Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.1. Identity and Access Questions

Question 1

You have a Microsoft Entra tenant. Users have both Windows and non-Windows devices. All users have smartphones.

You plan to implement Microsoft Entra Multi-Factor Authentication (MFA).

You need to ensure that MFA is used to authenticate users to Azure resources. The solution must be implemented without any additional cost.

Which three MFA methods should you implement?

  • A. Security questions
  • B. OATH software tokens
  • C. SMS verification
  • D. The Microsoft Authenticator app
  • E. Voice call verification

Answer: C, D, and E

Explanation: The Microsoft Authenticator app, SMS verification, and voice call verification only require a smartphone, which all users have. OATH software tokens require a third-party app purchase. FIDO2 keys require a hardware purchase. Security questions are not an MFA method.


Question 2

You need to grant a user the ability to assign users to enterprise applications in Microsoft Entra ID. The user should not be able to create or modify application registrations.

Which role should you assign?

  • A. Application Administrator
  • B. Cloud Application Administrator
  • C. Application Developer
  • D. Privileged Role Administrator

Answer: B

Explanation: Cloud Application Administrator can manage enterprise applications, including user assignments, but cannot create app registrations. Application Administrator can do both. Application Developer can only create registrations. Privileged Role Administrator manages role assignments, not applications.


Question 3

You have a custom role that allows users to restart virtual machines. Users report they cannot restart VMs.

What is the most likely cause?

  • A. Users need the Virtual Machine Administrator Login role
  • B. The custom role is missing the Microsoft.Compute/virtualMachines/read permission
  • C. The custom role needs to include the Microsoft.Compute/virtualMachines/delete permission
  • D. Users need to activate the role through PIM

Answer: B

Explanation: Custom roles require read permissions to interact with resources. Without Microsoft.Compute/*/read, users cannot see VMs to restart them. The restart action alone is insufficient.

Written by Alvin Varughese
Founder, 15 professional certifications