Lab 05: Practice Questions
Scenario-Based Questions
Question 1
Scenario: You invite a user from partner.com to your tenant. After sending the invitation, you check Entra ID Users and see the user listed.
What is the invitation status at this point?
A) Accepted
B) Denied
C) PendingAcceptance
D) Redeemed
Answer
C) PendingAcceptance
Explanation: When you send an invitation:
- The user object is created immediately in your directory (userType = Guest)
- Its externalUserState attribute is PendingAcceptance until the user redeems the link
- externalUserState changes to Accepted after they complete the consent flow (externalUserStateChangeDateTime records when that happened)
The user exists in your directory but hasn't redeemed the invitation yet. Unredeemed invitations that nobody ever accepts are a common source of stale guest objects, so they are worth reporting on separately from active guests.
Question 2
Scenario: A guest user's UPN in your tenant is john_contoso.com#EXT#@fabrikam.onmicrosoft.com.
What does #EXT# indicate?
A) The user has extended permissions
B) The user is an external/guest user
C) The user's account has expired
D) The user requires an external license
Answer
B) The user is an external/guest user
Explanation: Entra ID builds a guest's UPN by replacing the @ in the original address with _, appending #EXT#, and then appending @ plus your tenant's default domain. The format is:
<original-username>_<original-domain>#EXT#@<your-tenant>.onmicrosoft.com
Example: john@contoso.com invited to fabrikam becomes: john_contoso.com#EXT#@fabrikam.onmicrosoft.com
The original address is preserved in the guest's mail attribute, so read that (not the UPN) when you need the partner's real email address.
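The following Python is an added example for this lab, not code from the original page. It decodes the #EXT# form described above back into its parts. The only assumption it relies on is the UPN shape itself: because DNS domain names cannot contain an underscore, the last underscore before #EXT# always separates the original local part from the original domain, even when the local part contains underscores. The example also shows why a Graph user's mail attribute should be preferred over UPN decoding when it is present.

```python
"""Decode a B2B guest UPN of the form <local>_<domain>#EXT#@<tenant>.

Added example for this lab (not from the original page). Assumes only the
UPN shape above. Reconstructing the original email from the UPN is a
heuristic; the 'mail' attribute returned by Microsoft Graph is authoritative.
"""
from typing import NamedTuple, Optional

EXT_MARKER = "#EXT#@"


class GuestUpn(NamedTuple):
    local: str        # original local part, e.g. "john"
    home_domain: str  # original domain, e.g. "contoso.com"
    tenant: str       # hosting tenant, e.g. "fabrikam.onmicrosoft.com"

    @property
    def original_email(self) -> str:
        return f"{self.local}@{self.home_domain}"


def parse_guest_upn(upn: str) -> Optional[GuestUpn]:
    """Return the parts of a guest UPN, or None if it is not in #EXT# form."""
    prefix, marker, tenant = upn.partition(EXT_MARKER)
    if not marker or not tenant or "@" in tenant:
        return None  # member UPN such as alice@fabrikam.com, or malformed input
    # Domains cannot contain '_', so the LAST underscore is the separator even
    # for local parts like "john_smith".
    local, sep, home_domain = prefix.rpartition("_")
    if not sep or not local or "." not in home_domain:
        return None
    return GuestUpn(local, home_domain.lower(), tenant.lower())


def is_guest_upn(upn: str) -> bool:
    """True when the UPN carries the #EXT# marker used for external identities."""
    return parse_guest_upn(upn) is not None


def original_email(user: dict) -> Optional[str]:
    """Prefer the Graph 'mail' attribute; fall back to decoding the UPN.

    The fallback cannot recover characters Entra rewrote when it built the UPN,
    which is why 'mail' wins whenever it is populated.
    """
    if user.get("mail"):
        return user["mail"].lower()
    parsed = parse_guest_upn(user.get("userPrincipalName", ""))
    return parsed.original_email if parsed else None


if __name__ == "__main__":
    # Constructed sample input, mirroring the example in the explanation above.
    sample = "john_contoso.com#EXT#@fabrikam.onmicrosoft.com"
    print(parse_guest_upn(sample))
    print(original_email({"userPrincipalName": sample}))
```

Feed the function a member UPN (alice@fabrikam.com) and it returns None, which makes it a cheap filter when you are scanning a user export for external identities without a userType column.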
Question 3
Scenario: Your company policy states that only IT administrators should be able to invite external users. Currently, any employee can send invitations.
Where do you configure this?
A) Azure subscription access control
B) Microsoft Entra ID > External Identities > External collaboration settings
C) Microsoft Entra ID > Enterprise applications
D) Azure Policy
Answer
B) Microsoft Entra ID > External Identities > External collaboration settings
Explanation: The "Guest invite settings" control who can invite guests:
- Anyone in the organization can invite guest users, including guests and non-admins (most inclusive)
- Member users and users assigned to specific admin roles can invite guest users
- Only users assigned to specific admin roles can invite guest users
- No one in the organization can invite guest users, including admins (most restrictive)
For "only IT administrators," choose "Only users assigned to specific admin roles can invite guest users." The roles that qualify are Guest Inviter, User Administrator and Global Administrator, so give your IT staff the Guest Inviter role rather than a broader one.
Question 4
Scenario: You want to allow guest invitations only from trusted partners: contoso.com and fabrikam.com. Users should NOT be able to invite guests from any other domain.
What should you configure?
A) Guest user access restrictions
B) Collaboration restrictions with allow list
C) Conditional Access policy blocking other domains
D) Azure AD B2C policies
Answer
B) Collaboration restrictions with allow list
Explanation: In External collaboration settings, under "Collaboration restrictions":
- Select "Allow invitations only to the specified domains (most restrictive)"
- Add contoso.com and fabrikam.com
- Save
This blocks new invitations to any email address whose domain is not on the list. It does not touch guests who were invited before the restriction was set; those need an access review or a manual clean-up.
Question 5
Scenario: A guest user complains they cannot see any other users in your directory when using the Azure portal. They can only see their own profile.
What setting controls this?
A) Guest user access restrictions
B) RBAC role assignments
C) Conditional Access policies
D) Network security groups
Answer
A) Guest user access restrictions
Explanation: Guest user access restrictions (External Identities > External collaboration settings) control what guests can read in the directory:
- Guest users have the same access as members (most inclusive): guests can enumerate all users and groups
- Guest users have limited access to properties and memberships of directory objects (the default): guests cannot enumerate users or groups, but can see the membership of non-hidden groups
- Guest user access is restricted to properties and memberships of their own directory objects (most restrictive): guests can read only their own profile
Because the guest sees nothing but their own profile, the tenant is using the most restrictive level. Note that even the default limited level stops a guest from listing other users; the visible difference at most restrictive is that group memberships disappear too. This is SEPARATE from RBAC, which governs Azure resources, not directory objects.
Question 6
Scenario: You have a guest user from partner.com. You need to ensure they use MFA every time they access your applications.
The guest user says they already have MFA configured in their home tenant.
Does the guest need to set up MFA again in your tenant?
A) Yes, always need to configure MFA in each tenant
B) No, their home tenant MFA is always trusted
C) It depends on your Conditional Access policy and cross-tenant trust settings
D) Guests cannot use MFA
Answer
C) It depends on your Conditional Access policy and cross-tenant trust settings
Explanation:
- If YOUR Conditional Access policy requires MFA, the guest must satisfy it in your tenant
- Under External Identities > Cross-tenant access settings, the inbound trust settings let you trust MFA claims from the partner's tenant
- If that trust is configured, the guest's home-tenant MFA satisfies your requirement
- If not configured, the guest must register an MFA method in your tenant and complete MFA there, on top of whatever they did at home
Conditional Access requires Microsoft Entra ID P1; the trust settings are part of cross-tenant access settings. Trusting a partner's MFA means accepting their choice of MFA methods, so only enable it for partners whose authentication policy you have reviewed.
Question 7
Scenario: A guest user needs to access a specific Storage Account but should NOT have access to any other resources in your subscription.
What is the BEST approach?
A) Give the guest user Contributor role at subscription level
B) Add the guest to the Global Administrators role
C) Assign a role directly on the Storage Account only
D) Give the guest Owner role on the resource group
Answer
C) Assign a role directly on the Storage Account only
Explanation: Follow the least-privilege principle:
- Assign roles at the narrowest scope needed
- The guest only needs Storage Account access, so assign the role on the Storage Account itself
- NOT subscription level (far too broad)
- NOT resource group level (unless they genuinely need the other resources in it)
Use a data-plane role such as "Storage Blob Data Reader" or "Storage Blob Data Contributor" at the storage account scope, rather than Contributor, which would also grant control-plane rights over the account's configuration.
Question 8
Scenario: You have 50 guest users from various partners. You want to review their access quarterly and remove access for users who no longer need it.
What Entra ID feature should you use?
A) Conditional Access
B) Access Reviews
C) Privileged Identity Management
D) Administrative Units
Answer
B) Access Reviews
Explanation: Access Reviews (requires Microsoft Entra ID P2 or Microsoft Entra ID Governance) allow you to:
- Schedule periodic reviews of user access
- Target specific populations, such as all guest users or the groups guests belong to
- Automatically remove access for users who are not approved
- Generate audit history for compliance reports
This is the proper governance feature for validating ongoing guest access.
Quick Knowledge Check
Can guest users be assigned directory roles like User Administrator?
Answer
Yes. Guest users CAN be assigned Entra ID directory roles, but this is rare and should be carefully considered; a guest holding a privileged role is something an access review or a role audit should flag.
What's the difference between B2B and B2C?
Answer
B2B = Business-to-Business (partners, vendors, external collaborators). B2C = Business-to-Consumer (customers using your apps). B2B guests are objects in YOUR tenant; B2C users live in a separate B2C tenant.
Can you invite personal email accounts (gmail.com) as guests?
Answer
Yes, by default. Personal Microsoft accounts, federated social accounts and email one-time-passcode users can all be guests. You can restrict this with collaboration restrictions (a domain deny list or allow list).
What happens to a guest's access if they leave their home organization?
Answer
If they sign in with a work account, authentication happens in their home tenant, so once that account is disabled or deleted they can no longer sign in to yours. The guest object in your directory is NOT removed automatically, though, which is why you need access reviews to catch stale guest accounts.
Can guest users create resources in your Azure subscription?
Answer
Only if you grant them RBAC roles that allow resource creation (like Contributor). Being a guest affects directory visibility and default directory permissions, not Azure resource permissions.
Compliance Scenario
Scenario: Your company must comply with audit requirements that state:
- All external user access must be logged
- External users must use MFA
- External user access must be reviewed every 90 days
- Only approved partner domains are allowed
Design the solution:
Suggested Solution
1. Logging:
- Sign-in logs automatically capture guest sign-ins
- Enable diagnostic settings to send logs to Log Analytics
- Create alerts for guest sign-in anomalies
2. MFA Requirement:
- Create a Conditional Access policy
- Users: include "Guest or external users" (the B2B collaboration guest types you use, from all external tenants)
- Target resources: All cloud apps, or the specific apps partners use
- Grant: Require multifactor authentication
- Enable policy: On (validate in Report-only first, then switch to On)
3. 90-Day Access Review:
- Create Access Review (requires P2)
- Scope: All guest users OR specific groups containing guests
- Frequency: Quarterly
- Reviewers: Resource owners or managers
- Auto-apply results: Remove access for denied users
4. Domain Restrictions:
- External Identities > External collaboration settings
- Collaboration restrictions: "Allow invitations only to specified domains"
- Add approved partner domains
Monitoring:
- Microsoft Entra workbooks (Azure Monitor workbooks over the Log Analytics data) for guest user analytics
- Alert on new guests whose domain is not on the approved list
- Regular export of the guest user list (userType eq 'Guest') for compliance reporting, including unredeemed invitations and last sign-in dates
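The script below is an added example for this lab, not code from the original page. It runs the compliance rules above (approved domains, unredeemed invitations, inactivity beyond the 90-day window) over a constructed sample shaped like the Microsoft Graph response to GET /users?$filter=userType eq 'Guest'&$select=userPrincipalName,mail,externalUserState,createdDateTime,signInActivity (signInActivity needs Entra ID P1 and the AuditLog.Read.All permission). The tenant name tailspin.onmicrosoft.com, the allow list and the 30-day invitation threshold are assumptions for the demo; the 90-day window comes from the scenario.

```python
"""Triage a guest user export against the compliance rules in the scenario.

Added example for this lab, not code from the original page. Works on a
constructed sample shaped like a Graph /users export; tenant name, allow
list and the invitation-age threshold are assumptions.
"""
from datetime import datetime, timezone

# Mirrors the collaboration-restrictions allow list from Question 4 (assumed).
ALLOWED_DOMAINS = {"contoso.com", "fabrikam.com"}
STALE_DAYS = 90     # review cadence required by the scenario
INVITE_DAYS = 30    # assumed: unredeemed invitations older than this get flagged

# Fixed "now" so the sample findings are deterministic.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample data (hypothetical tenant tailspin.onmicrosoft.com).
SAMPLE_GUESTS = [
    {   # healthy guest: approved domain, redeemed, recently active
        "userPrincipalName": "john_contoso.com#EXT#@tailspin.onmicrosoft.com",
        "mail": "john@contoso.com",
        "externalUserState": "Accepted",
        "createdDateTime": "2024-01-10T09:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2024-05-20T10:00:00Z"},
    },
    {   # invited before the allow list existed, and idle since January
        "userPrincipalName": "pat_partner.com#EXT#@tailspin.onmicrosoft.com",
        "mail": "pat@partner.com",
        "externalUserState": "Accepted",
        "createdDateTime": "2023-12-01T09:00:00Z",
        "signInActivity": {"lastSignInDateTime": "2024-01-15T08:30:00Z"},
    },
    {   # invitation never redeemed
        "userPrincipalName": "lee_fabrikam.com#EXT#@tailspin.onmicrosoft.com",
        "mail": "lee@fabrikam.com",
        "externalUserState": "PendingAcceptance",
        "createdDateTime": "2024-03-01T09:00:00Z",
    },
    {   # redeemed, but Graph returned no sign-in activity at all
        "userPrincipalName": "kim_contoso.com#EXT#@tailspin.onmicrosoft.com",
        "mail": "kim@contoso.com",
        "externalUserState": "Accepted",
        "createdDateTime": "2024-05-25T09:00:00Z",
    },
]


def parse_ts(value: str) -> datetime:
    """Graph returns ISO 8601 with a trailing Z; turn it into a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_guest(user: dict, now: datetime = NOW,
                allowed: set = ALLOWED_DOMAINS) -> list:
    """Return human-readable findings for one guest (empty list = clean)."""
    findings = []

    # Rule: only approved partner domains. Use 'mail', not the #EXT# UPN,
    # because the UPN is a rewritten form of the original address.
    domain = (user.get("mail") or "").lower().rpartition("@")[2]
    if domain not in allowed:
        findings.append(f"domain {domain or '<unknown>'} not in allow list")

    if user.get("externalUserState") == "PendingAcceptance":
        # An invitation nobody redeemed is access waiting to be claimed; it
        # should be withdrawn rather than carried through quarterly reviews.
        age = (now - parse_ts(user["createdDateTime"])).days
        if age > INVITE_DAYS:
            findings.append(f"invitation unredeemed for {age} days")
    else:
        # Rule: inactivity beyond the review window is a removal candidate.
        last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None:
            findings.append("no recorded sign-in")
        else:
            idle = (now - parse_ts(last)).days
            if idle > STALE_DAYS:
                findings.append(f"inactive for {idle} days")
    return findings


def audit_guests(users: list) -> dict:
    """Map UPN -> findings for every guest that has at least one finding."""
    report = {}
    for user in users:
        findings = audit_guest(user)
        if findings:
            report[user["userPrincipalName"]] = findings
    return report


if __name__ == "__main__":
    for upn, findings in audit_guests(SAMPLE_GUESTS).items():
        print(upn)
        for finding in findings:
            print("  -", finding)
```

In a real run the sample list is replaced by the paged Graph response, and the report is what you attach to the quarterly review or feed into an alert; a guest with no signInActivity at all either never signed in or the tenant lacks the P1 license that populates that property, and the script deliberately treats both the same way so the reviewer has to look.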