Atlassian Jira ACP-520 Certification Practice Exams

Lena needs an isolated testing environment to validate configuration changes before they are applied to the live instance. Which of the following statements about that sandbox are true? (Choose 3)

• ❏ A. Paid marketplace apps linked to the production site will be added to the sandbox for free

• ❏ B. A sandbox will be removed if the production site is downgraded to a Standard plan

• ❏ C. Only one sandbox can be created for each linked product

• ❏ D. Billing and technical contacts for the sandbox will be identical to the production site

• ❏ E. The sandbox capability is restricted to Enterprise subscriptions only

• ❏ F. Sandboxes can support unlimited users regardless of the production site limits

Maya has turned on Atlassian Access for her company. Which statement accurately describes what this enables?

• ❏ A. Every cloud account will be billed under Atlassian Access

• ❏ B. Atlassian Access settings will apply to self hosted Data Center instances as well

• ❏ C. She can manage users across multiple sites within her organization

• ❏ D. She can administer both managed and unmanaged Atlassian accounts

Maya asked to join Leo’s workspace on Skyward Apps. As the site administrator which action cannot be performed from the Access requests page?

• ❏ A. Approve multiple workspace access requests submitted by the same user

• ❏ B. Request additional details from Maya by sending an email

• ❏ C. Deny or approve requests for several users at the same time

• ❏ D. Deny Maya’s individual access request

Which statements accurately describe team managed projects in Trackly? (Choose 3)

• ❏ A. Team managed projects can be configured to allow anonymous visitors to browse them

• ❏ B. Team members can apply personal filters on top of the board’s built in filter

• ❏ C. Teams can create more than one team managed project and run sprints across those projects simultaneously

• ❏ D. A team managed project can export its configuration so that other projects inherit the same settings

• ❏ E. Project members can create a custom project role within a team managed project

• ❏ F. Any licensed product user can create and administer team managed projects

As a site administrator Maya can sign in as another user to verify their product permissions and change configuration settings for them. Which of the following actions can Maya perform?

• ❏ A. Sign in as a Google Cloud Identity federated user

• ❏ B. Sign in as a user who has access to multiple sites

• ❏ C. Sign in as a Jira Service Management portal only customer

• ❏ D. Sign in as another administrator who has equal or higher privileges

What happens to a Jira Software site and its subscription when the subscription is cancelled or payment is not received? (Choose 3)

• ❏ A. Subscription is deactivated 20 days after a missed payment

• ❏ B. Installed apps are cancelled when the product subscription is terminated

• ❏ C. Atlassian issues a prorated credit for unused time

• ❏ D. Site can be restored within a 14 day window after deactivation

After you open the Directory tab on the CloudForge organization overview page which directory pages will be shown to administrators? (Choose 3)

• ❏ A. Access requests

• ❏ B. Managed accounts

• ❏ C. User access settings

• ❏ D. Groups

• ❏ E. External users

• ❏ F. Users

A team at NimbusSoft must set up a secure application tunnel to a self hosted system. They need to install the tunnel software from the vendor app hub then prepare network connections and upstream ports then create the tunnel to the on premise instance and finally register a tunneled application link. What is the correct order of these tasks?

• ❏ A. Configure network connections and upstream ports then install the tunnel components then create the cloud to on premise tunnel then register the tunneled application link

• ❏ B. Install the tunnel components from the AtlasForge App Hub then configure the required connections and upstream ports then establish the tunnel to the self managed instance then create the tunneled application link

• ❏ C. Provision a Cloud VPN connection then configure the remaining network ports then install the tunnel components then create the tunneled application link

• ❏ D. Install the tunnel components then create the tunneled application link then establish the tunnel then configure connections and ports

• ❏ E. Create the tunneled application link then configure ports then install the tunnel components then establish the tunnel

• ❏ F. Configure connections and upstream ports then create the tunneled application link then install the tunnel components then establish the tunnel

Sana manages a single Atlassian cloud site at https://sana-training.example.com. Which of the following statements about her site are accurate? (Choose 3)

• ❏ A. She cannot install two separate Jira Software instances on this site

• ❏ B. The site must have at least one product configured

• ❏ C. She may not create another site using the exact site key sana-training

• ❏ D. She can assign two site administrators to the site

• ❏ E. She can enable both Jira Software and Jira Work Management on the same site

Priya at Riverbend Publishing has been assigned to manage who is allowed a personal space, control who may create new spaces, and view other users’ personal spaces. Given Confluence is operating with default permissions what access must Priya request?

