1500 Questions | MS-500: Identity & Access Administrator

Configure AD FS and Azure AD for Single Sign-On (30%): Implementing SAML-based SSO, WS-Federation, and managing the architecture between on-premises environments and the cloud.

Plan and implement a Hybrid Identity infrastructure (20%): Expert-level configuration of Azure AD Connect and monitoring environment health via Azure AD Connect Health.

Implement and manage Azure AD for Enterprise (15%): Setting up enterprise services and managing complex Azure AD group structures.

Implement Azure AD Authentication and Authorization (15%): Deploying high-security measures including Multi-Factor Authentication (MFA), Conditional Access policies, and Identity Protection.

B. Password Hash Synchronization (PHS)

C. Federation with AD FS

D. Certificate-based authentication

E. Azure AD Domain Services

F. Personal Microsoft Accounts

Correct Answer: B

Explanation:

A (Incorrect): PTA requires a connection to on-premises agents to validate passwords. If the servers are offline, users cannot sign in.

C (Incorrect): AD FS relies on the availability of the on-premises Federation servers. If they are offline, authentication fails unless a complex failover is in place.

D (Incorrect): This is an authentication factor, but it does not address the password availability requirement during an on-premises outage.

E (Incorrect): This is a managed domain service for VMs, not a primary method for syncing standard user identities for general SaaS sign-in.

F (Incorrect): Personal accounts are not used for synchronized corporate directory identities.

Question 2: You are configuring a Conditional Access policy. You want to require MFA only when a user is accessing a specific Enterprise Application from an untrusted IP range. What is the first component you should define in the policy?

B. The Named Location

C. The Grant Control

D. The Session Control

E. The Cloud App

F. The Device Platform

Correct Answer: B

Explanation:

A (Incorrect): While users are part of the policy, the specific logic for "untrusted ranges" relies on the Location definition.

C (Incorrect): Grant controls (like "Require MFA") are the result of the policy, not the condition identifying the network risk.

D (Incorrect): Session controls manage the experience after access is granted (like sign-in frequency).

E (Incorrect): The Cloud App is the target, but the "untrusted IP" logic is handled by the Location condition.

F (Incorrect): This filters by OS (Windows/iOS), not by network location.

Question 3: A company wants to invite external vendors to collaborate on a SharePoint site using their own corporate identities. Which Azure AD feature should I configure to manage this with the least administrative effort?

B. Azure AD B2B Collaboration

C. Managed Identities

D. Active Directory Trust Relationships

E. Dynamic Groups

F. Application Proxy

Correct Answer: B

Explanation:

A (Incorrect): B2C is for customer-facing applications (like retail apps), not for corporate collaboration between partners.

C (Incorrect): Managed Identities are for Azure resources (like VMs) to authenticate to other services, not for human users.

D (Incorrect): Traditional forest trusts are an on-premises concept and are far more complex than B2B invitations.

E (Incorrect): Dynamic groups help organize users but don't facilitate the external invitation process itself.

F (Incorrect): Application Proxy is for publishing on-premises apps to the cloud, not for identity collaboration.

You can retake the exams as many times as you want.

This is a huge original question bank built to reflect current exam objectives.

You get support from instructors if you have questions regarding complex hybrid scenarios.

Each question has a detailed explanation for every option.

Mobile-compatible with the Udemy app so you can study on the go.

30-days money-back guarantee if you're not satisfied.