Study Guide · SC-300

SC-300 Cheat Sheet

383 entries · 16 chapters · 4 domains

User and Hybrid Identities

Entra Tenant Configuration

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

An Entra role assignment is a definition plus a principal plus a scope

A Microsoft Entra role grant always binds three things: a role definition (a bundle of permissions), a security principal (a user, a role-assignable group, or a service principal), and a scope where they apply. Built-in role definitions are authored by Microsoft and have a fixed permission set you cannot edit; a custom role reuses the same preset permission list. You create the definition once and can assign it many times at different scopes.

Built-in Entra roles are free; custom roles need P1 per assignee

Using Microsoft Entra built-in roles costs nothing, but every user holding a custom role assignment requires Microsoft Entra ID P1. Granting access with a custom role is a two-step process: assemble a role definition from the preset permission list, then create a role assignment that binds it to a principal at a scope. Reach for a custom role only when no built-in role matches the least-privilege need.

Trap Assuming custom roles are free like built-in roles, or that they need P2; P2 buys PIM and eligible assignments, not the right to use a custom role.

2 questions test this
You cannot edit a built-in role; build a custom role instead

Built-in Microsoft Entra role definitions are fixed and cannot be modified. When a built-in role grants too much or too little, the answer is a custom role assembled from the same preset permission list, not an attempt to trim or extend a built-in one.

Trap Editing or cloning a built-in role's permissions to fit a narrower need; built-in definitions are read-only, so a custom role is the only path.

1 question tests this
Entra roles and Azure RBAC roles do not span each other by default

Microsoft Entra roles govern the directory (users, groups, apps, domains) via Microsoft Graph; Azure RBAC roles govern Azure resources (VMs, storage) via Azure Resource Manager. By default a Global Administrator has no access to Azure resources and an Owner cannot manage directory users. The only built-in bridge is a Global Administrator toggling Access management for Azure resources, which grants User Access Administrator at the Azure root scope.

Trap Expecting a Global Administrator to manage Azure subscriptions, or an Owner to manage directory users, without the Access management for Azure resources toggle.

Azure CLI cannot create Microsoft Entra role assignments

Entra directory role assignments are made through the Microsoft Entra admin center, Microsoft Graph PowerShell (New-MgRoleManagementDirectoryRoleAssignment), or the Microsoft Graph API. Azure CLI is not supported for Entra roles; az role assignment create targets Azure RBAC on Azure resources, a different system.

Trap Using az role assignment create to grant a directory role; that command is for Azure RBAC, not Microsoft Entra roles.

Entra role scope is tenant, an administrative unit, or one resource

A role assignment carries one of three scope types: tenant (org-wide, the default and broadest), an administrative unit, or a single Microsoft Entra resource. A resource scope can be a group, an enterprise application, or an app registration, which lets you grant management of one object without a tenant-wide grant.

Trap Picking a subscription or resource group as the resource scope; an Entra resource scope is a group, enterprise application, or app registration, never an Azure subscription or resource group (that is Azure RBAC).

A container scope grants the members; a resource scope grants the object

A role assigned at a container scope (the tenant or an administrative unit) grants permissions over the objects inside the container but not the container object itself. A role assigned at a resource scope grants permissions over that object only and does not reach through to a group's members. In Graph this shows in the scope string: /administrativeUnits/{id} means manage the AU's members, while a bare /{id} means manage that object itself.

Trap Assigning a role at a single group's resource scope and expecting it to reach that group's members; a resource scope grants the object only, so use an administrative unit (or add the users directly) to manage members.

1 question tests this
Entra effective permissions are the additive union across all scopes

A principal's effective Entra permissions are the union of every role assignment they hold at every applicable scope, so you compute access by adding grants together. A narrower assignment never subtracts from a broader one. To audit who has what, list role assignments in the admin center (downloadable as CSV) or via the List unifiedRoleAssignments Graph API.

Trap Assuming a narrow scoped assignment limits or overrides a broader tenant-scope grant the same user already holds; permissions only add.

An administrative unit contains only users, groups, or devices and cannot nest

An administrative unit (AU) is a Microsoft Entra container that holds only users, groups, or devices, used to scope a directory role to part of the org (for example a Helpdesk Administrator over one region). AUs cannot be nested, so model overlap by adding an object to multiple flat AUs (a user can be in both Seattle and Marketing). A user in no AU who is given a tenant-scoped role has tenant-wide scope.

Trap Trying to nest one administrative unit inside another; AUs are flat, so use multiple memberships for overlapping structure.

A group added to an AU brings the group, not its members

Adding a group to an administrative unit puts the group object in scope, so an AU-scoped User Administrator can rename the group and edit its membership, but cannot reset passwords or edit profiles of the users inside it. To manage those users, add them to the AU directly as members. This is the most tested AU subtlety.

Trap Adding only a group to an AU and expecting the scoped admin to reset its members' passwords; the members must be added to the AU directly.

3 questions test this
AUs price by role: P1 per admin, Free per member; dynamic membership needs P1

Creating administrative units is free, but using one requires Microsoft Entra ID P1 for each AU administrator assigned a role over the AU scope, and Microsoft Entra ID Free for each AU member. If you populate the AU with a dynamic membership rule, each AU member then requires P1. The Privileged Role Administrator creates AUs and assigns AU-scoped admins.

Trap Assuming every AU member needs Entra ID P1; members are Free, only the AU administrator needs P1 unless the AU uses a dynamic membership rule (then each member needs P1).

2 questions test this
Only user/group/device roles (plus matching custom roles) can be AU-scoped

An AU scope is offered only for roles whose permissions touch users, groups, or devices, such as User Administrator, Groups Administrator, Helpdesk Administrator, Authentication Administrator, License Administrator, and Cloud Device Administrator, plus any custom role with at least one user/group/device permission. AU-scoped permissions that act on users (password reset, auth methods) apply only to non-administrator targets within the AU.

Trap Expecting to AU-scope a tenant-wide role like Global Administrator, or expecting an AU-scoped Helpdesk Administrator to reset another admin's password; only user/group/device roles can be AU-scoped and they act on non-administrator targets only.

4 questions test this
A restricted management AU blocks even tenant admins from its objects

A restricted management administrative unit protects sensitive objects so only admins explicitly assigned at that AU scope can modify the contained objects' Entra properties. Even a tenant Global Administrator or Privileged Role Administrator is blocked from changing those objects unless they first self-assign a role at the AU scope, which is an auditable event. Those two roles can still manage the AU container itself.

Trap Using a regular administrative unit to protect executive accounts; a regular AU still lets tenant-scoped admins reach in, so only a restricted management AU walls them off.

3 questions test this
Restricted management AUs take users, devices, and security groups only

A restricted management administrative unit supports only users, devices, and security groups as members; Microsoft 365 groups, distribution groups, and mail-enabled security groups are not supported. The restricted-management flag must be set when the AU is created and is immutable afterward, so you cannot convert a regular AU into a restricted one or back.

Trap Adding a Microsoft 365 group to a restricted management AU, or expecting to flip an existing AU to restricted; the member types are limited and the flag is creation-time only.

Restricted management AU limits: 100 per tenant, excluded from governance, 30-min delete

A tenant allows at most 100 restricted management administrative units. Objects inside one cannot be managed by Microsoft Entra ID Governance features (PIM, entitlement management, lifecycle workflows, access reviews). Deleting a restricted management AU can take up to 30 minutes to lift protection from its former members. Only directory operations are blocked; related Microsoft 365 actions (Exchange mailbox, Intune policy, SharePoint, license assignment) still work. It needs P1 per AU admin, Free per member.

Trap Expecting PIM, access reviews, or entitlement management to manage objects inside a restricted management AU; those Entra ID Governance features cannot reach restricted-AU members.

The initial onmicrosoft.com domain cannot be changed or deleted

Every Microsoft Entra tenant ships with an initial domain like contoso.onmicrosoft.com that you cannot rename or delete. To give users friendly sign-in names, add your own DNS name as a custom domain and set it as the primary (default) domain so new users get UPNs like alain@contoso.com.

Trap Trying to delete or rename the onmicrosoft.com initial domain; you can only add a custom domain and mark it primary.

Verify a custom domain with a TXT or MX DNS record, in one directory only

To add a custom domain you create a TXT or MX DNS record (recommended TTL 3600 seconds) at your registrar, then select Verify in the Microsoft Entra admin center as at least a Domain Name Administrator. A given domain name can be verified in only one directory at a time, so to move it you must delete it from the old tenant first. Microsoft Entra ID and Microsoft 365 share the same tenant domain list.

Trap Using a CNAME record to verify domain ownership, or trying to verify a domain already verified in another tenant; verification is TXT or MX and exclusive to one directory.

3 questions test this
A domain cannot be deleted while objects still reference it

You cannot delete a custom domain from a tenant while users, groups, or applications still use that domain (for example in their UPNs). Reassign or remove the dependent objects first, then delete the domain. Because Entra ID and Microsoft 365 share the domain, the same dependency rule applies across both.

Trap Trying to delete a custom domain while users still carry UPNs on it; the delete is blocked until every dependent user, group, or app is reassigned off that domain first.

Company branding needs P1/P2 (or qualifying M365/SharePoint) and a branding admin role

Customizing the Microsoft Entra sign-in page (background, favicon, header/banner/square logos, sign-in text, footer, layout) requires Microsoft Entra ID P1 or P2, or Microsoft 365 Business Standard, or SharePoint Plan 1. The minimum role to configure it is Organizational Branding Administrator. There is one default sign-in experience plus optional per-browser-language overrides that replace the default for matching languages.

Trap Assuming Global Administrator is the role needed to customize branding, or that branding is free; the minimum role is Organizational Branding Administrator and it needs P1/P2 (or qualifying M365/SharePoint).

3 questions test this
Branding skips personal accounts and shows the guest's home-tenant brand

Company branding does not apply to personal Microsoft accounts. For B2B cross-tenant sign-ins the guest sees their own home tenant's branding, not the resource tenant's. External URLs in the sign-in experience render as non-clickable text, sign-in page text is capped at 1,024 Unicode characters, and custom CSS is unavailable for tenants created after January 5, 2026 (older tenants keep it).

Trap Expecting your organization's branding to appear when a B2B guest signs in; the guest sees their home tenant's branding instead.

3 questions test this
Tenant user settings gate app registration and group creation

By default a member user can register applications and create security and Microsoft 365 groups. User settings let you set Users can register applications, Users can create security groups, and Users can create Microsoft 365 groups to No. A User Administrator can still create groups even when end-user creation is turned off, so the switch limits ordinary members, not admins.

Trap Assuming turning off group creation also blocks a User Administrator; admins with the role can still create groups regardless of the setting.

Restricting tenant creation requires the Tenant Creator role

Setting Restrict non-admin users from creating tenants to Yes limits creation of new Microsoft Entra tenants to holders of the Tenant Creator role; otherwise any member user can create a tenant (and becomes its Global Administrator). Tenant creation is always recorded in the audit log under Create Company.

Trap Assuming Global Administrator is the role that lets a user still create tenants once the restriction is on; it is the Tenant Creator role that grants the exception, not Global Administrator.

Restrict access to the admin portal is friction, not a security control

The Restrict access to the Microsoft Entra admin center switch adds browsing friction for non-admins but is explicitly not a security measure: it does not block PowerShell or Microsoft Graph and does not apply to users with an admin role. To actually block non-admin access to management endpoints, use a Conditional Access policy targeting the Windows Azure Service Management API.

