In this post, I’m sharing a quick review of the Secure Access with Azure Active Directory course, along with useful insights to support your prep for the AZ-500 certification exam.
Just completed this first course in the Microsoft Azure Security Engineer Associate Professional Certificate? You’re stepping into the core of identity and access management in Azure. This course introduces you to Azure Active Directory (Azure AD), covering everything from user and group management to multifactor authentication and hybrid identity configurations. If you’re aiming to build a secure cloud infrastructure, this course lays the foundation for managing access at enterprise scale — and I’ve got the review to help guide your next steps.
Module quiz: Managing users in Azure Active Directory Quiz Answers
Question 1)
You have assigned Mike as the User Administrator for an administrative unit containing a group called Marketing Team. This group has 15 members, including Samantha. Which of the following are true regarding what Mike can do with the group and the group members as the User Administrator of the administrative unit? Select all that apply.
- Mike can reset the password of Samantha if he adds her directly as a member of the administrative unit.
- Mike can update the email address of Samantha if needed.
- Mike can change Samantha’s authentication method to multifactor authentication without adding her as a member of the administrative unit.
- Mike can change the name of the group.
Question 2)
An organization uses Azure AD to manage access to cloud applications. It has provided the following roles to its IT team members, John and Steffi.
John – Application Administrator for all enterprise applications
Steffi – Authentication Administrator
A human resource professional, Tara, requires access to the human capital management application registered in Azure AD.
Who can provide this access?
- John
- Steffi
- Either John or Steffi can provide Tara with the required access.
- John’s and Steffi’s approvals are required to provide Tara with the necessary access.
Question 3)
Imagine that you are responsible for managing access to resources, applications, and data in a company that uses Azure AD. You have been tasked with creating a group that will allow access to a specific SharePoint site for employees who work in the marketing department. You want members to be automatically added and removed from the group based on member attributes. Which group type and membership type should you use?
- Microsoft 365 group with dynamic user membership
- Security group with dynamic user membership
- Security group with assigned membership
- Microsoft 365 group with assigned membership
Question 4)
You work as the Azure security engineer in a retail organization called BuyForSure Inc. You have been asked to create the following users in Azure Active Directory:
James is a consumer who wants to buy sports equipment from BuyForSure Inc.
Tom works in Soles Inc. and supplies shoes to BuyForSure Inc.
Patricia has recently joined BuyForSure Inc. as a human resources manager.
Susan is a seasoned security engineer hired by BuyForSure Inc.
Who will you add as a guest user (B2B) in Azure Active Directory?
- Susan
- James
- Tom
- Patricia
Question 5)
A company has two directories—an on-premises Active Directory (AD) environment and an Azure AD tenant. The company is migrating some of its applications and services to Azure and creating an Azure AD Domain Services (Azure AD DS) managed domain to provide domain services for these resources in the cloud. The company also has a partner organization that provides access to a third-party application for its employees. The partner organization has its own directory, which the company does not manage. The company has set up a federation between its Azure AD tenant and the partner organization’s directory using Azure AD B2B collaboration.
Which of the following statements regarding the Azure AD Domain Services configuration in this scenario are true? Select all that apply.
- The partner organization’s directory users can access the resources that require domain services by authenticating through the Azure AD DS managed domain.
- You don’t need to manage, configure, or update the two Windows Server domain controllers deployed into your selected Azure region.
- The managed domain cannot authenticate users from the partner organization’s directory.
- You can create resources directly in the managed domain, which are synchronized to Azure AD automatically.
Question 6)
A company has offices in multiple countries and has implemented Azure Active Directory (Azure AD) to manage access to its cloud resources. The company wants to ensure that only users from Canada should have access to a specific human resources application. Which feature or service of Azure AD is best suited for the company to restrict access to resources based on user location in Azure AD?
- Azure AD Domain Services
- Azure AD Connect
- Azure AD Conditional Access policy
- Azure AD Identity Protection
Question 7)
In which of the following situations is Azure Active Directory Identity Protection most useful?
- You want to manage the identities and access of the consumers of your B2C application.
