| Create users and groups |
- Questions test how to automate group membership, both during bulk user import and through dynamic membership rules. You need to understand how dynamic group rules evaluate user attributes to determine membership, including how group type and license requirements affect whether a user qualifies for a given dynamic group.
- Questions present an incomplete dynamic membership rule expression and ask you to fill in the correct user attribute property, logical operator, and comparison operator — you need to know which user object properties correspond to department and country, which operator combines two conditions (and vs or), and which operator performs an exact match on a string value.
|
| Manage user and group properties |
- Questions cover group naming policies — you need to know how naming policies are configured for Microsoft 365 groups and which admin roles have permission to assign custom security attributes.
- Questions also test which identity types support custom security attribute assignment — given a mix of users, groups, and service principals, you need to identify which types are valid targets for a custom security attribute.
- Questions test how to add a custom domain to an Entra tenant so that users can have a custom email suffix — you need to know the correct sequence of steps, including adding the domain, creating a DNS record to prove ownership, and verifying the domain.
- In a hybrid environment, questions test which user attributes can be modified directly from Entra ID versus which are read-only because they are synced from on-premises. Users with on-premises sync enabled cannot have certain attributes edited from the cloud side.
- Questions test how to assign an administrative role to a user — you need to know which blade in the user account properties is used to assign directory roles such as User Administrator.
- Questions present the Default user role permissions panel and ask which two settings to change to meet a specific set of restrictions — for example, preventing standard users from creating service principals requires toggling the "Users can register applications" setting, and restricting Azure resource management to PowerShell or Microsoft Graph requires changing the administration center access setting. You need to be able to read this panel and identify the correct numbered settings.
|
| Manage licenses in Microsoft Entra ID |
- Questions test how group-based license assignment works — including whether a license can be directly removed from a user who received it through group membership, how nested group membership affects license inheritance, and whether a user can be assigned an additional license that depends on an existing one.
- Questions test which group types are valid targets for license assignment — not all group types in Entra ID are eligible.
- Questions also test which users and groups can be deleted — a user or group cannot be deleted if they have a license directly assigned or if they receive one through group membership (including nested inheritance).
|
| Manage external users |
- Questions test how to restrict B2B guest invitations to specific external domains. You need to know which settings panel and which specific configuration option controls allowlist/blocklist behaviour for collaboration with partner organisations.
- Questions test entitlement management access packages — given a scenario with connected and non-connected external organisations, you need to determine whether users from each organisation can be assigned to a specific access package based on its policy configuration.
- Questions also test the external user lifecycle settings — given a configured review frequency and an expiry period, you need to determine when group membership ends and when the guest account is removed from the tenant. These are two distinct events governed by separate settings.
|
| Configure self-service password reset (SSPR) |
- Questions test which identity types SSPR can be scoped to, and how SSPR authentication requirements apply differently depending on a user's role — certain privileged roles are subject to different SSPR policies.
- Questions also test which admin roles have the permission to configure SSPR — not all authentication-related admin roles are authorized to modify SSPR settings, and you need to know which specific roles qualify.
- Questions test which group types are valid targets for scoping SSPR enablement — not all group types in Entra ID can be used to define the SSPR-enabled population.
- Questions present a configured SSPR policy with specific authentication methods enabled and a required number of methods — given a user's group membership and role, you need to determine whether that user can complete a password reset using a particular method or combination of methods.
- Questions also test whether a specific admin role can configure SSPR security question settings — administrators are subject to different SSPR rules and certain configuration options are not available to them regardless of their role.
- Questions test which specific SSPR settings panels to configure for a given set of requirements — for example, enabling SSPR for all users and setting the number of security questions required at registration are controlled by different settings sections, and you need to know which panel handles each task.
|
| Manage built-in Azure roles |
- Given a specific task, you need to identify the correct built-in role that satisfies all requirements under least privilege — questions present multiple plausible roles and you need to know which one covers the required actions without granting unnecessary permissions.
- Questions also test the distinction between management-plane roles and data-plane access — for example, a role that grants the ability to view storage account keys is different from a role that grants read access to the data itself.
- Questions test which section of a custom role definition controls which actions are permitted on data operations (such as signing in to a VM) — requiring you to know the difference between actions, notActions, dataActions, and notDataActions.
- Questions also test the correct scope at which to assign a role when managing a specific resource — for example, assigning Network Contributor at the resource level versus the resource group level when least privilege is required.
- Questions test how to define a custom role for a specific resource type under least privilege — you need to know which action string grants all operations on a resource type (wildcard) versus which strings grant only read or write, and choose the most restrictive option that still satisfies the stated requirement.
- Questions test the distinction between broad roles (such as Contributor) and purpose-specific roles (such as Logic App Contributor) for creating a specific resource type — you need to know whether either or both satisfy the requirement, or only one.
- Questions test which role to assign when a user needs to delegate role assignments for a specific resource — Contributor alone does not grant this ability, and you need to know which role specifically enables role assignment delegation.
|
| Assign roles at different scopes |
- You are given a complex scenario with management groups, subscriptions, resource groups, and individual resources — each with different role assignments — and asked to determine what a specific user can or cannot do. Understanding how role assignments inherit down the resource hierarchy is essential.
- Questions test whether a role can be assigned to a user indirectly through group nesting — you need to know which group types support nested membership for Azure role assignment purposes, and whether nesting a group into another group results in the inner group's members inheriting the role.
- Questions test the interaction between Azure deployment stacks and role-based access — when a resource is deployed with a DenyDelete deny settings mode, even a user with the Owner role on that resource cannot delete it, because the deployment stack's deny assignment overrides RBAC. You need to know that modify operations (such as changing an IP address space) are not blocked by DenyDelete and proceed based on normal role permissions.
|
| Interpret access assignments |
- Questions test your ability to read a custom role JSON definition — given a role with explicit actions and notActions, you need to determine whether a specific operation is permitted.
- Questions also present users with multiple roles assigned at different scopes and ask what actions they can or cannot perform on a specific resource — requiring you to reason through the combined effect of all role assignments.
- Accessing data through the Azure portal may require more than one role — a data-plane role alone may be insufficient without an accompanying management-plane role.
- Questions also test attribute-based access control (ABAC) — given a requirement to restrict blob access based on index tags, you need to identify the correct mechanism to include in the solution.
- Questions present a JSON role assignment list with roles assigned at different scopes (subscription, resource group, resource) and ask which users hold a specific role for a specific resource — you need to combine direct assignments at the resource level with inherited assignments from higher scopes to determine the full set of users with that role.
- Questions present a user with a management-plane role (such as Reader or Storage Account Contributor) and ask what data-plane operations they can perform — management-plane roles do not grant access to blob or file data; only data-plane roles (such as Storage Blob Data Contributor) or an account access key enable data-level operations. Conversely, a user with an access key bypasses RBAC entirely and can read any content in the account regardless of their role assignments.
|
| Implement and manage Azure Policy |
- Given a policy with a specific effect (such as appending a tag), you need to determine which resources are affected and what tags they will have after creation — policies apply to new resources and do not retroactively modify existing ones, and resource groups are not affected the same way individual resources are.
- Questions test the full range of valid assignment scopes (management groups, subscriptions, resource groups, and individual resources) and which scopes can be specified as exclusions.
- Questions also present a complete policy configuration — including scope, exclusions, and effect — and ask you to determine the net real-world outcome, requiring you to combine all three elements to reason about where the policy applies and where it does not.
- Questions test whether a built-in policy definition can meet a specific enforcement requirement, or whether a custom policy definition is required — you need to know when built-in policies are sufficient versus when the requirement demands a custom definition.
- Questions test which role to assign to users who need to perform specific policy management tasks — creating initiative definitions and assigning initiatives are different operations that may require different roles, and you need to know which built-in role grants each capability and at which scope.
- Questions present a complex tag policy scenario — given a subscription-scoped append tag policy with a specific resource excluded, tags manually assigned to resources, and tags inherited from resource groups, you need to determine the complete set of tags on each resource. Resource groups are not appended to by tag policies scoped at the subscription level; individual resources in scope receive the appended tag; excluded resources do not. Tags are not automatically inherited from parent scopes unless configured to do so.
- Questions test the effect of append policies on existing versus new resources — an append policy only applies tags to newly created resources; resources that already existed when the policy was assigned retain only their manually assigned tags. A newly deployed resource in the same resource group will receive both the manually applied resource group tag (if tag inheritance is configured) and the policy-appended tag.
- Questions test how conflicting policies interact across management group scopes — a "not allowed resource types" policy at the Tenant Root Group blocks creation for all descendant subscriptions; a narrower "allowed resource types" policy at a child management group does not override the parent's deny. You need to reason through the effective outcome for a subscription in a specific management group by combining all policies inherited from ancestor scopes.
|
| Configure resource locks |
- Questions test how resource locks affect the ability to move resources between resource groups. Given a scenario with locks of different types applied at both the resource and resource group level, you need to determine which resources can and cannot be moved based on the lock type in place.
- Questions test the full scope of where resource locks can be applied — given a hierarchy showing a tenant root group, management group, subscription, resource group, and individual resource, you need to identify which levels support lock assignment.
|
| Manage resource groups |
- Questions test what prevents a resource group from being deleted — given a resource group containing a mix of resource types including a Recovery Services vault with active backups, you need to identify which specific dependency must be removed first before deletion can succeed.
- Questions test whether a resource can be moved to a resource group in a different subscription — given source and destination resource groups with different lock types applied, you need to determine which moves are permitted and which are blocked by the lock configuration.
|
| Manage subscriptions |
- Questions test whether a new VM deployment can succeed given existing subscription quotas and current usage — you need to understand how quota limits apply at the VM family and regional level, and how the status of existing VMs (running vs deallocated) affects consumed quota.
- Questions also test the behaviour of Azure Budgets — given a budget with defined thresholds and an action group, you need to determine what happens when costs reach those thresholds. Budgets send notifications only; they do not stop or deallocate resources regardless of whether the budget is exceeded.
- Questions test which resource hierarchy levels support tag assignment — given a list that includes tenant root group, management group, subscription, resource group, and individual resources, you need to identify which ones are valid tagging targets. Management groups are notable because they do not support tags.
- Questions test the scope at which co-administrator access can be assigned — given a choice between a management group, subscription, resource group, and individual VM, you need to identify which is the only valid scope for this classic role assignment.
|
| Configure management groups |
- Management group questions are embedded within role scope scenarios. You need to understand how roles assigned at a management group level flow down to child subscriptions and resource groups, and how to reason through access across a multi-level hierarchy.
- Questions test management group structure rules — specifically whether a subscription can be moved from one management group to another, and what constraints govern that move. A subscription can generally be moved to any management group in the same tenant as long as the requester has the appropriate permissions.
|