Azure Solutions Architect Expert (AZ-305)

Domain 1.2: Authentication and Authorization

35 questions across 7 exams

All questions (35)

A healthcare enterprise is migrating its infrastructure to Azure. They have strict compliance requirements regarding administrative access. You need to design an identity solution that meets the following requirements:

- Administrators must only have elevated privileges when actively performing tasks (Just-In-Time access).
- Administrators must provide a business justification and receive approval before gaining elevated privileges.
- Administrators must be forced to use Multi-Factor Authentication (MFA) when activating their elevated roles.
- The solution must apply to Azure Resource Manager (ARM) roles (e.g., Owner, Contributor).

Which combination of services should you recommend?

Worked answer available with free account
View question →

Woodgrove Bank is developing two new web applications hosted on Azure App Service:

1. Partner Portal: Used by 50 external vendor companies. Vendors must sign in using their own corporate Microsoft 365 or Azure AD credentials.
2. Customer Portal: Used by 500,000 retail banking customers. Customers must be able to sign up using their email addresses, social media accounts (Facebook, Google), or local credentials.

You need to recommend the appropriate identity solutions for these applications. Which TWO solutions should you recommend? (Select TWO)

A global manufacturing company with 20,000 employees uses an on-premises Active Directory Domain Services (AD DS) environment. They are migrating to Microsoft 365 and Azure. The Chief Security Officer (CSO) mandates the following identity requirements:

- Users must use the same password on-premises and in the cloud.
- Authentication to cloud services must be evaluated against on-premises Active Directory password policies (e.g., time restrictions, account lockout) in real-time.
- Passwords (even in hashed form) must NEVER be synchronized to or stored in the cloud.
- The solution must support high availability.

Which hybrid identity authentication method should you design?

Your organization is implementing a Zero Trust security model and wants to eliminate the use of passwords for employee authentication to Microsoft Entra ID. You need to recommend passwordless authentication methods that are natively supported by Microsoft Entra ID. Which TWO methods should you recommend? (Select TWO)

A company is migrating a legacy application to Azure Virtual Machines. The application relies heavily on LDAP read/write operations, NTLM authentication, and requires virtual machines to be joined to an Active Directory domain. The company does not want to deploy, manage, or patch any domain controller virtual machines in Azure, nor do they want to set up a VPN to their on-premises network. Which identity service should you recommend?

A defense contractor is migrating to Microsoft 365 and Azure. They have a strict security policy stating that no user password hashes, even in synchronized or encrypted form, can ever be stored in the cloud. They require Single Sign-On (SSO) for their 10,000 employees. The on-premises Active Directory must be the sole authority for authentication. If the on-premises internet connection fails, users should NOT be able to authenticate to cloud services. Which hybrid identity authentication method should you recommend?

You are designing an identity governance solution for a large enterprise using Microsoft Entra ID (Azure AD). The security team requires that any user attempting to access the Azure Portal to perform administrative tasks must:

1. Be prompted for Multi-Factor Authentication (MFA).
2. Provide a business justification.
3. Have their access automatically revoked after 4 hours.

Which combination of services should you implement?

Your company frequently collaborates with external vendors. You use Microsoft Entra External ID (B2B collaboration) to grant vendor identities access to internal Azure resources and applications. The compliance team has raised concerns about 'stale' guest accounts. They require a solution that:

- Automatically asks vendors to verify if they still need access every 90 days.
- Automatically removes access if the vendor does not respond.
- Allows internal project managers to approve or deny continued access.

Which TWO features should you configure to meet these requirements? (Select TWO)

A manufacturing company wants to eliminate passwords for their factory floor workers who access shared kiosks. The workers do not have corporate mobile phones. You need to recommend a passwordless authentication method that is highly secure, phishing-resistant, and does not require a mobile device. Which TWO authentication methods meet these requirements? (Select TWO)

You are migrating a legacy application to Azure Virtual Machines. The application relies heavily on LDAP read/write operations and NTLM/Kerberos authentication. The company has already synchronized their on-premises Active Directory to Microsoft Entra ID (Azure AD) using Entra Connect. They want to decommission their on-premises domain controllers and do not want to manage any domain controller VMs in Azure (IaaS). Which service should you recommend to support the legacy application?