Trap Relying on the Restrict access to the Microsoft Entra admin center toggle as a security boundary; it leaves Graph and PowerShell open, so enforce with Conditional Access on the Windows Azure Service Management API.

Guest defaults and a BitLocker device setting live in tenant settings

Guest user defaults are governed by Guest user access restrictions, which can grant guests the same access as members or restrict them to only their own directory objects. A device setting can restrict users from self-service recovering BitLocker keys for their owned devices, forcing them to contact the helpdesk. These tenant-wide toggles shape what every guest or device owner inherits.

Trap Assuming guests get the same directory access as members by default; the default Guest user access restrictions level limits guests, and tightening it to own-objects-only is a deliberate setting.

PIM (P2) makes a role assignment eligible instead of active

With Microsoft Entra ID P2 and Privileged Identity Management, a role assignment can be eligible (the user activates it just-in-time and time-boxed) rather than active (permanent standing access). This is how privileged effective permissions are minimized at the high end; assigning a role to a role-assignable group instead of individuals requires Entra ID P1.

Trap Assuming Microsoft Entra ID P1 enables eligible, just-in-time PIM assignments; eligible (activate-on-demand) role assignments require P2 and PIM, while P1 only covers role-assignable groups.

An AU-scoped role manages only that AU's members, never tenant-wide settings

A role assigned at administrative-unit scope (for example User Administrator or Groups Administrator) applies its permissions only when managing the objects that are members of that AU. It cannot touch tenant-level configuration. The scope is a management boundary, not a visibility boundary: administrative units apply scope only to management permissions and do not prevent the admin from using default user permissions to browse other users, groups, or resources outside the AU.

Trap Assuming the AU scope hides or blocks read/browse access to objects outside the AU

4 questions test this
A dynamic administrative unit needs membershipType, membershipRule, and membershipRuleProcessingState

To create or convert an administrative unit to dynamic membership via the Microsoft Graph API (POST or PATCH /directory/administrativeUnits), set membershipType to Dynamic, supply the membershipRule expression, and set membershipRuleProcessingState to On to activate rule evaluation. Setting membershipRuleProcessingState to Paused stops updating membership dynamically while keeping the rule and current members.

Trap Omitting the /directory/ prefix on the v1.0 path; the documented v1.0 endpoint is /directory/administrativeUnits

5 questions test this
A dynamic administrative unit holds one object type, so users and devices need separate AUs

A dynamic membership rule for an administrative unit targets users OR devices, never both, and dynamic AUs do not support group rules. To automatically maintain both users and devices, create two AUs: one with a Dynamic User rule and one with a Dynamic Device rule. Dynamic AU membership requires one Microsoft Entra ID P1 license per unique member; you don't have to assign the licenses to those users, but the tenant must hold at least enough licenses to cover them.

Trap Trying to add groups to, or mix users and devices in, a single dynamic AU

2 questions test this

Users, Groups, and Devices

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Group type and membership type are two independent choices

An Entra group is defined by two separate axes: its type (Security or Microsoft 365) sets the purpose, and its membership type (Assigned or Dynamic) sets how members get in. You pick both when you create the group, so 'a dynamic security group' and 'an assigned Microsoft 365 group' are both valid combinations. Treating type and membership as one menu is the usual source of wrong answers.

Security groups hold devices; Microsoft 365 groups hold users only

A Security group manages access to resources, roles, and apps and can contain users, devices, service principals, and other groups (nesting). A Microsoft 365 group is for collaboration (shared mailbox, SharePoint, Planner) and can contain users only. So whenever you need to group devices or service principals, it has to be a Security group.

Trap Putting devices into a Microsoft 365 group; it accepts users only, so a device-targeting group must be a Security group.

1 question tests this
A dynamic group targets users OR devices, never both

When you want membership to fill automatically from attributes, you choose Dynamic User or Dynamic Device, and a single dynamic group can only be one of them. A device rule may reference device attributes only, so you cannot build a device group from the owner's department. 'All Sales staff' and 'All Windows laptops' are therefore two separate groups.

Trap Writing one dynamic rule that mixes user and device attributes to cover both; a dynamic group is users-only or devices-only, and device rules see device attributes only.

You cannot hand-edit a dynamic group's members

A dynamic group's membership is governed entirely by its rule, so an owner or admin cannot add or remove individual members the way they can in an Assigned group. To change who is in it you edit the rule, which requires the Groups Administrator, Intune Administrator, or User Administrator role. If you need manual control over exactly who is a member, use an Assigned group.

Trap Trying to remove one user directly from a dynamic group; only the rule controls membership, so you must change the rule or switch to an Assigned group.

Dynamic membership requires Microsoft Entra ID P1

Dynamic membership rules are a paid feature: every member who benefits needs a Microsoft Entra ID P1 license. The free Entra tier gives you Assigned groups only. A malformed rule, rather than erroring, simply leaves the group empty, so test the rule after editing.

Group-based licensing rides on a security group and needs P1 or M365 E3+

Group-based licensing attaches one or more product licenses to a security group; members are licensed automatically when they join and lose the license when they leave, and Entra recomputes within minutes. It requires Microsoft Entra ID P1 (or a qualifying Microsoft 365 Business Premium / Office 365 E3-and-higher plan) for every benefiting user, and you must hold at least one license per unique member of the group. You can disable individual service plans within a product when you assign it.

Group-based licensing only licenses first-level members

Group-based licensing does not flow through nested groups: only the direct, first-level members of the licensed group receive the license, and members of a sub-group do not. To license everyone, either flatten the membership or license each group directly. This is a favorite distractor because nesting works for access but not for licensing.

Trap Licensing a parent group and expecting members of nested sub-groups to inherit it; group-based licensing honors first-level members only.

Set a user's Usage location before assigning any license

A license cannot be assigned to a user until that user has a Usage location set, because some services are restricted by country; a user without one inherits the directory's location. Forget it and the license assignment fails. This is the first thing to check when a license assignment errors.

Trap Assigning a license to a freshly created user that has no Usage location; the assignment fails until the Usage location is set.

1 question tests this
License assignment moved out of the Azure portal and Entra admin center

Since September 1, 2024 the Microsoft Entra admin center and the Azure portal no longer expose license assignment in their UI; user and group license assignment is done in the Microsoft 365 admin center. Microsoft Graph and PowerShell still assign licenses, so scripted and bulk workflows are unaffected. An answer telling you to assign the license in the Azure portal UI is testing this change.

Trap Choosing 'assign the license in the Microsoft Entra admin center / Azure portal' UI; since September 2024 that UI is gone and assignment happens in the Microsoft 365 admin center (or Graph/PowerShell).

Custom security attributes attach only to users and service principals

Custom security attributes are business-defined key-value pairs you assign to Microsoft Entra objects, but the supported targets are users and enterprise applications (service principals) only. They are organized into attribute sets and typed as Boolean, integer, or string (single or multi-value, free-form or predefined), and you can use them to drive attribute-based access control (ABAC). Unlike directory extensions, which anyone who can read the object can read, custom security attributes hold sensitive data behind their own RBAC.

Global Administrator has no custom-security-attribute access by default

Custom security attributes are gated by a dedicated set of roles, and Global Administrator and other admin roles cannot read, define, or assign them until granted one. Attribute Definition Administrator is the minimum to create attributes; Attribute Assignment Administrator is the minimum to assign values; matching Reader roles grant read-only access. These can be scoped at the tenant or at a single attribute set.

Trap Assuming Global Administrator can read or assign custom security attributes; by default it has no access, so you must grant an Attribute Definition or Attribute Assignment role explicitly.

3 questions test this
Custom security attributes are free, with a 500-definition tenant cap

The custom security attributes feature is included free in all editions of Microsoft Entra ID, so it does not require P1 or P2. A tenant can hold up to 500 active attribute definitions. That free-tier status is worth remembering because so many other group and licensing features on this topic do require P1.

Register a device the user owns; join a device the org owns

Microsoft Entra registration (Workplace join) is for bring-your-own-device and mobile scenarios: the user keeps signing in with a personal or local account and only attaches a work identity for access. Microsoft Entra join is for organization-owned devices, where the user signs in with their Entra work account, and it suits cloud-only or hybrid organizations. Both produce a device object in Entra ID and both can be governed by Conditional Access; the deciding line is ownership and the sign-in account, not the operating system.

Trap Joining a user-owned personal device to get it work email and Conditional Access; personal devices should be Entra registered, and join is reserved for organization-owned hardware.

Entra join covers Windows 10/11 except Home, plus macOS and Linux

Microsoft Entra join supports all Windows 11 and Windows 10 devices except Home editions, Windows Server 2019+ VMs in Azure (Server Core excluded), macOS 13 or newer, and several Linux editions. It is provisioned through the Out-of-Box Experience, bulk enrollment, or Windows Autopilot. Windows Home cannot be Entra joined, which is a common distractor.

Trap Expecting to Microsoft Entra join a Windows Home edition device; Home editions are not supported, only Pro/Enterprise/Education and the listed macOS and Linux builds.

Hybrid join bridges an AD-domain device to the cloud

Microsoft Entra hybrid join takes a device that is already joined to on-premises Active Directory and also registers it with Entra ID, so it keeps Group Policy and on-premises AD authentication while gaining cloud SSO and Conditional Access. It is the migration option for organizations not yet ready for cloud-only Entra join, and it is configured through Microsoft Entra Connect. Reach for it when existing AD-domain-joined Windows devices must come under Conditional Access without re-imaging.

Joining or registering a device is not enrolling it in MDM

Device join and registration establish the device's identity in Entra ID, but they do not place the device under management policy. MDM enrollment, typically Microsoft Intune, is a separate step that enforces compliance like encryption and password rules. This is why a Conditional Access 'require compliant device' control can still block a device that is Entra registered but never enrolled.

Trap Assuming an Entra registered or joined device automatically satisfies a 'require compliant device' Conditional Access control; compliance comes from separate Intune enrollment, not from the device identity alone.

1 question tests this
Bulk user and group operations use a CSV template in the Entra admin center

The Microsoft Entra admin center provides Bulk create, Bulk invite, Bulk delete, and Bulk restore operations, each driven by a CSV template you download, fill in, and upload. Use it to onboard or offboard many users at once without scripting. For repeatable or pipelined automation you move to PowerShell or Microsoft Graph instead.

Automate Entra identity tasks with Microsoft Graph PowerShell, not the retired modules

The current PowerShell tooling for Entra users, groups, licensing, and devices is Microsoft Graph PowerShell (for example Connect-MgGraph, New-MgUser, New-MgGroup). The older MSOnline and AzureAD modules are deprecated and retired, so scripts built on Connect-AzureAD or the MSOnline cmdlets should be migrated. An exam answer naming AzureAD or MSOnline cmdlets is usually the wrong, dated choice.

Trap Reaching for the AzureAD or MSOnline PowerShell modules to script Entra changes; both are retired, and Microsoft Graph PowerShell (Connect-MgGraph, New-MgUser) is the supported tooling.

Synced users are edited on-premises, not in the cloud

A user that originates in on-premises Active Directory and flows up through Microsoft Entra Connect Sync or Cloud Sync is a synced user, with onPremisesSyncEnabled set and most properties read-only in Entra ID. You change a synced user's name, attributes, or group membership in on-premises AD, and the change syncs up. Cloud-only and guest (B2B) users, by contrast, are edited directly in Entra.

Trap Trying to edit a synced user's attributes directly in the Microsoft Entra admin center; synced properties are read-only in the cloud and must be changed in on-premises AD.