• ❏ A. Ask for Confluence Space administrator role

• ❏ B. Request Confluence Product admin role

• ❏ C. Request site administrator role

• ❏ D. Request Confluence User access

• ❏ E. Request both Confluence Product admin and Confluence User roles

All questions come from my Jira ACP-520 Udemy course and certificationexam.pro

Lena upgraded her Jira Software plan from Standard to Enterprise for her team at Cedar Labs. Which of the following will become available after the upgrade?

• ❏ A. A sandbox workspace will be automatically created and linked to the upgraded site

• ❏ B. Organization insights will show product usage data for users

• ❏ C. The organization’s current office IP will be added to the IP allowlist automatically

• ❏ D. Data residency will be enabled and set to the site administrator’s region

• ❏ E. New features and updates will be delivered as a single monthly bundle

When there are two Jira Cloud sites what is true about provisioning Jira Software and Confluence instances across those sites?

• ❏ A. There must be at least two site administrators across the sites

• ❏ B. An account can host up to two Jira Software instances and two Confluence instances

• ❏ C. Each site requires a separate billing account

A managed services provider named SummitCloud needs to sign in as other staff to check product access and resolve permission issues. What happens when an organization administrator signs in as another user? (Choose 3)

• ❏ A. You will not be able to view items that are restricted to that user within the workspace you are impersonating

• ❏ B. You can modify that user’s project permissions and product configuration

• ❏ C. You cannot impersonate an invited account that has not yet logged into any product in the organization

• ❏ D. You can edit that user’s central SummitCloud account profile

• ❏ E. SummitCloud sends a notification email to the user when an administrator signs in as them

Marco needs to get a weekly email every Monday that contains a complete list of all issues labeled with priority Critical and he wants the list delivered as a single message, what Jira features must he use together to make this happen? (Choose 2)

• ❏ A. Automation Rule

• ❏ B. Email Notification

• ❏ C. Filter Subscription

• ❏ D. Saved Filter

• ❏ E. Workflow Post Function

• ❏ F. Manage Global Filter Subscriptions Permission

Which products are not available to select when provisioning a new Acme Cloud site?

• ❏ A. Statuspage

• ❏ B. Jira Service Management

• ❏ C. Jira Product Discovery

• ❏ D. Confluence

• ❏ E. Jira Software

• ❏ F. Jira Work Management

Priya is responsible for granting and revoking user access to Jira Software at Clearwave Ltd and she must not have unnecessary privileges. Which role should Priya be given so she can manage product user access without wider permissions?

• ❏ A. Organization administrator

• ❏ B. Jira Software user access administrator

• ❏ C. Jira product administrator

• ❏ D. Jira Software user

• ❏ E. Site administrator

Leah discovered that Omar’s account had been unused for several weeks so she deactivated the account. Which of the following items will be removed from Omar’s account? (Choose 2)

• ❏ A. Comments on Jira tickets

• ❏ B. Personal user data

• ❏ C. Ability to open a technical support case

• ❏ D. Confluence user space

• ❏ E. Access to view the account profile

Why can an organization administrator who has been removed still access a Jira project?

• ❏ A. The user still has an active session on another device

• ❏ B. The account is recreated by the organization’s identity provider through SAML SSO

• ❏ C. The account is unmanaged outside the organization directory

Maya is administering a trial of a Standard plan for her company FabricSoft and she neglected to provide billing details. There are 40 active users in her Jira Software site. What will occur to the subscription when the trial period ends?

