous IP address.
• When you attempt to assign the Device Administrators role to IT_Group1, the group does NOT appear
in the selection list.
• Anyone in the organization can invite guest users, including other guests and non-administrators.
• The helpdesk spends too much time resetting user passwords.
• Users currently use only passwords for authentication.
Requirements. Planned Changes -
ADatum plans to implement the following changes:
• Configure self-service password reset (SSPR).

• Configure multi-factor authentication (MFA) for all users.
• Configure an access review for an access package named Package1.
• Require admin approval for application access to organizational data.

• Sync the AD DS users and groups of litware.com with the Azure AD tenant.
• Ensure that only users that are assigned specific admin roles can invite guest users.
• Increase the maximum number of devices that can be joined or registered to Azure AD to 10.
ADatum identifies the following technical requirements:
• Users assigned the User administrator role must be able to request permission to use the role when
needed for up to one year.
• Users must be prompted to register for MFA and provided with an option to bypass the registration for
a grace period.
• Users must provide one authentication method to reset their password by using SSPR. Available
methods must include:
- Email
- Phone
- Security questions
- The Microsoft Authenticator app
• Trust relationships must NOT be established between the adatum.com and litware.com AD DS domains.
• The principle of least privilege must be used.
You need to resolve the issue of the sales department users.
What should you configure for the Azure AD tenant?
• A. the Device settings

• B. the User settings
• C. the Access reviews settings
• D. Security defaults
Correct Answer: A
Question #49Topic 1
Case Study -
Overview -
adatum.com.
defaults disabled.

a grace period.
- Email
- Phone
You need to resolve the issue of IT_Group1.
What should you do first?
• A. Change Membership type of IT_Group1 to Dynamic User.

• B. Recreate the IT_Group1 group.
• C. Change Membership type of IT Group1 to Dynamic Device.
• D. Add an owner to IT_Group1.
Correct Answer: B
Question #50Topic 1
Case Study -
Overview -
adatum.com.
defaults disabled.

a grace period.
- Email
- Phone
You need to implement the planned changes for litware.com.
• A. Azure AD Connect cloud sync between the Azure AD tenant and litware.com
• B. Azure AD Connect to include the litware.com domain
• C. staging mode in Azure AD Connect for the litware.com domain
Correct Answer: B
Question #51Topic 1
You have the Azure resources shown in the following table.
To which identities can you assign the Contributor role for RG1?
• A. User1 only
• B. User1 and Group1 only
• C. User1 and VM1 only
• D. User1, VM1, and App1 only
• E. User1, Group1, VM1, and App1
Correct Answer: E
Question #52Topic 1
HOTSPOT
-
You have an Azure AD tenant that contains a user named User1. User1 is assigned the User Administrator
role.
You need to configure External collaboration settings for the tenant to meet the following requirements:
• Guest users must be prevented from querying staff email addresses.

• Guest users must be able to access the tenant only if they are invited by User1.
Which three settings should you configure? To answer, select the appropriate settings in the answer
area.
Correct
Answer:
Question #53Topic 1
You needed to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of
• A. the Groups blade in the Azure Active Directory admin center

• C. the Identity Governance blade in the Azure Active Directory admin center
• D. the Licenses blade in the Azure Active Directory admin center
Correct Answer: D
Question #54Topic 1
Solution: You assign the Security Operator role to User1.
• A. Yes
• B. No
Correct Answer: B
Question #55Topic 1
Solution: You assign the SharePoint Administrator role to User1.
• A. Yes
• B. No
Correct Answer: A
Question #56Topic 1
You have an Azure AD tenant that contains a user named Admin1.
You need to ensure that Admin1 can perform only the following tasks:
• From the Microsoft 365 admin center, create and manage service requests.
• From the Microsoft 365 admin center, read and configure service health.
• From the Azure portal, create and manage support tickets.
The solution must minimize administrative effort.
What should you do?
• A. Create an administrative unit and add Admin1.

• B. Enable Azure AD Privileged Identity Management (PIM) for Admin1.
• C. Assign Admin1 the Helpdesk Administrator role.
• D. Create a custom role and assign the role to Admin1.
Correct Answer: C
Question #57Topic 1
HOTSPOT
-
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with
an Azure AD tenant.
You need to ensure that user authentication always occurs by validating passwords against the AD DS
domain.
What should you configure, and what should you use? To answer, select the appropriate options in the
answer area.
Correct
Answer:
Question #58Topic 1
You have a Microsoft 365 tenant that uses the domain named fabrikam.com. The Guest invite settings for
Azure Active Directory (Azure AD) are configured as shown in the exhibit. (Click the Exhibit tab.)
A user named [email protected] shares a Microsoft SharePoint Online document library to the users
Which users will be emailed a passcode?
• A. User2 only
• B. User1 only
Correct Answer: A
Question #59Topic 1
• A. the Administrative units blade in the Azure Active Directory admin center
• B. the Set-MsolUserLicense cmdlet
• C. the Groups blade in the Azure Active Directory admin center
• D. the Set-WindowsProductKey cmdlet
Correct Answer: B
Question #60Topic 1
HOTSPOT
-
Azure AD and contains the users shown in the following table.
In Azure AD Connect, Domain/OU Filtering is configured as shown in the following exhibit.
Azure AD Connect is configured as shown in the following exhibit.
Correct
Answer:
Question #61Topic 1
• A. the Update-MgGroup cmdlet

• B. the Licenses blade in the Azure Active Directory admin center
• D. the Administrative units blade in the Azure Active Directory admin center
Correct Answer: B
Question #62Topic 1
You have an Azure AD tenant that contains the users shown in the following table.
You need to compare the role permissions of each user. The solution must minimize administrative
effort.
• A. the Microsoft 365 Defender portal

• B. the Microsoft 365 admin center
• C. the Microsoft Entra admin center
• D. the Microsoft Purview compliance portal
Correct Answer: B
Question #63Topic 1
You have a Microsoft Exchange organization that uses an SMTP address space of contoso.com.
Several users use their contoso.com email address for self-service sign-up to Azure AD.
You gain global administrator privileges to the Azure AD tenant that contains the self-signed users.
You need to prevent the users from creating user accounts in the contoso.com Azure AD tenant for self-
service sign-up to Microsoft 365 services.
Which PowerShell cmdlet should you run?
• A. Update-MgOrganization
• B. Update-MgPolicyPermissionGrantPolicyExclude
• C. Update-MgDomain
• D. Update-MgDomainFederationConfiguration
Correct Answer: B
Question #64Topic 1
HOTSPOT
-
You have an Azure AD tenant.
You need to configure the following External Identities features:
• B2B collaboration
• Monthly active users (MAU)-based pricing
Which two settings should you configure? To answer, select the settings in the answer area.
Correct Answer:
Question #65Topic 1
You have an Azure AD tenant that contains the external user shown in the following exhibit.
You update the email address of the user.
You need to ensure that the user can authenticate by using the updated email address.
What should you do for the user?
• A. Modify the Authentication methods settings.

• B. Reset the password.
• C. Revoke the active sessions.
• D. Reset the redemption status.
Correct Answer: D
Question #66Topic 1
You need to ensure that only users from specific external domains can be invited as guests to the tenant.
Which settings should you configure?
• A. External collaboration settings
• B. All identity providers

• C. Cross-tenant access settings
• D. Linked subscriptions
Correct Answer: A
Question #67Topic 1
You have an Azure AD tenant that contains a user named User1 and a Microsoft 365 group named
Group1. User1 is the owner of Group1.
You need to ensure that User1 is notified every three months to validate the guest membership of
Group1.
What should you do?
• A. Configure the External collaboration settings.

• B. Create an access review.
• C. Configure an access package.
• D. Create a group expiration policy.
Correct Answer:B
Question #68Topic 1
HOTSPOT
-
You have a Microsoft Entra tenant that contains a group named Group3 and an administrative unit
named Department1.
Department1 has the users shown in the Users exhibit. (Click the Users tab.)
Department1 has the groups shown in the Groups exhibit. (Click the Groups tab.)
The User Administrator role assignments are shown in the Assignments exhibit (Click the Assignments
tab.)
The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)
Correct
Answer:
Question #69Topic 1
HOTSPOT
-
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named
fabrikam.com. The domain contains an Active Directory Federation Services (AD FS) instance and a
member server named Server1 that runs Windows Server. The domain contains the users shown in the
following table.
You have a Microsoft Entra tenant named contoso.com that is linked to a Microsoft 365 subscription.
You establish federation between fabrikam.com and contoso.com by using a Microsoft Entra Connect
instance that is configured as shown in the following exhibit.
You perform the following tasks in contoso.com:
• Create a group named Group1.

• Disable User2.
• Enable User3.
Correct
Answer:
Question #70Topic 1
HOTSPOT
-
You have a Microsoft Entra tenant that has a Microsoft Entra ID P2 service plan. The tenant contains the
users shown in the following table.
You have the Device settings shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise. select No.
Correct
Answer:
Question #71Topic 1
You have an Azure subscription named Sub1 that contains a user named User1.
You need to ensure that User1 can purchase a Microsoft Entra Permissions Management license for Sub1.
The solution must follow the principle of least privilege.
• A. Global Administrator
• B. Billing Administrator
• C. Permissions Management Administrator
• D. User Access Administrator
Correct Answer: B
Question #72Topic 1
You have an Azure subscription that contains a user named User1 and two resource groups named RG1
and RG2.
You need to ensure that User1 can perform the following tasks:
• View all resources.

• Restart virtual machines.
• Create virtual machines in RG1 only.
• Create storage accounts in RG1 only.
What is the minimum number of role-based access control (RBAC) role assignments required?
• A. 1
• B. 2
• C. 3
• D. 4
Correct Answer: C
Question #73Topic 1
You work for a company named Contoso, Ltd. that has a Microsoft Entra tenant named contoso.com.
Contoso is working on a project with the following two partner companies:
• A company named A. Datum Corporation that has a Microsoft Entra tenant named adatum.com.
• A company named Fabrikam, Inc. that has a Microsoft Entra tenant named fabrikam.com.
When you attempt to invite a new guest user from adatum.com to contoso.com, you receive an error
message.
You can successfully invite a new guest user from fabnkam.com to contoso.com.
You need to be able to invite new guest users from adatum.com to contoso.com.
• A. Guest invite settings

• B. Verifiable credentials
• C. Named locations
• D. Collaboration restrictions
Correct Answer: D
Topic 2 - Question Set 2

Question #1Topic 2
You configure a new Microsoft 365 tenant to use a default domain name of contoso.com.
You need to ensure that you can control access to Microsoft 365 resources by using conditional access
policies.
• A. Disable the User consent settings.

• B. Disable Security defaults.
• C. Configure a multi-factor authentication (MFA) registration policy.
• D. Configure password protection for Windows Server Active Directory.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-
defaults
Question #2Topic 2
Your company has a Microsoft 365 tenant.

The company has a call center that contains 300 users. In the call center, the users share desktop
computers and might use a different computer every day. The call center computers are NOT configured
for biometric identification.
The users are prohibited from having a mobile phone in the call center.
You need to require multi-factor authentication (MFA) for the call center users when they access
Microsoft 365 services.
What should you include in the solution?
• A. a named network location

• B. the Microsoft Authenticator app
• C. Windows Hello for Business authentication
• D. FIDO2 tokens
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-
passwordless
Question #3Topic 2
All users who run applications registered in Azure AD are subject to conditional access policies.
You need to prevent the users from using legacy authentication.
What should you include in the conditional access policies to filter out legacy authentication attempts?
• A. a cloud apps or actions condition

• B. a user risk condition
• C. a client apps condition
• D. a sign-in risk condition
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication
Question #4Topic 2
You have an Azure Active Directory (Azure AD) tenant.

You open the risk detections report.
Which risk detection type is classified as a user risk?
• A. impossible travel
• B. anonymous IP address
• C. atypical travel
• D. leaked credentials
Correct Answer: D
Leaked credentials indicates that the user's valid credentials have been leaked.
Note:
There are several versions of this question in the exam. The question can have other incorrect answer
options, including the following:
✑ password spray
✑ malicious IP address
✑ unfamiliar sign-in properties
Reference:
protection-risks
Question #5Topic 2
You have a Microsoft 365 tenant.

All users have computers that run Windows 10. Most computers are company-owned and joined to Azure
Active Directory (Azure AD). Some computers are user- owned and are only registered in Azure AD.
You need to prevent users who connect to Microsoft SharePoint Online on their user-owned computer
from downloading or syncing files. Other users must NOT be restricted.
Which policy type should you create?
• A. a Microsoft Cloud App Security activity policy that has Microsoft Office 365 governance
actions configured
• B. an Azure AD conditional access policy that has session controls configured
• C. an Azure AD conditional access policy that has client apps conditions configured
• D. a Microsoft Cloud App Security app discovery policy that has governance actions configured
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad
Question #6Topic 2
You have an Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant.
The on-premises network contains a VPN server that authenticates to the on-premises Active Directory
domain. The VPN server does NOT support Azure Multi-
Factor Authentication (MFA).
You need to recommend a solution to provide Azure MFA for VPN connections.
What should you include in the recommendation?
• A. Azure AD Application Proxy

• B. an Azure AD Password Protection proxy
• C. Network Policy Server (NPS)
• D. a pass-through authentication proxy
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
Question #7Topic 2

The Azure Active Directory (Azure AD) tenant is configured to sync with an on-premises Active Directory
domain. The domain contains the servers shown in the following table.
The domain controllers are prevented from communicating to the internet.

You implement Azure AD Password Protection on Server1 and Server2.
You deploy a new server named Server4 that runs Windows Server 2019.
You need to ensure that Azure AD Password Protection will continue to work if a single server fails.
What should you implement on Server4?
• A. Azure AD Connect
• B. Azure AD Application Proxy
• C. Password Change Notification Service (PCNS)
• D. the Azure AD Password Protection proxy service
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-
premises-deploy
Question #8Topic 2
DRAG DROP -
You have a Microsoft 365 E5 tenant.
You purchase a cloud app named App1.
You need to enable real-time session-level monitoring of App1 by using Microsoft Cloud App Security.
In which order should you perform the actions? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-any-app
https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad
Question #9Topic 2

All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone
connectivity. While working from the remote locations, the users connect their laptop to a wired network
that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
• A. a notification through the Microsoft Authenticator app

• B. an app password
• C. Windows Hello for Business
• D. SMS
Correct Answer: C
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on
PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a
device and uses a biometric or PIN.
After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's
device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a
PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to
authenticate users.
Incorrect Answers:
A: A notification through the Microsoft Authenticator app requires connectivity to send the verification
code to the device requesting the logon
B: An app password can be used to open an application but it cannot be used to sign in to a computer.
D: SMS requires a mobile phone -

Reference:
methods https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-
business/hello-overview
Question #10Topic 2
All users must use the Microsoft Authenticator app for multi-factor authentication (MFA) when accessing
Some users report that they received an MFA prompt on their Microsoft Authenticator app without
initiating a sign-in request.
You need to block the users automatically when they report an MFA request that they did not initiate.
Solution: From the Azure portal, you configure the Notifications settings for multi-factor authentication
(MFA).
• A. Yes
• B. No
Correct Answer: B
You need to configure the fraud alert settings.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings
Question #11Topic 2
Solution: From the Azure portal, you configure the Account lockout settings for multi-factor
authentication (MFA).
• A. Yes
• B. No
Correct Answer: B
Reference:
Question #12Topic 2
Solution: From the Azure portal, you configure the Block/unblock users settings for multi-factor
authentication (MFA).
• A. Yes
• B. No
Correct Answer: B
Reference:
Question #13Topic 2
HOTSPOT -
You need to identify users who have leaked credentials. The solution must meet the following
requirements:
✑ Identify sign-ins by users who are suspected of having leaked credentials.
✑ Flag the sign-ins as a high-risk event.
✑ Immediately enforce a control to mitigate the risk, while still allowing the user to access applications.
What should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct
Answer:
Reference:
protection-risks
Question #14Topic 2
HOTSPOT -
table.
You plan to implement Azure AD Identity Protection.

Which users can configure the user risk policy, and which users can view the risky users report? To
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-
protection
Question #15Topic 2
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains a group named Group3 and an
administrative unit named Department1.
Department1 has the users shown in the Users exhibit. (Click the Users tab.)
Department1 has the groups shown in the Groups exhibit. (Click the Groups tab.)
Department1 has the user administrator assignments shown in the Assignments exhibit. (Click the
Assignments tab.)
The members of Group2 are shown in the Group2 exhibit. (Click the Group2 tab.)
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units
Question #16Topic 2
Solution: From the Azure portal, you configure the Fraud alert settings for multi-factor authentication
(MFA).
• A. Yes
• B. No
Correct Answer: A
The fraud alert feature lets users report fraudulent attempts to access their resources. When an
unknown and suspicious MFA prompt is received, users can report the fraud attempt using the Microsoft
Authenticator app or through their phone.
The following fraud alert configuration options are available:
✑ Automatically block users who report fraud.
✑ Code to report fraud during initial greeting.
Reference:
Question #17Topic 2


• B. email
• C. security questions
• D. a verification code from the Microsoft Authenticator app
Correct Answer: D
The Authenticator app can be used as a software token to generate an OATH verification code. After
entering your username and password, you enter the code provided by the Authenticator app into the
sign-in interface.
Incorrect Answers:
A: A notification through the Microsoft Authenticator app requires connectivity to send the verification
code to the device requesting the logon.
B: An email requires network connectivity.
C: Security questions are not used as an authentication method but can be used during the self-service
password reset (SSPR) process.
Reference:
authenticator-app#verification-code-from-mobile-app
Question #18Topic 2
HOTSPOT -
You create a named location named HighRiskCountries that contains a list of high-risk countries.
You need to limit the amount of time a user can stay authenticated when connecting from a high-risk
country.
What should you configure in a conditional access policy? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-
session
Question #19Topic 2
HOTSPOT -
A user named User1 attempts to sign in to the tenant by entering the following incorrect passwords:
✑ Pa55w0rd12
✑ Pa55w0rd12
✑ Pa55w0rd12
✑ Pa55w.rd12
✑ Pa55w.rd123
✑ Pa55w.rd123
✑ Pa55w.rd123
✑ Pa55word12
✑ Pa55word12
✑ Pa55word12
✑ Pa55w.rd12
You need to identify how many sign-in attempts were tracked for User1, and how User1 can unlock her
account before the 300-second lockout duration expires.
What should identify? To answer, select the appropriate
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
Question #20Topic 2
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that has Security defaults disabled.
You are creating a conditional access policy as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-
policy-all-users-mfa
Question #21Topic 2
You have an Azure Active Directory (Azure AD) tenant that contains a user named SecAdmin1. SecAdmin1
is assigned the Security administrator role.
SecAdmin1 reports that she cannot reset passwords from the Azure AD Identity Protection portal.
You need to ensure that SecAdmin1 can manage passwords and invalidate sessions on behalf of non-
administrative users. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
• A. Authentication administrator
• B. Helpdesk administrator
• C. Privileged authentication administrator
• D. Security operator
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
Question #22Topic 2
You configure Azure Active Directory (Azure AD) Password Protection as shown in the exhibit. (Click the
Exhibit tab.)
You are evaluating the following passwords:

✑ Pr0jectlitw@re
✑ T@ilw1nd
✑ C0nt0s0
Which passwords will be blocked?
• A. Pr0jectlitw@re and T@ilw1nd only

• B. C0nt0s0 only
• C. C0nt0s0, Pr0jectlitw@re, and T@ilw1nd
• D. C0nt0s0 and T@ilw1nd only
• E. C0nt0s0 and Pr0jectlitw@re only
Correct Answer: C
Reference:
https://blog.enablingtechcorp.com/azure-ad-password-protection-password-evaluation
Question #23Topic 2

• A. a verification code from the Microsoft Authenticator app

• B. security questions
• C. voice
• D. SMS
Correct Answer: A
The Authenticator app can be used as a software token to generate an OATH verification code. After
entering your username and password, you enter the code provided by the Authenticator app into the
sign-in interface.
Incorrect Answers:
B: Security questions are not used as an authentication method but can be used during the self-service
password reset (SSPR) process.
C, D: An automated voice call and an SMS requires mobile connectivity.
Reference:
methods
Question #24Topic 2
HOTSPOT -
table.
User2 reports that he can only configure multi-factor authentication (MFA) to use the Microsoft
Authenticator app.
You need to ensure that User2 can configure alternate MFA methods.
Which configuration is required, and which user should perform the configuration? To answer, select the
Hot Area:
Correct
Answer:
Box 1: Modify security defaults.

Privileged Authentication Administrator
Users with this role can set or reset any authentication method (including passwords) for any user,
including Global Administrators. Privileged Authentication
Administrators can force users to re-register against existing non-password credential (such as MFA or
FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users.
The Authentication Administrator role has permission to force re-registration and multifactor
authentication for standard users and users with some admin roles.
Box 2: User1 only.

Security Administrator.
Users with this role have permissions to manage security-related features in the Microsoft 365 Defender
portal, Azure Active Directory Identity Protection, Azure
Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance
Center.
Incorrect:
Not User3. Service Support Administrator.
Users with this role can create and manage support requests with Microsoft for Azure and Microsoft 365
services, and view the service dashboard and message center in the Azure portal and Microsoft 365
admin center.
Reference:
Question #25Topic 2

You configure self-service password reset (SSPR) by using the following settings:
✑ Require users to register when signing in: Yes
✑ Number of methods required to reset: 1
What is a valid authentication method available to users?
• A. a Microsoft Teams chat

• B. a mobile app notification
• C. a mobile app code
• D. an FIDO2 security token
Correct Answer: C
When administrators require one method be used to reset a password, verification code is the only
option available.
Note: When administrators require two methods be used to reset a password, users are able to use
notification OR verification code in addition to any other enabled methods.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks
Question #26Topic 2
You have an Azure Active Directory (Azure AD) tenant that uses Azure AD Identity Protection and
contains the resources shown in the following table.
Azure Multi-factor Authentication (MFA) is enabled for all users.

User1 triggers a medium severity alert that requires additional investigation.
You need to force User1 to reset his password the next time he signs in. The solution must minimize
What should you do?
• A. Reconfigure the user risk, policy to trigger on medium or low severity.

• B. Mark User1 as compromised.
• C. Reset the Azure MIFA registration for User1.
• D. Configure a sign-in risk policy.
Correct Answer: B
Scenario: User compromised (True positive)
'Risky users' report shows an at-risk user [Risk state = At risk] with low risk [Risk level = Low] and that user
was indeed compromised.
Feedback: Select the user and click on 'Confirm user compromised'.
What happens under the hood? Azure AD will move the user risk to High [Risk state = Confirmed
compromised; Risk level = High] and will add a new detection
'Admin confirmed user compromised'.
Notes: Currently, the 'Confirm user compromised' option is only available in 'Risky users' report.
The detection 'Admin confirmed user compromised' is shown in the tab 'Risk detections not linked to a
sign-in' in the 'Risky users' report.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-
risk-feedback
Question #27Topic 2
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant: that contains the users shown in the following
table.
In Azure. AD Identity Protection, you configure a user risk policy that has the following settings:
✑ Assignments:
- Users: Group1
- User risk: Low and above
✑ Controls:
- Access: Block access
✑ Enforce policy: On
In Azure AD Identify Protection, you configure a sign-in risk policy that has the following settings:
✑ Assignments:
- Users: Group2
- Sign-in risk: Low and above
✑ Controls:
- Access: Require multi-factor authentication
✑ Enforce policy: On
Hot Area:
Correct
Answer:
Box 1: Yes -
Note: Azure AD Identity Protection can review user sign-in attempts and take additional action if there's
suspicious behavior:
Some of the following actions may trigger Azure AD Identity Protection risk detection:
Users with leaked credentials.
* -> Sign-ins from anonymous IP addresses.
Impossible travel to atypical locations.
Sign-ins from infected devices.
Sign-ins from IP addresses with suspicious activity.

Sign-ins from unfamiliar locations.
Box 2: No -
Box 3: No -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa
Question #28Topic 2

✑ Require users to register when signing in: Yes
✑ Number of methods required to reset: 1
• A. an email to an address outside your organization

• B. a smartcard
• C. an FID02 security token
• D. a Microsoft Teams chat
Correct Answer: A
A one-gate policy requires one piece of authentication data, such as an email address or phone number.
A one-gate policy applies in the following circumstances:
It's within the first 30 days of a trial subscription; or
A custom domain hasn't been configured for your Azure AD tenant so is using the default
*.onmicrosoft.com. The default *.onmicrosoft.com domain isn't recommended for production use; and
Azure AD Connect isn't synchronizing identities.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-
policy#administrator-reset-policy-differences
Question #29Topic 2
table.
The tenant has the authentication methods shown in the following table.
Which users will sign in to cloud apps by matching a number shown in the app with a number shown on
their phone?
• A. User1 only
• B. User2 only
• C. User3 only
• E. User2 and User3 only
Correct Answer: A
Microsoft Authenticator -
You can also allow your employee's phone to become a passwordless authentication method. You may
already be using the Authenticator app as a convenient multi-factor authentication option in addition to a
password. You can also use the Authenticator App as a passwordless option.
The Authenticator App turns any iOS or Android phone into a strong, passwordless credential. Users can
sign in to any platform or browser by getting a notification to their phone, matching a number displayed
on the screen to the one on their phone, and then using their biometric (touch or face) or PIN to confirm.
Incorrect:
* Not User2
FIDO2 security keys -

The FIDO (Fast IDentity Online) Alliance helps to promote open authentication standards and reduce the
use of passwords as a form of authentication. FIDO2 is the latest standard that incorporates the web
authentication (WebAuthn) standard.
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can
come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication.
FIDO allows users and organizations to leverage the standard to sign in to their resources without a
username or password using an external security key or a platform key built into a device.
Reference:
passwordless
Question #30Topic 2
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1 and the
conditional access policies shown in the following table.
You need to evaluate which policies will be applied to User1 when User1 attempts to sign-in from various
IP addresses.
Which feature should you use?
• A. Access reviews
• B. Identity Secure Score
• C. The What If tool
• D. the Microsoft 365 network connectivity test tool
Correct Answer: C
The Azure AD conditional access What if tool allows you to understand the impact of your conditional
access policies on your environment. Instead of test driving your policies by performing multiple sign-ins
manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the
impact this sign-in has on your policies and generates a simulation report. The report does not only list
the applied conditional access policies but also classic policies if they exist.
Reference:
https://azure.microsoft.com/en-us/updates/azure-ad-conditional-access-what-if-tool-is-now-available
Question #31Topic 2

All users have mobile phones and Windows 10 laptops.
connectivity. While working from the remote locations, the users connect their laptops to a wired
network that has internet access.
• A. an app password
• B. voice
• C. Windows Hello for Business
• D. security questions
Correct Answer: C
The Microsoft Authenticator app provides an additional level of security to your Azure AD work or school
account or your Microsoft account and is available for
Android and iOS. With the Microsoft Authenticator app, users can authenticate in a passwordless way
during sign-in, or as an additional verification option during self-service password reset (SSPR) or
multifactor authentication events.
Reference:
authenticator-app#verification-code-from-mobile-app
Question #32Topic 2
You create a conditional access policy that blocks access when a user triggers a high-severity sign-in alert.
You need to test the policy under the following conditions:
✑ A user signs in from another country.
✑ A user triggers a sign-in risk.
What should you use to complete the test?
• A. the Conditional Access What If tool

• B. sign-ins logs in Azure Active Directory (Azure AD)
• C. the activity logs in Microsoft Defender for Cloud Apps
• D. access reviews in Azure Active Directory (Azure AD)
Correct Answer: A
The Azure AD conditional access What if tool allows you to understand the impact of your conditional
access policies on your environment. Instead of test driving your policies by performing multiple sign-ins
manually, this tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the
impact this sign-in has on your policies and generates a simulation report. The report does not only list
the applied conditional access policies but also classic policies if they exist.
Reference:
https://azure.microsoft.com/en-us/updates/azure-ad-conditional-access-what-if-tool-is-now-available
Question #33Topic 2
HOTSPOT -
table.
You have the locations shown in the following table.
The tenant contains a named location that has the following configurations:
✑ Name: Location1
✑ Mark as trusted location: Enabled
IPv4 range: 10.10.0.0/16 -
MFA has a trusted IP address range of 193.17.17.0/24.