- You want to mandate multifactor authentication for all users above a specified level in the organization hierarchy.
- You want to automatically force a user to reset their password if the system detects a suspicious login from an unusual location.
- Your company wants to leverage existing on-premises identity investments to manage access to cloud-based SaaS applications.
Question 8)
Let us say you want to assign licenses to a group of users in your organization’s Azure Active Directory (Azure AD) tenant. What happens when you assign licenses to this group of users and some of them have not specified their usage location in Azure AD?
- The users without a specified usage location are assigned licenses for all services in all locations.
- This action cannot be performed until you manually update the usage location for the users.
- The users without a specified usage location inherit the location of the Azure AD organization.
- The users without a specified usage location are automatically assigned a default usage location.
Question 9)
You have been asked to restore a user account that was recently deleted from your organization’s Azure Active Directory (Azure AD) tenant. You need to be aware of the potential impact on license usage when restoring a user. What happens to a user’s license when you restore a deleted user account in Azure AD?
- The user’s licenses are restored, but only if there are available seats for those licenses.
- The user’s licenses are restored, even if no seats are available for those licenses.
- The user’s licenses are not restored with the account.
- The user’s licenses are restored, but only if the license has been re-purchased since the user’s deletion.
Question 10)
Imagine a scenario where your organization’s policy restricts users from registering applications in Azure Active Directory (Azure AD) without approval. You want to enforce this policy and prevent all users from registering applications but still grant this ability to application developers. How can you prevent all users from registering applications in Azure AD while still granting the ability to application developers?
- Set the “Users can register applications” option to “No,” then remove the specific individuals from the application developer role.
- Set the “Users can register applications” option to “Yes” in Azure AD User Settings, and then add the specific individuals to the application developer role.
- Set the “Users can register applications” option to “Yes,” and remove the specific individuals from the application developer role.
- Set the “Users can register applications” option to “No,” then add specific individuals to the application developer role.
Module quiz: Managing authentication in Azure Active Directory Quiz Answers
Question 1)
An electronics chain that has stores across the globe has adopted Azure Active Directory. Its employees need to access internal and external resources. Which authentication method offers the highest usability, availability, and security?
- Password and voice call verification
- Password
- Password and SMS verification
- Hardware token OTP
Question 2)
Suppose a pharmaceutical company has recently moved from an on-premises Active Directory to Azure Active Directory (AD). It has synchronized user accounts from an on-premises AD DS environment using Azure AD Connect. Instead of the on-premises password policy, it wants to apply the Azure AD password policy. Which of the following policies should it enable?
- Azure AD Connect policy
- Powershell policy
- Azure AD global password policy
- Enforce Cloud password policy
Question 3)
A public health company uses Azure Active Directory (AD) for the identity and access management of its users. Presently, if users forget their passwords, they must reach out to the IT help desk to reset their passwords. Which of the following features of Azure AD can the company use to reduce help desk involvement?
- Azure AD conditional access
- Multifactor authentication
- Azure AD Connect
- Self-service password reset
Question 4)
Suppose you work as a Security Engineer Associate in a financial consultancy. The employees do not have designated personal computers. You use multifactor authentication for authenticating your users. In a recent survey, employees have mentioned they often get frustrated with the additional security layer on top of remembering their passwords.
Which options can you use to provide your users with a more convenient and secure authentication method?
- FIDO2 security keys
- Windows Hello for Business
- Phone call verification
- SMS verification
Question 5)
Suppose you have implemented Azure Active Directory (Azure AD) multifactor authentication in your organization. You do not want specific users to receive Azure AD multifactor authentication requests.
When configuring multifactor authentication settings, which option will you use to stop these users from receiving multifactor authentication requests?
- Account lockout
- Report suspicious activity
- Block/unblock users
- Fraud alert
Question 6)
Suppose there is a clothing company. The company is moving from an on-premises Active Directory to Azure Active Directory (Azure AD). It has internal and external applications that its employees must be able to access. Some of these applications are on-premises, and some are in the cloud. You are working as a security engineer in this company. You have set up hybrid identity for the employees.