• ❏ A. All users keep using Jira Software but features are limited

• ❏ B. The subscription downgrades to the Free plan

• ❏ C. The subscription will be deactivated because the account has more than ten users

• ❏ D. Only ten users retain access and the other thirty users are disabled

Aisha generated an admin API key so she can automate management of her organization through the admin APIs with a script. Which statement about that API key is accurate?

• ❏ A. A revoked API key can be recovered within ten days of deletion

• ❏ B. You can set the maximum API key validity to eleven months when creating the API key

• ❏ C. Changing the IP allowlist does not change whether an API key can access the admin APIs

• ❏ D. API keys are tied to the individual admin account that generated them

Atlassian ACP-520 Practice Exam Answers

All questions come from my Jira ACP-520 Udemy course and certificationexam.pro

The correct answers are Paid marketplace apps linked to the production site will be added to the sandbox for free, A sandbox will be removed if the production site is downgraded to a Standard plan, and Only one sandbox can be created for each linked product.

Paid marketplace apps linked to the production site will be added to the sandbox for free is correct because sandboxes typically copy the production site configuration and provide attached marketplace apps as trial or evaluation add ons so administrators can test integrations without purchasing separate licenses for the sandbox.

A sandbox will be removed if the production site is downgraded to a Standard plan is correct because sandbox access is tied to the subscription level and reducing the production subscription can remove features that the sandbox depends on which results in the sandbox being deprovisioned.

Only one sandbox can be created for each linked product is correct because the service enforces a one to one relationship between a production instance and its sandbox to avoid confusion and to ensure the sandbox is a single isolated copy for testing changes.

Billing and technical contacts for the sandbox will be identical to the production site is incorrect because sandbox instances can have separate administrative and billing arrangements or the sandbox may not inherit contact details by default so contacts are not guaranteed to be identical.

The sandbox capability is restricted to Enterprise subscriptions only is incorrect because sandboxes are not always restricted to a single subscription tier and availability can depend on plan features, add ons, or available licensing options rather than a hard Enterprise only restriction.

Sandboxes can support unlimited users regardless of the production site limits is incorrect because sandboxes normally follow user and usage limits or have their own quotas and they are not inherently exempt from limits or automatically unlimited.

The correct answer is She can manage users across multiple sites within her organization.

This option is correct because Atlassian Access gives an organization centralized user and identity management for Atlassian cloud products. It lets organization administrators manage users, enforce single sign on and provisioning, and apply security policies across multiple Atlassian sites and cloud products from a single place.

Every cloud account will be billed under Atlassian Access is incorrect because Atlassian Access is billed separately as an organization level subscription and it does not automatically move or consolidate billing for existing cloud product sites under a single account.

Atlassian Access settings will apply to self hosted Data Center instances as well is incorrect because Access applies to Atlassian cloud products and organization accounts and it does not extend management or policy enforcement to self hosted Data Center instances.

She can administer both managed and unmanaged Atlassian accounts is incorrect because Atlassian Access primarily governs managed accounts within the organization and does not grant the same administrative control over external unmanaged accounts that are not tied to the organization.

Deny or approve requests for several users at the same time is correct.

The Access requests page is built for reviewing and acting on individual user requests and it does not provide a built in bulk action to select multiple different users and approve or deny all of their requests at once. Administrators are expected to review each user request separately which is why the inability to handle cross user bulk approvals or denials is the tested limitation.

Approve multiple workspace access requests submitted by the same user is incorrect because the interface typically allows handling requests that originate from the same requester in a grouped or user centric way so you can approve those related requests without needing a cross user bulk action.

Request additional details from Maya by sending an email is incorrect because administrators can usually request more information from the requester either through the platform workflow or by contacting them directly, so asking for additional details is a supported action.

Deny Maya’s individual access request is incorrect because denying a single user request is a basic action on the Access requests page and individual approvals or denials are supported.

The correct answers are Team members can apply personal filters on top of the board’s built in filter, Project members can create a custom project role within a team managed project and Any licensed product user can create and administer team managed projects.