Conditional Access application filters work only with String custom security attributes

To target applications dynamically with a Conditional Access policy, tag them with a custom security attribute and add a filter for applications under Target resources (Select resources, then Edit filter). Conditional Access filters for applications only work with custom security attributes of type String; other data types such as Boolean are not supported by the policy filter even though they can be defined. Filters are evaluated at token-issuance runtime, not configuration, so newly tagged apps are covered automatically without editing the policy.

Trap Selecting a non-String attribute (for example Boolean) for the filter; only String is supported

4 questions test this
Deleted users are soft-deleted for up to 30 days and managed via /directory/deletedItems

A deleted user remains available in a soft-deleted state for up to 30 days, and after 30 days it is permanently deleted. Using the Microsoft Graph API: list deleted users with GET /directory/deletedItems/microsoft.graph.user, restore one with POST /directory/deletedItems/{id}/restore, and permanently remove one with DELETE /directory/deletedItems/{id}. After a permanent delete the account cannot be recovered.

Trap Sending DELETE to /users/{id} again to purge it instead of DELETE /directory/deletedItems/{id}

3 questions test this
Block sign-in without deleting by setting accountEnabled to false

To stop a user from signing in while keeping the account, send PATCH /users/{id} with accountEnabled set to false; this is exactly what the Block sign in toggle does in the admin center. For an app running without a signed-in user, User.EnableDisableAccount.All plus User.Read.All is the least privileged combination of application permissions to update accountEnabled.

Trap Deleting the account or removing licenses when only a sign-in block was needed

3 questions test this
Configuring Intune forces device registration to All and removes the None option

Enrollment with Microsoft Intune or mobile device management for Microsoft 365 requires device registration. If you've configured either of these services, the Users may register their devices with Microsoft Entra ID setting is set to All and None becomes unavailable.

Trap Expecting to disable registration with None while Intune is configured

3 questions test this
Add a group member with New-MgGroupMember using -GroupId and -DirectoryObjectId

The New-MgGroupMember Microsoft Graph PowerShell cmdlet adds a member to a group. Pass the target group's object ID to -GroupId and the user's (or directory object's) object ID to -DirectoryObjectId. It maps to the POST /groups/{group-id}/members/$ref Microsoft Graph API.

Trap Reaching for retired AzureAD module cmdlets like Add-AzureADGroupMember instead of the Graph cmdlet

3 questions test this
Get-MgSubscribedSku: ConsumedUnits are assigned, PrepaidUnits.Enabled are purchased

Get-MgSubscribedSku reports each licensing plan's ConsumedUnits (licenses already assigned to users) and PrepaidUnits.Enabled (active purchased licenses). Licenses still available to assign equal PrepaidUnits.Enabled minus ConsumedUnits.

Trap Reading ConsumedUnits as the licenses remaining rather than the licenses already assigned

4 questions test this
Creating a user via Graph requires five properties including passwordProfile

POST /users (and the New-MgUser cmdlet) requires accountEnabled, displayName, mailNickname, userPrincipalName, and passwordProfile at a minimum. In PowerShell, supply -PasswordProfile a hash table containing a Password key (and optionally ForceChangePasswordNextSignIn). Creating a user needs the User.ReadWrite.All (or Directory.ReadWrite.All) permission.

Trap Omitting mailNickname, which is required even though it is easy to overlook

4 questions test this

External Identities

Read full chapter
  • A B2B guest authenticates at home and carries a #EXT# UPN
  • Widen a guest's access with roles, not by changing userType
  • External collaboration settings vs cross-tenant access settings are different planes
  • The default guest invite setting lets anyone, including guests, invite
  • The Guest Inviter role can invite even when invites are locked to admins
  • The default guest access level gives limited directory visibility
  • Collaboration restrictions are an allowlist or a blocklist, never both
  • Bulk-invite guests with the CSV template, keeping its first two rows intact
  • Outbound and inbound access settings are configured separately
  • Trust settings are inbound-only and off by default
  • B2B collaboration is on by default and direct connect is blocked by default
  • Automatic redemption suppresses the prompt only when both sides enable it
  • B2B direct connect exists only for Teams shared channels and is mutual
  • Cross-tenant sync is a one-way push configured in the source tenant
  • Cross-tenant sync moves only internal members, never the source's guests
  • Cross-tenant sync needs Entra ID P1 in the source per user
  • Cross-tenant sync is not a migration tool
  • Direct federation lets a partner sign in with their own SAML or WS-Fed IdP
  • A federated SAML IdP must send a persistent NameID and an email claim
  • Domainless federation routes by Issuer URI, and only one is allowed per tenant
  • Tenant restrictions are independent of inbound, outbound, and trust settings
  • Move the federated IdP up the redemption order to use it first
  • New-MgInvitation needs the SignIns module and a required InviteRedirectUrl
  • A B2B invitation never expires and the guest is added to the directory immediately

Unlock with Premium — includes all practice exams and the complete study guide.

Hybrid Identity

Read full chapter
  • Sync choice and sign-in choice are independent decisions
  • Password hash sync syncs a hash of a hash, never the plaintext password
  • Enable password hash sync as the backup even when it is not your primary method
  • PHS does not enforce on-premises account changes instantly
  • Pass-through authentication validates passwords on-premises with outbound-only agents
  • Deploy three PTA agents for high availability; a tenant supports 12 max
  • Seamless SSO rides on PHS or PTA; it is not a separate authentication method
  • Seamless SSO uses the AZUREADSSO account; roll its Kerberos key every 30 days
  • Federation (AD FS) validates passwords on-premises and is the last-resort method
  • Cloud Sync is the lightweight, cloud-managed sync; choose it by default
  • Cloud Sync caps at 150,000 objects per AD domain
  • Cloud Sync supports groups up to 50,000 members; Connect Sync up to 250,000
  • Device sync and Hybrid Azure AD Join require Connect Sync, not Cloud Sync
  • Both sync tools run a sync cycle every two minutes
  • Use staged rollout to pilot cloud auth before converting domains
  • Staged rollout does not support nested or dynamic membership groups
  • Convert domains from federated to managed with Update-MgDomain
  • Domain conversion to managed can take up to 60 minutes
  • Connect Health monitors AD FS; PHS needs no health monitoring
  • PTA agents and Cloud Sync agents both rely on outbound connections over Azure Service Bus
  • Keeping AD FS for SAML/WS-Fed apps does not block converting domains to managed
  • Group scoping in Cloud Sync and cross-tenant sync includes only direct members
  • The Seamless SSO autologon URL must be in the Local intranet zone for Kerberos to flow
  • Override sync attribute flow with a higher-precedence custom rule, never by editing out-of-box rules
  • The provisioning agent needs a domain-joined Windows Server 2016/2019/2022 (not Server Core)

Unlock with Premium — includes all practice exams and the complete study guide.

Authentication and Access

Authentication Methods

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Enable and scope every method in the Authentication methods policy

The Authentication methods policy in Microsoft Entra ID is the single tenant-wide place to turn each method on or off and target it to specific users and groups, covering passkey (FIDO2), Microsoft Authenticator, certificate-based authentication, Temporary Access Pass, SMS, voice, OATH tokens, and email OTP. It is the modern replacement for legacy per-user MFA and Security Defaults, with a migration toggle to move off them. Plan from this policy first to decide who registers which strong method, then enforce when MFA is required separately in Conditional Access.

Trap Using legacy per-user MFA's Enabled/Enforced state to require MFA today; that control predates Conditional Access and is being retired in favor of the Authentication methods policy plus Conditional Access.

1 question tests this
Choose a phishing-resistant method when the scenario demands the most secure sign-in

Microsoft's phishing-resistant tier is a fixed list: Windows Hello for Business, passkeys (FIDO2 security keys and synced passkeys), passkeys in Microsoft Authenticator, Platform Credential for macOS, and certificate-based authentication. They resist remote phishing because the credential is cryptographically bound to the device and cannot be replayed from a stolen password or code. Authenticator push and passwordless phone sign-in are strong but still phishable, so they sit one tier below.

Trap Treating Microsoft Authenticator push approval as phishing-resistant; it is strong MFA but a real-time phishing or MFA-fatigue attack can still defeat it, so it is not in the phishing-resistant tier.

2 questions test this
SMS, voice, and OATH codes are the weakest accepted factors

SMS, voice call, and OATH one-time codes are the lowest tier Entra accepts and should be a fallback only, used when phones are restricted or stronger methods are unavailable. They are vulnerable to SIM-swap, interception, and phishing because the secret travels to the user and can be relayed. OATH tokens (hardware or software TOTP generators) are second-factor only and never serve as a primary credential.

A Temporary Access Pass bootstraps passwordless without a password

A Temporary Access Pass (TAP) is a time-limited passcode an admin issues so a new or locked-out user signs in once and registers a strong method such as a passkey or Windows Hello for Business, never using a password. It is the canonical onboarding and recovery path because it lets you stand up phishing-resistant credentials before the user has any. For federated domains a TAP is preferred over federation, so the user authenticates in Entra ID rather than being redirected to the on-premises identity provider.

4 questions test this
Know the TAP policy defaults: 1h/8h/1h lifetime, 8 characters, reusable

The TAP policy ships with a minimum lifetime of 1 hour, a maximum of 8 hours, a default of 1 hour, and a default length of 8 characters; all lifetimes can be configured from 10 minutes up to 30 days (43,200 minutes) and length from 8 to 48 characters. One-time use defaults to False, meaning a TAP is reusable within its validity unless you enforce one-time use tenant-wide. An Authentication Policy Administrator manages the policy, while an Authentication Administrator or Privileged Authentication Administrator creates individual passes.

A one-time TAP must finish passwordless registration within 10 minutes

When a user signs in with a one-time (single-use) TAP to register a passwordless method like a FIDO2 key or phone sign-in, the registration must complete within 10 minutes of sign-in. A reusable multi-use TAP has no such window and can be entered again during its validity, which is why long device-enrollment flows often use either two single-use passes or one multiuse pass. This 10-minute limit reflects MFA enforcement during credential registration, not the TAP lifetime itself.

Trap Assuming a one-time TAP stays usable for its full lifetime to register a passkey; passwordless registration with a single-use TAP must finish within 10 minutes of sign-in or it fails.

A TAP can be issued to internal guests but not external guests

You can add a Temporary Access Pass to an internal guest (a user object whose UserType is Guest but who has methods registered in your tenant), but adding one to an external guest account returns an error. An external guest instead signs in to the resource tenant with a TAP issued by its home tenant, and only if cross-tenant access settings are configured to trust MFA from that home tenant. So a TAP is a same-tenant onboarding tool, not a way to bootstrap an external partner.

Trap Issuing a TAP to an external guest to onboard a partner; external guest accounts are rejected, and their MFA must come from their home tenant under cross-tenant access trust.

A passkey (FIDO2) is the flagship phishing-resistant first factor

A passkey based on FIDO2 can be a hardware security key, a synced passkey, or a passkey stored in Microsoft Authenticator, and all forms are phishing-resistant and capable of primary (first-factor) authentication. The credential is a device-bound key pair verified cryptographically, so there is no shared secret an attacker can phish. Enable it in the Authentication methods policy and target the populations that need the strongest sign-in.

Certificate-based authentication presents a smart card directly to Entra ID

Certificate-based authentication (CBA) lets users authenticate with an X.509 certificate or smart card directly against Microsoft Entra ID, with no AD FS in the path, as a phishing-resistant first factor. It is the natural choice when an organization already operates a PKI and wants to reuse those certificates. CBA is configured in the Authentication methods policy along with certificate-authority and username-binding settings.

