Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You have onboarded a resource group named RG1 to Microsoft Entra Privileged Identity Management (PIM). A security policy states that any user who activates the Contributor role for RG1 must first perform multifactor authentication (MFA). Currently, eligible users can activate the role without MFA. You must enforce the policy while keeping users in an eligible state and without creating additional Conditional Access rules. What should you do?
Configure an access review for the Contributor role in RG1 and set Enforce MFA as an evaluation condition.
Create a new time-bound Active assignment of the Contributor role for each user and select Require MFA during assignment.
Edit the Contributor role settings for RG1 in PIM and enable the Require multifactor authentication on activation option.
Modify the global PIM security settings and enable multifactor authentication requirement for all privileged role activations.
In PIM, each Azure resource role has configurable settings that apply to every eligible assignment for that role scope. One of these settings, "On activation, require multifactor authentication," ensures that PIM checks for a valid MFA claim before a user can activate the role. If the current session token does not already contain an MFA claim, the user is prompted to complete MFA; if the claim is already present, the user is not asked again. Editing the Contributor role settings for RG1 and enabling this option therefore meets the policy requirement without moving users to active assignments or creating new Conditional Access rules. Access reviews, global PIM security settings, or separate active assignments would not target only the Contributor role in RG1 or would remove the just-in-time eligibility model.
Secure identity and access