Microsoft Entra for Microsoft (SCI) Fundamentals

This page covers the Microsoft Entra domain of the Microsoft (SCI) Fundamentals certification. Master Cybersecurity offers 75 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    What should you use to ensure that the members of an Azure Active Directory group use multi-factor authentication (MFA) when they sign in?
    A. Azure role-based access control (Azure RBAC)
    B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
    C. Azure Active Directory (Azure AD) Identity Protection
    D. a conditional access policy
    Explanation

    The correct answer is: D. a conditional access policy.

    To ensure that members of an Azure AD group use MFA when they sign in, you configure a Conditional Access policy that includes that group in the user scope and has the grant "Require multifactor authentication." Azure RBAC (A) applies to Azure resources, not to sign-in. PIM (B) is for time-bound role activation. Identity Protection (C) can enforce MFA based on risk; for "members of a group must use MFA," Conditional Access is the direct and standard approach. So the answer is a conditional access policy.
  2. Question 2

    What does Conditional Access evaluate by using Azure Active Directory (Azure AD) Identity Protection?
    A. user actions
    B. group membership
    C. device compliance
    D. user risk
    Explanation

    The correct answer is: D. user risk.

    Conditional Access can use signals from Azure AD Identity Protection, including user risk. You can create policies that require MFA, block sign-in, or force password change when a user is flagged as low, medium, or high risk (e.g., leaked credentials, impossible travel). User actions (A), group membership (B), and device compliance (C) are also used in Conditional Access, but the question specifically asks what Conditional Access evaluates using Identity Protection, and Identity Protection supplies user risk (and sign-in risk) as signals. So the answer is user risk.
  3. Question 3

    What is a function of Conditional Access session controls?
    A. enforcing device compliance
    B. enforcing client app compliance
    C. enable limited experiences, such as blocking download of sensitive information
    D. prompting multi-factor authentication (MFA)
    Explanation

    The correct answer is: C. enable limited experiences, such as blocking download of sensitive information.

    Conditional Access session controls limit what users can do during a session rather than blocking sign-in. Examples include: application-enforced restrictions (e.g., restrict copy/paste and download in supported apps), sign-in frequency, and persistent browser session. Blocking download of sensitive information is a session-level restriction. Enforcing device compliance (A) and client app compliance (B) are typically grant or require conditions (e.g., require compliant device), not session controls. Prompting for MFA (D) is a grant control, not a session control. So the function of session controls described here is C: enable limited experiences such as blocking download.
  4. Question 4

    What can you use to ensure that all the users in a specific group must use multi-factor authentication (MFA) to sign in to Azure Active Directory (Azure AD)?
    A. Azure Policy
    B. a communication compliance policy
    C. a Conditional Access policy
    D. a user risk policy
    Explanation

    The correct answer is: C. a Conditional Access policy.

    To require that all users in a specific group use MFA to sign in to Azure AD, you use a Conditional Access policy. You target the policy to that group (users) and add the grant "Require multifactor authentication." Azure Policy (A) governs Azure resource configuration. A communication compliance policy (B) is a Microsoft Purview feature for supervising communications. A user risk policy (D) refers to Identity Protection risk policies, which are risk-based rather than group-based. Conditional Access is the standard way to enforce MFA for a group. So the answer is a Conditional Access policy.
  5. Question 5

    What should you use to associate the same identity to more than one Azure virtual machine?
    A. an Azure AD user account
    B. a user-assigned managed identity
    C. a system-assigned managed identity
    D. an Azure AD security group
    Explanation

    The correct answer is: B. a user-assigned managed identity.

    When you need the same identity on more than one Azure VM (or other resource), you use a user-assigned managed identity. You create one user-assigned managed identity and assign it to multiple VMs; they all use that single identity to access Azure services (e.g., Key Vault, Storage). An Azure AD user account (A) could be used for sign-in but is not the recommended pattern for app/service identity across VMs. A system-assigned managed identity (C) is unique per resource: each VM would have its own, so you cannot "associate the same identity" to multiple VMs. An Azure AD security group (D) is for grouping users or other principals, not for use as a single identity across VMs. So the answer is user-assigned managed identity.