Which of the following resources will the employees be able to access?
- Only applications that are on-premises
- All cloud applications and some on-premises applications
- On-premises and cloud applications
- Only cloud applications
Question 7)
A fast-growing fast-food chain will integrate its on-premises directory with Azure AD. For what purpose can the company use Azure Active Directory Connect?
- Fraud detection
- Update the on-premises password policy as per the Azure AD password policy
- Implement pass-through authentication
- Deploy additional infrastructure for federation
Question 8)
A nuclear energy company is moving from an on-premises Active Directory to Azure Active Directory. It has a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours. Which of the following authentication methods should it use?
- Password hash synchronization
- Pass-through authentication
- Federation
- On-premises authentication
Question 9)
Suppose a company switches from Active Directory Federation Services (AD FS) to pass-through authentication (PTA). Which of the following should it keep in mind during the transition?
- All passwords should be saved in the cloud
- Azure AD Connect should be deployed to check the password policy
- There should be no wait time before shutting down AD FS infrastructure
- There should be a wait time before shutting down AD FS infrastructure
Question 10)
Suppose a company is implementing hybrid identity for its users. It wants Azure Active Directory to handle sign-in completely in the cloud. It does not want to enforce user-level AD security policies during sign-in.
Which of the following authentication methods would be suitable for this company?
- Password hash synchronization
- Federation
- Pass-through authentication
- Password hash synchronization or pass-through authentication
Graded assessment: Secure Access with Azure Active Directory Quiz Answers
Question 1)
You plan to implement Azure Active Directory administrative units in your organization, which has offices in Canada and Australia. Identify the valid implementations of administrative units. Select all that apply.
- You have created two administrative units, one for Canada and the other for Australia, to restrict role permissions based on the two geographical locations of your organization.
- You added users as members of multiple administrative units. For example, some users are part of the Canada and Sales administrative units.
- You assigned an Azure free license to each administrative unit admin.
- You have created an administrative unit called “Sales” and then created nested administrative units called “Canada” and “Australia.”
Question 2)
You work as an Azure security engineer for a retail organization that sells clothing and accessories online. The organization uses an app that allows customers to buy products online. You want Olivia from your team to create and manage the built-in policies associated with buying products online. What role will you assign to Olivia?
Apply the rule of least privilege. This rule states that you should provide users and applications only the access and permissions they need to do their job and no more.
- B2C User Flow Administrator
- Security Administrator
- Conditional Access Administrator
- Billing Administrator
Question 3)
As an Azure security engineer in a university, you plan to use Azure Active Directory (Azure AD) groups to manage users requiring the same access and resource permissions. Identify the valid implementations of groups. Select all that apply.
- You created a dynamic group called “Chemistry members and devices” and added all faculty members and devices in the Chemistry department.
- You created a “Computer Science” security group to add members requiring access to department-specific resources.
- You created a Microsoft 365 group with the IT and Social Sciences department members to provide collaboration opportunities such as access to shared files.
- You created a Microsoft 365 group with all the devices used in the Computer Science department.
Question 4)
You work as an Azure security engineer in a healthcare organization. Here are the roles you have assigned to some members of your organization:
Jessy: Global Administrator
Mona: Privileged Authentication Administrator
Suman: User Administrator
Stella: User Administrator
Ashok: Conditional Access Administrator
With respect to deleting users in your organization, which options are correct? Select all that apply.
- Suman can delete the user Stella.
- Jessy and Mona can delete the users Suman, Stella, and Ashok
- Ashok can delete the users Stella and Suman.
- Stella can delete the user Mona.
Question 5)
Your company uses on-premises Active Directory Domain Services (AD DS) for managing user identities and permissions. Recently, you adopted Azure Active Directory (Azure AD) to support your cloud-based applications and services. However, you noticed that users were required to maintain separate identities and access rights for on-premises and cloud environments, which led to confusion and inconsistencies. Which solution directly addresses the issue of inconsistent identities?
