Conditional Access is in every AZ-104 and AZ-500 interview. These are the specific questions that separate candidates who've read the docs from those who've actually configured it.
Conditional Access is the central security control in Microsoft 365 and Azure environments. Almost every Azure Administrator, M365 Administrator, and Azure Security Engineer interview includes at least one Conditional Access scenario. It's also directly tested in AZ-104, AZ-500, SC-300, and MS-102 exams.
Here are the questions that actually differentiate candidates in interviews.
"What are the components of a Conditional Access policy?"
Assignments (who, what, where, when): users and groups; cloud apps or actions; conditions (device platform, location, sign-in risk, device compliance, client apps). Access controls: Grant (block, require MFA, require compliant device, require Hybrid Azure AD Join, require approved app) or Session (sign-in frequency, persistent browser session, app-enforced restrictions). In short: Assignments define when the policy applies; Access controls define what happens when it does.
"Your CEO got locked out of M365 10 minutes before a board presentation. What do you do immediately?"
Junior candidates panic and start disabling policies. Senior candidates: go to Entra ID → Sign-in logs → filter by the CEO's UPN → find the failed sign-in → identify which Conditional Access policy caused the block → use "What If" to reproduce it → check whether the cause is device compliance (Intune), location (Named Location) or risk (Identity Protection). Immediate workaround: temporarily exclude the CEO's account from the offending policy, document the change, and remediate after the presentation.
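The triage above as an added, runnable example (this is not code from the article, and it is not Microsoft's What If tool): a small evaluator that resolves one sign-in against a set of policies the way the service does, reports which policies applied and which grant control was not met, and then applies the exclusion workaround to show the same sign-in passing. Dictionary keys follow the Graph conditionalAccessPolicy schema; the policy names, group names, the contoso.example UPN and the sign-in record are constructed sample data, and the SignIn fields are a simplification of what the Sign-in logs actually expose.

```python
"""Minimal "What If"-style evaluator for Conditional Access policies.

Added example, not part of the original article and not Microsoft's code.  It models only
the assignments and grant controls the article names (users and groups, cloud apps, named
locations, client app types, device state, sign-in risk) and combines policies the way the
service does: every applicable policy must be satisfied, and "block" never is.  Keys follow
the Graph conditionalAccessPolicy schema; policies, groups and the sign-in are constructed.
"""
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str            # UPN as shown in the Sign-in logs
    groups: set
    app: str
    location: str        # named location the client IP resolved to, else "Untrusted"
    client_app: str      # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    mfa_satisfied: bool  # MFA completed, or a fresh MFA claim already in the token
    compliant: bool      # Intune reports the device compliant
    hybrid_joined: bool  # device is Hybrid Azure AD joined
    sign_in_risk: str    # none | low | medium | high (Identity Protection)


def applies(policy, s):
    """True when every assignment in the policy matches the sign-in."""
    c, users = policy["conditions"], policy["conditions"]["users"]
    if s.user in users.get("excludeUsers", []) or s.groups & set(users.get("excludeGroups", [])):
        return False  # exclusions always win over inclusions
    if not ("All" in users.get("includeUsers", []) or s.user in users.get("includeUsers", [])
            or s.groups & set(users.get("includeGroups", []))):
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    loc = c.get("locations")
    if loc:  # common pattern: include All, exclude the trusted corporate ranges
        if s.location in loc.get("excludeLocations", []):
            return False
        if "All" not in loc["includeLocations"] and s.location not in loc["includeLocations"]:
            return False
    if "all" not in c.get("clientAppTypes", ["all"]) and s.client_app not in c["clientAppTypes"]:
        return False
    risk = c.get("signInRiskLevels", [])
    return not risk or s.sign_in_risk in risk


def evaluate(s, policies):
    """Resolve one sign-in against all enabled policies; report which applied and which failed."""
    report = {"outcome": "grant", "applied": [], "failed": {}}
    for p in policies:
        if p["state"] != "enabled" or not applies(p, s):  # report-only never enforces
            continue
        report["applied"].append(p["displayName"])
        grant = p["grantControls"]
        # A built-in control is met by the matching fact on the sign-in; "block" never is.
        met = [{"mfa": s.mfa_satisfied, "compliantDevice": s.compliant,
                "domainJoinedDevice": s.hybrid_joined}.get(ctl, False) for ctl in grant["builtInControls"]]
        if not (all(met) if grant["operator"] == "AND" else any(met)):
            report["outcome"] = "block"
            report["failed"][p["displayName"]] = list(grant["builtInControls"])
    return report


def exclude_user(policies, policy_name, upn):
    """The documented emergency workaround: exclude one account from one policy only."""
    patched = deepcopy(policies)
    for p in patched:
        if p["displayName"] == policy_name:
            p["conditions"]["users"].setdefault("excludeUsers", []).append(upn)
    return patched


# Constructed sample tenant with two of the policy types the article describes.
SPO_POLICY = "CA003 SharePoint needs compliant device off-network"
POLICIES = [
    {"displayName": "CA001 Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-service-accounts"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": SPO_POLICY, "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["SharePoint Online"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["Corporate HQ"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

# Constructed sign-in: the CEO at home on a personal laptop, MFA done, opening SharePoint.
CEO_SIGN_IN = SignIn(user="ceo@contoso.example", groups={"grp-executives"}, app="SharePoint Online",
                     location="Untrusted", client_app="browser", mfa_satisfied=True,
                     compliant=False, hybrid_joined=False, sign_in_risk="none")


def triage_ceo():
    """Reproduce the block, then show the exclusion workaround lets the same sign-in through."""
    before = evaluate(CEO_SIGN_IN, POLICIES)
    after = evaluate(CEO_SIGN_IN, exclude_user(POLICIES, SPO_POLICY, CEO_SIGN_IN.user))
    return before, after
```

triage_ceo() returns the "before" report naming CA003 and its unmet compliantDevice control, which is the answer to "which policy and why", and the "after" report showing the exclusion restores access without touching the MFA policy that still applied. Evaluating the same sign-in with location set to "Corporate HQ" shows why the CEO never saw the problem in the office: the location exclusion means CA003 does not apply there at all.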
"How do you configure MFA for all users but exclude service accounts?"
Create a Conditional Access policy: Users → All users. Exclude → a service accounts group. Require MFA in Grant controls. Why exclude service accounts: they can't respond to MFA prompts. Alternatives for service accounts: use Managed Identities where possible; for legacy apps, use Conditional Access authentication context or certificate-based auth instead of interactive MFA.
"What is a Named Location and when would you use one?"
Named Locations define trusted IP ranges (offices, known VPNs) or trusted countries. Use case 1: exclude office IP ranges from MFA requirements for corporate-managed devices. Use case 2: block access from high-risk countries with a "Block access" grant and a countries Named Location in the location condition. Use case 3: Identity Protection's sign-in risk calculation is influenced by Named Locations (known IPs lower the risk score).
"What's the difference between Sign-in Risk and User Risk?"
Sign-in risk: real-time assessment of the specific authentication attempt — is this sign-in suspicious? (anonymous IP, atypical travel, malware-linked IP, suspicious sign-in properties). User risk: accumulated assessment of whether the user's account is compromised — based on leaked credentials and unusual patterns over time. Sign-in risk policy: require MFA on medium/high risk sign-ins. User risk policy: require password change for high-risk users. Both risk-based policies require Entra ID P2.
"How do you handle legacy authentication with Conditional Access?"
Legacy auth clients (older Outlook, IMAP, SMTP, POP3) don't support modern auth, so they can't complete MFA challenges. Block legacy auth with a Conditional Access policy: Conditions → Client apps → check "Exchange ActiveSync clients" and "Other clients" → Block. Important: test thoroughly before enforcing. Use Sign-in logs to identify users still signing in from legacy auth clients. Microsoft reports legacy auth is used in over 99% of password spray attacks.
"What's the difference between requiring a compliant device vs Hybrid Azure AD Join?"
Compliant device: the device is enrolled in Intune and meets your compliance policy (encrypted, PIN, up-to-date). Works for both cloud-only and hybrid environments. Hybrid Azure AD Join: the device is domain-joined on-premises AND registered in Entra ID. Doesn't require Intune compliance — just domain membership. Use Hybrid AAD Join for legacy on-premises devices that can't enrol in Intune. Use compliance requirement for cloud-first/BYOD scenarios.
Question pattern in AZ-104 and AZ-500: "You need to ensure users can only access SharePoint from compliant devices when outside the corporate network. Which Conditional Access policy do you configure?" Answer: Target SharePoint app, condition = Named Location not equal to corporate IP ranges, Grant = require compliant device.
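The policies discussed above (MFA for all users with the service-account exclusion, blocking legacy authentication, the trusted Named Location, the sign-in risk and user risk policies, and the SharePoint compliant-device scenario) expressed as Microsoft Graph request bodies, with a small pre-flight validator. This is an added example, not the article's or Microsoft's code: the group ID, named-location ID and IP range are constructed placeholders, the SharePoint app ID is the well-known first-party ID (verify it in your tenant), and every policy is created in report-only state so the Sign-in logs show the effect before anything is enforced, which is the "test thoroughly" step above. The validator catches typos in enum values and flags a block policy that would lock out every sign-in; it runs offline and sends nothing.

```python
"""Microsoft Graph request bodies for the Conditional Access scenarios above.

Added example, not from the original article and not Microsoft's code.  The dictionaries
follow the Graph conditionalAccessPolicy and ipNamedLocation shapes (POST
/identity/conditionalAccess/policies and .../namedLocations).  The group ID, location ID
and IP range are constructed placeholders.  Every policy starts in report-only state so
the Sign-in logs show what *would* have happened before anything is enforced.
"""

# Enumerations from the Graph schema, used to catch typos before a request is sent.
BUILT_IN_CONTROLS = {"block", "mfa", "compliantDevice", "domainJoinedDevice",
                     "approvedApplication", "compliantApplication", "passwordChange"}
CLIENT_APP_TYPES = {"all", "browser", "mobileAppsAndDesktopClients",
                    "exchangeActiveSync", "easSupported", "other"}
RISK_LEVELS = {"low", "medium", "high", "hidden", "none"}
STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}

# Constructed placeholder IDs; real ones are object IDs from your own tenant.
SERVICE_ACCOUNTS_GROUP = "11111111-1111-1111-1111-111111111111"
CORP_HQ_LOCATION = "22222222-2222-2222-2222-222222222222"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"  # well-known first-party app ID

# The trusted Named Location the SharePoint policy excludes; TEST-NET-3 stands in for office egress IPs.
CORP_HQ_NAMED_LOCATION = {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Corporate HQ",
    "isTrusted": True,
    "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": "203.0.113.0/24"}],
}


def policy(name, conditions, grant):
    """Wrap assignments and grant controls in a report-only policy body."""
    return {"displayName": name, "state": "enabledForReportingButNotEnforced",
            "conditions": conditions, "grantControls": grant}


EVERYONE = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"]}

POLICIES = [
    policy("CA001 Require MFA for all users",
           {**EVERYONE, "users": {"includeUsers": ["All"], "excludeGroups": [SERVICE_ACCOUNTS_GROUP]}},
           {"operator": "OR", "builtInControls": ["mfa"]}),
    policy("CA002 Block legacy authentication",
           {**EVERYONE, "clientAppTypes": ["exchangeActiveSync", "other"]},
           {"operator": "OR", "builtInControls": ["block"]}),
    policy("CA003 Require compliant device for SharePoint off-network",
           {**EVERYONE, "applications": {"includeApplications": [SHAREPOINT_ONLINE]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [CORP_HQ_LOCATION]}},
           {"operator": "OR", "builtInControls": ["compliantDevice"]}),
    policy("CA004 Require MFA on medium or high sign-in risk",  # Entra ID P2
           {**EVERYONE, "signInRiskLevels": ["medium", "high"]},
           {"operator": "OR", "builtInControls": ["mfa"]}),
    policy("CA005 Require password change for high-risk users",  # Entra ID P2
           {**EVERYONE, "userRiskLevels": ["high"]},
           {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}),
]


def validate(p):
    """Return schema and safety problems with a policy body; an empty list means it looks sound."""
    problems = []
    c, g = p["conditions"], p["grantControls"]
    controls = g["builtInControls"]
    if p["state"] not in STATES:
        problems.append(f"unknown state {p['state']!r}")
    if not (c["users"].get("includeUsers") or c["users"].get("includeGroups")):
        problems.append("no users or groups included")
    if not c["applications"].get("includeApplications"):
        problems.append("no cloud apps included")
    problems += [f"unknown clientAppType {v!r}" for v in c.get("clientAppTypes", []) if v not in CLIENT_APP_TYPES]
    problems += [f"unknown risk level {v!r}" for v in c.get("signInRiskLevels", []) + c.get("userRiskLevels", [])
                 if v not in RISK_LEVELS]
    problems += [f"unknown grant control {v!r}" for v in controls if v not in BUILT_IN_CONTROLS]
    if "block" in controls and len(controls) > 1:
        problems.append("block cannot be combined with other grant controls")
    if "passwordChange" in controls and not ("mfa" in controls and g["operator"] == "AND"):
        problems.append("passwordChange must be paired with mfa using the AND operator")
    # Lockout guard: a block policy that reaches every user, app and client type with no exclusion.
    narrowed = any(k in c for k in ("locations", "signInRiskLevels", "userRiskLevels"))
    if ("block" in controls and not narrowed and c["users"] == {"includeUsers": ["All"]}
            and c["applications"] == {"includeApplications": ["All"]}
            and set(c.get("clientAppTypes", ["all"])) <= {"all"}):
        problems.append("blocks every sign-in in the tenant; add an exclusion or a condition")
    return problems


def validate_all(policies=POLICIES):
    """Map each policy name to its problems; only clean bodies should be POSTed."""
    return {p["displayName"]: validate(p) for p in policies}


if __name__ == "__main__":
    for name, problems in validate_all().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Create the named location first (POST to /identity/conditionalAccess/namedLocations with the Policy.ReadWrite.ConditionalAccess permission) and put the returned id in place of the CORP_HQ_LOCATION placeholder, then POST each dictionary whose validate() result is empty to /identity/conditionalAccess/policies. Flip state to "enabled" only after the report-only results in the Sign-in logs match what you expect.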
These scenarios are live in the Azure Administrator and Azure Security mock interviews on InterviUni. You'll get scored feedback on your answers and a specific list of gaps to fix before the real interview.