A healthcare organization with 10,000 employees uses on-premises Active Directory. They are migrating to Microsoft 365 and Azure. The Chief Information Security Officer (CISO) has established the following strict identity requirements:

- Users must experience Single Sign-On (SSO) when accessing cloud apps from domain-joined devices.
- Authentication must be evaluated against on-premises Active Directory security policies (e.g., account lockout, permitted logon hours) in real-time.
- Due to strict compliance regulations, user password hashes MUST NOT be synchronized to the cloud under any circumstances.
- The solution must support high availability.

Which hybrid identity authentication method should you recommend?

An enterprise company is implementing a Zero Trust security model for its Azure environment and Microsoft 365 applications. The security team mandates that any user attempting to access the Azure Portal must meet BOTH of the following conditions:

1. The user must successfully complete Multi-Factor Authentication (MFA).
2. The user's device must be managed by Microsoft Intune and marked as compliant with corporate security baselines.

Which TWO components must you configure to enforce these requirements? (Select TWO)

A global logistics company frequently collaborates with hundreds of external partner organizations. Partners need access to specific internal web applications hosted on Azure App Service. The company wants to use Microsoft Entra B2B collaboration. However, the IT department is concerned about 'guest account sprawl', where partner accounts remain active long after a project ends, posing a security risk. You need to design a solution that automatically asks internal project managers to verify if their external partners still need access every 90 days. If the manager does not respond, the partner's access should be automatically revoked. Which Microsoft Entra feature should you recommend?

An enterprise has 50 Azure subscriptions organized under a Management Group hierarchy. The security policy dictates that no user should have standing (permanent) administrative access to any subscription. When developers need 'Contributor' access to troubleshoot production issues, they must request it. The request must require justification, be approved by a manager, and automatically expire after 4 hours. You need to design a solution to meet these requirements with the least administrative effort. What should you recommend?

A small business is migrating to Microsoft 365 and Azure. They have a single on-premises Active Directory forest with 200 users. They want to synchronize their on-premises users to Microsoft Entra ID so users can authenticate to cloud services using their existing on-premises passwords. They do not have any complex security requirements, legacy federation, or multiple forests. Which tool should you recommend to synchronize the identities?

CASE STUDY: Tailspin Toys

Tailspin Toys is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure (500 servers across 5 data centers) and Azure (20 subscriptions with 100+ VMs and various PaaS services). Their annual IT budget is $50 million, with plans to migrate 70% of workloads to Azure within 2 years.

Business Requirements: The company needs to reduce IT costs by 30%, improve disaster recovery (current RTO: 24 hours -> target: 2 hours), enhance security posture to meet ISO 27001 and SOC 2 compliance, and enable remote work for 80% of employees. All solutions must support future growth of 20% annually.

Technical Constraints: Some legacy applications cannot be modified and must run on Windows Server 2012. Network connectivity requires 10 Gbps throughput to Azure with <20ms latency. GDPR compliance mandates that EU customer data must remain in European Azure regions.

You need to design the identity and access management solution to support the remote work requirement while meeting the strict security compliance standards. Which TWO features should you include in your design? (Select TWO)

Fabrikam Inc. uses Microsoft Entra ID (Azure AD). They collaborate with external partners who need access to Fabrikam's internal SharePoint Online sites and custom Azure web apps. Security policies dictate that external partners must use Multi-Factor Authentication (MFA). However, Fabrikam does not want to manage the MFA registration lifecycle for these external users, preferring that the partners use their own organization's MFA claims if they have already authenticated strongly. Which feature should you configure?

You are designing a privileged access strategy for your Azure environment. Currently, 15 administrators have permanent 'Owner' role assignments on the root Management Group. This violates the principle of least privilege. You need to design a solution using Microsoft Entra Privileged Identity Management (PIM) to secure these administrative roles. Which THREE configurations should you include in your PIM design? (Select THREE)

A financial institution is designing a hybrid identity solution. They use on-premises Active Directory and want to synchronize identities to Microsoft Entra ID. Security policies strictly prohibit any form of user password hashes from being synchronized to or stored in the cloud. However, users must be able to sign in to Microsoft 365 and Azure using their on-premises Active Directory credentials. The solution must provide high availability for authentication even if a single on-premises server fails. Which authentication method should you recommend?

Your company wants to eliminate passwords for all employee authentications to Azure and Microsoft 365 to mitigate phishing attacks. You need to design a passwordless authentication strategy. The solution must support employees who work entirely from personal mobile devices (BYOD) and do not have company-issued laptops or hardware security keys. Which passwordless authentication method should you recommend?