- Use federated authentication
- Use Azure AD Identity Protection
- Use Azure AD Connect
- Create an Azure AD Conditional Access policy
Question 6)
You are the Azure security engineer in My Org, Inc., which has an Azure Active Directory (Azure AD) tenant with the same name. Your company is a small setup with about 80-90 employees. What information can you get from the Identity Secure Score feature of Azure Active Directory (Azure AD)? Select all that apply.
- The score reveals the number of Azure AD premium features you use.
- You can see how your tenant score compares with similar-sized organizations, a company with 1-100 employees.
- The Identity Secure Score dashboard displays a score from 1 to 5, representing how well you match Microsoft’s recommendations and best practices for tenant security.
- You can view a graph showing how your score has changed over time.
Question 7)
You work in a financial services company and want to provide a secure and seamless digital experience to its customers. The company has multiple applications that require authentication, including a banking portal, a trading platform, and a mobile app. What is the appropriate solution that you can use to allow customers to create and manage their own accounts using social identities, such as Facebook or Google, or their email addresses?
- Azure Active Directory B2C
- Azure Active Directory Identity Protection
- Azure Active Directory Domain Services
- Azure Active Directory B2B
Question 8)
A user in your organization has been moved out of the Human Resources (HR) department. This user inherited licenses for some HR applications as part of the HR department group. With your License Administrator privileges, you try removing the user’s license. However, you cannot directly remove the licenses from the user’s account. What can be a possible cause for this?
- The user may not have a specified usage location.
- You cannot directly remove the licenses a user inherits from a group.
- You should assign the user another application license before you can remove the existing licenses.
- You cannot remove the license with License Administrator privileges.
Question 9)
Your organization has recently undergone a restructuring. As part of the restructuring, the management has merged several departments. Based on this, you identified a few user accounts as redundant and decided to remove them from the Azure AD tenant. You are planning to do a permanent deletion of these accounts immediately. Is this a good approach?
- No, do not immediately do a permanent deletion. You will have to create a new user and manually enter all the previous information if you permanently delete a user erroneously.
- No, do not immediately do a permanent deletion. You cannot permanently delete users without a 30-day window.
- Yes, do a permanent deletion immediately. If there is a need to restore some user accounts, the Global Administrator can restore the permanently deleted users.
- Yes, do a permanent deletion immediately. If there is a need to restore some user accounts, the Microsoft customer support team can restore the permanently deleted users.
Question 10)
Ryan and Susan are administrators in your organization. Ryan has created a group called “UX Consultants,” and Susan has created a group called “Application Developers.” Which of the following is true regarding their default permissions? Select all that apply.
- Ryan and Susan can add other owners for their respective groups.
- Ryan can manage Susan’s group and vice versa.
- Ryan and Susan do not have permission to manage their respective groups’ properties, such as the name and group membership.
- Ryan and Susan are automatically added as owners of the UX Consultants and Application Developers groups, respectively.
Question 11)
As an Azure security engineer, you are deciding on the proper authentication method for accessing a sensitive application with confidential data. Which authentication methods will be most appropriate? Select all that apply.
- Security questions
- FIDO2 security keys
- Email address authentication
- Windows Hello
Question 12)
Here are the Azure AD passwords of three users using non-education Azure AD tenants. Which ones meet the Azure AD password policy? Select all that apply.
User 1: Avy@156K
User 2: shar$note
User 3: 56APP&h
User 4: 3Jkyu#85
- User 1
- User 3
- User 4
- User 2
Question 13)
Your organization supports self-service password reset (SSPR) and mandates multifactor authentication. A cloud-only user who is a non-administrator has raised a complaint that they cannot do a self-service password reset. What could be a possible issue? Select all that apply.
- The two-gate policy is not enforced.
- SSPR writeback is not deployed
- The user does not have SSPR enabled.
- The user does not have multifactor authentication defined on their account.
Question 14)
A company has allowed its employees’ mobile phones to become a passwordless authentication method. Users can authenticate themselves to any platform or browser by completing a multi-step process that involves receiving a notification on their mobile device, verifying that the number displayed on their phone matches the one on the screen, and confirming their identity using either a biometric or a PIN.