Trap Assuming certificate-based authentication still requires AD FS; modern Entra CBA validates the certificate directly in the cloud without a federation server.

Windows Hello for Business binds a TPM key unlocked by a PIN or biometric

Windows Hello for Business provisions an asymmetric key pair, preferably protected by the device TPM, that is unlocked by a local PIN or biometric gesture which never leaves the device. Because the password is not used in the sign-in, it is phishing-resistant; the PIN is device-local, not a network secret. A user with a registered passkey can even use Windows Hello for Business as a step-up MFA credential.

Trap Thinking the Windows Hello PIN is a weaker password sent to Entra ID; the PIN only unlocks a local TPM-bound key and is never transmitted, which is why Hello is phishing-resistant.

SSPR registers at least one method but admins are forced to two

Self-service password reset (SSPR) requires each user to register at least one authentication method, and the admin policy then requires one or two registered methods to perform a reset. Accounts holding an Azure administrator role are automatically forced onto a stronger two-method reset policy regardless of the tenant setting. SSPR cuts helpdesk password tickets by letting users reset their own password after verifying with their registered methods.

1 question tests this
SSPR is free, but password writeback for synced users needs Entra ID P1

The SSPR feature itself is available on Microsoft Entra ID Free, but password writeback, which carries a cloud password reset back to on-premises Active Directory for federated, pass-through-authentication, or password-hash-synced users, requires Microsoft Entra ID P1. Without writeback a hybrid user's reset would not reach their on-premises account. So a scenario that resets passwords for synced users implies the P1 writeback requirement.

Trap Picking SSPR alone for synced on-premises users without enabling password writeback; the cloud reset would not flow back to their AD account, and writeback requires Entra ID P1.

1 question tests this
SSPR is password recovery, not a Conditional Access MFA factor

SSPR exists to let a user reset a forgotten password, which is recovery, and it never satisfies a Conditional Access requirement for multifactor authentication at sign-in. MFA, SSPR, and Password Protection are three separate controls: MFA adds a factor, SSPR restores access, and Password Protection enforces password quality. Keep them distinct when a question offers SSPR as a way to meet an MFA requirement.

Trap Selecting SSPR to satisfy a Conditional Access MFA grant; SSPR is recovery, so it cannot count as the second factor a sign-in policy demands.

The global banned password list is automatic and cannot be disabled

Microsoft Entra Password Protection applies a global banned password list, built from Microsoft's own attack telemetry, to every tenant automatically with nothing to enable, and it cannot be turned off or viewed. It blocks known weak base terms and their variants at password change or reset. For cloud-only users the global list is covered by Microsoft Entra ID Free.

3 questions test this
A custom banned password list holds up to 1,000 base terms and needs P1

On top of the global list you can add a custom banned password list of up to 1,000 organization-specific base terms such as brand, product, and location names, which are combined with the global list at validation. Add only key base terms, not every variant, because the algorithm expands them automatically. The custom list requires Microsoft Entra ID P1 or P2.

Trap Adding every weak variant like Contoso!1 and Contoso@London to the custom list; you list only the base term Contoso, and normalization plus fuzzy matching block the variants, within a 1,000-term cap.

1 question tests this
Password Protection scores a password and needs at least 5 points to pass

Password Protection normalizes a new password (lower-cases it and undoes substitutions like 0 to o, 1 to l, $ to s, @ to a), fuzzy-matches it against the banned lists at an edit distance of 1, substring-matches the user and tenant name for terms at least four characters, then scores it: each banned term found is one point and each leftover character is one point. The password is accepted only if it totals at least 5 points. So a password packed with banned terms and few extra characters is rejected even if it is long.

2 questions test this
Extend Password Protection to AD DS with the DC agent and proxy (P1)

To enforce the same banned-password rules on on-premises password changes, install the Microsoft Entra Password Protection DC agent on domain controllers plus the proxy service that relays policy from Entra ID. This on-premises deployment requires Microsoft Entra ID P1, and you can run it in Audit mode to log what would be blocked before switching to Enforced mode. Tenant-name substring matching is skipped when validating on a domain controller.

Trap Expecting cloud Password Protection to cover on-premises AD password changes automatically; you must deploy the DC agent and proxy on-premises (Entra ID P1) for domain password changes to obey the rules.

Audit mode logs banned passwords before Enforced mode blocks them

On-premises Microsoft Entra Password Protection supports an Audit mode that evaluates and logs which password changes would be rejected without actually blocking them, and an Enforced mode that blocks them. Run Audit first to gauge user impact, then move to Enforced once you understand the blast radius. The mode is a setting pushed from Entra ID through the proxy to the DC agents.

Microsoft Entra Kerberos issues a partial TGT for hybrid passwordless SSO

Microsoft Entra Kerberos gives passwordless users (FIDO2 or Windows Hello for Business) single sign-on to on-premises Active Directory resources by creating an AzureADKerberos computer object that appears as a read-only domain controller but maps to no physical server. Microsoft Entra ID uses it to issue a partial Kerberos ticket-granting ticket (TGT) at sign-in, which the on-premises AD completes for resource access. Without it, a Microsoft Entra joined user can sign in but loses SSO to AD-secured resources like file shares.

2 questions test this

Cloud Kerberos trust, powered by Microsoft Entra Kerberos, is Microsoft's recommended deployment model for hybrid Windows Hello for Business because it skips the certificate infrastructure that key trust and certificate trust require. You enable Microsoft Entra Kerberos, then set the Use Windows Hello for Business and Use cloud trust for on-premises authentication policies. It is the lowest-overhead path to phishing-resistant Windows sign-in with on-premises SSO.

Trap Choosing certificate trust for a new hybrid Windows Hello rollout to get on-premises SSO; it needs PKI, whereas cloud Kerberos trust delivers the same SSO without certificate plumbing and is the recommended model.

Certificate trust overrides cloud Kerberos trust if its policy is enabled

If the Use certificate for on-premises authentication policy is enabled on a device, certificate trust takes precedence over cloud Kerberos trust, so cloud Kerberos trust silently will not apply. There is also no direct migration path from certificate trust to cloud Kerberos trust; you must delete the Windows Hello container (certutil -deletehellocontainer) and re-provision. Leave the certificate policy Not configured on machines you want on cloud Kerberos trust.

Trap Enabling cloud Kerberos trust while the certificate-for-on-premises-auth policy is still on; certificate trust wins, so cloud Kerberos trust never takes effect on that device.

Disable the account and revoke sessions to contain a compromise

When an account is compromised, the immediate containment action is to disable the account to block new sign-ins and revoke its refresh tokens and sessions (for example Revoke-MgUserSignInSession) so issued tokens stop working and the user must reauthenticate. Resetting the password alone does not invalidate existing refresh tokens, so the attacker keeps access until those tokens expire. Method rotation and investigation come after containment, not before.

Trap Resetting the compromised user's password as the first and only response; a password reset does not revoke existing refresh tokens, so you must also revoke sessions to cut the attacker's live access.

3 questions test this
Security Defaults is all-or-nothing; granular control needs Conditional Access

Security Defaults is a free, tenant-wide on/off baseline that forces all users to register and use MFA, with no per-group scoping and no per-app conditions. The moment you need to require MFA for some users, apps, or risk conditions but not others, you turn Security Defaults off and use the Authentication methods policy with Conditional Access. The two cannot run together with Conditional Access policies enabled.

Trap Keeping Security Defaults to apply MFA only to admins or only to risky sign-ins; Security Defaults has no scoping, so granular requirements need Conditional Access instead.

2 questions test this
Limit which FIDO2 key models register with key restrictions and AAGUIDs

In a Passkey (FIDO2) passkey profile, set Enforce key restrictions to Yes and add the approved models' Authenticator Attestation GUIDs (AAGUIDs) to an allow or block list. Key restrictions set the usability of specific models or providers for both registration and authentication, so if you remove an AAGUID you previously allowed, users who already registered that method can no longer use it for sign-in. Attestation enforcement is different: it is checked only at registration, so users who registered a passkey without attestation aren't blocked from sign-in if you set Enforce attestation to Yes later.

Trap Enforce attestation (verifies the vendor at registration) is a separate control from key restrictions (the AAGUID allow/block list). Tightening attestation later does not block already-registered keys, but tightening key restrictions does — removing an allowed AAGUID stops previously registered keys of that model from signing in.

4 questions test this
Restrict one app to a single FIDO2 vendor with a custom authentication strength

A custom authentication strength (Authentication methods > Authentication strengths) lets you pick an exact method combination and, in the Passkeys (FIDO2) advanced options, allow only specific AAGUIDs. Require it in a Conditional Access policy targeting one app so only the approved key model satisfies that app, while the built-in Phishing-resistant MFA strength (which also accepts Windows Hello for Business and Microsoft Entra certificate-based authentication) still applies elsewhere.

Trap The built-in Phishing-resistant MFA strength is predefined and can't be modified or narrowed to one vendor or one method; when the scenario says only a specific FIDO2 model is allowed, you need a custom strength with the AAGUID, not the built-in tier.

4 questions test this

Conditional Access

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A Conditional Access policy is an if-then statement: assignments then access controls

Read every Conditional Access policy as "if these signals match, then enforce these controls." The assignments are the if (users, target resources, network, conditions), and the access controls are the then (grant or block, plus session controls). All assignments in one policy combine with AND, so each one you add narrows the policy; an over-scoped policy with too many conditions simply never fires.

Trap Assuming an assignment you add only adds reach; every assignment ANDs, so adding one more condition can stop a policy from ever matching.

When several policies match a sign-in, all of them must be satisfied

Multiple Conditional Access policies can apply to one sign-in, and the user must satisfy every applicable policy, not just one. If one policy requires MFA and another requires a compliant device, the user does both. A Block grant in any matching policy overrides all the grants, so block always wins.

Trap Treating policies as OR so satisfying one is enough; they AND across policies, and a single Block policy denies regardless of what others would grant.

2 questions test this
Grant controls AND by default; choose 'require one' to OR them

Inside one Grant block, 'Require all the selected controls' ANDs them (MFA and compliant device) and is the default for multiple controls, while 'Require one of the selected controls' ORs them (compliant device or MFA). The phase-2 prompt order is fixed: MFA, then compliant device, then hybrid joined, then approved client app, then app protection policy, then password change, then terms of use.

3 questions test this
Require authentication strength is the granular replacement for Require MFA

Require authentication strength names an allowed set of methods (for example phishing-resistant MFA) rather than 'any second factor,' so reach for it on high-value targets and admin actions. Plain Require multifactor authentication accepts any registered second factor. Authentication strengths let one grant control demand specifically phishing-resistant credentials.

Trap Using Require multifactor authentication when the requirement is phishing-resistant; plain MFA accepts SMS or a push, so you need Require authentication strength to force FIDO2 or certificate-based methods.

5 questions test this
Require compliant device (Intune) is not the same as Require hybrid joined

Require device to be marked as compliant trusts an Intune compliance evaluation and works across Windows, macOS, iOS, and Android; Require Microsoft Entra hybrid joined device only checks that the device is joined to both on-premises AD and Entra, with no health assessment. A stem about 'managed and healthy' wants compliant; one about 'domain-joined corporate Windows' wants hybrid joined.

Trap Choosing Require hybrid joined device when the goal is Intune-managed and healthy; hybrid join proves domain membership but performs no compliance check, so a non-compliant domain device still passes.

Block legacy authentication by targeting the legacy client-app condition

Legacy authentication protocols cannot perform MFA, so they are the most common path around an MFA policy. Block them with a Conditional Access policy whose client-apps condition selects the legacy/other clients and whose grant control is Block. This closes the bypass that an MFA-for-all-users policy alone leaves open.

