Home › Azure AZ-500 › cloudcomputing › az500identityaccess › Which Microsoft Entra ID feature should an engin…
Which Microsoft Entra ID feature should an engineer use to require MFA only when sign-in risk is elevated (unfamiliar location, anonymous IP, leaked credentials)?
AConditional Access policies (often with Identity Protection signals)
BStatic MFA-always-or-never with no risk evaluation
CDisabling MFA when users complain
DSharing TOTP seeds via email
Answer & Solution
Correct answer: A. Conditional Access policies (often with Identity Protection signals)
Conditional Access + Identity Protection give adaptive MFA (per AZ-500 §1 Conditional Access). The other options weaken security.
Related questions
Which Microsoft Entra ID feature lets a security engineer detect risky user behaviour (impWhich Microsoft Entra capability lets an admin enforce per-user MFA via a Conditional AcceWhich Microsoft Entra ID feature lets a developer register an app and obtain a CLIENT ID aWhich Azure / Microsoft Entra feature lets an admin enforce 'block sign-in from countries Which Microsoft Entra ID feature lets an admin enforce 'every privileged role activation mWhich Microsoft Entra ID feature lets an admin define a custom role with EXACTLY the actioWhich Microsoft Entra ID feature should an admin use to require user CONSENT to specific OWhich Azure resource feature lets an Azure VM / App Service / Function App authenticate to