✑ Name: CAPolicy1
✑ Assignments
- Users or workload identities: Group1
- Cloud apps or actions: All cloud apps
✑ Conditions
- Locations: All trusted locations
✑ Access controls
- Grant
- Grant access: Require multi-factor authentication
- Session: 0 controls selected
✑ Enable policy: On
Hot Area:
Correct
Answer:
Box 1: No -
10.10.0.150 is from a trusted location.
Note: The trusted IPs feature of Azure AD Multi-Factor Authentication bypasses multi-factor
authentication prompts for users who sign in from a defined IP address range. You can set trusted IP
ranges for your on-premises environments. When users are in one of these locations, there's no Azure AD
Multi-Factor
Authentication prompt. The trusted IPs feature requires Azure AD Premium P1 edition.
Box 2: No -
10.10.1.160 is from a trusted location
Box 3: Yes -
Reference:
Question #34Topic 2
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Email one-time
passcode for guests set to Yes.
You invite the guest users shown in the following table.
Which users will receive a one-time passcode, and how long will the passcode be valid? To answer, select
the appropriate options in the answer area.
Hot Area:
Correct
Answer:
Box 1: Guest3 only -

When does a guest user get a one-time passcode?
When a guest user redeems an invitation or uses a link to a resource that has been shared with them,
they'll receive a one-time passcode if:
They don't have an Azure AD account
They don't have a Microsoft account
The inviting tenant didn't set up federation with social (like Google) or other identity providers.
Box 2: 30 minutes -
One-time passcodes are valid for 30 minutes. After 30 minutes, that specific one-time passcode is no
longer valid, and the user must request a new one. User sessions expire after 24 hours. After that time,
the guest user receives a new passcode when they access the resource. Session expiration provides
added security, especially when a guest user leaves their company or no longer needs access.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode
Question #35Topic 2
You currently allow email clients that use Basic authentication to connect to Microsoft Exchange Online.
You need to ensure that users can connect to Exchange only from email clients that use Modern
authentication protocols.
What should you implement?
• A. an OAuth policy in Microsoft Defender for Cloud Apps

• B. a conditional access policy in Azure Active Directory (Azure AD)
• C. a compliance policy in Microsoft Endpoint Manager
• D. an application control profile in Microsoft Endpoint Manager
Correct Answer: B
Question #36Topic 2
You have an Azure subscription that contains an Azure SQL database named db1.
You deploy an Azure App Service web app named App1 that provides product information to users that
connect to App1 anonymously.
You need to provide App1 with access to db1. The solution must meet the following requirements:
• Credentials must only be available to App1.

• Administrative effort must be minimized.
Which type of credentials should you use?
• A. a system-assigned managed identity

• B. an Azure Active Directory (Azure AD) user account
• C. a SQL Server account
• D. a user-assigned managed identity
Correct Answer: A
Question #37Topic 2
You have an Azure subscription that contains the custom roles shown in the following table.
You need to create a custom Azure subscription role named Role3 by using the Azure portal. Role3 will
use the baseline permissions of an existing role.
Which roles can you clone to create Role3?
• A. Role2 only
• B. built-in Azure subscription roles only

• C. built-in Azure subscription roles and Role2 only
• D. built-in Azure subscription roles and built-in Azure AD roles only
• E. Role1, Role2, built-in Azure subscription roles, and built-in Azure AD roles
Correct Answer: C
Question #38Topic 2
• A. Windows Hello for Business

• D. email
Correct Answer: A
Question #39Topic 2
• A. voice
• B. Windows Hello for Business
• C. email
• D. security questions
Correct Answer:B
Question #40Topic 2
HOTSPOT
-
You have an Azure subscription that contains the following virtual machine:
• Name: V1
• Azure region: East US
• System-assigned managed identity: Disabled
You create the managed identities shown in the following table.
You perform the following actions:
• Assign Managed1 to V1.

• Create a resource group named RG1 in the West US region.
Correct
Answer:
Question #41Topic 2
HOTSPOT
-
You have an Azure subscription that contains the key vaults shown in the following table.
The subscription contains the users shown in the following table.
On June 1, Admin4 performs the following actions:
• Deletes a certificate named Certificate1 from KeyVault1

• Deletes a secret named Secret1 from KeyVault2
Correct
Answer:
Question #42Topic 2
• A. password spray
• C. unfamiliar sign-in properties
• D. Azure AD threat intelligence
Correct Answer: D
Question #43Topic 2
• Require users to register when signing in: Yes

• Number of methods required to reset: 1
• A. a smartcard
• B. a mobile app code
• C. a mobile app notification
• D. an email to an address outside your organization
Correct Answer: B
Question #44Topic 2
You create a new Microsoft 365 E5 tenant.
You need to ensure that when users connect to the Microsoft 365 portal from an anonymous IP address,
they are prompted to use multi-factor authentication (MFA).
• A. a sign-in risk policy

• B. a user risk policy
• C. an MFA registration policy
Correct Answer: A
Question #45Topic 2
HOTSPOT
-
You configure a conditional access policy as shown in the Conditional Access policy exhibit. (Click the
Conditional Access policy tab.)
You view the User administrator role settings as shown in the Role setting details exhibit. (Click the Role
setting details tab.)
You view the User administrator role assignments as shown in the Role assignments exhibit. (Click the
Role assignments tab.)
Correct
Answer:
Question #46Topic 2
HOTSPOT
-
You have the Azure AD Identity Protection policies shown in the following table.
You review the Risky users report and the Risky sign-ins report and perform actions for each user as
Correct
Answer:
Question #47Topic 2
You have an Azure subscription that contains a user named User1.
You need to meet the following requirements:
• Prevent User1 from being added as an owner of newly registered apps.

• Ensure that User1 can manage the application proxy settings.
• Ensure that User1 can register apps.
• Use the principle of least privilege.
• A. Application developer
• B. Cloud application administrator
• C. Service support administrator
• D. Application administrator
Correct Answer: D
Question #48Topic 2
DRAG DROP
-
You have a Microsoft 365 E5 subscription and an Azure subscription.
• Ensure that users can sign in to Azure virtual machines by using their Microsoft 365 credentials.
• Delegate the ability to create new virtual machines.
What should you use for each requirement? To answer, drag the appropriate features to the correct
requirements. Each feature may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
Correct
Answer:
Question #49Topic 2

• B. SMS
• C. email
• D. Windows Hello for Business
Correct Answer: D
Question #50Topic 2
HOTSPOT
-
an Azure AD tenant. The AD DS domain contains the organizational units (OUs) shown in the following
table.
You need to create a break-glass account named BreakGlass.
Where should you create BreakGlass, and which role should you assign to BreakGlass? To answer, select
Correct
Answer:
Question #51Topic 2
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.
You need to ensure that users can request access to Site1. The solution must meet the following
requirements:
• Automatically approve requests from users based on their group membership.

• Automatically remove the access after 30 days.
What should you do?
• A. Create a Conditional Access policy.

• B. Create an access package.
• C. Configure Role settings in Azure AD Privileged Identity Management.
• D. Create a Microsoft Defender for Cloud Apps access policy.
Correct Answer: B
Question #52Topic 2
HOTSPOT
-
You need to create two custom roles named Role1 and Role2. The solution must meet the following
requirements:
• Users that are assigned Role1 can manage application security groups.
• Users that are assigned Role2 can manage Azure Firewall.
Which resource provider permissions are required for each role? To answer, select the appropriate
Correct
Answer:
Question #53Topic 2
• A. voice
Correct Answer: D
Question #54Topic 2
DRAG DROP
-
You have a Microsoft 365 E5 tenant.
You purchase a cloud app named App1.
You need to enable real-time session-level monitoring of App1 by using Microsoft Defender for Cloud
Apps.
In which order should you perform the actions? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Correct Answer:
Question #55Topic 2
HOTSPOT
-
Case Study
-
Overview
-
adatum.com.
defaults disabled.


-

a grace period.
- Email
- Phone
You implement the planned changes for SSPR.
What occurs when User3 attempts to use SSPR? To answer, select the appropriate options in the answer
area.
Correct
Answer:
Question #56Topic 2
HOTSPOT
-
Case Study
-
Overview
-
adatum.com.
defaults disabled.

-

a grace period.
- Email
- Phone
You need to support the planned changes and meet the technical requirements for MFA.
Which feature should you use, and how long before the users must complete the registration? To
Correct
Answer:
Question #57Topic 2
DRAG DROP
-
Case Study
-
Overview
-
adatum.com.
defaults disabled.


-

a grace period.
- Email
- Phone
You need to resolve the recent security incident issues.
What should you configure for each incident? To answer, drag the appropriate policy types to the correct
issues. Each policy type may be used once, more than once, or not at all. You may need to drag the split
Correct
Answer:
Question #58Topic 2
A user named User1 receives an error message when attempting to access the Microsoft Defender for
Cloud Apps portal.
You need to identify the cause of the error. The solution must minimize administrative effort.
• A. Log Analytics
• B. sign-in logs
• C. audit logs
• D. provisioning logs
Correct Answer: B
Question #59Topic 2
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Yammer.
You need prevent users from signing in to Yammer from high-risk locations.
What should you do in the Microsoft Defender for Cloud Apps portal?
• A. Create an access policy.

• B. Create an activity policy.
• C. Unsanction Yammer.
• D. Create an anomaly detection policy.
Correct Answer: A
Question #60Topic 2
• A. SMS
• B. email
Correct Answer: D
Question #61Topic 2
• A. impossible travel
• C. malicious IP address
• D. Azure AD threat intelligence
Correct Answer: D
Question #62Topic 2

• A. an email to an address outside your organization

• B. a mobile app notification
• C. an FIDO2 security token
• D. an email to an address in your organization
Correct Answer: A
Question #63Topic 2
You have an Azure AD Tenant.

• A. an FIDO2 security token

• B. a mobile app code
• C. a Microsoft Teams chat
• D. a Windows Hello PIN
Correct Answer: B
Question #64Topic 2
HOTSPOT
-
From Entitlement management, you plan to create a catalog named Catalog1 that will contain a custom
extension.
What should you create first, and what should you use to distribute Catalog1? To answer, select the
Correct
Answer:
Question #65Topic 2
You enable self-service password reset (SSPR) for all the users and configure SSPR to require security
questions as the only authentication method.
Which users must use security questions when resetting their password?
• A. User4 only
• B. User3 and User4 only
• D. User1, User3, and User4 only
• E. User1, User2, User3, and User4
Correct Answer: B
Question #66Topic 2
You need to implement smart lockout with a lockout threshold of 10 failed sign-ins.
What should you configure in the Azure AD admin center?
• A. Authentication strengths
• B. Password protection
• C. User risk policy
• D. Sign-in risk policy
Correct Answer: B
Question #67Topic 2
You configure a new Microsoft 365 tenant to use a default domain name of contoso.com.
You need to ensure that you can control access to Microsoft 365 resources by using conditional access
policies.
• A. Disable Security defaults.

• B. Configure password protection for the Azure AD tenant.
• C. Configure a multi-factor authentication (MFA) registration policy.
• D. Disable the User consent settings.
Correct Answer: A
Question #68Topic 2
An on-premises Active Directory domain is configured to sync with the Azure AD tenant. The domain
contains the servers shown in the following table.
The domain controllers are prevented from communicating to the internet.
You implement Azure AD Password Protection on Server1 and Server2.
You deploy a new server named Server4 that runs Windows Server 2022.
You need to ensure that Azure AD Password Protection will continue to work if a single server fails.
What should you implement on Server4?
• A. Azure AD Connect
• C. Password Change Notification Service (PCNS)
• D. the Azure AD Password Protection proxy service
Correct Answer: D
Question #69Topic 2
• A. voice
• B. email
Correct Answer: D
Question #70Topic 2
HOTSPOT
-
You have an Azure subscription that contains the resources shown in the following table.
You need to configure access to Vault1. The solution must meet the following requirements:
• Ensure that User1 can manage and create keys in Vault1.

• Ensure that User2 can access a certificate stored in Vault1.
• Use the principle of least privilege.
Which role should you assign to each user? To answer select the appropriate options in the answer area.
Correct
Answer:
Question #71Topic 2
You have an Azure AD tenant that has multi-factor authentication (MFA) enforced and self-service
password reset (SSPR) enabled.
You enable combined registration in interrupt mode.
You create a new user named User1.
Which two authentication methods can User1 use to complete the combined registration process? Each
correct answer presents a complete solution.
• A. a FIDO2 security key

• B. a hardware token
• C. a one-time passcode email
• E. the Microsoft Authenticator app
Correct Answer: CE
Question #72Topic 2
DRAG DROP
-
You have an Azure AD tenant that contains a user named Admin1.
Admin1 uses the Require password change for high-risk users policy template to create a new Conditional
Access policy.
Who is included and excluded by default in the policy assignment? To answer, drag the appropriate
options to the correct target. Each option may be used once, more than once, or not at all. You may need
to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point
Correct Answer:
Question #73Topic 2
• A. SMS
• B. Windows Hello for Business
• C. voice
• D. a notification through the Microsoft Authenticator app
Correct Answer: B
Question #74Topic 2
You currently allow email clients that use Basic authentication to connect to Microsoft Exchange Online.
You need to ensure that users can connect to Exchange Online only from email clients that use Modern
authentication protocols.
• A. a conditional access policy in Azure AD

• B. a compliance policy in Microsoft Intune
• C. an OAuth policy in Microsoft Defender for Cloud Apps
• D. an application control profile in Microsoft Intune
Correct Answer: A
Question #75Topic 2
You plan to deploy a new Azure AD tenant.
Which multifactor authentication (MFA) method will be enabled by default for the tenant?
• A. Microsoft Authenticator
• B. SMS
• C. voice call
• D. email OTP
Correct Answer: A
Question #76Topic 2
HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1
and the users shown in the following table.
The users have the devices shown in the following table.
You create the following two Conditional Access policies:
• Name: CAPolicy1
• Assignments
o Users or workload identities: Group1
o Cloud apps or actions: Office 365 SharePoint Online
o Conditions
Filter for devices: Exclude filtered devices from the policy
Rule syntax: device.displayName -startsWith “Device”

o Access controls
Grant: Block access
Session: 0 controls selected
o Enable policy: On
• Name: CAPolicy2
• Assignments
o Users or workload identities: Group2
o Cloud apps or actions: Office 365 SharePoint Online
o Conditions: 0 conditions selected
• Access controls
o Grant: Grant access
Require multifactor authentication
o Session: 0 controls selected
• Enable policy: On
All users confirm that they can successfully authenticate using MFA.
Correct
Answer:
Question #77Topic 2
You have a Microsoft 365 E5 subscription that contains three users named User1, User2, and User3 and a
Microsoft SharePoint Online site named Site1.
The subscription contains the devices shown in the following table.
The users sign in to the devices as shown in the following table.
You have a Conditional Access policy that has the following settings:
• Name: CA1
• Assignments
o Users and groups: User1, User2, User3
o Cloud apps or actions: SharePoint - Site1
• Access controls
o Session: Use app enforced restrictions
From the SharePoint admin center, you configure Access control for unmanaged devices to allow limited,
web-only access.
Which users will have full access to Site1?
• A. User1 only
• B. User2 only
• C. User3only
• E. User1, User2, and User3
Correct Answer: A
Question #78Topic 2
You have an Azure AD tenant named contoso.com that contains the resources shown in the following
table.
You create a user named Admin1.
You need to ensure that Admin1 can enable Security defaults for contoso.com.
• A. Delete Package1.
• B. Delete CAPolicy1.
• C. Assign Admin1 the Authentication Administrator role for Au1.
• D. Configure Identity Governance.
Correct Answer: B
Question #79Topic 2
DRAG DROP
-
You have an Azure subscription that is linked to an Azure AD tenant named contoso.com. The
subscription contains a group named Group1 and a virtual machine named VM1.
• Enable a system-assigned managed identity for VM1.

