You have a Microsoft 365 E5 subscription that contains a user named User1.
You need to ensure that User1 can create access reviews for Azure AD roles. The solution must use the principle of least privilege.
Which role should you assign to User1?
You have a Microsoft 365 E5 subscription that contains a user named User1.
You need to ensure that User1 can create access reviews for Azure AD roles. The solution must use the principle of least privilege.
Which role should you assign to User1?
To ensure User1 can create access reviews for Azure AD roles while adhering to the principle of least privilege, the Privileged Role Administrator role should be assigned. This role specifically allows users to manage Azure AD roles and perform access reviews, providing the necessary permissions without over-privileging the user.
To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Azure AD roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review#prerequisites
The correct answer is B. Identity Governance Administrator. According to the web search results, the Identity Governance Administrator role can create and manage access reviews for Azure AD roles1. The Privileged role administrator role can only manage Azure AD roles, but not access reviews2. The User administrator and User Access Administrator roles do not have permissions to create or manage access reviews3.
The correct answer is B. Identity Governance Administrator. The Identity Governance Administrator role allows users to create and manage access reviews for Azure AD roles, as well as other identity governance features. Privileged role administrator: This role allows users to manage all privileged roles in Azure AD. This is more permission than User1 needs, as they only need to be able to create access reviews for Azure AD roles.
This is actually correct. If people are studying for this test they should know by now that if something is referencing Azure AD the test will Mean Azure Entra ID https://learn.microsoft.com/en-us/entra/id-governance/create-access-review
I stand corrected - To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Microsoft Entra roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role. Citation: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review#prerequisites
I stand corrected - To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Microsoft Entra roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role. Citation: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review#prerequisites
To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Azure AD roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role.
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review?toc=%2Fazure%2Factive-directory%2Fgovernance%2Ftoc.json#prerequisites
A. Privileged role administrator
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task Least privileged roles by task in Microsoft Entra ID Create, update, or delete access review of a group or of an app- User Administrator
The Identity Governance Administrator has the least number of roles required to create and manage Access Reviews for Azure AD roles.
To create access reviews for Azure AD roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role.
Global administrators and Privileged Role administrators can create reviews on role-assignable groups
In Microsoft 365 (M365), users with specific roles can create access reviews for Azure Active Directory (Azure AD) roles. Here are the roles that can perform this task: Global Administrator: Global administrators have full access to all administrative features in Microsoft 365 and Azure AD, including the ability to create access reviews for Azure AD roles. Security Administrator: Security administrators have permissions to manage security-related settings in Azure AD, and they can create access reviews for Azure AD roles. Privileged Role Administrator: Privileged Role Administrators can manage assignments for privileged roles in Azure AD, including the ability to create access reviews for these roles.
Chatgpt Response
Look at the table here https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews Specifically the row "Microsoft Entra roles"
Access reviews: User Administrator (with the exception of access reviews of Azure or Microsoft Entra roles, which require Privileged Role Administrator). In this case, the Access review is for an Azure role which requires Privileged Role Administrator. https://learn.microsoft.com/en-us/entra/id-governance/identity-governance-overview?WT.mc_id=Portal-Microsoft_Azure_ELMAdmin#appendix---least-privileged-roles-for-managing-in-identity-governance-features
"To create access reviews for Microsoft Entra roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role." https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review#prerequisites
Microsoft Entra roles 1-Global administrator or 2-Privileged Role administrator
Identity Governance Administrator role provides the necessary permissions to manage access reviews without granting excessive privileges.
Should be B - Identity Governance Administrator (principle of least privilege)
Based on https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews answer is D.
To create access reviews for Azure resources, you must be assigned to the Owner or the (User Access Administrator) role for the Azure resources. To create access reviews for Microsoft Entra roles, you must be assigned at least the (Privileged Role Administrator) role. REF: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review#prerequisites Correct Answer: A
To allow User1 to create access reviews for Azure AD roles while adhering to the principle of least privilege, you should assign B. Identity Governance Administrator. The Identity Governance Administrator role enables a user to manage access reviews, terms of use, and privileged access settings in Azure AD. This role is specifically suited for handling access reviews while limiting permissions to only governance-related tasks, aligning with the principle of least privilege.
User administrators cannot create access reviews for Azure AD roles. The User administrator role is primarily responsible for managing user accounts, groups, and password resets, but it does not have the necessary permissions to manage access reviews or governance tasks related to Azure AD roles. To create access reviews for Azure AD roles, roles like Identity Governance Administrator or Privileged Role Administrator are required. These roles have the necessary permissions for managing access reviews, especially related to Azure AD roles.
Identity Governance Administrator hast he least privileges.
Global Administrator: Can manage all aspects of Azure AD, including creating and managing access reviews for Azure AD roles. Privileged Role Administrator: Specifically responsible for managing role assignments in Azure AD and can create access reviews for privileged roles, including Azure AD roles like Global Administrator, Security Administrator, etc. User Access Administrator (when managing resources): If access reviews are tied to Azure resources, this role might be able to initiate reviews for roles assigned to those resources.
as usual for microsoft to make fun by confusing via terminology. dont know what makes them happy..there is nothing intelligent about it. just because Azure AD is now called Microsoft Entra, which means that Azure AD roles are not Azure RBAC roles but rather Entra roles. And entra roles are those roles which are predefined administrative kind of roles like global administrator, user administrator, etc.. refer the table in this link https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews
Answer D) User Access Administrator To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review#prerequisites:~:text=To%20create%20access%20reviews%20for%20Azure%20resources%2C%20you%20must%20be%20assigned%20to%20the%20Owner%20or%20the%20User%20Access%20Administrator%20role%20for%20the%20Azure%20resources.
To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Microsoft Entra roles, you must be assigned at least the Privileged Role Administrator role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review
"To create access reviews for Azure resources*, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Microsoft Entra roles*, you must be assigned at least the Privileged Role Administrator role." https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-roles-and-resource-roles-review
Answer: A. Privileged role administrator For better understading to those considering B. Answer B is incorrect. An "Identity Governance Administrator" can create an access review to a security group (which can so happen be set to grant a role onto its members) but CANNOT create an access review specifically to an Azure AD role. Neither can it determine what or if a role is assigned to the security group in the scope of its access review.