AZ-300 Exam - Question 213


Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You consent to Azure AD Privileged Identity Management (PIM).

Does this meet the goal?

Correct Answer: B

Admin1 already has the User administrator, Compliance administrator, and Security administrator roles, which should typically provide sufficient permissions for administering access reviews. However, for Admin1 to create access reviews within Azure AD Identity Governance, the tenant must be properly onboarded for access reviews, which might be missing here. Additionally, the relevant prerequisite for creating access reviews is either having an Azure AD Premium P2 license or being assigned roles like Global administrator or Privileged Role Administrator specifically for Privileged Identity Management (PIM) related access reviews. Simply consenting to PIM does not address the specific requirement here. Therefore, the correct solution in this scenario is 'No', as consenting to PIM alone does not meet the goal.

Discussion

15 comments
ccarlton
Feb 27, 2020

'Consent to PIM' does not enable access review feature.

SaurabhAzure
Mar 27, 2020

That's true...

tartar
Sep 14, 2020

B is ok

mstm
Aug 16, 2020

Please note there are 2 types of access reviews:

Access review under Azure AD -> Identity Governance
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Prerequisites: Azure AD Premium P2; Global administrator or User administrator
Purpose: Create access reviews for group members or application access

Access review under PIM -> Access review
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review
Prerequisites: Privileged Role Administrator (and also P2 license, consent to PIM etc.)
Purpose: Create access reviews for privileged Azure resource roles

As the question is stating "Admin1 discovers that all the other Identity Governance settings are available", I think we are talking about the AAD access review type, and what's missing there is "Onboarding". Probably the scenario is that the tenant hasn't been onboarded for access reviews. This is an old view, but see the screenshot for the overview (https://i0.wp.com/wpac.blob.core.windows.net/wpstorage/2019/03/030619_1438_Accessrevie1.png?w=1240&ssl=1). Hence IMO the answer is NO.

gboyega
Jul 14, 2020

B is the correct answer

praveen97
Jul 21, 2020

Answer is NO since Privileged Identity requires 'Privileged Role Administrator' role to create Access Reviews. I have tested this in the lab. See the Pre-requisites provided in the below article before creating Access Reviews. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review#prerequisites

frafra
Jun 1, 2020

YES - correct to use Access Review you need to be Global Administrator or User Administrator

Harkonnen
Jul 27, 2020

The answer is INCORRECT. First, the concept of consenting is nowhere documented. Check https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started. Nothing about consenting. What you DO need is the following (from the same source above):

To use Privileged Identity Management, your directory must have one of the following paid or trial licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Microsoft 365 Education A5
- Microsoft 365 Enterprise E5

The correct answer is a couple of questions below, which is to purchase a P2 license.

xofowi5140
Aug 3, 2020

https://journeyofthegeek.com/2018/05/29/exploring-azure-ad-privileged-identity-management-pim-part-2-setup/

kishoreg
Apr 3, 2020

"Conduct access reviews to ensure users still need roles". It's clearly written.

babacandy
May 11, 2020

Solution Answer is confusing. To create access review a user should be in "Privileged Role Administrator" role. Reference : https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review

Prash85
Jun 6, 2020

To create access review PIM should be enabled which is why the answer is correct.

Abhiatms02
Jun 28, 2020

Privileged Identity Management (PIM) to create access reviews for "privileged Azure AD" roles. So No.

dips31089
Aug 7, 2020

The answer to all the questions in this series is No. The scenario assumes you are a Global Admin. If you consent to PIM and enable, only you get the Priv Role Admin. Admin1 won't. Assigning Global Admin role won't work either. They need Priv Role Admin. AD Premium P2 or any license is not needed for creating access reviews.

deyc
Sep 29, 2020

1- Create an access review of groups and applications in Azure AD access reviews
Prerequisites: Azure AD Premium P2; Global administrator or User administrator

2- Create an access review of Azure AD roles in Privileged Identity Management
Pre-requisite: Privileged Role Administrator

If I read the question correctly, the access is for groups and apps and not for AD roles... If this is the case, the answer is NO

azureexaminer
Jun 29, 2020

Enable Privileged Identity Management

As part of the planning process, you must first CONSENT to and enable Privileged Identity Management by following our start using Privileged Identity Management article. Enabling Privileged Identity Management gives you access to some features that are specifically designed to help with your deployment. (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan)

azureexaminer
Jun 29, 2020

Ignore my comment above. I just reread that all ID settings are available, which indicates that ID is already in place.

magpi
Sep 11, 2020

I feel you are right. You have to augment your privileges and enable User Administrator role.

xofowi5140
Aug 3, 2020

Before you can begin using AAD PIM, you’ll need to purchase a license that includes the capability. - There is no Info about the Azure AD license. Upon opening AAD PIM for the first time, you’ll receive a consent page as seen below. The consent process requires confirmation of the user’s identity using Azure MFA. If the user isn’t enabled for it, it will be configured at this point.

sharonh
Feb 23, 2021

Admin1 is a user administrator so he can create access reviews: https://docs.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews I go with PIM

Showkat
Dec 25, 2021

The answer is NO. You can create access reviews in PIM, however with proper privileges; you must have either the global admin or Privileged role administrator role assigned before you create.

Showkat
Dec 25, 2021

docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review