• Add VM1 to Group1.
How should you complete the PowerShell script? To answer, drag the appropriate cmdlets to the correct
targets. Each cmdlet may be used once, more than once or not at all. You may need to drag the split bar
between panes or scroll to view content.
Correct
Answer:
Question #80Topic 2
You deploy a new enterprise application named App1.
When users attempt to provide App1 with access to the tenant, the attempt fails.
You need to ensure that the users can request admin consent for App1. The solution must follow the
principle of least privilege.
• A. Enable admin consent requests for the tenant.

• B. Designate a reviewer of admin consent requests for the tenant.
• C. From the Permissions settings of App1, grant App1 admin consent for the tenant.
• D. Create a Conditional Access policy for App1.
Correct Answer: A
Question #81Topic 2
Solution: From the Azure Active Directory admin center, you configure the Block/unblock users settings
for multi-factor authentication (MFA).
• A. Yes
• B. No
Correct Answer: B
Question #82Topic 2
You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1 and
a Microsoft 365 group named Group1.
You need to ensure that the members of Group1 can access Site1 for 90 days. The solution must
minimize administrative effort.
• A. an access package
• B. an access review
• C. a lifecycle workflow
• D. a Conditional Access policy
Correct Answer: A

Question #1Topic 3
HOTSPOT -
You have a Microsoft 365 tenant and an Active Directory domain named adatum.com.
You deploy Azure AD Connect by using the Express Settings.
You need to configure self-service password reset (SSPR) to meet the following requirements:
✑ When users reset their password, they must be prompted to respond to a mobile app notification or
answer three predefined security questions.

✑ Passwords must be synced between the tenant and the domain regardless of where the password was
reset.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
security-questions
Question #3Topic 3

The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain.
Users connect to the internet by using a hardware firewall at your company. The users authenticate to
the firewall by using their Active Directory credentials.
You plan to manage access to external applications by using Azure AD.
You need to use the firewall logs to create a list of unmanaged external applications and the users who
access them.
What should you use to gather the information?
• A. Application Insights in Azure Monitor

• B. access reviews in Azure AD
• C. Cloud App Discovery in Microsoft Cloud App Security
• D. enterprise applications in Azure AD
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/create-snapshot-cloud-discovery-reports#using-
traffic-logs-for-cloud-discovery
Question #4Topic 3
HOTSPOT -
You have an on-premises datacenter that contains the hosts shown in the following table.
The Active Directory forest syncs to an Azure Active Directory (Azure AD) tenant. Multi-factor
authentication (MFA) is enforced for Azure AD.
You need to ensure that you can publish App1 to Azure AD users.
What should you configure on Server4 and Firewall1? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
Question #5Topic 3
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that has the default App registrations settings. The
tenant contains the users shown in the following table.
You purchase two cloud apps named App1 and App2. The global administrator registers App1 in Azure
AD.
You need to identify who can assign users to App1, and who can register App2 in Azure AD.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-assign-
users https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-
applications-are-added
Question #6Topic 3
HOTSPOT -
You have a custom cloud app named App1 that is registered in Azure Active Directory (Azure AD).
App1 is configured as shown in the following exhibit.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-
portal
Question #7Topic 3

You create an enterprise application collection named HR Apps that has the following settings:
✑ Applications: App1, App2, App3
✑ Owners: Admin1
✑ Users and groups: HRUsers
All three apps have the following Properties settings:
✑ Enabled for users to sign in: Yes
✑ User assignment required: Yes
Visible to users: Yes -
Users report that when they go to the My Apps portal, they only see App1 and App2.
You need to ensure that the users can also see App3.
What should you do from App3?
• A. From Users and groups, add HRUsers.

• B. From Single sign-on, configure a sign-on method.
• C. From Properties, change User assignment required to No.
• D. From Permissions, review the User consent permissions.
Correct Answer: A
Reference:
portal https://docs.microsoft.com/en-us/azure/active-directory/user-help/my-applications-portal-
workspaces
Question #8Topic 3

For the tenant, Users can register applications is set to No.
A user named Admin1 must deploy a new cloud app named App1.
You need to ensure that Admin1 can register App1 in Azure AD. The solution must use the principle of
least privilege.
Which role should you assign to Admin1?
• A. Managed Application Contributor for Subscription1.

• B. Application developer in Azure AD.
• C. Cloud application administrator in Azure AD.
• D. App Configuration Data Owner for Subscription1.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles
Question #9Topic 3
HOTSPOT -
You have a Microsoft 365 tenant that contains a group named Group1 as shown in the Group1 exhibit.
(Click the Group1 tab.)
You create an enterprise application named App1 as shown in the App1 Properties exhibit. (Click the
App1 Properties tab.)
You configure self-service for App1 as shown in the App1 Self-service exhibit. (Click the App1 Self-service
tab.)

Hot Area:
Correct
Answer:
Reference:
portal https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-
assign-users
Question #10Topic 3
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity
Protection enabled.
You need to implement a sign-in risk remediation policy without blocking user access.
• A. Configure access reviews in Azure AD.

• B. Enforce Azure AD Password Protection.
• C. Configure self-service password reset (SSPR) for all users.
• D. Implement multi-factor authentication (MFA) for all users.
Correct Answer: D
MFA and SSPR are both required. However, MFA is required first.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-
remediate-unblock https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-
deployment
Question #11Topic 3
HOTSPOT -
Your company has a Microsoft 365 tenant.
All users have computers that run Windows 10 and are joined to the Azure Active Directory (Azure AD)
tenant.
The company subscribes to a third-party cloud service named Service1. Service1 supports Azure AD
authentication and authorization based on OAuth. Service1 is published to the Azure AD gallery.
You need to recommend a solution to ensure that the users can connect to Service1 without being
prompted for authentication. The solution must ensure that the users can access Service1 only from
Azure AD-joined computers. The solution must minimize administrative effort.
What should you recommend for each requirement? To answer, select the appropriate options in the
answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-
added https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-managed-
devices
Question #12Topic 3
Your company requires that users request access before they can access corporate applications.
You register a new enterprise application named MyApp1 in Azure Active Directory (Azure AD) and
configure single sign-on (SSO) for MyApp1.
Which settings should you configure next for MyApp1?
• A. Self-service
• B. Provisioning
• C. Application proxy
• D. Roles and administrators
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access
Question #13Topic 3
DRAG DROP -
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
The company is developing a web service named App1.
You need to ensure that App1 can use Microsoft Graph to read directory data in contoso.com.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange then in the correct order.
Select and Place:
Correct
Answer:
1. Create an app registration:

Your app must be registered with the Microsoft identity platform and be authorized by either a user or an
administrator for access to the Microsoft Graph resources it needs.
2. Grant admin consent:
Higher-privileged permissions require administrator consent.
3. Add app permissions:
After the consents to permissions for your app, your app can acquire access tokens that represent the
app's permission to access a resource in some capacity.
Encoded inside the access token is every permission that your app has been granted for that resource.
Reference:
https://docs.microsoft.com/en-us/graph/auth/auth-concepts
Question #14Topic 3
You have an Azure Active Directory (Azure AD) tenant that contains cloud-based enterprise apps.
You need to group related apps into categories in the My Apps portal.
What should you create?
• A. tags
• B. collections
• C. naming policies
• D. dynamic groups
Correct Answer: B
Reference:
https://support.microsoft.com/en-us/account-billing/customize-app-collections-in-the-my-apps-portal-
2dae6b8a-d8b0-4a16-9a5d-71ed4d6a6c1d
Question #15Topic 3
The Azure Active Directory (Azure AD) tenant contains the groups shown in the following table.
In Azure AD, you add a new enterprise application named App1.

Which groups can you assign to App1?
• A. Group1 only
• B. Group2 only
• C. Group3 only
• D. Group1 and Group4
• E. Group1 and Group3
Correct Answer: E
Using Azure Active Directory (Azure AD) with an Azure AD Premium license plan, you can use groups to
assign access to a SaaS application that's integrated with Azure AD. For example, if you want to assign
access for the marketing department to use five different SaaS applications, you can create an Office 365
or security group that contains the users in the marketing department, and then assign that group to
these five SaaS applications that are needed by the marketing department.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-saasapps
Question #16Topic 3
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in, the following
table.
The User settings for enterprise applications have the following configurations:
✑ Users can consent to apps accessing company data on their behalf: No
✑ Users can consent to apps accessing company data for the groups they own: No
✑ Users can request admin consent to apps they are unable to consent to: Yes
Who can review admin consent requests: Admin2, User2
User1 attempts, to add an app that requires consent to access company data.
Which user can provide consent?
• A. User1
• B. User2
• C. Admin1
• D. Admin2
Correct Answer: C
To approve requests, a reviewer must be a global administrator, cloud application administrator, or
application administrator.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-
workflow
Question #17Topic 3
You have a Microsoft 365 subscription. The subscription contains users that use Microsoft Outlook 2016
and Outlook 2013 clients.
You need to implement tenant restrictions. The solution must minimize administrative effort.
• A. Configure the Outlook 2013 clients to use modern authentication.

• B. Upgrade the Outlook 2013 clients to Outlook 2016.
• C. From the Exchange admin center, configure Organization Sharing.
• D. Upgrade all the Outlook clients to Outlook 2019.
Correct Answer: B
From October 13, 2020 onward, only these versions of Office are supported for connecting to Microsoft
365 (and Office 365) services:
Microsoft 365 Apps for enterprise (previously named Office 365 ProPlus)
Microsoft 365 Apps for business (previously named Office 365 Business)
Office LTSC 2021, such as Office LTSC Professional Plus 2021
Office 2019, such as Office Professional Plus 2019
Office 2016, such as Office Standard 2016

Note:
Office 2019 and Office 2016 will be supported for connecting to Microsoft 365 (and Office 365) services
until October 2023.
Note: Client software: To support tenant restrictions, client software must request tokens directly from
Azure AD, so that the proxy infrastructure can intercept traffic. Browser-based Microsoft 365 applications
currently support tenant restrictions, as do Office clients that use modern authentication (like OAuth 2.0).
Reference:
https://docs.microsoft.com/en-us/deployoffice/endofsupport/microsoft-365-services-connectivity
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions
Question #18Topic 3
You need to create a Microsoft Defender for Cloud Apps session policy.
• A. From the Microsoft Defender for Cloud Apps portal, select User monitoring.
• B. From the Microsoft Defender for Cloud Apps portal, select App onboarding/maintenance.
• C. From the Azure Active Directory admin center, create a Conditional Access policy.
• D. From the Microsoft Defender for Cloud Apps portal, create a continuous report.
Correct Answer: A
Question #19Topic 3
table.
You add an enterprise application named App1 to Azure AD and set User1 as the owner of App1. App1
requires admin consent to access Azure AD before the app can be used.
You configure the Admin consent requests settings as shown in the following exhibit.
Admin1, Admin2, Admin3, and User’ are added as reviewers.
Which users can review and approve the admin consent requests?
• A. Admin1 only
• B. Admin1, Admin2 and Admin3 only
• C. Admin1, Admin2, and User1 only
• D. Admin1 and Admin2 only
• E. Admin1, Admin2, Admin3, and User1
Correct Answer: D
Question #20Topic 3
You need to be notified if a user downloads more than 50 files in one minute from Site1.
Which type of policy should you create in the Microsoft Defender for Cloud Apps portal?
• A. session policy
• B. activity policy
• C. file policy
• D. anomaly detection policy
Correct Answer: B
Question #21Topic 3
Site1 hosts PDF files.
You need to prevent users from printing the files directly from Site1.
• A. activity policy
• B. access policy
• C. file policy
• D. session policy
Correct Answer: D
Question #22Topic 3
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps and Conditional
Access policies.
You need to block access to cloud apps when a user is assessed as high risk.
• A. access policy
• B. OAuth app policy
• C. anomaly detection policy
• D. activity policy
Correct Answer: A
Question #23Topic 3
Users authorize third-party cloud apps to access their data.
You need to configure an alert that will be triggered when an app requires high permissions and is
authorized by more than 20 users.
• A. anomaly detection policy

• B. OAuth app policy
• C. access policy
• D. activity policy
Correct Answer: D
Question #24Topic 3
Your company has an Azure AD tenant that contains the users shown in the following table.
You have the app registrations shown in the following table.
A company policy prevents changes to user permissions.
Which user can create appointments in the calendar of each user at the company?
• A. User1
• B. User2
• C. User3
• D. User4
Correct Answer: B
Question #25Topic 3
You have an Azure AD tenant that contains a user named User1 and a registered app named App1.
User1 deletes the app registration of App1.
You need to restore the app registration.
What is the maximum number of days you have to restore the app registration from when it was
deleted?
• A. 14
• B. 30
• C. 60
• D. 180
Correct Answer: B
Question #26Topic 3
HOTSPOT
-
Sometimes, users use external, third-party applications that require limited access to the Microsoft 365
data of the respective user. The users register the applications in Azure AD.
You need to receive an alert if a registered application gains read and write access to the users’ email.
Correct
Answer:
Question #27Topic 3
Case Study -
Overview -
adatum.com.
defaults disabled.


a grace period.
- Email
- Phone
You need implement the planned changes for application access to organizational data.
• A. authentication methods
• B. the User consent settings
• C. access packages
• D. an application proxy
Correct Answer: B
Question #28Topic 3
You configure User consent settings to allow users to provide consent to apps from verified publishers.
You need to ensure that the users can only provide consent to apps that require low impact permissions.
What should you do?
• A. Create an enterprise application collection.

• B. Create an access review.
• C. Create an access package.
• D. Configure permission classifications.
Correct Answer: A
Question #29Topic 3
HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains a user named User1.
You configure app governance integration.
User1 needs to view the App governance dashboard. The solution must use the principle of the least
privilege.
Which role should you assign to User1, and which portal should User1 use to view the dashboard? To
Correct
Answer:
Question #30Topic 3
You are evaluating enterprise software as a service (SaaS) apps.
You need to ensure that the apps support automatic provisioning of Azure AD users.
Which specification should the apps support?
• A. OAuth 2.0
• B. WS-Fed
• C. SCIM 2.0
• D. LDAP 3
Correct Answer: C
Question #31Topic 3
You have an Azure AD tenant and a .NET web app named App1.
You need to register App1 for Azure AD authentication.
What should you configure for App1?
• A. the executable name

• B. the bundle ID
• C. the package name
• D. the redirect URI
Correct Answer: D
Question #32Topic 3

• B. security questions
• C. voice
Correct Answer: D
Question #33Topic 3
You discover that a large number of new apps were added to the tenant.
You need to implement an approval process for new enterprise applications.
What should you do?
• A. From the Microsoft Defender for Cloud Apps portal, create a Cloud Discovery anomaly
detection policy.
• B. From the Microsoft Entra admin center, configure the Admin consent settings.
• C. From the Microsoft Defender for Cloud Apps portal, configure an app connector.
• D. From the Microsoft Entra admin center, configure an access review.
Correct Answer: B
Question #34Topic 3
You purchase the app governance add-on license.
You need to enable app governance integration.
Which portal should you use?
• A. the Microsoft Defender for Cloud Apps portal

• C. Microsoft 365 Defender
• D. the Azure Active Directory admin center
• E. the Microsoft Purview compliance portal
Correct Answer: C
Question #35Topic 3
Your company purchases a new Microsoft 365 E5 subscription and an app named App1.
You need to create a Microsoft Defender for Cloud Apps access policy for App1.
What should you do you first?
• A. Configure a Conditional Access policy to use app-enforced restrictions.

• B. Configure a Token configuration for App1.
• C. Add an API permission for App1.
• D. Configure a Conditional Access policy to use Conditional Access App Control.
Correct Answer: D
Question #36Topic 3
Case Study -
Overview -
and Seattle.
Contoso has a partnership with a company named Fabrikam, Inc. Fabrikam has an Azure AD tenant
named fabrikam.com.
domain contains an organizational unit (OU) named Contoso_Resources. The Contoso_Resources OU
contains all users and computers.
• Microsoft Office 365 Enterprise E5

• Enterprise Mobility + Security E5
• Windows 10 Enterprise E3
• Project Plan 3
• The users in the London office have the Microsoft 365 Phone System license unassigned.
• The users in the Seattle office have the Yammer Enterprise license unassigned.
• Currently, all the helpdesk administrators can manage user licenses throughout the entire Microsoft
365 tenant.
• The user administrators report that it is tedious to manually configure the different license
requirements for each Contoso office.

• The helpdesk administrators spend too much time provisioning internal and guest access to the
• Currently, the helpdesk administrators can perform tasks by using the User administrator role without
• When the Logs node is selected in Azure AD, an error message appears stating that Log Analytics
• Implement self-service password reset (SSPR).

• Analyze Azure audit activity logs by using Azure Monitor.
• Simplify license allocation for new users added to the tenant.
• Collaborate with the users at Fabrikam on a joint marketing campaign.
• Configure the User administrator role to require justification and approval to activate.
• Implement a custom line-of-business Azure web app named App1. App1 will be accessible from the
• For new users in the marketing department, implement an automated approval workflow to provide
Contoso plans to acquire a company named A. Datum Corporation. One hundred new A. Datum users will
• All users must be synced from AD DS to the contoso.com Azure AD tenant.

• App1 must have a redirect URI pointed to https://contoso.com/auth-response.
• License allocation for new users must be assigned automatically based on the location of the user.
• Fabrikam users must have access to the marketing department’s SharePoint site for a maximum of 90
days.
• Administrative actions performed in Azure AD must be audited. Audit logs must be retained for one
year.
• The helpdesk administrators must be able to manage licenses for only the users in their respective
office.
• Users must be forced to change their password if there is a probability that the users’ identity was
compromised.
You need to meet the planned changes and technical requirements for App1.
• A. a policy set in Microsoft Intune

• C. an app configuration policy in Microsoft Intune
• D. an app registration in Azure AD
Correct Answer: D
Question #37Topic 3
You have an Amazon Web Services (AWS) account, a Google Workspace subscription, and a GitHub
account.
You deploy an Azure subscription and enable Microsoft 365 Defender.
You need to ensure that you can monitor OAuth authentication requests by using Microsoft Defender for
Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the Google Workspace app connector.
• A. Yes
• B. No
Correct Answer: A
Question #38Topic 3
account.
Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the Microsoft Azure app connector.
• A. Yes
• B. No
Correct Answer: B
Question #39Topic 3
account.
Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the Amazon Web Services app connector.
• A. Yes
• B. No
Correct Answer: A
Question #40Topic 3
Your company purchases a Microsoft 365 E5 subscription.
A user named User1 is assigned the Security Administrator role.
You need to ensure that User1 can create Microsoft Defender for Cloud Apps session policies.
• A. Create a Conditional Access policy and select Require app protection policy.
• B. Create a Conditional Access policy and select Use Conditional Access App Control.
• C. Assign the Cloud Application Administrator role to User1.
• D. Assign the Cloud App Security Administrator role to User1.
Correct Answer: B
Question #41Topic 3
The App registration settings for the Azure AD tenant are configured as shown in the following exhibit.
User1 builds an ASP.NET web app named App1.
You need to ensure that User1 can register App1. The solution must use the principle of least privilege.
• A. Application Developer
• B. Cloud App Security Administrator
• C. Cloud Application Administrator
• D. Application Administrator
Correct Answer: A
Question #42Topic 3
HOTSPOT
-
The subscription contains the virtual machines shown in the following table.
Which identities can be assigned the Owner role for RG1, and to which virtual machines can you assign
Managed2? To answer, select the appropriate options in the answer area.
Correct
Answer:
Question #43Topic 3
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Cloud Apps.
You plan to increase app security for the subscription.
You need to identify which apps do NOT require user authentication.
What should you do in the Microsoft 365 Defender portal?
• A. Review the cloud app catalog.

• B. Create an OAuth policy and review alerts.
• C. Create a snapshot Cloud Discovery report.
• D. Create a discovered app query.
Correct Answer: A
Question #44Topic 3
HOTSPOT
-
You have a Microsoft Entra tenant that contains multiple storage accounts.
You plan to deploy multiple Azure App Service apps that will require access to the storage accounts.
You need to recommend an identity solution to provide the apps with access to the storage accounts. The
solution must minimize administrative effort.
Which type of identity should you recommend, and what should you recommend using to control access
to the storage accounts? To answer, select the appropriate options in the answer area.
Correct
Answer:
Question #45Topic 3
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains an
Azure Cosmos DB database named DB1 and an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1
uses a managed identity.
You need to ensure that AKS1 can access DB1. The solution must meet the following requirements:
• Ensure that AKS1 uses the managed identity to access DB1.
• Follow the principle of least privilege.
Which role should you assign to the managed identity of AKS1?
• A. For Sub1, assign the Owner role.

• B. For DB1, assign the Azure Cosmos DB Account Reader Role role.
• C. For RG1, assign the Azure Cosmos DB Data Reader Role role.
• D. For RG1, assign the Reader role.
Correct Answer: C
Question #46Topic 3
You have an Azure subscription that contains a storage account named storage1 and a web app named
WebApp1. WebApp1 uses a system-assigned managed identity.
You need to ensure that WebApp1 can read and write files to storage1 by using the system-assigned
managed identity.
What should you configure for storage1 in the Azure portal?
• A. data protection
• B. a shared access signature (SAS)
• C. the Access control (IAM) settings
• D. the File share settings
• E. access keys
Correct Answer: C

Question #1Topic 4

In Azure Active Directory (Azure AD), you configure the terms of use.
You need to ensure that only users who accept the terms of use can access the resources in the tenant.
Other users must be denied access.
• A. an access policy in Microsoft Cloud App Security.

• B. Terms and conditions in Microsoft Endpoint Manager.
• C. a conditional access policy in Azure AD
• D. a compliance policy in Microsoft Endpoint Manager
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use
Question #2Topic 4
You have an Azure Active Directory (Azure AD) tenant that contains the groups shown in the following
table.
For which groups can you create an access review?
• A. Group1 only
• B. Group1 and Group4 only
• C. Group1 and Group2 only
• D. Group1, Group2, Group4, and Group5 only
• E. Group1, Group2, Group3, Group4 and Group5
Correct Answer: D
You cannot create access reviews for device groups.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Question #3Topic 4
table.
User1 is the owner of Group1.

You create an access review that has the following settings:
✑ Users to review: Members of a group
✑ Scope: Everyone
✑ Group: Group1
✑ Reviewers: Members (self)
Which users can perform access reviews for User3?
• A. User1, User2, and User3

• B. User3 only
• C. User1 only
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-
start-security-review
Question #4Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains Azure AD Privileged Identity
Management (PIM) role settings for the User administrator role as shown in the following exhibit.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
deployment-plan
Question #5Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named
User1.
On November 5, 2020, you create and enforce terms of use in contoso.com that has the following
settings:
✑ Name: Terms1
✑ Display name: Contoso terms of use
✑ Require users to expand the terms of use: On
✑ Require users to consent on every device: On
✑ Expire consents: On
✑ Expire starting on: December 10, 2020

✑ Frequency: Monthly
On November 15, 2020, User1 accepts Terms1 on Device3.
Hot Area:
Correct
Answer:
Box 1: Yes because User1 has not yet accepted the terms on Device1.
Box 2: Yes because User1 has not yet accepted the terms on Device2. User1 will be prompted to register
the device before the terms can be accepted.
Box 3: No because User1 has already accepted the terms on Device3. The terms do not expire until
December 10 and then monthly after that. th
Reference:
Question #6Topic 4
Your company recently implemented Azure Active Directory (Azure AD) Privileged Identity Management
(PIM).
While you review the roles in PIM, you discover that all 15 users in the IT department at the company
have permanent security administrator rights.
You need to ensure that the IT department users only have access to the Security administrator role
when required.
What should you configure for the Security administrator role assignment?
• A. Expire eligible assignments after from the Role settings details

• B. Expire active assignments after from the Role settings details
• C. Assignment type to Active
• D. Assignment type to Eligible
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
Question #7Topic 4

The Sign-ins activity report shows that an external contractor signed in to the Exchange admin center.
You need to review access to the Exchange admin center at the end of each month and block sign-ins if
required.
What should you create?
• A. an access package that targets users outside your directory

• B. an access package that targets users in your directory
• C. a group-based access review that targets guest users
• D. an application-based access review that targets guest users
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Question #8Topic 4
You have 100 IT administrators who are organized into 10 departments.
You create the access review shown in the exhibit. (Click the Exhibit tab.)
You discover that all access review requests are received by Megan Bowen.
You need to ensure that the manager of each department receives the access reviews of their respective
department.
Solution: You create a separate access review for each role.
• A. Yes
• B. No
Correct Answer: B
Reference:
Question #9Topic 4
department.
Solution: You modify the properties of the IT administrator user accounts.
• A. Yes
• B. No
Correct Answer: A
Reference:
Question #10Topic 4
department.
Solution: You set Reviewers to Member (self).

• A. Yes
• B. No
Correct Answer: B
Reference:
Question #11Topic 4

The Azure Active Directory (Azure AD) tenant syncs to an on-premises Active Directory domain.
You plan to create an emergency-access administrative account named Emergency1. Emergency1 will be
assigned the Global administrator role in Azure AD.
Emergency1 will be used in the event of Azure AD functionality failures and on-premises infrastructure
failures.
You need to reduce the likelihood that Emergency1 will be prevented from signing in during an
emergency.
What should you do?
• A. Configure Azure Monitor to generate an alert if Emergency1 is modified or signs in.

• B. Require Azure AD Privileged Identity Management (PIM) activation of the Global administrator
role for Emergency1.
• C. Configure a conditional access policy to restrict sign-in locations for Emergency1 to only the
corporate network.
• D. Configure a conditional access policy to require multi-factor authentication (MFA) for
Emergency1.
Correct Answer: A
Question #12Topic 4
You implement entitlement management to provide resource access to users at a company named
Fabrikam, Inc. Fabrikam uses a domain named fabrikam.com.
Fabrikam users must be removed automatically from the tenant when access is no longer required.
You need to configure the following settings:
✑ Block external user from signing in to this directory: No
✑ Remove external user: Yes
✑ Number of days before removing external user from this directory: 90
What should you configure on the Identity Governance blade?
• A. Access packages
• B. Entitlement management settings
• C. Terms of use
• D. Access reviews settings
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-
external-users
Question #13Topic 4
You have an Azure Active Directory (Azure AD) P1 tenant.

You need to review the Azure AD sign-in logs to investigate sign-ins that occurred in the past.
For how long does Azure AD store events in the sign-in logs?
• A. 14 days
• B. 30 days
• C. 90 days
• D. 365 days
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-
retention#how-long-does-azure-ad-store-the-data
Question #14Topic 4
For which resources can you create an access review?
• A. Group1, Role1, and Contributor only

• B. Group1 only
• C. Group1, App1, Contributor, and Role1
• D. Role1 and Contributor only
Correct Answer: C
Access reviews require an Azure AD Premium P2 license.
Access reviews for Group1 and App1 can be configured in Azure AD Access Reviews.
Access reviews for the Contributor role and Role1 would need to be configured in Privileged Identity
Management (PIM). PIM is included in Azure AD Premium
P2.
Reference:
start-security-review?toc=/azure/active-directory/governance/ toc.json https://docs.microsoft.com/en-
us/azure/active-directory/governance/access-reviews-overview
Question #15Topic 4
You have an Azure Active Directory (Azure AD) tenant that uses conditional access policies.
You plan to use third-party security information and event management (SIEM) to analyze conditional
access usage.
You need to download the Azure AD log by using the administrative portal. The log file must contain
changes to conditional access policies.
What should you export from Azure AD?
• A. audit logs in CSV format

• B. sign-ins in CSV format
• C. audit logs in JSON format

• D. sign-ins in JSON format
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
Question #16Topic 4
department.
Solution: You add each manager as a fallback reviewer.
• A. Yes
• B. No
Correct Answer: B
Reference:
Question #17Topic 4
You have an Azure Active Directory (Azure AD) tenant that contains the objects shown in the following
table.
Which objects can you add as eligible in Azure AD Privileged Identity Management (PIM) for an Azure AD
role?
• A. User1, Guest1, and Identity1

• B. User1 and Guest1 only
• C. User1 only
• D. User1 and Identity1 only
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-
deployment-plan
Question #18Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains the following group:
✑ Name: Group1
✑ Members: User1, User2
✑ Owner: User3
On January 15, 2021, you create an access review as shown in the exhibit. (Click the Exhibit tab.)
Users answer the Review1 question as shown in the following table.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/review-your-access
Question #19Topic 4
HOTSPOT -
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com. The company has a
business partner named Fabrikam, Inc.
Fabrikam uses Azure AD and has two verified domain names of fabrikam.com and litwareinc.com. Both
domain names are used for Fabrikam email addresses.
You plan to create an access package named package1 that will be accessible only to the users at
Fabrikam.
You create a connected organization for Fabrikam.
You need to ensure that the package1 will be accessible only to users who have fabrikam.com email
addresses.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-
package-request-policy https://docs.microsoft.com/en-us/azure/active-
directory/governance/entitlement-management-access-package-create
Question #20Topic 4
You have an Azure Active Directory (Azure AD) tenant named contoso.com that has Azure AD Identity
Protection policies enforced.
You create an Azure Sentinel instance and configure the Azure Active Directory connector.
You need to ensure that Azure Sentinel can generate incidents based on the risk alerts raised by Azure AD
Identity Protection.
• A. Add a Microsoft Sentinel data connector.

• B. Configure the Notify settings in Azure AD Identity Protection.
• C. Create a Microsoft Sentinel playbook.
• D. Modify the Diagnostics settings in Azure AD.
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-ad-identity-protection
Question #21Topic 4
You use Azure Monitor to analyze Azure Active Directory (Azure AD) activity logs.
You receive more than 100 email alerts each day for failed Azure AD user sign-in attempts.
You need to ensure that a new security administrator receives the alerts instead of you.
Solution: From Azure AD, you create an assignment for the Insights administrator role.
• A. Yes
• B. No
Correct Answer: B
Question #22Topic 4
Solution: From Azure AD, you modify the Diagnostics settings.
• A. Yes
• B. No
Correct Answer: A
Question #23Topic 4
Solution: From Azure Monitor, you create a data collection rule.
• A. Yes
• B. No
Correct Answer: B
Question #24Topic 4
You have an Azure Active Directory Premium P2 tenant.

You create a Log Analytics workspace.
You need to ensure that you can view Azure Active Directory (Azure AD) audit log information by using
Azure Monitor.
• A. Run the Set-AzureADTenantDetail cmdlet.

• B. Create an Azure AD workbook.
• C. Modify the Diagnostics settings for Azure AD.
• D. Run the Get-AzureADAuditDirectoryLogs cmdlet.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-
logs-with-log-analytics
Question #25Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant contains the users shown in the following table.
In Azure AD Privileged Identity Management (PIM), you configure the Global administrator role as shown
in the following exhibit.
User1 is eligible for the Global administrator role.

Hot Area:
Correct
Answer:
Box 1: Yes -
MFA is required on activation -
Box 2: No -
The Privileged Authentication Administrator can set or reset any authentication method for any user,
including Global Administrators.
The Privileged Role Administrator can manage role assignments, including the Global Administrator role,
in Azure Active Directory, as well as within Azure AD
Privileged Identity Management. In addition, this role allows management of all aspects of Privileged
Identity Management and administrative units.
Box 3: No -
The Privileged Authentication Administrator can set or reset any authentication method for any user,
including Global Administrators.
The Privileged Role Administrator can manage role assignments, including the Global Administrator role,
in Azure Active Directory, as well as within Azure AD
Privileged Identity Management. In addition, this role allows management of all aspects of Privileged
Identity Management and administrative units.
Question #26Topic 4
You have a Microsoft 365 subscription that contains the following:

✑ An Azure Active Directory (Azure AD) tenant that has an Azure Active Directory Premium P2 license
✑ A Microsoft SharePoint Online site named Site1
✑ A Microsoft Teams team named Team1
You need to create an entitlement management workflow to manage Site1 and Team1.
• A. Configure an app registration.

• B. Create an Administrative unit.
• C. Create an access package.
• D. Create a catalog.
Correct Answer: C
Question #27Topic 4
Solution: From Azure Monitor, you modify the action group.
• A. Yes
• B. No
Correct Answer: B
Question #28Topic 4
HOTSPOT -
(Azure AD) tenant.
You create an access review as shown in the following table.
Hot Area:
Correct
Answer:
Box 1: No -
User1 is member of Group1. Group1 is in the cloud. Group1 is member of Group3. Group3 is in the cloud.
The access review applies to Group3, but not to Group1. The access review is setup to remove access if
reviewers don't respond.
Box 2: Yes -
User2 is member of Group2. Group1 is in an Active Directory domain.
The access review applies to Group2.
Box 3: No -
User3 is member of Group3, not of Group2.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Question #29Topic 4
You have a Microsoft 365 E5 subscription that contains a web app named App1.
Guest users are regularly granted access to App1.
You need to ensure that the guest users that have NOT accessed App1 during the past 30 days have their
access removed. The solution must minimize administrative effort.
• A. a Conditional Access policy

• B. a compliance policy
• C. a guest access review
• D. an access review for application access
Correct Answer: D
Access to groups and applications for employees and guests changes over time. To reduce the risk
associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to
create access reviews for group members or application access.
Reference:
Question #30Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) ten-ant: that contains the groups shown in the following
table.
You create an access review for Group1 as shown in the following table.
You create an access review for Group2 as shown in the following table.
What is the minimum member of Azure Active Directory Premium P2 licenses required for each group?
To answer, select the appropriate, options in the answer area.
Hot Area:
Correct Answer:
Box 1: 525 -
For Group1:
Review scope: All Users, Reviewers: Users review own access
Note: How many licenses must you have?
Your directory needs at least as many Azure AD Premium P2 licenses as the number of employees who
will be performing the following tasks:
Member users who are assigned as reviewers
Member users who perform a self-review
Member users as group owners who perform an access review
Member users as application owners who perform an access review
For guest users, licensing needs will depend on the licensing model you're using. However, the below
guest users' activities are considered Azure AD Premium
P2 usage:
Guest users who are assigned as reviewers
Guest users who perform a self-review
Guest users as group owners who perform an access review
Guest users as application owners who perform an access review
Box 2: 1 -
For Group2:
Review scope: Guest users only. Reviewers: Group Owner.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#license-
requirements
Question #31Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a group named
All Company and has the following Identity Governance settings:
✑ Block external users from signing in to this directory: Yes
✑ Remove external user. Yes
✑ Number of days before removing external user from this directory: 30
On March 11, 2.022, you create an access package named Package1 that has the following settings:
✑ Resource rales
1. Name: All Company
2. Type: Group and Team
3. Role: Member
✑ Lifecycle
1. Access package assignment expire: On date
2. Assignment expiration date: April 1, 2022
On March 1, 2022, you assign Package1 to the guest users shown in the following table.
On March 2, 2022, you assign the Reports reader role to Guest1.

On April 1, 2022, you invite a guest user named Guest3 to contoso.com.
On April 4, 2022, you add Guest3 to the All Company group.
Hot Area:
Correct
Answer:
Box 1: No -
On March 2, 2022, you assign the Reports reader role to Guest1.
On April 1 the access package assignment expires. After another 30 days, well before May 5, the guest
user account is removed.
Box 2: No -
On April 1 the access package assignment expires. After another 30 days, well before May 5, the guest
user account is removed.
Box 3: Yes -
Note: Lifecycle -
On the Lifecycle tab, you specify when a user's assignment to the access package expires. You can also
specify whether users can extend their assignments.
In the Expiration section, set Access package assignments expires to On date, Number of days, Number of
hours, or Never.
For On date, select an expiration date in the future.
For Number of days, specify a number between 0 and 3660 days.
For Number of hours, specify a number of hours.
Based on your selection, a user's assignment to the access package expires on a certain date, a certain
number of days after they are approved, or never.
Note 2: By default, when an external user no longer has any access package assignments, they are
blocked from signing in to your directory. After 30 days, their guest user account is removed from your
directory.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-
package-lifecycle-policy https://docs.microsoft.com/en-us/azure/active-
directory/governance/entitlement-management-external-users
Question #32Topic 4
You have an Azure Active Directory (Azure AD) tenant named Contoso that contains a terms of use (Toll)
named Terms1 and an access package. Contoso users collaborate with an external organization named
Fabrikam. Fabrikam users must accept Terms1 before being allowed to use the access package.
You need to identify which users accepted or declined Terms1.
• A. sign-in logs
• B. the Usage and Insights report
• C. provisioning logs
• D. audit logs
Correct Answer: D
View Azure AD audit logs -
If you want to view more activity, Azure AD terms of use policies include audit logs. Each user consent
triggers an event in the audit logs that is stored for 30 days.
You can view these logs in the portal or download as a .csv file.
To get started with Azure AD audit logs, use the following procedure:
1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access
administrator.
2. Browse to Azure Active Directory > Security > Conditional Access > Terms of use.
3. Select a terms of use policy.
4. Select View audit logs.
5. On the Azure AD audit logs screen, you can filter the information using the provided lists to target
specific audit log information.

Reference:
Question #33Topic 4
table.
User1 is the owner of Group1.

You create an access review that has the following settings:
✑ What to review: Teams + Groups
✑ Scope: All users
✑ Group: Group1
✑ Reviewers: Users review their own access
Which users can perform access reviews for User3?
• A. User1 only
• B. User3 only
Correct Answer: A
Note:
If you set Select reviewers to Users review their own access or Managers of users, B2B direct connect
users and Teams won't be able to review their own access in your tenant. The owner of the Team under
review will get an email that asks the owner to review the B2B direct connect user and Teams.
Reference:
Question #34Topic 4
HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three users named User1, User2, and
User3.
You create a group named Group1. You add User2 and User3 to Group1.
You configure a role in Azure AD Privileged Identity Management (PIM) as shown in the Application
Administrator exhibit. (Click the Application Administrator tab.)
Group1 is configured as the approver for the Application administrator role.

You configure User2 to be eligible for the Application administrator role.
For User1 you add an assignment to the Application administrator role as shown in the Assignment
exhibit. (Click the Assignment tab.)
Hot Area:
Correct
Answer:
Box 1: No -
User1 is eligible from 1/1/2021 to 1/31/2021.
However, here the Application Administrator role requires approval.
Box 2: No -
User2 is also member of Group1, and Group1 is configured as the approver for the Application
administrator role.
Box 3: Yes -
User1 is eligible from 1/1/2021 to 1/31/2021.
Activation maximum duration (hours) is set to 5 hours.
Question #35Topic 4
HOTSPOT -
You create an access review for Azure Active Directory (Azure AD) roles.
You need to ensure that users who do not respond to review requests are removed automatically from
the roles. The solution must minimize administrative effort.
Which two settings should you modify? To answer, select the settings in the answer area.
Hot Area:
Correct
Answer:
Box 1: Reviewers, Members (self)

Reviewers for guest users can be:
Specified reviewers: Certain users within your organization
Group owners: Office 365 Group owners that also includes Teams
Self-review: Guest users can review access on their own
Box 2: If reviewers don't respond, No Change
If reviewers don't respond (within the configured review period):
No change: Leave user's access unchanged
Remove access: Remove user's access
Approve access: Approve user's access
Take recommendations: Take the system's recommendation on denying or approving the user's
continued access
Reference:
https://blog.quadrotech-it.com/blog/how-to-manage-guest-access-in-azure-active-directory-pt-1/
Question #36Topic 4
HOTSPOT
-
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1.
An administrator deletes User1.
You need to identify the following:
• How many days after the account of User1 is deleted can you restore the account?
• Which is the least privileged role that can be used to restore User1?
What should you identify? To answer, select the appropriate options in the answer area.
Correct
Answer:
Question #37Topic 4
HOTSPOT
-
You have an Azure AD tenant that contains the groups shown in the following exhibit.
Correct
Answer:
Question #38Topic 4
You have an Azure AD tenant that contains two users named User1 and User2.
You plan to perform the following actions:
• Create a group named Group1.

• Add User1 and User2 to Group1.
• Assign Azure AD roles to Group1.
You need to create Group1.
Which two settings can you use? Each correct answer presents a complete solution.
• A. Group type: Microsoft 365 -

Membership type: Assigned
• B. Group type: Security -
Membership type: Assigned
• C. Group type: Security -
Membership type: Dynamic User
• D. Group type: Microsoft 365 -
Membership type: Dynamic User
• E. Group type: Security -
Membership type: Dynamic Device
Correct Answer: AB
Question #39Topic 4
DRAG DROP
-
You need to perform the following tasks:
• Identify the locations and IP addresses used by Azure AD users to sign in.
• Review the Azure AD security settings and identify improvement recommendations.
• Identify changes to Azure AD users or service principals.
What should you use for each task? To answer, drag the appropriate resources to the correct
requirements. Each resource may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
Correct
Answer:
Question #40Topic 4
Case Study -
Overview -
adatum.com.
defaults disabled.

a grace period.
- Email
- Phone
You need to implement the planned changes for Package1.
Which users can create and manage the access review?
• A. User3 only
• B. User4 only
• C. User5 only
• D. User3 and User4
• E. User3 and User5
• F. User4 and User5
Correct Answer: E
Question #41Topic 4
Case Study -
Overview -
adatum.com.
defaults disabled.

a grace period.
- Email
- Phone
You need to resolve the issue of the guest user invitations.
What should you do for the Azure AD tenant?
• A. Configure the Continuous access evaluation settings.

• B. Configure a Conditional Access policy.
• C. Modify the External collaboration settings.
• D. Configure the Access reviews settings.
Correct Answer: C
Question #42Topic 4
Case Study -
Overview -
adatum.com.
defaults disabled.

a grace period.
- Email
- Phone
You need to modify the settings of the User administrator role to meet the technical requirements.
Which two actions should you perform for the role? Each correct answer presents part of the solution.
• A. Select Require justification on activation.

• B. Select Require ticket information on activation.
• C. Modify the Expire eligible assignments after setting.
• D. Set all assignments to Eligible.
• E. Set all assignments to Active.
Correct Answer: CD
Question #43Topic 4
You have a Microsoft 365 E5 subscription that contains a user named User1.
You need to ensure that User1 can create access reviews for Azure AD roles. The solution must use the
• A. Privileged role administrator

• B. Identity Governance Administrator
• C. User administrator
• D. User Access Administrator
Correct Answer: C
Question #44Topic 4
HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains three users named User1, User2, and User3.
You have two Azure AD roles that have the Activation settings shown in the following table.
The Azure AD roles have the Assignment settings shown in the following table.
The Azure AD roles have the eligible users shown in the following table.
Correct
Answer:
Question #45Topic 4
HOTSPOT
-
You have a hybrid Microsoft 365 subscription that contains the users shown in the following table.
You plan to deploy an on-premises app named App1. App1 will be registered in Azure AD and will use
Azure AD Application Proxy.
You need to delegate the installation of the Application Proxy connector and ensure that User1 can
register App1 in Azure AD. The solution must use the principle of least privilege.
Which user should perform the installation, and which role should you assign to User1? To answer, select
Correct
Answer:
Question #46Topic 4
HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
The users are assigned the roles shown in the following table.
For which users can User1 and User4 reset passwords? To answer, select the appropriate options in the
answer area.
Correct
Answer:
Question #47Topic 4
You have a Microsoft 365 E5 subscription that contains a user named User1. User is eligible for the
Application administrator role.
User1 needs to configure a new connector group for an application proxy.
What should you use to activate the role for User1?
• A. the Microsoft Defender for Cloud Apps portal

• C. the Azure Active Directory admin center
• D. the Microsoft 365 Defender portal
Correct Answer: C
Question #48Topic 4
You have an Azure subscription that contains a registered app named App1.
You need to review the sign-in activity for App1. The solution must meet the following requirements:
• Identify the number of failed sign-ins.

• Identify the success rate of sign-ins.
• Minimize administrative effort.
• A. Sign-in logs
• B. Access reviews
• C. Audit logs
• D. Usage & insights
Correct Answer: A
Question #49Topic 4
Your company has an Azure AD tenant that contains a user named User1.
The company has two departments named marketing and finance.
You need to grant permissions to User1 to manage only the users in the marketing department. The
solution must ensure that User1 does NOT have permissions to manage the users in the finance
department.
What should you create first?
• A. a management group
• B. an administrative unit
• C. a resource group
• D. a Microsoft 365 group
Correct Answer: B
Question #50Topic 4
You have an Azure AD tenant that contains an access package named Package1 and a user named User1.
Package1 is configured as shown in the following exhibit.
You need to ensure that User1 can modify the review frequency of Package1. The solution must use the
• A. Security administrator
• B. Privileged role administrator
• C. External Identity Provider administrator
• D. User administrator
Correct Answer: D
Question #51Topic 4
HOTSPOT
-
Azure AD logs are sent to a Log Analytics workspace.
You need to query the logs and graphically display the number of sign-ins per user.
How should you complete the query? To answer, select the appropriate options in the answer area,
Correct
Answer:
Question #52Topic 4
You need to identify which users access Facebook from their devices and browsers. The solution must
• A. Create a Conditional Access policy.

• B. Create a Defender for Cloud Apps access policy.
• C. Create an app configuration policy in Microsoft Endpoint Manager.
• D. From the Microsoft Defender for Cloud Apps portal, unsanction Facebook.
Correct Answer: D
Question #53Topic 4
You have an Azure subscription that uses Azure AD Privileged Identity Management (PIM).
You need to identify users that are eligible for the Cloud Application Administrator role.
Which blade in the Privileged Identity Management settings should you use?
• A. Azure resources
• B. Privileged access groups
• C. Review access
• D. Azure AD roles
Correct Answer: B
Question #54Topic 4
HOTSPOT
-
You need to create a dynamic user group that will include all the users that do NOT have a department
defined in their user profile.
How should you complete the membership rule? To answer, select the appropriate options in the answer
area.
Correct
Answer:
Question #55Topic 4
You have an Azure AD Premium P2 tenant.
You create a Log Analytics workspace.
You need to ensure that you can view Azure AD audit log information by using Azure Monitor.
• A. Modify the Diagnostics settings for Azure AD.

• B. Run the Update-MgOrganization cmdlet.
• C. Run the Update-MgDomain cmdlet.
• D. Create an Azure AD workbook.
Correct Answer: A
Question #56Topic 4
You need to identify which users access Facebook from their devices and browsers. The solution must
• A. From the Microsoft 365 Defender portal, unsanction Facebook.

• B. Create a Defender for Cloud Apps access policy.
• C. Create an app configuration policy in Microsoft Intune.
• D. Create a Conditional Access policy.
Correct Answer: A
Question #57Topic 4
You have a Microsoft 365 subscription that contains the users shown in the following table.
From the tenant, you configure a naming policy for groups.
Which users are affected by the naming policy?
• A. User2 only
• B. User3only
• E. User1, User2, and User3 only
• F. User1, User2, User3, and User4
Correct Answer: D
Question #58Topic 4
You have an Azure subscription that contains the users shown in the following table.
You need to implement Azure AD Privileged Identity Management (PIM).
Which users can use PIM to activate their role permissions?
• A. Admin1 only
• B. Admin2 only
• C. Admin3 only
• D. Admin1 and Admin2 only
• E. Admin2 and Admin3 only
• F. Admin1, Admin2, and Admin3
Correct Answer: C
Question #59Topic 4
HOTSPOT
-
You perform the tasks shown in the following table.
On April 5, an administrator deletes App1, App2, App3, and App4.
You need to restore the apps and the settings.
Which apps can you restore on April 16, and which settings can you restore for App4 on April 16? To
Correct
Answer:
Question #60Topic 4
account.
Cloud Apps.
Solution: From the Microsoft 365 Defender portal, you add the GitHub app connector.
• A. Yes
• B. No
Correct Answer: B
Question #61Topic 4
You plan to implement Azure AD Privileged Identity Management (PIM).
Which roles can you manage by using PIM?
• A. Global Administrator only

• B. Global Administrator and Security Administrator only
• C. Global Administrator, Security Administrator, and Security Contributor only
• D. Account Administrator, Global Administrator, Security Administrator, and Security Contributor
only
Correct Answer: C
Question #62Topic 4
In Microsoft Entra ID, you configure the terms of use.
You need to ensure that only users who accept the terms of use can access the resources in the tenant.
Other users must be denied access.
• A. Terms and conditions in Microsoft Intune

• B. an access policy in Microsoft Defender for Cloud Apps
• C. a conditional access policy in Microsoft Entra ID
• D. a compliance policy in Microsoft Intune
Correct Answer: C
Question #63Topic 4
You have a Microsoft 365 E5 subscription that contains a user named User1. User1 is eligible for the
Application Administrator role.
User1 needs to configure a new connector group for an application proxy.
What should you use to activate the role for User1?
• A. the Microsoft 365 Defender portal

• C. the Microsoft Intune admin center
• D. the Azure Active Directory admin center
Correct Answer: D
Question #64Topic 4
Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a
certification authority (CA) named CA1.
You need to implement certificate-based authentication in Azure AD. The solution must ensure that users
can sign in by using certificates issued by CA1. What should you do first?
• A. Deploy an Azure key vault.

• B. Add CA1 as a Certificate Authority to the Microsoft Entra ID tenant.
• C. Enable auto-enrollment for CA1.
• D. Deploy Windows Hello for Business.
Correct Answer: B
Question #65Topic 4
You have accounts for the following cloud platforms:
• Azure
• Alibaba Cloud
• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
You configure an Azure subscription to use Microsoft Entra Permissions Management to manage the
permissions in Azure only.
Which additional cloud platforms can be managed by using Permissions Management?
• A. AWS only
• B. Alibaba Cloud and AWS only
• C. Alibaba Cloud and GCP only
• D. AWS and GCP only
• E. Alibaba Cloud, AWS, and GCP
Correct Answer: D
Question #66Topic 4
You have three Azure subscriptions that are linked to a single Microsoft Entra tenant.
You need to evaluate and remediate the risks associated with highly privileged accounts. The solution
must minimize administrative effort.
• A. Global Secure Access

• B. Privileged Identity Management (PIM)
• C. Microsoft Entra Permissions Management
• D. Microsoft Entra Verified ID
Correct Answer: C
Question #67Topic 4
You have an Azure subscription named Sub1 that uses Microsoft Entra Permissions Management. Sub1
contains a user named User1. User1 is granted multiple permissions across Sub1.
You need to replace all the permissions granted to User1 with read-only permissions. The solution must
What should you do on the Remediation tab in Permissions Management?
• A. From the Role/Policy Template subtab, create a template.

• B. From the My Requests subtab, create a new request.
• C. From the Roles/Policies subtab, create a role.
• D. From the Permissions subtab, use a quick action.
Correct Answer: D
Question #68Topic 4
You have an Azure subscription that contains a user named User1. The subscription is onboarded to
Microsoft Entra Permissions Management.
You need to provide User1 with access to Permissions Management. The solution must meet the
following requirements:
• Follow the principle of least privilege.

• Minimize administrative effort.
• A. From the Role/Policy Template subtab of Permissions Management, create a template.
• B. From the Microsoft Entra admin center, create a security group.

• C. From the My Requests subtab of Permissions Management, create a new request.
• D. From the Microsoft Entra admin center, assign a role to User1.
Correct Answer: B
Question #69Topic 4
DRAG DROP
-
The subscription uses Privileged Identity Management (PIM).
You need to configure the following access controls by using PIM:
• Ensure that User1 can read and update Secret1.

• Ensure that User2 can read the contents of the secrets stored in Vault2.
The solution must follow the principle of least privilege.
Which authorization method should you use for each user? To answer, drag the appropriate
authorization methods to the correct users. Each authorization method may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
Question #70Topic 4
HOTSPOT
-
You have two Azure subscriptions named Sub1 and Sub2 that are linked to a Microsoft Entra tenant. The
tenant contains three groups named Group1, Group2, and Group3.
The subscriptions contain the resources shown in the following table.
You manage the subscriptions by using Microsoft Entra Permissions Management. Permissions
Management is configured as shown in the following table.
Correct
Answer:
Question #71Topic 4
HOTSPOT
-
You onboard Microsoft Entra Permissions Management.
You need to perform the following tasks:
• Identify all the accounts that are assigned the Global Administrator role permanently.
• Review the Permission Creep Index (PCI) of User1.
Which tab in Permissions Management should you use for each task? To answer, select the appropriate
Correct
Answer:
Topic 5 - Testlet 1
Question #1Topic 5
Introductory InfoCase Study -
Overview -
and Seattle.
domain contains an organizational unit (OU) named
Contoso_Resources. The Contoso_Resources OU contains all users and computers.
Microsoft Office 365 Enterprise E5
Enterprise Mobility + Security E5

Windows 10 Enterprise E3
Project Plan 3
The users in the London office have the Microsoft 365 Phone System license unassigned.
The users in the Seattle office have the Yammer Enterprise license unassigned.
Currently, all the helpdesk administrators can manage user licenses throughout the entire Microsoft 365
tenant.
The user administrators report that it is tedious to manually configure the different license requirements
for each Contoso office.

The helpdesk administrators spend too much time provisioning internal and guest access to the required
Microsoft 365 services and apps.
Currently, the helpdesk administrators can perform tasks by using the User administrator role without
When the Logs node is selected in Azure AD, an error message appears stating that Log Analytics

Implement self-service password reset (SSPR).
Analyze Azure audit activity logs by using Azure Monitor.
Simplify license allocation for new users added to the tenant.
Collaborate with the users at Fabrikam on a joint marketing campaign.
Configure the User administrator role to require justification and approval to activate.
Implement a custom line-of-business Azure web app named App1. App1 will be accessible from the
For new users in the marketing department, implement an automated approval workflow to provide
All users must be synced from AD DS to the contoso.com Azure AD tenant.
App1 must have a redirect URI pointed to https://contoso.com/auth-response.
License allocation for new users must be assigned automatically based on the location of the user.
Fabrikam users must have access to the marketing department's SharePoint site for a maximum of 90
days.
Administrative actions performed in Azure AD must be audited. Audit logs must be retained for one year.
The helpdesk administrators must be able to manage licenses for only the users in their respective office.
Users must be forced to change their password if there is a probability that the users' identity was
compromised.QuestionYou need to allocate licenses to the new users from ADatum. The solution must
meet the technical requirements.
Which type of object should you create?
• A. a Dynamic User security group

• B. a distribution group
• C. an OU
• D. an administrative unit
Correct Answer: D
An administrative unit is an Azure AD resource that can be a container for other Azure AD resources. An
administrative unit can contain only users, groups, or devices.
Administrative units restrict permissions in a role to any portion of your organization that you define.
Deployment scenario -
It can be useful to restrict administrative scope by using administrative units in organizations that are
made up of independent divisions of any kind. Consider the example of a large university that's made up
of many autonomous schools (School of Business, School of Engineering, and so on). Each school has a
team of IT admins who control access, manage users, and set policies for their school.
Scenario: Contoso plans to acquire a company named ADatum Corporation. One hundred new ADatum
users will be created in an Active Directory OU named
Adatum. The users will be located in London and Seattle.
Contoso identifies the following technical requirements: License allocation for new users must be
assigned automatically based on the location of the user.

Reference:
Question #2Topic 5
Overview -
and Seattle.

