In the Microsoft Cloud Adoption Framework (CAF) for Azure, the methodology is organized into sequential stages that guide an organization from initial intent through operations. Microsoft describes the flow as: “Strategy → Plan → Ready → Adopt → Govern → Manage.” The guidance explains that before building landing zones or preparing environments (Ready), organizations should complete the Strategy and Plan work. Microsoft states that the framework “helps you create and align your business strategy, define business outcomes, and justify cloud adoption” in the Strategy stage; then, in Plan, you “translate that strategy into an actionable adoption plan, rationalize portfolios, and prepare a cloud adoption backlog.” Only after these two stages does the Ready phase occur, where you “prepare your cloud environment (landing zone) to host the workloads.”

Additionally, CAF emphasizes that Govern and Manage are ongoing disciplines that operate alongside and after adoption rather than preceding Ready: “Govern and Manage provide iterative guardrails and operational baselines that evolve as you adopt more workloads.” Therefore, the two phases addressed before the Ready phase are Define Strategy and Plan, aligning with Microsoft’s prescribed order and intent of the Cloud Adoption Framework methodology.

Microsoft’s SCI/Learn content describes Azure AD (now Microsoft Entra ID) as a cloud service, not something you install on-premises. The docs state Azure AD is a “cloud-based identity and access management service” that “helps your employees sign in and access resources.” This clarifies the third statement (IAM service) as Yes, and the first statement (on-premises deployment) as No, because the native on-prem directory is Windows Server Active Directory, whereas Azure AD runs in Microsoft’s cloud and can be synchronized with on-prem AD via tools like Azure AD Connect.

Microsoft also explains licensing/availability: the service comes in several editions, and the free/Office 365 tier is included with many suites. The documentation explicitly notes that Azure AD is “included with subscriptions such as Microsoft 365” (formerly Office 365) and provides tenant-wide identity for those services. Therefore, stating that Azure AD is provided as part of a Microsoft 365 subscription is Yes.

In summary: Azure AD/Entra ID is a cloud identity and access management platform; it’s not deployed on-premises, and Microsoft 365 subscriptions include an Azure AD tenant/edition to manage users, groups, apps, and access policies.

Microsoft Entra ID Protection is designed to detect and respond to identity compromise by calculating user risk and sign-in risk and surfacing risk detections such as “leaked credentials,” “anonymous IP address,” “impossible travel,” and related signals. Microsoft explains that Identity Protection “uses adaptive machine learning and threat intelligence to detect risky users and risky sign-ins and assigns each a risk level of Low, Medium, or High.” These detections include “Leaked credentials (found on public or dark-web lists)”, confirming that Identity Protection can detect when user credentials have been exposed.

ID Protection is integrated with Conditional Access to take policy-driven actions: “Risk-based Conditional Access policies let you require multi-factor authentication (MFA), block access, or require password change when a user or sign-in risk level is met.” The built-in policies include User risk policy and Sign-in risk policy, which can automatically enforce MFA or password reset when the configured risk threshold is reached.

However, Identity Protection does not manage Azure AD group membership. There is no capability to add users to groups based on risk level; group membership changes are outside the scope of Identity Protection’s controls. Instead, remediation is applied through Conditional Access or password reset policies driven by the calculated risk.

Therefore: adding users to groups based on risk (No); detecting leaked credentials (Yes); invoking MFA based on risk via Conditional Access (Yes).

Azure Blueprints allow cloud architects and central IT to define a repeatable set of Azure resources and governance artifacts—including Azure Policy assignments, role assignments (RBAC), resource groups, and ARM/Bicep templates—and then deploy them consistently across subscriptions. Microsoft’s guidance describes Blueprints as a way to “orchestrate the deployment of various resource templates and other artifacts” to establish standards, patterns, and compliance for environments at scale. This is distinct from Azure Policy, which evaluates and enforces configuration but does not package multi-artifact environments; Microsoft Sentinel and Defender are security analytics/protection services rather than provisioning frameworks. Thus, for consistent provisioning across multiple subscriptions, the prescribed solution is Azure Blueprints.

In Microsoft’s Security, Compliance, and Identity portfolio, Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) integrates directly with Microsoft Entra Conditional Access to provide Conditional Access App Control—Microsoft’s real-time session control. Microsoft’s documentation describes this capability as enabling organizations to “monitor and control user sessions in real time” and to “protect downloads, restrict uploads, block copy/paste and print, and apply access or session policies” for sanctioned and unsanctioned applications. The enforcement is achieved through a reverse-proxy session that is invoked by Conditional Access policy decisions, allowing continuous inspection and dynamic controls after authentication.

By contrast, other options in the list do not offer real-time session enforcement via Conditional Access. Azure AD Privileged Identity Management (PIM) focuses on just-in-time role activation, approval workflows, and access reviews for privileged accounts—not session control of app usage. Microsoft Defender for Cloud provides cloud security posture management and workload protection across Azure, multicloud, and hybrid resources—again, not Conditional Access–based user session governance. Microsoft Sentinel is a SIEM/SOAR solution used for ingestion, detection, investigation, and response; it does not apply Conditional Access policies to control user sessions. Therefore, the service that can use Conditional Access policies to control sessions in real time is Microsoft Defender for Cloud Apps through Conditional Access App Control.

Explanation

Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization.

With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list.

In Microsoft identity architecture, federation establishes trust between different identity providers to enable single sign-on (SSO) across organizational and platform boundaries. Microsoft Learn explains that federation uses standards such as SAML, WS-Federation, and OpenID Connect/OAuth 2.0 so a user can authenticate with their home identity provider and obtain tokens that are accepted by a relying party (the application or service). This trust relationship lets organizations share identities securely without copying passwords or synchronizing credentials, providing a seamless sign-in experience across multiple systems and clouds.

By contrast, Active Directory Domain Services (AD DS) and a domain controller provide on-premises directory and authentication services primarily within a single Windows domain/forest using Kerberos/NTLM, not cross-provider SSO on their own. Microsoft Entra Privileged Identity Management (PIM) manages just-in-time, approval-based elevation for roles and does not deliver SSO capabilities. Therefore, the technology explicitly intended to provide SSO across multiple identity providers is federation.

Microsoft states that Azure AD Multi-Factor Authentication “adds a second form of verification” to sign-ins and supports multiple verification methods. The documented methods include Microsoft Authenticator app notifications or verification codes, text message (SMS) codes, and phone call verification. In Microsoft’s description, users can approve a push notification in the Microsoft Authenticator app or enter a code from the app; they can receive a text message containing a verification code; or they can answer a phone call to complete the challenge. Email verification and security questions are not listed as supported MFA methods for Azure AD sign-ins and are not valid second factors in Azure AD MFA. Consequently, the correct methods from the options provided are Phone call, Text message (SMS), and Microsoft Authenticator app. These align with Azure AD’s core MFA capabilities used in Conditional Access and per-user MFA to strengthen authentication beyond the password and to meet compliance and security requirements for strong user verification.

 Security defaults require an Azure Active Directory (Azure AD) Premium license. No

 Security defaults can be enabled for a single Azure Active Directory (Azure AD) user. No

 When Security defaults are enabled, all administrators must use multi-factor authentication (MFA). Yes

Microsoft explains that Security defaults are baseline identity protections that are “available to all tenants at no additional cost” and are intended to “help protect your organization from common identity-related attacks.” They are a tenant-wide setting: Microsoft states that security defaults are “either on or off for the entire tenant” and “can’t be customized or targeted to specific users or groups.” If you require per-user or granular targeting, Microsoft directs customers to use Conditional Access policies instead.

A core behavior of security defaults is enforcing MFA: “All users are required to register for Azure AD Multi-Factor Authentication,” and “administrators are required to perform MFA.” In addition, security defaults “block legacy authentication” and apply other baseline requirements, but they do not enable premium features such as Azure AD Identity Protection or PIM. Summarizing the implications for the statements: no premium license is required; you cannot enable security defaults for just one user because the control is global; and when enabled, administrators must use MFA, with Microsoft recommending exclusion only for a break-glass account if necessary.

Microsoft defines hybrid identity as enabling a common identity across on-premises and cloud by integrating your directory services. Microsoft Learn states: “Hybrid identity is achieved by integrating your on-premises Active Directory with Azure Active Directory.” This integration is delivered through the synchronization and optional federation capabilities that connect AD DS to Azure AD so users can access both on-premises and cloud resources with one identity.

To implement this integration, Microsoft’s tooling is explicit: “Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.” Azure AD Connect (now Microsoft Entra Connect) synchronizes users, groups, and optionally passwords or hashes to Azure AD, providing the foundation for hybrid scenarios such as single sign-on and seamless sign-in.

Regarding tenants, Microsoft’s identity platform clarifies that “A Microsoft 365 organization is associated with a single Azure AD tenant.” Therefore, a hybrid identity deployment does not require two Microsoft 365 tenants; it typically links a single Azure AD (Microsoft Entra ID) tenant with one or more on-premises AD DS forests. In summary, Azure AD Connect enables hybrid identity, hybrid identity is the synchronization/integration of AD DS with Azure AD, and it does not necessitate multiple Microsoft 365 tenants.