Which authentication method enables this?
- Microsoft Authenticator app
- FIDO2 security keys
- Windows Hello for Business
- Hardware token
Question 15)
You have been assigned as the Azure security engineer for an organization that wants to enhance its security posture. You have enabled Account lockout settings in Azure Active Directory as below:
Number of multifactor authentication denials to trigger account lockout: 3
Minutes until account lockout counter is reset: 15
Minutes until account is automatically unblocked: 30
An employee attempts to sign in to their Azure account using a PIN as a multifactor authentication method. However, they accidentally mistype the PIN. Which statement below is true in this case?
- The account will be locked for 15 minutes after three wrong PIN entries.
- The account will be locked for 3 minutes after the first wrong entry of the PIN.
- The account will be locked for 30 minutes after each wrong entry of the PIN.
- The account will be locked for 15 minutes after the first wrong entry of the PIN.
Question 16)
You are working as an Azure security engineer in a shipping company that has recently adopted Azure Active Directory (Azure AD). Many applications used by this company are on the cloud. However, the transportation and warehouse management applications are still on-premises. You would like to provide users with an integrated experience by enabling them to use a hybrid identity to access both on-premises and cloud applications. You prefer an authentication method that does not need complex on-premises deployments or network configuration. You want the password authentication to happen against the on-premises Active Directory. Which authentication method will you use?
- Federated authentication
- Azure AD pass-through authentication
- Azure AD password hash synchronization
- Token-based authentication
Question 17)
Imagine that you are an Azure security engineer. You have received employee complaints about issues related to on-premises Active Directory (AD) synchronization with Azure AD. Which tool would you use to get the required data to find the root cause of these synchronization issues?
- Azure AD Connect Health
- Azure AD Domain Services
- Azure AD Connect
- Azure AD Privileged Identity Management
Question 18)
An organization uses the following systems and applications for various functions:
Warehouse operations – an on-premises system
Employee collaboration – Microsoft Teams
Project management – a software as a service application
Customer relationship management – Microsoft Dynamics 365
Which of the systems or applications the organization uses is most suited for federated authentication?
- The system used for managing warehouse operations
- Microsoft Dynamics 365
- Microsoft Teams
- Software as a service application for project management
Question 19)
The IT department of your organization has been receiving complaints from users about remembering multiple sets of credentials to access on-premises and cloud resources. Your team has installed Azure AD Connect to synchronize the on-premises Active Directory (AD) to Azure AD. You have already installed Azure AD Connect using the express path. Which statement is true regarding the use of pass-through authentication to address the users’ issue?
- In this scenario, you can enable pass-through authentication by selecting the change user sign-in task on Azure AD Connect and then selecting pass-through authentication as the method to sign in.
- You can enable pass-through authentication only during Azure AD Connect installation.
- Pass-through authentication will not enable users to access both on-premises and cloud-based applications using the same credentials.
- In this scenario, you can enable pass-through authentication by selecting the custom installation path and pass-through authentication as the sign-on method on the user sign-in page.
Question 20)
Review the authentication decision tree and identify the authentication method that should be in the place of the question mark.
- Password Hash Sync
- Pass-through authentication
- Federation
- Seamless single sign-on
Review
I recently finished the Secure Access with Azure Active Directory course on Coursera, and it’s a solid introduction to identity and access management within Microsoft Azure. Spread across three focused modules, the course covers key concepts such as Azure AD roles, managing users and groups, configuring multifactor authentication, and deploying Azure AD Connect for hybrid identity setups.
What stood out most was the clear walkthrough of setting up secure access policies — including role-based access control (RBAC), single sign-on (SSO), and passwordless authentication. Whether you’re dealing with cloud-only environments or hybrid systems, the course balances theoretical understanding with practical steps you can immediately apply.
If you’re beginning your AZ-500 journey or aiming to enhance your identity management skills in Azure, this course is a must. It’s a great starting point for securing modern enterprise environments and positions you well for the more advanced security topics covered in the rest of the certification series.