Project Plan 3

tenant.

days.
compromised.QuestionYou need to sync the ADatum users. The solution must meet the technical
requirements.
What should you do?
• A. From the Microsoft Azure Active Directory Connect wizard, select Customize synchronization
options.
• B. From PowerShell, run Set-ADSyncScheduler.
• C. From PowerShell, run Start-ADSyncSyncCycle.
• D. From the Microsoft Azure Active Directory Connect wizard, select Change user sign-in.
Correct Answer: A
You need to select Customize synchronization options to configure Azure AD Connect to sync the Adatum
organizational unit (OU).
Question #3Topic 5
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionHOTSPOT -
You need to meet the technical requirements for license management by the helpdesk administrators.
What should you create first, and which tool should you use? To answer, select the appropriate options
in the answer area.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage
Question #4Topic 5
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionYou need to resolve the issue of the sales department users.
What should you configure for the Azure AD tenant?
• A. the Device settings

• B. the Access reviews settings
• C. the User settings
• D. Security defaults
Correct Answer: C
Scenario: There are Sales department users in London and in Seattle.
* The users in the London office have the Microsoft 365 Phone System license unassigned.
* The users in the Seattle office have the Yammer Enterprise license unassigned.
Use the Active users page to unassign licenses.
When you use the Active users page to unassign licenses, you unassign product licenses from users.
Unassign licenses from one user.
1. In the admin center, go to the Users > Active users page.
2. Select the row of the user that you want to unassign a license for.
3. In the right pane, select Licenses and Apps.
4. Expand the Licenses section, clear the boxes for the licenses that you want to unassign, then select
Save changes.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/admin/manage/remove-licenses-from-users
Topic 6 - Testlet 2
Question #1Topic 6
Overview -
Litware, Inc. is a pharmaceutical company that has a subsidiary named Fabrikam, Inc.
Litware has offices in Boston and Seattle, but has employees located across the United States. Employees
connect remotely to either office by using a VPN connection.
Existing Environment. Identity Environment
The network contains an Active Directory forest named litware.com that is linked to an Azure Active
Directory (Azure AD) tenant named litware.com. Azure AD
Connect uses pass-through authentication and has password hash synchronization disabled.
Litware.com contains a user named User1 who oversees all application development.
Litware implements Azure AD Application Proxy.
Fabrikam has an Azure AD tenant named fabrikam.com. The users at Fabrikam access the resources in
litware.com by using guest accounts in the litware.com tenant.
Existing Environment. Cloud Environment
All the users at Litware have Microsoft 365 Enterprise E5 licenses. All the built-in anomaly detection
policies in Microsoft Cloud App Security are enabled.
Litware has an Azure subscription associated to the litware.com Azure AD tenant. The subscription
contains an Azure Sentinel instance that uses the Azure Active
Directory connector and the Office 365 connector. Azure Sentinel currently collects the Azure AD sign-ins
logs and audit logs.
Existing Environment. On-premises Environment
The on-premises network contains the servers shown in the following table.
Both Litware offices connect directly to the internet. Both offices connect to virtual networks in the Azure
subscription by using a site-to-site VPN connection. All on-premises domain controllers are prevented
from accessing the internet.
Requirements. Delegation Requirements
Litware identifies the following delegation requirements:
Delegate the management of privileged roles by using Azure AD Privileged Identity Management (PIM).
Prevent nonprivileged users from registering applications in the litware.com Azure AD tenant.
Use custom programs for Identity Governance.
Ensure that User1 can create enterprise applications in Azure AD.
Use the principle of least privilege.
Requirements. Licensing Requirements
Litware recently added a custom user attribute named LWLicenses to the litware.com Active Directory
forest. Litware wants to manage the assignment of Azure
AD licenses by modifying the value of the LWLicenses attribute. Users who have the appropriate value for
LWLicenses must be added automatically to a
Microsoft 365 group that has the appropriate licenses assigned.
Requirements. Management Requirements
Litware wants to create a group named LWGroup1 that will contain all the Azure AD user accounts for
Litware but exclude all the Azure AD guest accounts.
Requirements. Authentication Requirements
Litware identifies the following authentication requirements:
Implement multi-factor authentication (MFA) for all Litware users by using conditional access policies.
Exempt users from using MFA to authenticate to Azure AD from the Boston office of Litware.
Implement a banned password list for the litware.com forest.

Enforce MFA when accessing on-premises applications.
Automatically detect and remediate externally leaked credentials.
Requirements. Access Requirements

Litware identifies the following access requirements:
Control all access to all Azure resources and Azure AD applications by using conditional access policies.
Implement a conditional access policy that has session controls for Microsoft SharePoint Online.
Control privileged access to applications by using access reviews in Azure AD.
Requirements. Monitoring Requirements
Litware wants to use the Fusion rule in Azure Sentinel to detect multi-staged attacks that include a
combination of suspicious Azure AD sign-ins followed by anomalous Microsoft Office 365
activity.QuestionHOTSPOT -
You need to configure the assignment of Azure AD licenses to the Litware users. The solution must meet
the licensing requirements.
Hot Area:
Correct
Answer:
Question #2Topic 6
Overview -



activity.QuestionYou need to meet the authentication requirements for leaked credentials.
What should you do?
• A. Enable password hash synchronization in Azure AD Connect.

• B. Configure Azure AD Password Protection.
• C. Configure an authentication method policy in Azure AD.
• D. Enable federation with PingFederate in Azure AD Connect.
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
Question #3Topic 6
Overview -

You need to identify which roles to use for managing role assignments. The solution must meet the
delegation requirements.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
Question #4Topic 6
Overview -



You need to create the LWGroup1 group to meet the management requirements.
How should you complete the dynamic membership rule? To answer, select the appropriate options in
the answer area.
Hot Area:
Correct
Answer:
Topic 7 - Testlet 3
Question #1Topic 7
Overview -
and Seattle.

Project Plan 3
tenant.


days.
You need to meet the technical requirements for the probability that user identities were compromised.
What should the users do first, and what should you configure? To answer, select the appropriate options
in the answer area.
Hot Area:
Correct
Answer:
Reference:
protection-policies
Topic 8 - Testlet 4
Question #1Topic 8
Overview -

activity.QuestionYou need to configure the MFA settings for users who connect from the Boston office.
The solution must meet the authentication requirements and the access requirements.
What should you include in the configuration?
• A. named locations that have a private IP address range

• B. named locations that have a public IP address range
• C. trusted IPs that have a public IP address range
• D. trusted IPs that have a private IP address range
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
Question #2Topic 8
Overview -


You need to support the planned changes and meet the technical requirements for MFA.
Which feature should you use, and how long before the users must complete the registration? To
Hot Area:
Correct
Answer:
Box 1: A Conditional Access policy

Box 2: 14 days -
Multi-factor authentication (MFA): multi-factor authentication is a type of authentication that requires
the use of two or more verification factors to gain access to a system. Azure MFA offers a 14 day grace
period after being initiated.
Reference:
https://www.syskit.com/blog/using-azure-conditional-access-when-security-defaults-isnt-enough/
Topic 9 - Testlet 5
Question #1Topic 9
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionYou need to meet the planned changes and technical requirements for App1.
• A. a policy set in Microsoft Endpoint Manager

• B. an app configuration policy in Microsoft Endpoint Manager
• C. an app registration in Azure AD
• D. Azure AD Application Proxy
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Topic 10 - Testlet 6
Question #1Topic 10
Overview -


You need to implement on-premises application and SharePoint Online restrictions to meet the
authentication requirements and the access requirements.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/sharepoint/app-enforced-restrictions https://docs.microsoft.com/en-
us/azure/active-directory/conditional-access/concept-conditional-access-session
Question #2Topic 10
Overview -


You need to configure app registration in Azure AD to meet the delegation requirements.
Hot Area:
Correct
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles
Question #3Topic 10
Overview -

How should the access be setup to the on-premises applications?
Hot Area:
Correct
Answer:
Box 1: Server2 -
Incorrect:
Not Server 1: If you've deployed Azure AD Password Protection Proxy, do not install Azure AD Application
Proxy and Azure AD Password Protection Proxy together on the same machine. Azure AD Application
Proxy and Azure AD Password Protection Proxy install different versions of the Azure AD Connect Agent
Updater service. These different versions are incompatible when installed together on the same machine.
Server1 runs the Azure AD application Proxy connector.
To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll
install the Application Proxy connector on the server. This connector server needs to connect to the
Application Proxy services in Azure, and the on-premises applications that you plan to publish.
Scenario:
Requirements. Authentication Requirements include:

Box 2: DC1 -
The Azure AD Password Protection proxy service is typically on a member server in your on-premises AD
DS environment. Once installed, the Azure AD
Password Protection proxy service communicates with Azure AD to maintain a copy of the global and
customer banned password lists for your Azure AD tenant.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-
premises-deploy https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-
add-on-premises-application
Question #1Topic 11
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionYou create a Log Analytics workspace.
You need to implement the technical requirements for auditing.
What should you configure in Azure AD?
• A. Company branding
• B. Diagnostics settings
• C. External Identities
• D. App registrations
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring
Question #2Topic 11
Overview -
and Seattle.

Project Plan 3
tenant.


days.
You need to implement the planned changes and technical requirements for the marketing department.
Hot Area:
Correct
Answer:
Reference:
organization
Question #3Topic 11
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionYou need to meet the planned changes for the User administrator role.
What should you do?
• A. Create an access review.

• B. Create an administrative unit.
• C. Modify Active assignments.
• D. Modify Role settings.
Correct Answer: C
Reference:
add-role-to-user?tabs=new
Question #4Topic 11
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionYou need to modify the settings of the User administrator role to meet the
technical requirements.
Which two actions should you perform for the role? Each correct answer presents part of the solution.
• A. Select Require justification on activation.

• B. Select Require ticket information on activation.
• C. Modify the Expire eligible assignments after setting.
• D. Set all assignments to Eligible.
• E. Set all assignments to Active.
Correct Answer: AE
Scenario: Configure the User administrator role to require justification and approval to activate.
A: Require justification.
You can require that users enter a business justification when they activate. To require justification,
check the Require justification on active assignment box or the
Require justification on activation box.
E: You can choose from two assignment duration options for each assignment type (eligible and active)
when you configure settings for a role.
You can choose one of these active assignment duration options:
Allow permanent active assignment: Global admins and Privileged role admins can assign permanent
active assignment.
Expire active assignment after: Global admins and Privileged role admins can require that all active
assignments have a specified start and end date.
Reference:
change-default-settings
Question #5Topic 11
Overview -
and Seattle.


Project Plan 3
tenant.

days.
compromised.QuestionYou need to resolve the issue of the guest user invitations.
What should you do for the Azure AD tenant?
• A. Configure the Continuous access evaluation settings.

• B. Configure a Conditional Access policy.
• C. Configure the Access reviews settings.
• D. Modify the External collaboration settings.
Correct Answer: C
Scenario: The helpdesk administrators spend too much time provisioning internal and guest access to the
Manage guest access with Azure AD access reviews.
With Azure Active Directory (Azure AD), you can easily enable collaboration across organizational
boundaries by using the Azure AD B2B feature. Guest users from other tenants can be invited by
administrators or by other users. This capability also applies to social identities such as Microsoft
accounts.
You also can easily ensure that guest users have appropriate access. You can ask the guests themselves or
a decision maker to participate in an access review and recertify (or attest) to the guests' access. The
reviewers can give their input on each user's need for continued access, based on suggestions from Azure
AD.
When an access review is finished, you can then make changes and remove access for guests who no
longer need it.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-
reviews
Question #6Topic 11
Overview -
and Seattle.

Project Plan 3
tenant.


days.
compromised.QuestionYou need to sync the ADatum users. The solution must meet the technical
requirements.
What should you do?
• A. From the Microsoft Azure Active Directory Connect wizard, select Customize synchronization
options.
• B. From PowerShell, run Set-ADSyncScheduler.
• C. From PowerShell, run Start-ADSyncSyncCycle.
• D. From the Microsoft Azure Active Directory Connect wizard, select Change user sign-in.
Correct Answer: A
You need to select Customize synchronization options to configure Azure AD Connect to sync the Adatum
organizational unit (OU).
Question #1Topic 12
Overview -


activity.QuestionYou need to configure the detection of multi-staged attacks to meet the monitoring
requirements.
What should you do?
• A. Customize the Microsoft Sentinel rule logic.

• B. Create a workbook.
• C. Add Microsoft Sentinel data connectors.
• D. Add an Microsoft Sentinel playbook.
Correct Answer: A
Question #2Topic 12
Overview -

activity.QuestionYou need to track application access assignments by using Identity Governance. The
solution must meet the delegation requirements.
• A. Modify the User consent settings for the enterprise applications.

• B. Create a catalog.
• C. Create a program.
• D. Modify the Admin consent requests settings for the enterprise applications.
Correct Answer: B
Reference:
overview

SC 300 v25.3.2 - 395 1jf9da

Uploaded by

Copyright:

Available Formats

SC 300 v25.3.2 - 395 1jf9da

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SC 300 v25.3.2 - 395 1jf9da

Uploaded by

Copyright:

Available Formats

ClouCertified Practice Tests https://cloudcertified.

SC-300 Microsoft Identity and Access Administrator

• A. Group1 and Group4 only

shown in the following table.

Which users will be emailed a passcode?

Which objects can you add as members to Group3?

• A. User2 and Group2 only

The groups are configured as shown in the following table.

• A. Run the New-AzADUser cmdlet.

All the users work remotely.

Connectivity from the on-premises domain to the internet is lost.

• A. User1 and User3 only

You have the Device Settings shown in the following exhibit.

User1 has the devices shown in the following table.

Select and Place:

• A. Run the New-AzureADMSInvitation cmdlet.

• A. displayName, identityIssuer, usageLocation, and userType

• A. Configure Sign-in options from the Settings app.

Box 1: A user risk policy -

Box 2: A sign-in risk policy -

Box 3: A sign-in risk policy -

Box 1: User1 and User2 only.

Box 2: User1, User2, and User3 -

• A. Configure Sign-in options from the Settings app.

• A. Configure Azure AD Application Proxy in the Contoso West tenant.

NOTE: Each correct selection is worth one point.

You have an Azure subscription.

NOTE: Each correct selection is worth one point.

NOTE: Each correct selection is worth one point.

User5 is assigned the User administrator role for Au1.

For which users can User5 reset passwords?

• A. User1, User2, and User3

Which users will be added to the group?

You have an Azure AD tenant that contains a user named User1.

User1 needs to manage license assignments and reset user passwords.

Which role should you assign to User1?

What should you use?

• A. the Set-MsolUserLicense cmdlet

E5 licenses to a group that includes all the users.

What should you use?

• A. the Set-AzureADGroup cmdlet

You need to configure Azure AD Connect to meet the following requirements:

• User sign-ins to Azure AD must be authenticated by an Active Directory domain controller.

NOTE: Each correct selection is worth one point.

What should you use?

• A. the Groups blade in the Azure Active Directory admin center

You have an Active Directory forest that syncs to an Azure AD tenant.

Solution: You configure conditional access policies.

Does this meet the goal?

You have a Microsoft 365 E5 subscription.

You create a user named User1.

Solution: You assign the Exchange Administrator role to User1.

Does this meet the goal?

You have a Microsoft 365 E5 subscription.

You create a user named User1.

Solution: You assign the User Administrator role to User1.

Does this meet the goal?

Existing Environment. Existing Environment

Existing Environment. Microsoft 365/Azure Environment