Filter for devices targets devices by attribute rules like trustType and extensionAttribute

Filter for devices is a condition that includes or excludes devices by a rule over device-object attributes: trustType (AzureAD = Entra joined, ServerAD = hybrid joined, Workplace = registered), isCompliant, deviceOwnership (Personal or Company), model, operatingSystem, and the customer-set extensionAttribute1 through extensionAttribute15. The privileged-access-workstation pattern blocks access except where device.extensionAttribute1 equals SAW.

Use a negative operator in a device filter to catch unregistered devices

For an unregistered device every attribute is null, so a positive operator (Equals, In, StartsWith) never matches it and the filter does not apply. To target unregistered devices, use a negative operator (NotEquals, NotIn, NotStartsWith), which evaluates true against the null value. This is why PAW exclusion rules are written with -ne rather than -eq.

Trap Writing a device filter with a positive operator to catch unmanaged devices; an unregistered device has null attributes, so only a negative operator applies the rule to it.

Target resources includes apps, two user actions, and authentication context

Target resources (formerly cloud apps) has three flavors: cloud apps (Microsoft and Entra-integrated apps), user actions, and authentication context. Only two user actions exist: Register security information and Register or join devices. Group Microsoft 365 services under the Office 365 app instead of targeting Exchange or SharePoint individually, because their dependencies otherwise leave coverage gaps.

Trap Targeting Exchange Online or SharePoint Online individually for an M365 MFA policy; service dependencies mean only the Office 365 grouping covers all the related metadata and child services.

3 questions test this
Risk is a condition Conditional Access consumes, not something it computes

Conditional Access can use sign-in risk and user risk as conditions, but the scoring comes from Microsoft Entra ID Protection, which is why risk-based conditions require Entra ID P2. Conditional Access itself is a P1 capability. So a policy can act on 'High user risk,' but only ID Protection decides what counts as high.

Trap Assuming Conditional Access detects risk on its own; it only reads a risk level supplied by Entra ID Protection, and that pairing is what needs Entra ID P2.

Session controls shape the granted session, starting with sign-in frequency

Once grant controls are satisfied, session controls apply. Sign-in frequency overrides the default rolling 90-day session with a fixed hours/days interval or 'Every time' for sensitive actions. Persistent browser session governs 'Stay signed in?'. App-enforced restrictions pass device state to Exchange Online and SharePoint Online only. Conditional Access App Control routes the session through Microsoft Defender for Cloud Apps.

4 questions test this
Sign-in frequency 'Every time' does not log a user out on browser close

Sign-in frequency 'Every time' forces reauthentication when the session is evaluated, factoring in five minutes of clock skew, not whenever the browser closes and reopens. Before enabling sign-in frequency, disable 'Remember MFA on trusted devices' or the two settings prompt users unexpectedly. The default user sign-in frequency is a rolling window of 90 days.

Trap Believing 'Every time' reauthenticates on every browser restart; it re-prompts only on session evaluation with a five-minute clock-skew buffer, so closing and reopening the browser does not necessarily prompt.

6 questions test this
Continuous access evaluation revokes still-valid tokens on critical events

CAE turns token issuance into a two-way conversation so a resource can reject a non-expired token in near real time. Critical event evaluation needs no Conditional Access policy and works in any tenant, firing on: user deleted or disabled, password changed or reset, MFA enabled for the user, admin revokes all refresh tokens, and high user risk from ID Protection. The resource returns a 401 plus claim challenge and the client bypasses its cache.

Trap Shortening token lifetimes to enforce a disablement faster; Microsoft replaced that 'blunt object' approach with CAE, which revokes on the critical event instead of waiting for expiry.

7 questions test this
CAE sessions use long-lived tokens up to 28 hours, not shorter ones

Because CAE evaluates risk and policy continuously, CAE-aware sessions stop honoring static token lifetimes and the access token grows to long-lived, up to 28 hours. Revocation is driven by critical events, not a clock, so the long token improves stability without weakening security. Without CAE-capable clients the default access token lifetime stays 1 hour.

Trap Assuming CAE shortens token lifetime; it lengthens it to up to 28 hours because critical events, not expiry, now drive revocation.

5 questions test this
CAE only enforces IP-based named locations and falls back past 5,000 ranges

CAE has insight only into IP-based named locations, not country/region locations or MFA-trusted-IPs; coming from those, CAE will not enforce the location change. If the sum of all IP ranges in location policies exceeds 5,000, Entra falls back to a one-hour token for the location-change flow while still enforcing other events. CAE also does not support guest users, and Strict Location Enforcement removes the standard tolerance for an allowed-egress-IP mismatch.

Trap Configuring a country/region named location and expecting CAE to enforce a move in real time; CAE only understands IP-based named locations.

2 questions test this
Authentication context protects a single resource or action, with IDs c1 to c99

An authentication context is a tag (display name plus a read-only ID in the range c1 to c99, up to 99 per tenant) that you select as a target resource in a Conditional Access policy and then attach to a specific resource: a SharePoint site, a Microsoft Purview sensitivity label, a Defender for Cloud Apps session policy, a custom app, or a PIM role's On activation setting. You must tick 'Publish to apps' or the context is invisible to downstream resources.

Trap Creating an authentication context but leaving 'Publish to apps' unchecked; an unpublished context cannot be assigned to any resource and the protection never takes effect.

10 questions test this
Protected actions step up specific Entra permissions at action time

Protected actions attach a Conditional Access authentication context to a small set of high-impact Entra permissions, enforcing the policy when the user performs the action rather than at sign-in or role activation. The protectable set includes managing Conditional Access policies (create/delete/basic update), cross-tenant access settings, hard-deleting directory objects, and managing named locations. The intended pattern is to require phishing-resistant MFA before deleting a CA policy. Protected actions need Entra ID P1.

1 question tests this
Protected actions add a requirement to a permission, they do not decide who holds it

Protected actions apply an access requirement (such as step-up MFA) to performing a permission; they are not an authorization control and do not block a permission based on identity or group membership. Who can do something is a role-assignment decision. Protected actions differ from PIM role activation, which enforces a policy when a user activates a role; the two combine for stronger coverage.

Trap Using protected actions to stop a specific user or group from holding a permission; that is an authorization decision made by role assignment, while protected actions only add a step-up requirement to performing the action.

Report-only mode evaluates and logs a policy without enforcing it

Report-only is a policy state (alongside On and Off) that evaluates the policy on each sign-in and logs what it would have done without enforcing grant or session controls, so users are never prompted or blocked. Review impact in the sign-in log's Report-only tab, the Conditional Access insights workbook (needs Entra ID P1 and a Log Analytics workspace), or the Policy impact view. It is the standard way to measure blast radius before turning a policy On.

8 questions test this
Report-only result values: Success, Failure, User action required, Not applied

A report-only policy logs one of four results per sign-in: Report-only: Success (controls already satisfied), Report-only: Failure (conditions matched but a non-interactive control or block was not satisfied), Report-only: User action required (conditions matched but the user would have been prompted, and report-only never prompts), and Report-only: Not applied (conditions did not match). Report-only does not work for the User Actions scope.

Trap Reading 'Report-only: User action required' as a failure; it means the conditions matched and the policy would have prompted the user, but report-only mode suppresses the prompt.

Create policies from templates, which start in report-only by default

Policy templates deploy Microsoft-recommended policies grouped into categories (Secure foundation, Zero Trust, Remote work, Protect administrator, Emerging threats), and each template is created in report-only mode by default. A template's user exclusion only excludes the policy's creator, so after creating one you must edit it to exclude your other break-glass accounts. You can export a template's JSON and re-import it for programmatic deployment.

Trap Assuming a template already excludes all your emergency accounts; it excludes only the creating admin, so you must add break-glass exclusions after creating it.

3 questions test this
Always exclude break-glass and service accounts from every policy

Exclude emergency-access (break-glass) accounts and service principals from every Conditional Access policy so a misconfiguration cannot lock out all administrators. A break-glass account that is itself caught by a faulty MFA or device policy defeats its purpose. Service accounts are noninteractive and should be replaced with managed identities where possible, with workload-identity Conditional Access used to target service principals.

Trap Applying a require-MFA-for-all-admins policy without excluding the break-glass account; if the policy misfires, the recovery account is locked out along with everyone else.

1 question tests this
Conditional Access policy changes take up to a day; revoke sessions to apply now

Group membership and policy changes can take up to a day (optimized to about two hours for some policy updates) to propagate to resources like Exchange Online and SharePoint Online. To apply a change immediately to a user, revoke their sessions with Revoke-MgUserSignInSession in Microsoft Graph PowerShell or Revoke Session on the user's profile, which forces fresh evaluation on the next token request.

Trap Waiting for a policy or group-membership change to apply on its own when it must take effect immediately; revoke the user's sessions to force re-evaluation rather than waiting up to a day for propagation.

Conditional Access policies apply only to built-in directory roles

When you target directory roles in a Conditional Access policy, only built-in roles are honored; the policy is not enforced for administrative-unit-scoped or custom roles. Policies targeting roles or groups are also evaluated only when a token is issued, so a user newly added to a targeted role is not subject to the policy until their next token, not retroactively.

Trap Expecting a Conditional Access policy that targets a custom or administrative-unit-scoped role to enforce; only built-in directory roles are supported as a target.

2 questions test this
Persistent browser session control requires All resources as the target

The persistent browser session control (Never persistent / Always persistent) can only be saved when target resources is set to All resources (formerly All cloud apps). Browser session persistence is governed by a single authentication session token shared across all tabs in the browser, so it can't be scoped to one app; the control requires selecting all cloud apps as a condition.

Trap Sign-in frequency can target specific apps, but persistent browser session cannot; the fix when the control won't save is to widen target resources to All resources, not to change the session control.

4 questions test this
Token protection covers only specific native apps, not browsers

Require token protection for sign-in sessions cryptographically binds the session token to the device (using the device-bound Primary Refresh Token) to stop token replay. It currently supports native applications only — browser-based applications are not supported. Enforcement is generally available on Windows 10+ devices that are Entra joined, hybrid joined, or registered (preview on iOS/iPadOS and macOS), and it can be enforced for Exchange Online, SharePoint Online, and Microsoft Teams (plus Azure Virtual Desktop and Windows 365 on Windows). Because browsers aren't covered, the policy should target the Mobile apps and desktop clients client-app condition.

Trap Browser sessions are unaffected by token protection (not supported); if users report the web app is unprotected while the desktop app is protected, that is expected behavior, not a misconfiguration.

4 questions test this
Use the What If tool to simulate which policies apply before a real sign-in

The Conditional Access What If tool evaluates which policies would apply to a chosen user under conditions you specify (device platform, IP address or country, app) without the user signing in and without enforcing anything. It includes both enabled and report-only policies and explains why policies do not apply. It does not test for Conditional Access service dependencies (for example a Teams sign-in that also depends on Exchange Online), so a user can still be blocked by a dependency policy the tool reports as not applying.

Trap What If ignores service dependencies; if it shows no blocking policy yet the user is still blocked, suspect a policy on a dependent service (such as Exchange Online behind Teams).

6 questions test this
Exempt the office from MFA by excluding trusted named locations

To require MFA only off the corporate network, set the network condition to include Any location and exclude All trusted locations, then define the office IP ranges as a named location and select Mark as trusted location. The All trusted locations exclusion applies only to locations that carry the trusted designation, so an unmarked named location still triggers MFA. Sign-ins from trusted named locations also improve the accuracy of Microsoft Entra ID Protection's risk calculation.

Trap Creating the named location is not enough; if users on the corporate network are still prompted, the named location was not marked trusted and therefore is not covered by the All trusted locations exclusion.

3 questions test this
Prepare for CAE strict location enforcement with the CAE Insights workbook

Before enabling strictly enforce location policies for continuous access evaluation, use the Continuous Access Evaluation Insights workbook to find sessions where the IP address seen by Microsoft Entra ID differs from the IP address seen by the resource, then add all known organizational egress IPs to IP-based named locations. Split-tunnel network configurations cause these mismatches and will otherwise block users once strict enforcement is on.

Trap The discrepancy is between Entra ID's detected IP and the IP address (seen by resource) value; compare against your named locations and add egress IPs first rather than disabling the policy.

3 questions test this
Block only sensitive files with a Defender for Cloud Apps inspection session policy

To allow access but block only files containing sensitive data, use the Conditional Access App Control session control with a Defender for Cloud Apps session policy whose session control type is Control file download (with inspection) or Control file upload (with inspection), then set the action to Block. Content inspection scans the file and blocks only matches, leaving non-sensitive transfers allowed. Block activities is the control type for in-session actions like print and copy.

Trap Setting Control file download (with inspection) with a Block action and no file filter blocks every download, including non-sensitive ones; selective blocking requires the inspection-based file filter so only sensitive matches are blocked.

6 questions test this
Trust inbound MFA so guests satisfy auth strength with home-tenant credentials

When an authentication strength policy applies to external Microsoft Entra users, enable Trust multifactor authentication from Microsoft Entra tenants in your inbound cross-tenant access settings. The resource tenant then accepts MFA claims completed in the guest's home tenant, so acceptable home-tenant methods satisfy the strength without forcing the guest to register new credentials in your tenant.

Trap Without inbound MFA trust, B2B guests can't satisfy the strength with their home-tenant MFA; the fix is the cross-tenant trust setting, not changing or relaxing the authentication strength.

3 questions test this

ID Protection

Read full chapter
  • User risk scores the account; sign-in risk scores one sign-in
  • Risk is reported on a four-level scale
  • Build risk responses as risk-based Conditional Access, not the legacy policies
  • High user risk requires secure password change; medium/high sign-in risk requires MFA
  • Keep user-risk and sign-in-risk conditions in separate policies
  • A secure password change must run through the risky-user remediation flow
  • Users must register for MFA before they can self-remediate
  • The MFA registration policy gives a 14-day grace period
  • Leaked credentials is always High and needs password hash sync for on-prem
  • Real-time detections can block live; offline detections raise risk after the fact
  • Investigate risk from the Risky users, Risky sign-ins, and Risk detections reports
  • Drive and export risk through Microsoft Graph and diagnostic settings
  • P2 unlocks full risk detail; Free and P1 see only a generic label
  • Workload identities are scored separately and cannot self-remediate
  • Remediate a risky workload identity by rotating credentials to certificates
  • Managed identities are out of scope for ID Protection risk
  • Risk-based Conditional Access for service principals needs Workload Identities Premium
  • Always exclude break-glass and service accounts from risk policies
  • Confirm compromised and confirm safe train the risk engine

Unlock with Premium — includes all practice exams and the complete study guide.

Global Secure Access

Read full chapter
  • Global Secure Access is the umbrella; Internet Access and Private Access are the products
  • Profiles are evaluated Microsoft first, then Private, then Internet
  • The Microsoft Entra traffic profile is a hidden, always-on system profile
  • Only the Microsoft 365 profile ships in P1/P2; Internet and Private need an add-on
  • The GSA client needs an Entra joined, hybrid-joined, or registered device
  • Private Access is client-only; a remote network can never carry it
  • Private Access publishes apps with Quick Access or per-app access
  • Private network connectors give Private Access its reach, with no inbound ports
  • Compliant Network, Tenant Restrictions, source IP restoration live only on the Microsoft profile
  • Bypassed Microsoft traffic is never picked up by the Internet profile
  • Internet Access is the SWG; pair it with the Microsoft profile for full coverage
  • Remote networks onboard a branch without a client but need 50+ combined licenses
  • Use GSA Administrator to enable profiles and CA Administrator to link policies
  • Deliver a Global Secure Access security profile to users through Conditional Access
  • Enable CA Signaling before using the compliant network check

Unlock with Premium — includes all practice exams and the complete study guide.

Workload Identities and Apps

Workload Identities

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A managed identity is a service principal Azure manages the credentials for

In Microsoft Entra ID the workload identities are applications, service principals, and managed identities. A managed identity is a special type of service principal whose certificate Azure issues, stores, and rotates, so there is no secret for you to handle or leak. Your code obtains a Microsoft Entra access token for the identity and presents it to any service that supports Entra authentication, and managed identities cost nothing extra.

Use the weakest identity that does the job for a workload

Pick a workload identity from where the code runs and what it is. Use a managed identity when the workload runs on an Azure resource that supports one, because nothing can be stolen. Use an app registration with a service principal when the workload runs outside Azure or needs API permissions and consent. Reserve a user account for a human and a group managed service account (gMSA) for on-premises Windows services authenticating to on-prem Active Directory.

Trap Using a user account with a stored password to run an unattended service or daemon; user accounts are for humans, and a workload should use a managed identity or service principal instead.

1 question tests this
A gMSA authenticates to on-prem AD, not to Microsoft Entra

A group managed service account (gMSA) is a Windows account in Active Directory Domain Services whose password Active Directory creates and rotates automatically. It secures on-premises Windows services that authenticate over Kerberos to on-prem AD. It issues no Microsoft Entra token, so it is never the right choice for an Azure resource calling another Azure service.

Trap Choosing a managed service account for an Azure-to-Azure call; a gMSA only works against on-prem Active Directory, so a managed identity is the Azure answer.

System-assigned managed identity lives and dies with its resource

A system-assigned managed identity is enabled directly on one Azure resource, and Azure creates a service principal tied to that resource's lifecycle. Only that resource can request tokens with it, and when you delete the resource Azure deletes the identity automatically. It can never be shared with another resource, so each resource that needs one gets its own.

5 questions test this
User-assigned managed identity is standalone and sharable

A user-assigned managed identity is created as its own Azure resource and managed separately from anything that consumes it. The same identity can be attached to many resources, and its lifecycle is independent, so it survives until you delete it explicitly even when no resource uses it. Microsoft recommends user-assigned as the default managed-identity type for most scenarios.

Trap Assuming a user-assigned identity disappears when its last resource is deleted; it is a standalone resource you must delete yourself.

1 question tests this
Pre-create a user-assigned identity when access is needed during deployment

A user-assigned identity and its role assignments can be created before the resource that consumes them, so a deployment that needs access while provisioning succeeds. A system-assigned identity does not exist until its resource exists, so its role assignments cannot be granted in advance, and a deployment that needs access during creation can fail. This pre-provisioning ability is a common reason to choose user-assigned.

Trap Relying on a system-assigned identity for access that must exist before the resource is deployed; the identity is created with the resource, so the role assignment cannot be made in time.

Share one user-assigned identity to collapse role assignments

When several resources do the same job and need the same permissions, attaching one shared user-assigned identity means a role is assigned once instead of per resource. Microsoft's example: four virtual machines reaching two storage accounts need eight role assignments with system-assigned identities but only two with a shared user-assigned identity. Fewer distinct identities and assignments cuts management overhead.

1 question tests this
User-assigned avoids the Entra object-creation rate limit on bursty deploys

Creating many resources quickly, each with its own system-assigned identity, can exceed the Microsoft Entra object-creation rate limit and fail with HTTP 429. A single pre-created user-assigned identity needs only one service principal, so it sidesteps the limit. This makes user-assigned the recommendation for ephemeral or rapidly recycled compute.

Trap Giving every node in a rapidly scaling fleet its own system-assigned identity; the burst of Entra object creations can hit the rate limit and return HTTP 429.

A deleted system-assigned identity still counts toward limits for 30 days

Deleting a resource removes its system-assigned identity, but the identity keeps counting toward your Microsoft Entra directory object limit until it is fully purged after 30 days. Rapidly creating and deleting resources with system-assigned identities can therefore push you toward that limit even though the identities look gone. A shared user-assigned identity avoids the churn.

Choose system-assigned when you must audit the specific resource

Use a system-assigned identity when the requirement is to log which specific resource carried out an action rather than which identity, since a shared user-assigned identity cannot tell two resources apart in the logs. Also choose system-assigned when permissions should be removed automatically as the resource is deleted. These two cases are where system-assigned beats the otherwise-recommended user-assigned.

A resource can carry both a system-assigned and user-assigned identity

Resources that support managed identities can have a system-assigned identity and one or more user-assigned identities at the same time. This lets you apply shared permissions through a user-assigned identity while keeping resource-specific permissions on the system-assigned one. The code chooses which identity to use when it requests a token.

Creating a managed identity grants nothing until you assign an RBAC role

A managed identity has no access until you assign it an Azure RBAC role at the scope of the target, for example Storage Blob Data Reader on a storage account. Creating or enabling the identity and granting the role are two separate steps. Skipping the role assignment is the most common cause of a managed-identity call returning 403 Forbidden.

Trap Enabling a managed identity and expecting it to reach the target without a role assignment; with no RBAC role at the target scope the call returns 403.

5 questions test this
Code fetches a managed-identity token from the local IMDS endpoint

Code on an Azure resource gets a Microsoft Entra token by calling the Azure Instance Metadata Service at http://169.254.169.254/metadata/identity/oauth2/token with the header Metadata: true and a resource parameter naming the target audience. The endpoint is link-local and answers only from inside that resource, so no credential leaves the host. Microsoft Entra ID returns a JWT access token, and the SDK's DefaultAzureCredential or MSAL normally makes this call for you.

2 questions test this
Name the client ID when a resource has multiple user-assigned identities

When a resource carries more than one user-assigned identity, a token request must include the client_id (or resource/object ID) of the identity you want, because Azure cannot otherwise tell which one to use. A request that omits it on a multi-identity resource is ambiguous and fails. A single-identity resource needs no client_id.

Trap Omitting client_id when requesting a token on a resource with several user-assigned identities; the request is ambiguous and fails until you specify which identity.

2 questions test this
Managed-identity tokens are cached, so role changes take hours

A managed identity's token is cached by the Azure infrastructure for roughly 24 hours, and group or role-membership claims live inside that token, so changing a managed identity's group or role membership can take hours to take effect and cannot be forced to refresh sooner. To make permission changes apply quickly, assign the role directly to a user-assigned identity instead of adding or removing it from a Microsoft Entra group.

Trap Removing a managed identity from an Entra group to revoke access immediately; the cached token keeps the old claims for hours, so assign permissions directly to the identity when changes must be instant.

Deleting a managed identity leaves its role assignments behind

Role assignments are not removed automatically when a managed identity is deleted; the orphaned assignment shows as Identity not found in the portal and keeps consuming the per-subscription role-assignment limit until you delete it by hand. Cleanup of a managed identity therefore means removing both the identity and its dangling role assignments.

Trap Deleting a managed identity and assuming its role assignments went with it; they remain as Identity not found and still count against the role-assignment limit.

4 questions test this
External workloads use an app registration, not a managed identity

A managed identity only works on an Azure resource, so a workload running outside Azure (GitHub Actions, another cloud, or Kubernetes off Azure) cannot use one. Such a workload authenticates as a service principal from an app registration, and workload identity federation lets it exchange an external token for a Microsoft Entra token with no stored secret. A client secret or certificate is the fallback when federation is not available.

Trap Trying to assign a managed identity to compute that runs outside Azure; managed identities only attach to Azure resources, so an app registration with federation is the credential-free choice.

3 questions test this
Managed identity as a federated credential is capped at 20 per app

A managed identity can act as a federated identity credential (FIC) on a Microsoft Entra application through workload identity federation, which keeps the app credential-free. There is a limit of 20 federated identity credentials when managed identities are used as the FIC on a single Entra application. Beyond that you split across applications.

Virtual Machine Contributor plus Managed Identity Operator to wire an identity to a VM

Enabling a system-assigned identity on a VM (or attaching any identity) needs Virtual Machine Contributor on the VM, with no extra directory role. Attaching a user-assigned identity additionally needs Managed Identity Operator on that identity (it holds the assign/action permission). Creating a user-assigned identity needs Managed Identity Contributor.

Trap thinking Virtual Machine Contributor alone is enough to attach a user-assigned identity

5 questions test this
Key Vault data-plane access needs Key Vault Secrets User and the right permission model

To let a managed identity read secrets, grant the least-privileged data-plane role Key Vault Secrets User (RBAC model) or, under the Vault access policy model, an access policy with Get (and List). RBAC roles such as Key Vault Secrets User only take effect when the vault uses the Azure RBAC permission model; on a vault using access policies they grant nothing and reads return Forbidden.

Trap assigning Owner or Contributor (management-plane) and expecting it to grant data-plane secret reads, or mixing an RBAC role with the access-policy model

6 questions test this
Deleting a user-assigned identity leaves a stale reference on each resource

Deleting a user-assigned managed identity does not remove it from the resources it was assigned to; the stale reference remains on every VM and must be cleaned up manually (for example with az vm identity remove). After deletion the identity can no longer obtain tokens, so dependent code stops authenticating.

Trap expecting the reference to be removed automatically from assigned VMs when the identity is deleted

3 questions test this
Each federated identity credential matches one exact subject; add more or use flexible FIC

Subject matching for a federated identity credential is exact, so one credential trusts exactly one subject (for example repo:org/repo:environment:Production). To trust an additional branch or environment, add another credential; when you hit the 20-credential-per-identity limit, use a flexible federated identity credential whose claims-matching expression covers many subjects with a single credential.

Trap trying to wildcard or list multiple branches inside one ordinary credential's subject value

3 questions test this

Enterprise Applications

Read full chapter
  • The enterprise application is the service principal, not the app's definition
  • Deleting the enterprise app removes only your tenant's instance
  • Prefer SAML or OIDC federation for SSO whenever the app supports it
  • App registered via App registrations is already OIDC and hides the SSO blade
  • Password-based SSO replays a stored credential for legacy form apps
  • Linked SSO is just a launch tile, so Conditional Access cannot apply
  • Application Proxy opens no inbound ports; the connector dials outbound only
  • Application Proxy is for remote users, not internal corporate-network users
  • App Proxy backend SSO uses KCD, headers, SAML, or password by app type
  • App Proxy pre-authentication is what enables Conditional Access
  • Assignment required Yes limits an app to assigned users only
  • Group-based app assignment needs P1/P2 and does not cascade to nested groups
  • App roles ride in the token roles claim; absent role means Default Access
  • Cloud App Admin or App Admin (or SP owner) assigns users to enterprise apps
  • User consent acts for one user; admin consent acts for the whole org
  • Three user consent settings: disable, verified-publisher, or allow all
  • Enable the admin consent workflow so blocked users can request approval
  • Admin consent for privileged permissions needs Privileged Role Admin or Global Admin
  • Application collections organize the My Apps launcher but grant no access
  • App provisioning (SCIM) auto-creates and deactivates accounts in the SaaS app
  • Classify permissions as Low impact to let users consent under the verified-publisher setting
  • Know the SCIM provisioning lifecycle: on-demand, soft-delete on unassign, four-week quarantine
  • Pick the Delegated Login Identity that matches the backend's on-prem identity format
  • Blocking an admin consent request creates a disabled service principal
  • Scope app management to one app with ownership or an app-scoped role assignment
  • My Apps visibility is separate from whether a user can sign in

Unlock with Premium — includes all practice exams and the complete study guide.

App Registrations

Read full chapter
  • An app registration creates one application object in its home tenant
  • The application object is the template; the service principal is the per-tenant instance
  • A single-tenant app has one service principal; a multitenant app gains one per consenting tenant
  • Deleting an app registration deletes its home-tenant service principal, and restore does not bring it back
  • Registering through the portal auto-creates the service principal; Microsoft Graph does not
  • signInAudience sets who can sign in, from single tenant to personal accounts
  • A redirect URI is a reply location, not the Application ID URI
  • Application (client) ID is shared; object ID is per object
  • Delegated permissions act on behalf of a user and never exceed the user's own access
  • Application permissions act as the app with no user and grant tenant-wide access
  • Application permissions require admin consent; users can consent only to their own delegated data
  • Delegated permissions can be static or dynamic; application permissions are static only
  • Federated credentials remove stored secrets by trusting an external OIDC token
  • Certificates are preferred over client secrets; secrets are test-only
  • A client secret is capped at 24 months and its value shows only once
  • Use a managed identity, not an app-registration secret, when the app runs on Azure
  • App roles you define are emitted in the token's roles claim
  • allowedMemberTypes decides whether an app role goes to users, applications, or both
  • Define app roles in App registrations, assign them in Enterprise applications
  • Assigning an app role via a group does not emit the roles claim for a service principal
  • App roles travel with the app and beat groups for multitenant authorization
  • scp carries delegated permissions; roles carries application permissions
  • Pre-authorize a client under Expose an API to suppress the consent prompt
  • The Application ID URI defaults to api://{clientId} and prefixes every scope
  • Disable an app role (isEnabled=false) before you can delete it

Unlock with Premium — includes all practice exams and the complete study guide.

Defender for Cloud Apps

Read full chapter
  • Match the Defender for Cloud Apps job to its connection method
  • Cloud discovery scores apps against a 31,000+ app catalog on 90+ risk factors
  • Snapshot reports are manual uploads; continuous reports are auto-forwarded
  • Feed continuous discovery via Defender for Endpoint, a log collector, an SWG, or the API
  • Discovery data refreshes four times a day, so it is near-current, not live
  • Unsanctioning an app generates a block script, not just a label
  • App connectors govern an app through its provider API, after the fact
  • Connector data scans run every 12 hours plus near real time on change
  • Multi-instance connectors work for Salesforce but not Microsoft 365 or Azure
  • App-enforced restrictions make the app self-limit, with no proxy
  • Conditional Access app control is a reverse proxy for real-time browser control
  • Deploy Conditional Access app control from a Conditional Access policy, not from the proxy console
  • A proxied session shows a .mcas.ms URL suffix
  • Access policy blocks the session at sign-in; session policy controls activity inside it
  • Session policies block download, protect on download, or block upload
  • Session controls cover browsers only, not desktop or native clients
  • Conditional Access app control policies act at the app level, not per file
  • OAuth app governance surveys delegated consent, scored High, Medium, or Low
  • Banning an OAuth app disables its enterprise application and revokes access
  • OAuth app policies automate revoke or alert on consent criteria
  • Built-in OAuth anomaly policies catch misleading names and malicious consent
  • Pick app-enforced restrictions, CA app control, or the API connector by where enforcement must happen

Unlock with Premium — includes all practice exams and the complete study guide.

Identity Governance

Entitlement Management

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Entitlement management needs the Entra ID Governance tier, not Free or P1

Access packages, catalogs, and connected organizations are part of Microsoft Entra ID Governance, so they require the Microsoft Entra ID Governance or Microsoft Entra Suite subscription for every governed user, including requestors and approvers. A few individual capabilities operate with Microsoft Entra ID P2, but a Free or P1-only tenant cannot run the access-package machinery. Terms of use is the one exception, needing only Entra ID P1.

Trap Assuming Microsoft Entra ID P2 alone unlocks access packages; the access-package feature requires the ID Governance tier, and only a few sub-capabilities work on P2.

An access package bundles resource roles people request, instead of admins hand-assigning each

An access package is a named bundle of resource roles a person needs, drawn from three resource types: membership in Entra security and Microsoft 365 groups (and their Teams), assignment to enterprise applications, and membership in SharePoint Online sites. A requestor asks for the package once and Entra provisions every role inside it as a single time-limited assignment. Because licensing, Azure RBAC, and Entra roles can ride on a group inside the package, one request can deliver far more than the three literal resource types.

The hierarchy is catalog, then access package, then assignment policy

A catalog is the container and delegation boundary that holds resources plus the access packages built from them. An access package lives in exactly one catalog and lists the resource roles it grants. An assignment policy attaches to an access package and is the only object that sets the rules: who can request, approval stages, duration, and whether an access review recertifies. One access package can carry several policies.

1 question tests this
Only cloud-created groups go in a catalog; on-prem AD and distribution groups cannot

A resource must be in a catalog before any access package can grant a role on it, and groups must be cloud-created (Entra security or Microsoft 365 groups). A group synced from on-premises Active Directory cannot be added because Entra cannot edit its membership, and an Exchange Online distribution group cannot be added either. The fix is to create a cloud security group or configure group writeback, not to change a permission.

Trap Trying to add an on-premises AD-synced security group as a catalog resource; Entra cannot modify its membership, so you must use a cloud-created group or group writeback.

1 question tests this
A single assignment policy serves internal OR external identities, never both

Each assignment policy names one audience: For users in your directory, For users not in your directory, or None (administrator direct assignments only). A single policy cannot mix internal employees and external partners, so collaboration scenarios need two policies on the same access package, one per audience. When multiple policies apply to a requestor, they pick which policy to request against.

Trap Assuming one policy can grant the same access package to both employees and external partners; internal and external audiences each need their own policy on the package.

1 question tests this
Delegate with catalog-scoped roles, not tenant-wide power

Entitlement management has tenant-wide roles (Catalog creator, Connected Organization Administrator) and per-catalog roles (Catalog owner, Catalog reader, Access package manager, Access package assignment manager). A Catalog creator builds and owns new catalogs but cannot see catalogs it does not own; an Access package manager creates and edits packages and policies in one catalog; an Access package assignment manager can only add or remove users on existing packages. Pick the narrowest role that covers the task.

2 questions test this
Identity Governance Administrator is the delegated admin role, not User Administrator

To grant a delegated administrator broad entitlement-management rights at the tenant level, assign the Identity Governance Administrator directory role. The User Administrator role can no longer create catalogs or manage access packages in catalogs it does not own, so it is the deprecated answer for these tasks. Global Administrator and Identity Governance Administrator can manage all of entitlement management by default.

Trap Reaching for User Administrator to configure catalogs or access packages; that role can no longer create catalogs or manage packages it does not own, so use Identity Governance Administrator.

Adding a resource to a catalog needs both a catalog role and permission over the resource

Outside of Global Administrator, adding a group, app, or site to a catalog requires a directory role that can administer the resource plus the Catalog owner role on that catalog. For example, Groups Administrator plus Catalog owner adds groups; SharePoint Administrator plus Catalog owner adds sites; Application Administrator plus Catalog owner adds apps. A resource owner can add their own resource with just Catalog owner.