Team members can apply personal filters on top of the board’s built in filter is correct because team managed boards allow individual users to apply their own quick filters or view settings on top of the board filter so they can focus on the issues that matter to them without changing the board configuration for everyone.

Project members can create a custom project role within a team managed project is correct because team managed projects provide project level role controls so project admins and members can define roles that only apply to that project and assign permissions locally.

Any licensed product user can create and administer team managed projects is correct because creation and administration of team managed projects is available to users with a product license by default and does not require global administration rights unless the site admin has restricted project creation.

Team managed projects can be configured to allow anonymous visitors to browse them is incorrect because team managed projects do not normally support anonymous access and browsing is subject to site and project level user access controls.

Teams can create more than one team managed project and run sprints across those projects simultaneously is incorrect because team managed projects are designed to be self contained and do not support running a single sprint across multiple team managed projects.

A team managed project can export its configuration so that other projects inherit the same settings is incorrect because team managed project settings are local and there is no built in export and inherit mechanism like the shared schemes available for company managed projects.

The correct option is Sign in as a user who has access to multiple sites.

Site administrators can use the sign in as feature to open a user�s product view and verify permissions or change configuration for that user when the user has an Atlassian account and product access across sites. This capability is intended to let admins replicate the user experience so they can troubleshoot permissions and settings without needing the user�s credentials.

Sign in as a Google Cloud Identity federated user is incorrect because federated accounts authenticate through an external identity provider and the site admin cannot assume the user�s session when authentication is handled outside Atlassian.

Sign in as a Jira Service Management portal only customer is incorrect because portal only customers do not have full Atlassian accounts and they access the service as customers rather than as site users, so there is no account session for an admin to take over.

Sign in as another administrator who has equal or higher privileges is incorrect because the sign in as feature is restricted for security and privilege reasons and you cannot assume the session of another admin who has equivalent or greater administrative scope.

The correct options are Subscription is deactivated 20 days after a missed payment, Installed apps are cancelled when the product subscription is terminated, and Site can be restored within a 14 day window after deactivation.

Subscription is deactivated 20 days after a missed payment is correct because Atlassian applies a grace period for failed or missed payments and will deactivate the subscription after that window if billing is not resolved. This deactivation stops user access to the paid product until payment is updated or the subscription is reactivated.

Installed apps are cancelled when the product subscription is terminated is correct because marketplace app licenses for cloud products are tied to the product subscription and those app subscriptions are removed when the main product subscription ends. Customers lose app access along with the product when the subscription is terminated.

Site can be restored within a 14 day window after deactivation is correct because Atlassian provides a limited restoration window after deactivation during which a site and its data can be recovered. If the site is not restored within that timeframe the ability to recover may be lost or subject to different retention policies.

Atlassian issues a prorated credit for unused time is incorrect because Atlassian does not automatically provide prorated credits on cancellation in the way the option describes. Refunds or credits are handled according to billing policies and usually require contacting support rather than an automatic prorated credit on termination.

The correct options are Managed accounts, Groups, and Users.

The Directory tab shows account records that the organization manages and those are listed under Managed accounts. This page lets administrators view account status and control provisioning for accounts the organization administers.

The Directory includes collections of members and roles which are shown on the Groups page. Administrators use Groups to manage memberships and group based access.

Individual identities appear on the Users page so administrators can create disable and edit user profiles. The Users page is the primary directory view for individual accounts.

Access requests is incorrect because access request workflows are usually handled in an IAM or approvals interface and not as a Directory page showing directory objects.

User access settings is incorrect because that describes configuration for access rather than a directory listing of entities.

External users is incorrect because external or guest accounts are often handled differently and they are not typically presented as a separate Directory page in the organization overview.

Install the tunnel components from the AtlasForge App Hub then configure the required connections and upstream ports then establish the tunnel to the self managed instance then create the tunneled application link is correct.

You install the tunnel software first so the necessary agent and tooling are present on the host before you change network behavior. After installation you configure the required network connections and upstream ports so the tunnel has the correct paths and permissions to traverse the network. Once the software is installed and the network is prepared you establish the tunnel to the self managed instance and then register the tunneled application link so the cloud control plane can resolve and route traffic to the new tunnel endpoint.

Configure network connections and upstream ports then install the tunnel components then create the cloud to on premise tunnel then register the tunneled application link is incorrect because it delays installation until after network configuration and that can leave you without the agent needed to validate or negotiate the tunnel during setup.

Provision a Cloud VPN connection then configure the remaining network ports then install the tunnel components then create the tunneled application link is incorrect because provisioning a separate VPN is not necessarily required for an application tunnel and it places the VPN step before installing the tunnel components which prevents local validation and setup of the tunnel agent.

Install the tunnel components then create the tunneled application link then establish the tunnel then configure connections and ports is incorrect because creating the application link before establishing the tunnel and configuring ports means the registration will point to an endpoint that is not yet reachable.

Create the tunneled application link then configure ports then install the tunnel components then establish the tunnel is incorrect because registering the application first creates a link before any agent or network path exists so the link would point to a non functional endpoint.

Configure connections and upstream ports then create the tunneled application link then install the tunnel components then establish the tunnel is incorrect because it registers the tunneled application before the tunnel software is installed and before the tunnel is established which prevents the application link from being validated at registration time.

The correct options are The site must have at least one product configured, She can assign two site administrators to the site, and She can enable both Jira Software and Jira Work Management on the same site.

The The site must have at least one product configured statement is correct because an Atlassian cloud site is principally a container for products and users and a site without any products would not meet the normal definition of a managed site.

The She can assign two site administrators to the site statement is correct because Atlassian Cloud lets you grant site administrator privileges to more than one person so that administration and billing tasks can be shared.

The She can enable both Jira Software and Jira Work Management on the same site statement is correct because a single cloud site can host multiple Atlassian products at the same time and Jira Work Management can be added alongside Jira Software for teams that need both.

She cannot install two separate Jira Software instances on this site is incorrect because the statement is presented as an absolute limitation. If a truly separate Jira Software instance is required it is typically created as a separate site, and administrative needs can often be met within one product by using projects and schemes, so the wording as an absolute prohibition is misleading.

She may not create another site using the exact site key sana-training is incorrect because the statement is absolute and does not account for lifecycle exceptions. Site keys are unique while an active site exists, but site names and keys can be reused under some circumstances such as after deletion or recovery, so the blanket phrasing makes the option inaccurate.

The correct answer is Request Confluence Product admin role.

A Confluence Product admin role grants the global Confluence permissions needed to control who can create new spaces and to configure personal space settings so an admin can manage who is allowed a personal space and who can view others’ personal spaces under the default permission model.

Ask for Confluence Space administrator role is incorrect because a space administrator manages only specific spaces and cannot change global settings that control creation of new spaces or the global visibility rules for personal spaces.

Request site administrator role is incorrect because site administrators operate at the organization level and have broader platform control than is required. Product admin rights are sufficient to manage Confluence product settings without needing full site administration.

Request Confluence User access is incorrect because user access only grants a license to use Confluence and does not provide administrative capabilities to control space creation or personal space visibility.

Request both Confluence Product admin and Confluence User roles is incorrect because the Confluence Product admin role already provides the necessary administrative capabilities and adding a basic user role is redundant for this requirement.

Organization insights will show product usage data for users is correct.

It provides organization level visibility for administrators so they can see aggregated product usage and adoption across users and teams. This helps with license management and governance when supporting a larger Enterprise deployment.

A sandbox workspace will be automatically created and linked to the upgraded site is incorrect. Sandboxes are not necessarily created automatically on plan change and they require separate provisioning and configuration.

The organization’s current office IP will be added to the IP allowlist automatically is incorrect. IP allowlist entries are a security control that administrators must configure deliberately and they are not added automatically during an upgrade.

Data residency will be enabled and set to the site administrator’s region is incorrect. Data residency requires specific setup and depends on product support and account configuration rather than being turned on by a plan upgrade alone.

New features and updates will be delivered as a single monthly bundle is incorrect. Release cadence and update delivery are managed separately and an Enterprise plan does not guarantee that all new features will be packaged into a single monthly bundle.

The correct answer is An account can host up to two Jira Software instances and two Confluence instances.

Atlassian Cloud supports multiple sites and allows an organization to provision product instances across those sites. The documented limit is up to two Jira Software instances and up to two Confluence instances per account, which is why the bolded option is correct.

There must be at least two site administrators across the sites is incorrect because there is no fixed minimum number of site administrators imposed across sites. You can assign one or more site administrators based on your governance and operational needs.

Each site requires a separate billing account is incorrect because billing can be managed per site or consolidated under the organization depending on how you configure billing. A separate billing account for every site is not a mandatory requirement.

The correct answers are You can modify that user’s project permissions and product configuration, You cannot impersonate an invited account that has not yet logged into any product in the organization, and SummitCloud sends a notification email to the user when an administrator signs in as them.

You can modify that user’s project permissions and product configuration is correct because signing in as another user lets an organization administrator act in that user context to review and change project level roles and product specific settings that apply to the user. This capability is intended so administrators can reproduce issues and adjust permissions or product configuration while using the same effective access as the user.

You cannot impersonate an invited account that has not yet logged into any product in the organization is correct because an invited account must complete an initial activation or first login before it has an active product profile to impersonate. Until the invited user signs in at least once the system cannot create the runtime context needed for an administrator to assume that identity.

SummitCloud sends a notification email to the user when an administrator signs in as them is correct because the platform notifies the account holder for transparency and auditing whenever an administrator initiates an impersonation session so the user is aware that their account was accessed by an administrator.

You will not be able to view items that are restricted to that user within the workspace you are impersonating is incorrect because when an administrator successfully impersonates a user they inherit that user’s access within the workspace and can view items that are restricted to that user subject to any additional system limitations.

You can edit that user’s central SummitCloud account profile is incorrect because impersonation creates a session that uses the user’s effective permissions and product context but it does not grant direct administrative modification of the central account record. Editing central account profile fields normally requires separate account administration actions or the account owner to perform the change.

The correct options are Saved Filter and Filter Subscription.

A Saved Filter stores the JQL query that returns all issues labeled with priority Critical and lets Marco reuse that exact query whenever he needs the list.

A Filter Subscription attaches to a saved filter and schedules delivery of the filter results as a single email on a chosen cadence so Marco can receive one consolidated message every Monday.

Automation Rule is not the best choice here because automation is generally used to perform actions or send notifications on a schedule or on events and it does not provide the simple saved query plus single consolidated weekly email workflow that a filter subscription provides.

Email Notification refers to Jira event driven notifications that are sent when specific events occur and these notifications do not produce a scheduled, single-message weekly list of filter results.

Workflow Post Function runs during workflow transitions and it cannot be used to produce a recurring weekly summary of all issues matching a filter.

Manage Global Filter Subscriptions Permission controls the ability to create subscriptions that apply to all users but it is not required for an individual user to create a personal filter subscription to receive a weekly email.

The correct answer is Jira Product Discovery.

Jira Product Discovery is not presented as a selectable product during the initial Acme Cloud site provisioning process because it is handled as a separate product that must be added or enabled after the site is created, often via the product marketplace or separate provisioning flow.

Statuspage is incorrect because Statuspage can be chosen or added during the product selection or provisioning flow and therefore is available when creating a new site.

Jira Service Management is incorrect because it is one of the core products offered during site setup and can be selected as part of initial provisioning.

Confluence is incorrect because Confluence is a standard product that appears in the provisioning options and can be selected when creating a new site.

Jira Software is incorrect because it is a primary product available during site setup and is selectable during provisioning.

Jira Work Management is incorrect because it is included in the list of products you can choose during site creation and can be selected at provisioning time.

Jira Software user access administrator is correct because it gives Priya the ability to grant and revoke Jira Software product access without granting broader administrative rights.

The Jira Software user access administrator role is focused on managing who has product access and user assignments for Jira Software. This allows Priya to perform her access management duties while following the principle of least privilege and avoiding organization or site wide permissions.

Organization administrator is incorrect because that role has wide control across the entire organization and all products, which gives far more privileges than required for managing product user access.

Jira product administrator is incorrect because product administrators typically manage product configuration and settings rather than being limited to managing user access, so they may have unnecessary additional permissions.

Jira Software user is incorrect because a regular user does not have the administrative capability to add or remove other users from product access.

Site administrator is incorrect because site admins manage site wide settings and user management across multiple products, which exceeds the narrow access control task Priya needs.

The correct options are Ability to open a technical support case and Access to view the account profile.

When an account is deactivated the user can no longer sign in and cannot perform account actions. That means the user loses the Ability to open a technical support case because opening a support case requires an active, signed in account. The user also loses the Access to view the account profile because profile access requires an active account session and the ability to authenticate.

Comments on Jira tickets are not removed by deactivation because content the user created remains in the product. Deactivating the account prevents sign in but does not erase historical comments.

Personal user data is not automatically deleted when you deactivate an account. Deactivation disables access but it does not remove stored personal information and deletion is a separate action or process.

Confluence user space is not removed by deactivating the user. Personal spaces and their content persist and remain subject to the site and space permissions even after the owner’s account is deactivated.

The correct answer is The account is recreated by the organization’s identity provider through SAML SSO.

The account is recreated by the organization’s identity provider through SAML SSO explains the behaviour because when an identity provider is configured for single sign on it can perform just in time provisioning or recreate a user account when the user authenticates. The identity assertion from the IdP lets the Atlassian product create a new managed user and that restores access to the Jira project even after the original organization administrator entry was removed.

The user still has an active session on another device is not the primary reason here. An active session can allow temporary access until the session or token expires, but it does not account for the user being able to sign in again or for the account appearing again in the organization. The persistent reappearance is explained by SAML SSO reprovisioning.

The account is unmanaged outside the organization directory is incorrect because with SAML SSO the identity provider or directory is managing accounts. If the account were truly unmanaged it would not be automatically recreated by the IdP on login.

The correct option is The subscription will be deactivated because the account has more than ten users.

When a trial ends and billing details were not provided the site cannot automatically convert to the Free plan because the Free plan only supports up to ten users. In this situation the subscription is deactivated until billing is added or the user count is reduced to meet the Free plan limit.

All users keep using Jira Software but features are limited is incorrect because users do not continue to use the paid product with only feature restrictions when billing is absent for an account that exceeds the Free tier user limit. The account access is stopped rather than simply limited.

The subscription downgrades to the Free plan is incorrect because the Free plan has a ten user limit and Atlassian will not automatically downgrade a site that has more than ten users without first reducing the user count or adding payment details.

Only ten users retain access and the other thirty users are disabled is incorrect because Atlassian does not automatically choose which users remain active. The whole subscription is deactivated until billing is added or the admin reduces users to fit the Free plan.

You can set the maximum API key validity to eleven months when creating the API key is correct.

This option means that when you create an admin API key you can specify an expiration and the longest allowed lifetime you can assign at creation is eleven months. Using an expiration enforces key rotation and reduces the attack surface for admin APIs by ensuring keys do not remain valid indefinitely.

A revoked API key can be recovered within ten days of deletion is incorrect because once an API key is revoked or deleted it cannot be reliably restored and you must create a new key. Recovery windows like this are not a typical behavior for API key management in cloud admin APIs.

Changing the IP allowlist does not change whether an API key can access the admin APIs is incorrect because IP allowlists are one of the restriction mechanisms that determine whether a key can be used from a given source. Modifying the allowlist can enable or block access for clients that use the key.

API keys are tied to the individual admin account that generated them is incorrect because API keys are associated with the project or resource that created them and not bound to a single user identity in a way that prevents others with appropriate project permissions from managing those keys. Keys persist under the project until they are rotated or deleted.