Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Your company uses Microsoft Entra ID (Azure AD). You must require users to perform multi-factor authentication (MFA) when they sign in to the Azure portal from any network except the company headquarters. Headquarters public IP ranges are already configured as a trusted named location. Which Conditional Access configuration should you implement?
Target all users, assign All cloud apps, include All locations, and grant access only if the device is marked compliant.
Target all users, assign the Azure Resource Manager cloud app, include only the trusted named location, and grant access only if multi-factor authentication is satisfied.
Target all users, assign the Microsoft Azure Management cloud app, include All locations but exclude the trusted named location, and grant access only if multi-factor authentication is satisfied.
Enable Security defaults for the tenant to automatically require MFA for administrator roles.
The requirement applies only to access to the Azure portal and other management endpoints, and MFA must be enforced everywhere except the trusted headquarters network.
Selecting the Microsoft Azure Management cloud app focuses the policy on the Azure portal, Azure PowerShell, CLI, and REST API endpoints. Including All locations and then excluding the trusted named location guarantees that any sign-in originating outside the headquarters addresses is evaluated by the policy, while sign-ins from the trusted network are ignored. Granting access with Require multi-factor authentication satisfies the need to prompt for MFA.
Using All cloud apps would unnecessarily apply the rule to every SaaS and PaaS application. Requiring a compliant device does not meet the stated MFA requirement. Enabling Security defaults adds several baseline protections, but it cannot target a specific cloud app or exempt a named location, so it would still prompt users at headquarters and would not meet the scenario constraints. Scoping the policy to Azure Resource Manager alone misses portal traffic that is covered by the broader Microsoft Azure Management identifier and therefore would not fully protect the portal.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Conditional Access in Microsoft Entra ID?
Open an interactive chat with Bash
What is a trusted named location in Conditional Access?
Open an interactive chat with Bash
Why is the Microsoft Azure Management cloud app important in this scenario?
Open an interactive chat with Bash
Microsoft Azure Security Engineer Associate AZ-500
Secure identity and access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .