You have a Microsoft Entra tenant that uses Microsoft Entra Permissions Management and contains the accounts shown in the following table: https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/AZ-500/page_399_img_3.jpg Which accounts will be listed as assigned to highly privileged roles on the Azure AD insights tab in the Entra Permissions Management portal?

Admin1. Admin2, and Admin3 only

Admin2. Admin3, and Admin4 only

Admin1. Admin2, Admin3. and Admin4

View AZ-500 Exam Questions

Q: 1

DRAG DROP You are implementing conditional access policies. You must evaluate the existing Azure Active Directory (Azure AD) risk events and risk levels to configure and implement the policies. You need to identify the risk level of the following risk events: Users with leaked credentials Impossible travel to atypical locations Sign ins from IP addresses with suspicious activity Which level should you identify for each risk event? To answer, drag the appropriate levels to the correct risk events. Each level may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

High
Low
Medium

Discussion

Leo W. Jan 30, 2026 10:28 am

Impossible travel to atypical locations = Medium, Users with leaked credentials = High, Sign ins from IP addresses with suspicious activity = Medium.

Leaked creds are flagged as high risk because it's a confirmed compromise. Impossible travel and suspicious IPs tend to be medium since they can trigger on legit activity (like VPN or shared proxies). Pretty sure this matches what MS expects but open to other ideas if anyone's gotten different in practice.

Ryan I. Jan 13, 2026 11:10 pm

Impossible travel to atypical locations: Medium, Users with leaked credentials: High, Sign ins from IP addresses with suspicious activity: Medium. I don't think Low makes sense here-it's a common distractor. Leaked creds are always flagged highest according to exam reports. Disagree?

Drew Q. Jan 21, 2026 10:43 am

Impossible travel = Low, Leaked credentials = High, Suspicious IP = Low. Seen similar in official guide and exam practice.

DirectLead5832 Jan 12, 2026 2:41 pm

I think the right mapping is: Impossible travel = Medium, Leaked credentials = High, Suspicious IP = Medium. Leaked creds are always High since that's a direct compromise, but impossible travel and suspicious IPs are usually only Medium. That Low option is a common trap here.

Drew N. Jan 19, 2026 11:31 pm

Not quite sure on this but mine is: Impossible travel = Medium, Leaked creds = High, Suspicious IP = Medium.

LaylaM Jan 24, 2026 5:56 am

Nice and clear structure here. My mapping: Impossible travel to atypical locations = Low, Users with leaked credentials = High, Sign ins from IP addresses with suspicious activity = Low

Be respectful. No spam.

Correct Answer:

Answer Area Impossible travel to atypical locations:: C. Medium Users with leaked credentials:: A. High Sign ins from IP addresses with suspicious activity:: C. Medium

Explanation

Azure Active Directory (Azure AD) Identity Protection categorizes risk detections into different levels to help administrators prioritize and automate responses.

Users with leaked credentials is considered a High risk because it indicates that a user's valid credentials (username and password) have been exposed publicly on the dark web or through a data breach. This means an attacker has the direct ability to access the account, representing a severe and immediate threat.
Impossible travel to atypical locations is classified as a Medium risk. This detection is triggered when two sign-ins from the same user occur from geographically distant locations in a time frame that is physically impossible. While highly suspicious, it's not rated as high because factors like using VPNs or misconfigured client reporting can sometimes cause false positives.
Sign ins from IP addresses with suspicious activity is also a Medium risk. This event is triggered when a sign-in originates from an IP address associated with malicious activity, such as botnets or traffic from anonymous proxies (like Tor). This is a strong indicator of a potential attack, but it doesn't definitively prove the specific user's account is compromised, as malicious IP addresses can be part of a shared network.

References

Microsoft Entra ID Protection Documentation, "What are risk detections?": This official document provides a detailed list of user and sign-in risk detections and their corresponding risk levels.

Leaked credentials is explicitly listed as a user risk detection with a Risk level of High.

Impossible travel is listed as a sign-in risk detection with a Risk level of Medium.

Malicious IP address (the specific detection for "suspicious activity") is listed as a sign-in risk detection with a Risk level of Medium.

Q: 2

DRAG DROP You have an Azure Sentinel workspace that has an Azure Active Directory (Azure AD) data connector. You are threat hunting suspicious traffic from a specific IP address. You need to annotate an intermediate event stored in the workspace and be able to reference the IP address when navigating through the investigation graph. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Add the query to Favorites.
From the Azure Sentinel workspace, run an Azure Log Analytics query.
In a Jupyter notebook, create a reference to the IP address.
Add a bookmark and assign a tag.
Add a bookmark and map an entity.
From Azure Monitor, run an Azure Log Analytics query.
Select a query result.

Q: 3

You have an Azure subscription that contains an Azure App Services web app named WebApp1. WebApp1 is accessed by users in multiple Azure regions. You need to secure access to WebApp1. The solution must meet the following requirements:

* Protect against common web vulnerabilities.

* Optimize the routing of traffic from different regions.

What should you use?

Options

Correct Answer:

Explanation

Azure Front Door is a global, scalable entry-point that uses the Microsoft global edge network to create fast, secure, and widely scalable web applications. The solution requires both protection against common web vulnerabilities and optimized routing for global traffic. Azure Front Door Premium tier meets these requirements by providing global load balancing to route traffic to the lowest latency backend. It also includes a fully managed Web Application Firewall (WAF) that protects applications from common exploits and vulnerabilities, such as SQL injection and cross-site scripting. This combination of features in a single service directly addresses all the stated needs.

Why Incorrect

A. Azure Application Gateway: This is a regional load balancer. While it includes a WAF, it cannot optimize traffic routing for users across multiple global regions as effectively as a global service.

B. Azure Content Delivery Network (CDN): A CDN is primarily designed to cache and serve static content from edge locations. It does not provide the required comprehensive WAF protection or dynamic traffic routing capabilities.

C. Azure Firewall: This is a stateful network firewall designed to protect Azure Virtual Network resources. It operates at Layers 3 and 4 and is not a Web Application Firewall (WAF) for protecting against web-based attacks.

References

1. Microsoft Documentation

"What is Azure Front Door?": "Azure Front Door is a global

scalable entry-point that uses the Microsoft global edge network... Azure Front Door works at Layer 7 (HTTP/S layer) ... Key features include: ... Global load balancing ... Web Application Firewall (WAF)".

2. Microsoft Documentation

"Azure Front Door tier comparison": This document explicitly lists the features of the Standard and Premium tiers. The table shows that the Premium tier includes "Full-featured Web Application Firewall (WAF)" with "Bot protection

" "Managed rule sets

" and "Custom rules."

3. Microsoft Documentation

"What is Azure Web Application Firewall on Azure Front Door?": "Azure Web Application Firewall (WAF) on Azure Front Door provides centralized protection for your web applications. WAF defends your web services against common exploits and vulnerabilities."

4. Microsoft Documentation

"What is Azure Application Gateway?": "Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It's a regional service and all resources including the gateway are placed in a single virtual network." This confirms its regional scope

making it unsuitable for global traffic optimization.

Q: 4

HOTSPOT You have an Azure subscription that contains the Azure Firewall policies shown in the following table. The subscription contains the firewalls shown in the following table. The subscription contains the virtual networks shown in the following table. For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Your Answer

Correct Answer:

YOU CAN USE URL FILTERING ON THE NETWORK RULES FOR VNET1.

YOU CAN USE AN INTRUSION DETECTION AND PREVENTION SYSTEM (IDPS) TO MONITOR MALICIOUS ACTIVITY ON VNET2.

IF YOU CONFIGURE PEERING BETWEEN VNET1 AND VNET3, ENCRYPTED OUTBOUND TRAFFIC FROM VNET3 WILL BE INSPECTED.

Explanation

URL filtering on VNet1: Azure Firewall's URL filtering is an Application Rule feature, not a Network Rule feature. Since VNet1 is associated with FW1, which uses Policy2, and Policy2 is a Premium policy, URL filtering is available. However, the statement asks about applying it to network rules, which is incorrect. URL filtering is a function of application rules, not network rules.

IDPS on VNet2: VNet2 is associated with FW2. FW2 is a Premium tier firewall. The Premium tier of Azure Firewall includes an IDPS, which can be used to monitor malicious activity. The statement is therefore true.

Encrypted traffic inspection: Azure Firewall can inspect encrypted traffic, but only if TLS inspection is enabled. For this to work, the client (VNet3 in this case) must trust the firewall's certificate authority, and the traffic must be routed to the firewall. The question implies that peering alone will cause encrypted traffic to be inspected. Peering simply allows connectivity; it doesn't automatically enable traffic routing through the firewall or TLS inspection. VNet3 has no firewall associated with it, so its traffic will not be inspected unless specifically routed and configured for TLS inspection, which isn't guaranteed by just peering.

References

Microsoft Azure Documentation. (2023). What is Azure Firewall Premium? Microsoft Docs. Retrieved from https://docs.microsoft.com/en-us/azure/firewall/premium-features

Specifically, the section on "TLS Inspection" and "IDPS" confirms these features are part of the Premium tier.

Microsoft Azure Documentation. (2023). Azure Firewall Rules. Microsoft Docs. Retrieved from https://docs.microsoft.com/en-us/azure/firewall/rule-processing

This document clarifies the distinction between Network rules and Application rules, with URL filtering being a function of Application rules.

Microsoft Azure Documentation. (2023). Azure Virtual Network Peering. Microsoft Docs. Retrieved from https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

This source explains that VNet peering provides connectivity but does not automatically route traffic through a firewall. Specific user-defined routes (UDRs) are needed for this purpose.

Q: 5

You have an Azure AD tenant. You plan to implement an authentication solution to meet the following requirements:

• Require number matching.

• Display the geographical location when signing in.

Which authentication method should you include in the solution?

Options

Discussion

Robin Jan 21, 2026 1:30 am

Option C TAP (B) is tempting but it doesn't provide number matching or show geo info, unlike Authenticator.

Priya V. Jan 29, 2026 7:55 pm

C imo, Microsoft Authenticator is the only one here with both number matching and the geo location prompt during sign-in. SMS and TAP (B) don't show those context features, and FIDO2 keys (D) don't do number matching either. Pretty sure that's what MS wants for secure MFA now, but happy to hear if someone has seen something different in production.

Emma S. Jan 13, 2026 1:52 am

C

Microsoft Authenticator handles both number matching and geolocation prompts. Nice clear wording in the question, makes it easy to spot that only C covers both requirements.

SofiaS Jan 14, 2026 5:21 am

C , best fit for number matching and geo location. Official docs and practice tests both mention Microsoft Authenticator app supports those features, not SMS or TAP. If anyone's used another method for this, let me know.

Sean Jan 18, 2026 6:32 am

Yeah this is C. Only the Microsoft Authenticator app gives both number matching and location info during sign-in as required.

Parker F. Jan 21, 2026 1:37 pm

I don't think it's B, pretty sure TAP doesn't show number matching or geo prompts. C, Microsoft Authenticator, actually supports both features.

Ryan Jan 28, 2026 7:27 am

B. not C

Alex Jan 13, 2026 1:13 am

B tbh, since Temporary Access Pass can be used as an MFA method. I thought it covered modern auth steps, but now I'm not fully sure if it supports those extra prompts like number matching and geo info. Open to being corrected if I'm missing something in the docs.

Neha E. Jan 24, 2026 5:37 am

Probably C here. Microsoft Authenticator is the one that supports both number matching and showing location context during sign-in. Official docs and some exam prep labs focus on those features for secure MFA. Pretty sure, but correct me if I missed something.

Be respectful. No spam.

Correct Answer:

Explanation

The Microsoft Authenticator app is the only method listed that supports both number matching and the display of geographical location during a sign-in attempt. These features are part of the "additional context" available for push notifications, designed to enhance security. Number matching requires the user to type a number displayed on the sign-in screen into the app, preventing accidental approvals from MFA fatigue attacks. The geographical location, derived from the sign-in IP address, helps the user identify potentially fraudulent sign-in attempts from unexpected locations.

Why Incorrect

A. SMS sends a one-time passcode via text message and lacks the functionality for number matching or displaying geographical location.

B. A Temporary Access Pass is a time-limited passcode used for onboarding or account recovery, not a primary MFA method with these features.

D. A FIDO2 security key is a hardware-based, passwordless method that does not use an app interface to display number matching or location.

References

1. Microsoft Entra ID Documentation. (2023). How to use additional context in Microsoft Authenticator notifications. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context. The section "Location" states

"The user’s location based on the IP address of the signing in device is displayed

" and the section "Number matching" describes the feature.

2. Microsoft Entra ID Documentation. (2023). Authentication methods in Azure Active Directory - Microsoft Authenticator app. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app. This document outlines the capabilities of the Authenticator app

including "Push notification with number matching" as a primary authentication method.

Q: 6

HOTSPOT You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table. The virtual network subnets have service endpoints defined as shown in the following table. You configure the following Firewall and virtual networks settings for storage1: Allow access from: Selected networks Virtual networks: VNET3\Subnet3 Firewall – Address range: 52.233.129.0/24 For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Your Answer

Discussion

Owen D. Jan 22, 2026 5:02 pm

NO, YES, NO
Pretty sure about this since VM2’s public IP matches the allowed range in the storage firewall, while VM1 and VM3 aren't included in the permitted subnet rules. Real exam questions like this show up a lot. Official docs and practice sets cover these scenarios well.

SharpLearner6159 Jan 18, 2026 4:26 am

Wait, so can VM3 actually reach storage1 if its subnet isn’t using the Microsoft.Storage endpoint? I thought just being in the right subnet wasn’t enough, you need both: allowed subnet and service endpoint. Or does Azure allow access anyway?

Alex Jan 23, 2026 6:46 pm

NO, YES, NO. VM2's public IP is allowed by the firewall rule, rest are blocked.

CarefulAnalyst3882 Jan 26, 2026 7:21 pm

NO, YES, NO. VM2 only works because its public IP sits inside the firewall range, others blocked by missing endpoint or subnet rule. Not 100% but lines up with how Azure treats storage network rules.

PreciseAuditor1484 Jan 25, 2026 11:00 am

VM1 - NO, VM2 - YES, VM3 - NO. Only VNET3/Subnet3 is allowed, but it’s missing a Storage endpoint. VM2 gets access because its public IP is in the allowed range. Pretty sure that’s how Azure handles it, agree?

Liam L. Jan 14, 2026 1:09 pm

NO, NO, YES? I saw something similar on a practice set.

Owen Z. Feb 1, 2026 2:27 am

NO, YES, YES. I've seen a similar scenario in the practice test where VM3 got allowed since it's in the right VNet/subnet list (despite endpoint mismatch). Maybe official guide or Azure docs help clarify these edge cases.

IshaanW Jan 25, 2026 4:26 am

VM1 - NO; VM2 - YES; VM3 - NO. VM2 gets in because its public IP fits the firewall rule, but only VNET3/Subnet3 is allowed for virtual networks, and that subnet doesn't even have a Storage endpoint. I think that's right, correct me if you see something I'm missing.

Be respectful. No spam.

Q: 7

DRAG DROP Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure Subscription named Sub1. Sub1 contains an Azure virtual machine named VM1 that runs Windows Server 2016. You need to encrypt VM1 disks by using Azure Disk Encryption. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Configure secrets for the Azure key vault.
Create an Azure key vault.
Run Set-AzureRmStorageAccount.
Configure access policies for the Azure key vault.
Run Set-AzureRmVmDiskEncryptionExtension.

Discussion

Hannah C. Jan 12, 2026 11:45 am

Create Azure key vault, set access policies, then Set-AzureRmVmDiskEncryptionExtension. If you configure secrets first, encryption fails.

CalmOps6323 Jan 17, 2026 5:50 am

Gotta watch the order here, it's picky. First create the key vault so you have somewhere to store secrets, then set its access policies so Azure can actually use it, and finally run Set-AzureRmVmDiskEncryptionExtension to kick off the encryption. Azure will throw errors if you skip policy. Seen practice questions emphasize this sequence.

Sofia J. Jan 26, 2026 10:13 am

Same order here: Create Azure key vault, configure access policies, run Set-AzureRmVmDiskEncryptionExtension.

Mia V. Jan 19, 2026 9:51 am

Create Azure key vault → Configure access policies → Run Set-AzureRmVmDiskEncryptionExtension. You have to establish the vault and set permissions before encryption will work. Pretty sure this is the required sequence for Azure Disk Encryption, let me know if you see it differently.

OliviaX Jan 29, 2026 11:24 pm

Create Azure key vault → configure access policies → run Set-AzureRmVmDiskEncryptionExtension. 100% matches MS docs.

Emma A. Jan 13, 2026 4:08 pm

Nah, you actually need to create the key vault first, then set the access policies, then run Set-AzureRmVmDiskEncryptionExtension. The option about configuring secrets is a distractor here.

MethodicalArchitect6126 Jan 30, 2026 12:03 am

Saw this flow in the official MS docs and lab tasks. Start with the key vault, then set access policies, then run the disk encryption extension.

AveryR Jan 12, 2026 5:32 am

This looks right: create the Azure key vault, set access policies on it, then deploy the VM disk encryption extension. That way the extension has permissions to get the keys from the vault. Pretty sure that's the official process, but open to corrections.

Create an Azure key vault → Configure access policies → Run Set-AzureRmVmDiskEncryptionExtension

Rowan H. Jan 30, 2026 2:36 pm

Configure secrets for the Azure key vault, then create an Azure key vault, then run Set-AzureRmStorageAccount.

SteadyLearner7730 Jan 18, 2026 1:50 pm

Yep, makes sense to me. Create Azure key vault first, then configure access policies, and finally run Set-AzureRmVmDiskEncryptionExtension. That's the sequence I remember from my labs, but open to correction if I'm missing something here.

Be respectful. No spam.

Q: 8

You have an Azure key vault named Vault1 that stores the resources shown in following table.

Which resources support the creation of a rotation policy?

Options

Correct Answer:

Explanation

Azure Key Vault provides a specific, configurable feature named "rotation policy" for both keys and secrets. For keys, the rotation policy automates the generation of a new key version at a scheduled time or after a specific duration. For secrets, the rotation policy integrates with Azure Event Grid and automation services (like Azure Functions or Logic Apps) to manage the lifecycle of credentials such as database connection strings.

While certificates have automated renewal capabilities, this is configured within the certificate's "Issuance Policy" through "Lifetime Actions," which is a distinct mechanism from the feature explicitly named "rotation policy" that applies to keys and secrets.

Why Incorrect

A. Key1 Only: This is incorrect because secrets also support a configurable rotation policy.

B. Cert1 only: This is incorrect. Certificates use an "Issuance Policy" for renewal, not a "rotation policy," and both keys and secrets support rotation policies.

D. Key1 and Cert1 only: This is incorrect because the feature for certificates is named "Issuance Policy," not "rotation policy," and secrets do support rotation.

E. Secret1 and Cert1 only: This is incorrect because keys support a rotation policy, and the feature for certificates is named differently.

F. Key1, Secret1, and Cert1: This is incorrect because the specific "rotation policy" feature, by name and implementation, applies to keys and secrets, not certificates.

References

1. Microsoft Documentation - Configure key auto-rotation in Azure Key Vault: "Azure Key Vault automates the rotation of keys in a key vault. When you configure a key rotation policy

you can customize the rotation frequency." (Section: "Key rotation policy")

2. Microsoft Documentation - Configure secret auto-rotation in Azure Key Vault: "Azure Key Vault automates the rotation of secrets for databases or services that use a username and password for authentication... You can set a rotation policy on a secret to schedule rotation..." (Section: "Secret rotation policy")

3. Microsoft Documentation - Tutorial: Configure certificate auto-rotation in Key Vault: "To configure certificate auto-rotation... 3. Select the Issuance Policy tab... 4. Set the Lifetime Action Type to Automatically renew at a given percentage lifetime." (Section: "Create a certificate in Key Vault") This reference demonstrates that certificate lifecycle management uses an "Issuance Policy" and "Lifetime Actions

" distinguishing it from the "rotation policy" of keys and secrets.

Q: 9

DRAG DROP You create an Azure subscription. You need to ensure that you can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to secure Azure AD roles. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

Verify your identity by using multi-factor authentication (MFA).
Consent to PIM.
Sign up PIM for Azure AD roles.
Discover privileged roles.
Discover resources.

Discussion

Noah M. Jan 31, 2026 2:24 am

Consent to PIM → MFA → Sign up PIM for Azure AD roles. I don’t think you can select 'discover' steps before onboarding is finished, it's an easy trap. Similar question showed up on practice exams too.

LukeJ Jan 23, 2026 6:21 am

Consent to PIM, then MFA, then sign up PIM for roles. Saw similar sequence on my exam. Confident that's right.

Logan C. Jan 31, 2026 5:02 am

Consent to PIM → MFA → Sign up PIM for Azure AD roles. The 'discover' steps usually come after onboarding, easy miss since they look important up front. I've seen a similar sequence on practice labs, but open to correction if the portal flows changed recently.

Anita R. Jan 31, 2026 12:43 pm

Consent to PIM, then verify with MFA, then sign up PIM for Azure AD roles. You have to onboard PIM and prove your admin identity before you can actually assign anything. The discover steps are after all that. Pretty sure that's the right Azure flow but let me know if anyone saw something different on the new UI.

Avery V. Jan 26, 2026 6:40 am

Not quite, the discover actions are tempting but you can't discover privileged roles until PIM is actually set up. The correct sequence is: Consent to PIM, then verify with MFA, then sign up PIM for Azure AD roles. Easy to get tripped up by that first discover step.

ThoughtfulMentor3923 Jan 13, 2026 2:42 am

Yeah, order makes sense here. First you need to consent to PIM so Azure can actually manage roles, then it'll hit you with MFA as a security measure, and finally you sign up PIM for the Azure AD roles. The discover steps come later after setup. That's how I've seen it in lab environments too, but let me know if I'm missing anything!

Consent to PIM
Verify your identity by using multi-factor authentication (MFA)
Sign up PIM for Azure AD roles

SteadySec4562 Jan 29, 2026 4:35 pm

Does the question specify if it's a brand new tenant or one that already has PIM partially set up? If some steps are pre-configured, the required actions could be different.

Skyler Jan 27, 2026 3:46 am

Consent to PIM → Verify with MFA → Sign up PIM for Azure AD roles. This matches the typical onboarding flow for enabling PIM in a fresh setup. Consent authorizes PIM, then identity check with MFA, finally actually enabling PIM on roles. Seen similar steps in Microsoft docs, pretty sure this is the right order. Disagree?

Sean Jan 29, 2026 6:28 pm

Consent to PIM, then MFA verification, then sign up PIM for Azure AD roles. I don’t think you start with discover steps since you can’t manage roles before setup. Pretty sure this is what MS expects here, unless I’m missing a trick with the MFA order.

Sam Jan 20, 2026 7:04 am

Consent to PIM, discover privileged roles, sign up PIM for Azure AD roles. Not totally sure if 'discover' goes second but that's what I picked.

Be respectful. No spam.

Correct Answer:

Answer Area Bucket 1: B. Consent to PIM. Bucket 2: A. Verify your identity by using multi-factor authentication (MFA). Bucket 3: C. Sign up PIM for Azure AD roles.

Explanation

To enable and use Azure AD Privileged Identity Management (PIM), a user with the Global Administrator role must perform a sequence of onboarding steps.

Consent to PIM: The first action is to grant PIM the necessary permissions to manage directory roles. This is a one-time consent action for the entire Azure AD tenant.
Verify your identity by using multi-factor authentication (MFA): Because consenting to and configuring PIM is a highly privileged operation, the administrator must first verify their identity using MFA. This ensures the user is who they claim to be before proceeding.
Sign up PIM for Azure AD roles: After consent is given and the administrator's identity is verified, the final step is to explicitly enable, or "sign up," the PIM service to begin managing Azure AD roles.

The other options, Discover privileged roles and Discover resources, are actions performed after PIM has been successfully set up and configured.

References

Microsoft Learn: In the official documentation for deploying PIM, the sequence is clearly outlined. The article states, "The first step is to consent to PIM... To consent to PIM, you'll be required to verify your identity with multi-factor authentication (MFA)... After you've consented to PIM, you can sign up PIM to manage Azure AD roles." This directly supports the provided order of operations.

Source: Microsoft Entra documentation, "Deploy Privileged Identity Management (PIM)", section: "Onboard PIM".

Microsoft Learn: The getting started guide also confirms this sequence by explaining that the initial user (a Global Administrator) must first consent and will be prompted for MFA. The ability to manage roles comes after these initial onboarding and verification steps are completed.

Source: Microsoft Entra documentation, "Start using Privileged Identity Management", section: "Prerequisites".

Q: 10

You have a Microsoft Entra tenant that uses Microsoft Entra Permissions Management and contains the accounts shown in the following table:

Which accounts will be listed as assigned to highly privileged roles on the Azure AD insights tab in the Entra Permissions Management portal?

Options

Discussion

Jack D. Jan 20, 2026 12:36 am

B or E for me, since Security Admin and Privileged Role Admin are always counted but I thought User Admin (Admin4) could also show up as highly privileged in some Azure reports. Not 100% sure though, open to other ideas.

Skyler R. Jan 22, 2026 2:36 pm

Its D, User Administrator (Admin4) isn't tagged as highly privileged here. Entra docs list the other three roles only. Agree?

SkepticalSec8213 Jan 23, 2026 7:26 pm

D imo, but Microsoft keeps changing what counts as 'highly privileged' so not 100 percent sure.

Ivy Jan 22, 2026 3:50 am

E but only if User Administrator counts as highly privileged which I think sometimes gets included depending on tenant config.

Nina U. Jan 26, 2026 11:45 pm

I think it's E, User Administrator can show as highly privileged in some Entra lists. Could be a trick here.

Liam Q. Jan 19, 2026 2:51 am

Mia W. Jan 18, 2026 4:37 pm

Looks like E, pretty sure User Administrator counts as highly privileged in some lists. Saw similar in exam reports.

PreciseSec1156 Jan 19, 2026 11:20 pm

C/D? Not seeing User Admin flagged as highly privileged in the Entra Permissions Management docs, so D fits best I think.

QuickCandidate9477 Jan 28, 2026 5:31 am

D makes sense here, User Administrator (Admin4) isn’t picked up as highly privileged in Entra Permissions Management. That one’s a common trap, I think some get mixed up by the name. Anyone see it marked as privileged recently?

Morgan Y. Jan 22, 2026 5:05 pm

C or E, seen similar in practice sets but always check the official guide and labs since Microsoft changes this sometimes.

Be respectful. No spam.

Correct Answer:

Explanation

Microsoft Entra Permissions Management specifically identifies certain Microsoft Entra roles as "highly privileged" for reporting on the Azure AD insights tab. According to official documentation, these roles are Global Administrator, Privileged Role Administrator, and Security Administrator.

In the given scenario:

Admin1 holds the Global Administrator role.

Admin2 holds the Security Administrator role.

Admin3 holds the Privileged Role Administrator role.

The User Administrator role, held by Admin4, is not classified as a highly privileged role in this context. Therefore, only Admin1, Admin2, and Admin3 will be listed.

Why Incorrect

A. This option is incorrect because it omits the Security Administrator (Admin2) and Privileged Role Administrator (Admin3) roles, which are also considered highly privileged.

B. This option is incorrect because it omits the Global Administrator (Admin1) role, which is a highly privileged role.

C. This option is incorrect as it omits two highly privileged roles (Admin1, Admin3) and incorrectly includes the User Administrator (Admin4) role.

E. This option is incorrect as it omits the Global Administrator (Admin1) role and incorrectly includes the User Administrator (Admin4) role.

F. This option is incorrect because the User Administrator (Admin4) role is not considered a highly privileged role by Microsoft Entra Permissions Management for this insight.

References

1. Microsoft Learn. (2023). View key statistics and data about your authorization system in Permissions Management. Under the section "The Azure AD insights tab

" the "Highly privileged roles" tile description explicitly states: "Permissions Management considers the following roles to be highly privileged: Global administrator

Privileged role administrator

and Security administrator." This directly supports that Admin1

Admin2

and Admin3 are the correct accounts.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE