Microsoft Entra Access Reviews are designed to help organizations regularly validate and right-size access. Microsoft’s documentation explains that access reviews can target group memberships, enterprise app assignments, Azure AD roles, and Azure resource roles (via Privileged Identity Management), allowing reviewers to assess whether users, service principals, or groups should retain access to Azure resources—confirming the first statement. Access Reviews support automation: you can configure a review to “Auto-apply results”, so when the review ends, users who were denied or not reviewed are automatically removed from the group, application assignment, or role—validating the second statement. Finally, Access Reviews are a Premium P2 capability (now Microsoft Entra ID P2) alongside PIM and advanced identity governance. They are not included in all service plans; tenants require the appropriate P2 licenses for reviewers and users in scope—therefore the third statement is No.
Question # 65
Select the answer that correctly completes the sentence.
Microsoft’s identity guidance for Azure resources states there are two kinds of managed identities: system-assigned and user-assigned. The documentation describes that a system-assigned identity is scoped to a single resource and follows its lifecycle: “A system-assigned managed identity is created in Microsoft Entra ID and is tied to the lifecycle of that Azure service instance. When the resource is deleted, Azure automatically deletes the identity.” By contrast, a user-assigned identity is reusable across resources: “A user-assigned managed identity is a standalone Azure resource… It can be assigned to one or more Azure service instances and is managed independently of the resources that use it.”
Because the scenario requires multiple Azure web apps to use the same identity, the only managed identity type that supports this sharing model is the user-assigned managed identity. This allows you to grant RBAC permissions once to the identity and then attach that same identity to several App Service instances, simplifying secretless access to Azure resources (Key Vault, Storage, SQL, etc.) and providing centralized lifecycle and rotation management. Certificates or generic service principals would reintroduce credential management, while a system-assigned identity cannot be shared across multiple apps. Therefore, a user-assigned managed identity is the correct choice.
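The sharing model described above, expressed as an infrastructure template. This is an added example and not part of the original question explanation or any Microsoft sample: it assumes illustrative names for the identity, the App Service plan, three web apps and a Key Vault, and it assumes the vault already exists and uses the Azure RBAC permission model. The identity is declared once, attached to every web app in the list, and granted the built-in Key Vault Secrets User role a single time.

```bicep
// Added example (not from the page): one user-assigned managed identity
// shared by several App Service web apps, granted a Key Vault role once.
// All resource names and the web app list are assumed values for illustration.
param location string = resourceGroup().location
param webAppNames array = [
  'app-orders-prod'
  'app-billing-prod'
  'app-reports-prod'
]
param keyVaultName string = 'kv-shared-secrets'

// Built-in role definition id for "Key Vault Secrets User" (read secret contents).
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// The identity is a standalone resource: it outlives any single web app
// and can be attached to many of them.
resource sharedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-webapps-shared'
  location: location
}

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'plan-webapps'
  location: location
  sku: {
    name: 'P1v3'
    tier: 'PremiumV3'
  }
}

// Each web app references the same identity; none of them owns it, so deleting
// one app does not delete the identity (the opposite of system-assigned behaviour).
resource webApps 'Microsoft.Web/sites@2022-09-01' = [for appName in webAppNames: {
  name: appName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${sharedIdentity.id}': {}
    }
  }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
  }
}]

// Assumed to exist already, with RBAC authorization enabled on the vault.
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// RBAC is granted once, to the identity's principal, rather than once per app.
resource secretsAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, sharedIdentity.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: sharedIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Apps that have more than one identity attached pass this client id to
// their credential so the right identity is used when requesting tokens.
output identityClientId string = sharedIdentity.properties.clientId
```

Two points follow directly from the structure of the template: there is no secret anywhere in it (the apps authenticate to Key Vault with tokens issued to the identity), and removing an app from `webAppNames` leaves the identity and its role assignment intact, which is exactly the lifecycle separation the quoted documentation describes for user-assigned identities.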
Question # 66
Select the answer that correctly completes the sentence.
In Microsoft’s Security, Compliance, and Identity materials, Azure AD B2B collaboration is the feature designed for working with external organizations. Microsoft describes it as follows: “Azure AD B2B collaboration allows you to securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data. Guest users sign in with their own work, school, or social identities, and appear as guest users in your directory.” This directly matches the sentence in the prompt—enabling collaboration with suppliers, partners, and vendors while ensuring that external users appear as guest users in the tenant.
By contrast, Active Directory Domain Services (AD DS) is an on-premises directory service for Windows domain-joined resources and does not provide cloud guest user collaboration. Active Directory forest trusts establish trust relationships between AD DS forests for resource access, not modern cloud guest access using Conditional Access, MFA, or entitlement processes. Azure AD B2C is for consumer/retail scenarios where you build customer-facing apps and manage their identities in a separate customer directory; it is not intended for partner collaboration within your enterprise tenant. Therefore, the capability that fits the statement—external partner collaboration with users appearing as guest accounts—is Azure AD B2B.