Microsoft AZ-500 (Azure Security)

Manage Identity & Access (Entra ID)

40 free practice questions with explanations

PassNova has 40 free Microsoft AZ-500 (Azure Security) practice questions on Manage Identity & Access (Entra ID), each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Manage Identity & Access (Entra ID): example questions & answers

Here are 6 example questions from this topic. Practise the full set of 40 free in the browser.

  1. You need to require all members of the Helpdesk group to use multi-factor authentication only when they sign in from outside the corporate network. Which Microsoft Entra ID feature should you use?

    • A. A password protection policy
    • B. Security defaults
    • C. Conditional Access policy with a named location condition
    • D. Per-user MFA settings in the legacy portal

    Answer: Conditional Access lets you scope MFA to specific conditions such as a named location, so MFA is enforced only when users sign in from outside trusted IP ranges. Security defaults apply MFA broadly and cannot be scoped by location.

  2. A Global Administrator wants to grant a user the ability to elevate to the User Administrator role only when needed, with approval and a time limit. Which Microsoft Entra ID capability provides this?

    • A. Administrative units
    • B. Access reviews
    • C. Privileged Identity Management (PIM)
    • D. Entitlement management

    Answer: Privileged Identity Management provides just-in-time, time-bound, and approval-based activation of privileged roles, reducing standing access. Access reviews and entitlement management address recertification and package-based access, not on-demand role elevation.

  3. You want an Azure VM to authenticate to Azure Key Vault to retrieve a secret without storing any credentials in code or configuration. What should you configure?

    • A. A system-assigned managed identity for the VM
    • B. An app registration with a certificate uploaded to the VM
    • C. A service principal with a client secret stored in the VM
    • D. A shared access signature for the Key Vault

    Answer: A system-assigned managed identity gives the VM an identity in Microsoft Entra ID whose credentials are managed by Azure, so no secrets are stored in code or config. Key Vault access is then granted to that identity.

  4. Which Microsoft Entra ID feature lets you recertify group memberships on a recurring schedule so that stale access is removed?

    • A. Identity Protection
    • B. Conditional Access
    • C. Continuous access evaluation
    • D. Access reviews

    Answer: Access reviews let reviewers periodically attest to whether users still need their group memberships or access, automatically removing access that is no longer approved. The other features address sign-in risk and policy enforcement.

  5. You must block legacy authentication protocols such as POP and IMAP for all users because they cannot enforce MFA. What is the recommended approach in Microsoft Entra ID?

    • A. Disable the accounts that use those protocols
    • B. Enable a password protection custom banned list
    • C. Create a Conditional Access policy that blocks legacy authentication clients
    • D. Configure a sign-in risk policy set to high

    Answer: A Conditional Access policy can target the legacy authentication clients condition and block them, closing a common bypass of MFA. Risk policies and password protection do not selectively block legacy auth protocols.

  6. A user account in Microsoft Entra ID is flagged because the same account signed in from two distant locations within a short period. Which feature detected this risk?

    • A. Microsoft Entra ID Protection
    • B. Azure Policy
    • C. Microsoft Defender for Cloud Apps proxy
    • D. Microsoft Purview

    Answer: Microsoft Entra ID Protection detects risk events such as atypical or impossible travel and surfaces them as user or sign-in risk. It can feed Conditional Access risk-based policies.
