HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains Azure AD Privileged Identity Management (PIM) role settings for the User administrator role as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan
So correct answers are: 8 hours Global administrators and privileged role administrators
"If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers."
https://janbakker.tech/active-directory-identity-governance-privileged-identity-management/
This is exactly what it says in the PIM settings when editing a role.
on the exam 24.02.2022. I answered: 8 hours Global administrators and Privileged role administrators
This question needs to be updates, under https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings You can require approval for activation of an eligible assignment. The approver doesn't have to have any roles. When you use this option, you must select at least one approver. We recommend that you select at least two approvers. There are no default approvers.
8 hours Global administrators and privileged role administrators
this question came out in my test today.
on the exam 09222022, i answered the same. Passed the exam, btw.
Given answer for the second selection is wrong, If no approvers are selected automatically by default the Global administrator or Privileged Role Administrators become the approvers.
8 hours Global administrators and privileged role administrators Norte : If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.
That's the point! Reference for it: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings
build in my lab, 8 hours and when not assigning approvers: "If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers"
8 hours Global administrators and privileged role administrators
I stand corrected. The time limit under "activation" is the one in effect here which is 8 Hours.
My answer would be "1 Month" as it's teh time when an active assignment expire and the role would require another activation. The 8 hours is the time period before an activation request expire, different from the role lifetime which is the assignment
I stand corrected. The time limit under "activation" is the one in effect here which is 8 Hours.
I'm changing my suggested answer again: Actually it should be 1 month: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan Type of assignments There are two types of assignment – eligible and active. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. You can also set a start and end time for each type of assignment. This addition gives you four possible types of assignments: Permanent eligible Permanent active Time-bound eligible, with specified start and end dates for assignment Time-bound active, with specified start and end dates for assignment In case the role expires, you can extend or renew these assignments. We recommend you keep zero permanently active assignments for roles other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role.
Note: User may not be prompted for multi-factor authentication if they authenticated with strong credentials, or provided multi-factor authentication earlier in this session. If there is no information about strong credentials in the question, it should be assumed that the user will be prompted for MFA every 8 hours regardless of their previous authentication status. The activation maximum duration for Azure AD PIM sets a time limit for the user's access to the privileged role, and once that time limit has been reached, the user will need to re-authenticate with multi-factor authentication to continue using the role. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings#on-activation-require-multi-factor-authentication
Wrong. The correct answers are 15 days and global administrator or privileged role administrator. Because no delegation here. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings Role settings Activation maximum duration Use the Activation maximum duration slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.
Correct. Have it setup and tested.
Is there anything that the Global Admin can't do?
Work with Custom Security Attributes - you need a dedicated Azure AAD RBAC role.