2 questions test this
Approval runs one to three stages; any deny in a stage terminates the request

An assignment policy can require up to three approval stages. Only one approver in a stage needs to approve for the request to advance, but if any approver in a stage denies it first, or no one acts, the request terminates and access is not granted. Approvers can be specific users or groups, the requestor's Manager, or, for external requestors, an Internal sponsor or External sponsor; an approver cannot approve their own request.

Trap Assuming all approvers in a stage must approve; only one approver per stage is needed to advance, but a single denial in the stage ends the request.

5 questions test this
A stage decision timeout auto-denies; alternate-approver forwarding needs at least a four-day timeout

Each approval stage has a Decision must be made in how many days setting, and a request not approved in that window is automatically denied, forcing the user to re-request. Fallback approvers receive the request when the manager cannot be resolved from the Manager attribute. Alternate approvers receive it when the primary approvers do not act, but enabling alternate approvers requires the request timeout to be at least four days, because forwarding can only happen a day after the request starts.

Trap Confusing fallback approvers with alternate approvers; fallback covers a missing manager, while alternate approvers receive a forwarded request only after the primary approvers fail to act.

3 questions test this
Pair an assignment duration with a recurring access review to keep access from drifting

An assignment policy's lifecycle settings set an expiration (a duration, or no expiration) and can require a recurring access review that recertifies the assignments the package handed out. Reviewers confirm or revoke each assignment on the configured cadence. Combining a finite duration with a recurring review is how standing access is kept from lingering past need.

A connected organization names a partner whose users may request access

A connected organization is an external organization you have a relationship with, specified one of four ways: another Microsoft Entra directory in any Microsoft cloud, a non-Microsoft directory federated via SAML/WS-Fed, a domain whose users authenticate with email one-time passcode, or a Microsoft account such as live.com. A not-in-directory policy can then scope requests to specific connected organizations or all configured connected organizations.

Connected organizations are configured or proposed, and only configured ones count for all-configured policies

A configured connected organization was created or approved by an admin and is in scope for any policy targeting all configured connected organizations. A proposed organization is auto-created when an All users policy approves someone who belongs to no existing connected organization; it is not in scope for all-configured policies and can only be used by policies that target it specifically. Leaving a proposed social-identity org marked configured can silently widen who an all-configured policy admits.

Trap Treating a proposed connected organization as in scope for an all configured connected organizations policy; only configured organizations are, and proposed ones must be targeted specifically.

3 questions test this
An approved external request invites a B2B guest automatically, with no invite email

When a not-in-directory policy approves an external requestor and the catalog is Enabled for external users, entitlement management uses the B2B invite process to create a guest account but sends no invitation email; the user instead gets the access-delivered email. The B2B allow/blocklist still applies, so a blocked domain cannot be invited until the list is updated. The catalog setting only governs self-service requests, not direct admin assignment.

By default an external user is blocked and removed 30 days after losing their last assignment

The lifecycle of external users setting controls cleanup when a B2B guest brought in by entitlement management loses their last access package assignment. The default is to block sign-in and remove the account after 30 days; you can change Number of days before removing external user from directory (set 0 to delete immediately), or block without removing, or do neither. It only governs guests that entitlement management invited or that were converted to governed, so a pre-existing guest is left in place.

Trap Assuming the lifecycle cleanup deletes any guest who loses access; it only removes guests that entitlement management invited or that were explicitly converted to governed, leaving pre-existing guests untouched.

3 questions test this
Enabled for external users gates self-service requests, not direct admin assignment

The catalog setting Enabled for external users (Yes by default on a new catalog) decides whether users from connected organizations can self-request the catalog's packages. It is not required for an administrator to directly assign an external user to a package; that path is governed by the access package's own policy. To lock down external self-service, set this to No and avoid not-in-directory request policies.

1 question tests this
Terms of use is a PDF enforced through Conditional Access, separate from the access package

A terms of use (ToU) policy is a PDF you upload and present at sign-in; the user must accept it before the targeted apps load. It is enforced as a Conditional Access grant control, not as a setting on an access package, so you scope it with Conditional Access assignments. You can require users to expand the document, demand per-device acceptance, and report on who accepted or declined.

Trap Looking for a terms of use toggle inside the access package or catalog; ToU is a separate object enforced through a Conditional Access grant control.

2 questions test this
Terms of use needs only Entra ID P1, and a tenant holds at most 40 policies

Unlike the rest of entitlement management, terms of use requires only Microsoft Entra ID P1, a lower bar than the ID Governance tier. A tenant can hold no more than 40 terms of use policies. You can set consents to expire on a schedule or after a fixed number of days, localize the PDF per language, and upload a new version, but you cannot modify an already-uploaded document.

Trap Assuming terms of use needs the ID Governance license like access packages; it works on Entra ID P1, and the tenant cap is 40 ToU policies.

Use Privileged Identity Management for admin-role elevation, not an access package

Entitlement management grants standing, time-limited assignments to resources like groups, apps, and sites. For just-in-time activation of privileged Entra or Azure admin roles (eligible then activate), use Privileged Identity Management instead. The two are complementary: PIM elevates admin roles on demand, while access packages bundle and time-box resource access.

Trap Reaching for an access package to give just-in-time elevation of an admin role; that is Privileged Identity Management, since access packages grant standing resource assignments, not eligible-then-activate role elevation.

Requestor justification and custom questions feed approvers their decision context

A policy can require requestor justification and collect custom requestor questions (short text, multiple choice, or long text) that are shown to approvers to inform the decision. You can also require approver justification, which is visible to other approvers and to the requestor. Catalog resources can additionally require attributes that the requestor must answer before the request can be submitted.

1 question tests this
Only an Identity Governance Administrator can create an automatic assignment policy

An automatic assignment policy assigns an access package by an attribute-driven membership rule (like a dynamic group), adding or removing assignments as the attribute changes. Creating one needs at least the Identity Governance Administrator role; catalog owners and access package managers can manage everything else but cannot add this policy type.

Trap Catalog owner or Access Package Manager looks sufficient because they manage the package, but neither can create an automatic assignment policy.

4 questions test this
Separation of duties blocks a request by marking access packages or groups incompatible

On an access package's Separation of duties tab you list incompatible access packages or incompatible security groups. A user who already holds an assignment to an incompatible package, or is a member of an incompatible group, is then blocked from requesting that package. Configure the incompatibility on the package you want to protect.

Trap This is request-time prevention only, not a Conditional Access or access-review control.

5 questions test this
Require reaccept on updated terms of use does not prompt until the current session expires

To force re-acceptance you edit the terms, select Update for the language, upload the new PDF, and enable Require reaccept. Users who already accepted are not prompted for the new version until their existing session expires, so they keep working under the old acceptance until then.

Trap It is not an enforcement bug; deleting and recreating the terms (or creating a new one) is the way to force an immediate prompt.

2 questions test this

Access Reviews

Read full chapter
  • Access reviews recertify access that already exists, they don't grant it
  • Access reviews require an Entra ID Governance license, not just P2
  • What you review decides where you create it
  • A PIM role review recertifies standing assignments; PIM activation approves elevation in real time
  • Pick the reviewer to match accountability: owner, manager, designated user, or self
  • Self-review is the weakest reviewer choice
  • Group owners can't run their own reviews until an admin delegates it
  • Fallback reviewers cover users with no manager or groups with no owner
  • Scope a review to inactive users with a Days inactive threshold up to 730
  • Decision helpers recommend Deny for inactive users and peer outliers
  • Auto apply removes denied users automatically; without it an admin must click Apply
  • If reviewers don't respond sets the default for un-reviewed users only
  • Remove access plus auto-apply can strip everyone if reviewers go silent
  • Denied guests: remove membership, or block 30 days then delete
  • A reviewer's Deny doesn't remove access until the review is applied
  • Don't know keeps access and is recorded in the audit log
  • Monitor a review through Completed, Applying, Result applied
  • Apply can't change on-prem-synced, dynamic, or nested-group membership
  • Multi-stage reviews chain two or three reviewer sets, later stage overwrites
  • Recurring reviews re-snapshot membership each instance
  • Use Review History to produce a downloadable report of reviewer decisions across reviews
  • Changes to a recurring review apply to the current instance or the whole series depending on where you edit
  • Block-and-remove for denied guests requires the Select Teams + groups scope, not All M365 groups

Unlock with Premium — includes all practice exams and the complete study guide.

Privileged Identity Management

Read full chapter
  • PIM gives an eligible holder the same access as active, just not all the time
  • PIM requires Microsoft Entra ID P2 (Microsoft Entra ID Governance)
  • Assignment has two axes: type (eligible/active) and duration (permanent/time-bound)
  • Activation maximum duration is 1 to 24 hours
  • Role settings (PIM policies) are per role and inherited by every assignment
  • Use authentication context, not plain require-MFA, to force a fresh prompt at activation
  • The authentication-context MFA backstop does not fire if the CA policy is off or report-only
  • Require ticket information is informational only and never validated
  • Require approval to activate needs named approvers, or admins become default approvers
  • MFA on active assignment is enforced at creation, not at use
  • PIM covers three scopes: Entra roles, Azure resources, and PIM for Groups
  • Managing Entra-role PIM and Azure-resource PIM needs different roles
  • PIM for Groups makes group membership or ownership eligible to grant access downstream
  • Each PIM-enabled group has two policies: one for membership, one for ownership
  • A group need not be role-assignable to be PIM-enabled, but only 500 can be role-assignable
  • For JIT into SharePoint, Exchange, or Purview, use PIM for Entra roles, not PIM for Groups
  • PIM for Azure resources manages RBAC roles at a chosen scope
  • PIM audit history is kept 30 days; route to Azure Monitor for longer
  • Resource audit shows all activity for a resource; My audit shows your own
  • Recertify privileged roles with access reviews of eligible and active assignments
  • Create two or more break-glass accounts as cloud-only and non-federated
  • Assign break-glass accounts permanent active Global Administrator, not eligible
  • Exclude break-glass accounts from Conditional Access policies that block or restrict
  • Monitor break-glass sign-ins and validate the accounts at least every 90 days
  • PIM for Azure resources role settings are per resource and not inherited down scopes
  • Service principals and managed identities can only get active PIM assignments, never eligible
  • A PIM activation is resolved by the first approver, who cannot self-approve, within a fixed 24-hour window

Unlock with Premium — includes all practice exams and the complete study guide.

Identity Monitoring

Read full chapter
  • Match the log to the verb: change, sign-in, or provision
  • Sign-in logs split into four sign-in types
  • Provisioning logs show per-object created, skipped, or failed
  • Default log retention is 7 days Free, 30 days P1 and P2
  • Risky sign-ins retention is the field that stretches to 90 days on P2
  • Retention changes are not retroactive
  • Long-term retention and KQL both require routing to Log Analytics or storage
  • A diagnostic setting routes log categories to an external destination
  • Choose Log Analytics when you need to analyze or alert
  • Choose a storage account for cheap, indefinite archive
  • Choose an event hub to stream to a non-Microsoft SIEM
  • Each Entra resource allows at most five diagnostic settings
  • Entra logs become KQL tables named for their category
  • Filter sign-in success on ResultType where 0 is success
  • A log-search alert is a scheduled KQL query plus an action group
  • Workbooks need logs already routed to Log Analytics
  • Identity Secure Score is a posture percentage refreshed every 24 hours
  • Secure Score actions are scored binary or proportionally
  • Reading Identity Secure Score needs at least Global Reader
  • Secure Score measures adoption, not breach probability
  • Entra audit logs are separate from the Microsoft 365 unified audit log
  • A diagnostic setting's destination must already exist before you create the setting

Unlock with Premium — includes all practice exams and the complete study guide.