Hotspot Question
You have a Microsoft Entra tenant that contains 1,000 users. The users are assigned Microsoft Entra Suite licenses.
You perform the following actions:
* Deploy Global Secure Access.
* Create a Global Secure Access security profile named Profile1.
* Create the following Conditional Access policies:
- Name: CApolicy1
- Target resources: All internet resources with Global Secure
Access
- Name: CApolicy2
- Session:
-- Use Global Secure Access security profile: Profile1
To which Global Secure Access traffic forwarding profiles is CAPolicy1 linked, and to which profile does Profile1 apply? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


You have a Microsoft Entra tenant.
You configure self-service password reset (SSPR) by using the following settings:
- Require users to register when signing in: Yes
- Number of methods required to reset: 1
What is a valid authentication method available to users?
You have a Microsoft 365 tenant.
All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity.
While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
You have an Azure subscription that contains a user named User1 and an Azure key vault named Vault1.
You need to ensure that User1 can read the metadata of certificates, keys, and secrets stored in Vault1. The solution must follow the principle of least privilege.
Which role should you assign to User1?
Hotspot Question
You have a Microsoft Entra tenant that contains the identities shown in the following table.

Group1 has the following configurations:
- Owners: User1, User4
- Members: User1, Managed2, Group2
You create an access review that has the following settings:
- Name: Review1
- Review scope: Select Teams + Groups
- Group: Group1
- Scope: All users
- Select reviewers: Group owner(s)
The Fallback reviewers setting is NOT configured.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.


You have a Microsoft Entra tenant.
You need to ensure that users are prevented from consenting to high-privilege permission requests for enterprise applications. The solution must ensure that the users can consent to low- risk permission requests.
What should you modify first?
You have an Azure subscription that contains a user named User1 and two resource groups named RG1 and RG2.
You need to ensure that User1 can perform the following tasks:
- View all resources.
- Restart virtual machines.
- Create virtual machines in RG1 only.
- Create storage accounts in RG1 only.
What is the minimum number of role-based access control (RBAC) role assignments required?
Hotspot Question
You have an Azure AD tenant.
You perform the tasks shown in the following table.

On April 5, an administrator deletes App1, App2, App3, and App4.
You need to restore the apps and the settings.
Which apps can you restore on April 16, and which settings can you restore for App4 on April 16?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Explanation:
After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties.
Box 1: App1, App2, App3, and App4
Box 2: App roles, Users and groups, client secrets, and Self-service
https://learn.microsoft.com/en-us/entra/identity-platform/howto-restore-app
You have a Microsoft 365 subscription.
You deploy a third-party web gateway named Gateway1.
You need to integrate Gateway1 with Microsoft Defender for Cloud Apps. The solution must meet the following requirements:
- Ensure that data flows automatically to Defender for Cloud Apps.
- Minimize administrative effort.
What should you do first?
Hotspot Question
Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains computers that run Windows 11.
You have a Microsoft 365 E5 subscription.
You plan to enable hybrid join and enroll the computers in Microsoft Intune.
You need to recommend the software that should be deployed to the domain, and the actions that should be performed in Intune.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Explanation:
Box 1: The Intune Connector for Active Directory
Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot Intune connector server requirements
* The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
* The server hosting the Intune Connector must have access to the Internet and Active Directory.
Box 2: Modify the mobile device management (MDM) User scope
Set up Windows automatic MDM enrollment
1. Sign in to the Azure portal and select Microsoft Entra ID.
2. In the left hand pane, select Manage | Mobility (MDM and WIP) > Microsoft Intune.
3. Make sure users who deploy Microsoft Entra joined devices by using Intune and Windows are members of a group included in MDM User scope.
4. Use the default values in the MDM Terms of use URL, MDM Discovery URL, and MDM Compliance URL boxes, and then select Save.
Reference:
https://learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid
You have an Azure subscription that contains a user named User1.
The App registration settings for the Azure AD tenant are configured as shown in the following exhibit.

User1 builds an ASP.NET web app named App1.
You need to ensure that User1 can register App1. The solution must use the principle of least privilege.
Which role should you assign to User1?
A company has a hybrid environment with both on-premises Active Directory and Microsoft Entra ID. An IT administrator notices that users are not syncing anymore from the on-premises directory to the cloud.
You need to make sure that Active Directory and Microsoft Entra ID are in sync.
What is the first step you should take to troubleshoot the issue?
You have a Microsoft 365 tenant.
All users have mobile phones and laptops.
The users frequently work from remote locations that do not have Wi-Fi access or mobile phone connectivity. While working from the remote locations, the users connect their laptop to a wired network that has internet access.
You plan to implement multi-factor authentication (MFA).
Which MFA authentication method can the users use from the remote location?
You have a Microsoft Entra tenant named contoso.com that contains an enterprise application named App1.
A contractor uses the credentials of [email protected].
You need to ensure that you can provide the contractor with access to App1. The contractor must be able to authenticate as [email protected].
What should you do?
You have 2,500 users who are assigned Microsoft Office 365 Enterprise E3 licenses. The licenses are assigned to individual users.
From the Groups blade in the Azure Active Directory admin center, you assign Microsoft Office
365 Enterprise E5 licenses to a group that includes all users.
You need to remove the Office 365 Enterprise E3 licenses from the users by using the least amount of administrative effort.
What should you use?