A highly regulated financial institution is migrating to Microsoft 365 and Azure. They currently use an on-premises Active Directory Domain Services (AD DS) forest. The Chief Security Officer (CSO) mandates the following strict requirements:

1. User passwords or password hashes MUST NOT be synchronized to the cloud under any circumstances.
2. Users must experience Single Sign-On (SSO) from their domain-joined corporate devices.
3. If the on-premises internet connection fails, users must not be able to authenticate to cloud services.
4. The solution must not require inbound ports to be opened on the corporate firewall.

Which hybrid identity solution should you design?

Your organization uses Microsoft Entra ID Premium P2. You are designing a Conditional Access strategy to protect access to the Azure Portal. The security team requires that if a user's sign-in is evaluated as 'High Risk' by Microsoft Entra ID Protection, the user must not be blocked immediately. Instead, they must be forced to prove their identity securely and remediate the risk themselves without contacting the helpdesk. Which control should you configure in the Conditional Access policy?

Contoso Ltd collaborates with multiple external partner organizations. You are designing a governance solution for Microsoft Entra B2B guest users. The business requirements are:

1. Guest users must legally agree to Contoso's data handling policies before accessing any resources.
2. Guest user access must be automatically revoked if they no longer need access, without requiring manual IT intervention.
3. The solution must minimize administrative overhead for the Contoso IT team.

Which TWO features should you implement? (Select TWO)

You are designing an administrative access strategy for Azure resources using Microsoft Entra Privileged Identity Management (PIM). You have a resource group named 'RG-Production'. A team of developers needs the 'Virtual Machine Contributor' role on this resource group to troubleshoot issues, but they should only have this access when actively working on an approved support ticket. You need to ensure that when developers activate the role, a manager must explicitly approve the activation. Furthermore, the developers must provide the support ticket number during activation. How should you configure the PIM role settings for 'Virtual Machine Contributor' on 'RG-Production'?

Your company is migrating several legacy applications to Azure Virtual Machines. These applications rely on LDAP read/write operations, NTLM authentication, and require servers to be joined to an Active Directory domain. The company has already synchronized their on-premises Active Directory to Microsoft Entra ID using Entra Connect. The CIO wants to decommission the on-premises domain controllers and avoid deploying new IaaS domain controllers in Azure to minimize management overhead (patching, backups). Which TWO actions should you take to support the legacy applications? (Select TWO)

A healthcare company uses Microsoft Entra ID (Azure AD). They need to implement a security policy that requires Multi-Factor Authentication (MFA) only when users access the Azure Portal from outside the corporate network or when Microsoft Entra ID Protection detects a medium or high sign-in risk. Which feature should you design?

Your organization collaborates with 50 external partner companies. You need to grant partner employees access to an internal Azure App Service web app. The solution must ensure that partner access is automatically reviewed every 90 days, and access is revoked if the partner employee leaves their respective company. What should you recommend?

You are designing a privileged access strategy for Azure subscriptions. Administrators must not have standing access to the 'Owner' role. When they need 'Owner' access, they must request it, provide a justification, and receive approval from a manager. The access must automatically expire after 4 hours. Which TWO components are required to implement this? (Select TWO)

A company with strict security policies requires that user passwords must never be synchronized to the cloud, not even in a hashed format. They want to implement Single Sign-On (SSO) for Microsoft 365 and Azure applications using their on-premises Active Directory. Which hybrid identity authentication method should you recommend?

Your organization wants to eliminate passwords for all employees accessing Azure resources from their corporate Windows 11 laptops. You need to recommend a passwordless authentication method that is natively integrated into the Windows operating system. What should you recommend?

You are designing an identity solution for external partners. Partners must use their own credentials. Before accessing applications, they must accept an NDA, and their access must be reviewed every 90 days. Which THREE features should you use? (Select THREE)

You need to secure administrative access to Azure subscriptions. Admins should only have Owner rights when actively performing tasks, and they must provide a justification. What should you implement?

Your company wants to eliminate passwords for employee authentication to Microsoft Entra ID. Which of the following is a supported passwordless authentication method?

An enterprise requires hybrid identity. Security policy dictates that no password hashes can be synchronized to the cloud, but users must experience seamless single sign-on. Which TWO components should you configure? (Select TWO)

You need to automatically block user logins if their credentials are found on the dark web. Which service provides this risk-based signal to Conditional Access?
