Exam MS-102
Question 61

HOTSPOT -

You have a Microsoft 365 E5 subscription.

From Azure AD Privileged Identity Management (PIM), you configure Role settings for the Global Administrator role as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
amurp35

1) 15 days. The user is Assigned the role in active state. The active assignment expires after 15 days, as shown in the config details. 2) the role can be made available to activation requests for 3 months. This is because the role assignment can be an Eligible assignment and an Eligible assignment is configured to expire after 3 months. Eligible assignments require themselves to be activated just in time by the assignee within the 3 month period. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-add-role-to-user

amurp35

meant to reference this 2nd link as well that completely clarifies the point: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings?source=recommendations

Shloeb

Correct. Others are misunderstanding this. 8 hours is meant for the activation request not the actual assignment.

omnomsnom

Sorry, but you have misinterpreted the documentation. The 'activation maximum duration' setting is how long the role is active for after activation (with or without approval), it has nothing to do with how long an activation request can sit there waiting for approval. Also, note that the user must already have the role assigned as eligible for them to activate the role to start with. Best wishes.

santi32

A user that is assigned the Global Administrator role as active [will lose the role after 15 days]. You can make the Global Administrator role available to activation requests [for up to eight hours].

Vaerox

Agreed!

mikl

Agree here.

m2L

Hello Guys, according to the link below, 8 hours is just the required time for the admin to activate the role if a user requests it. For example: if User1 requests an admin role, the PIM admin has 8 hours to activate the role for User1. 8 hours after the request of User1, if the admin doesn't activate the role for him, the request will expire and User1 has to request again. But if the admin activates the role for User1 within 8 hours, User1 will have 15 days to do his job. After 15 days he will lose the role. https://learn.microsoft.com/fr-fr/entra/id-governance/privileged-identity-management/pim-how-to-change-default-settings

Nyamnyam

Correct answers are: A user that is assigned the Global Admin role *as active*: will lose the role after 15 days. You can make a Global Admin role available to *activation requests*: for up to eight hours. People often misunderstand the difference between the Activation section and the Assignment section. Keyword "activation" is always the process of elevation from eligibility to active assignment, and is regulated via "Activation maximum duration". Keyword "active" is always the "permanent active assignment", and is regulated by "Expire active assignment after".

Casticod

First option correct: 8 hours. The second options are 15 days... https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-renew-extend

nsotis28

First is correct - will lose the role after 8 hours. Second is questionable -- why not 15 days?

cb0900

Re: the second question, agree it would be 15 days in this case. The first question states "A user that is assigned the Global Administrator role as active" and the active assignment is set to expire after 15 days.

CheMetto

Nope! It said "you can make the role GA available to activation request" <- this is an eligible role! 3 months

DONPHYLO

The key point here is that there is no approval, since he is a Global Administrator, so when the user activates the assignment he has 15 days to work before his activation expires after 15 days, at which point the user has to make a new activation request. Note also that he has 3 months of eligibility, that is, 3 months to use the Global Administrator role, after which he will lose this privilege. Answers: 1) 15 days 2) 3 months

spectre786

First one: will lose the role after 8 hours AND can reactivate every 8 hours. Right?

Turlin

Poor wording because 1. the user will lose the role after 15 days, but they can have it activated every 15 days, so both fit. 2. activation requests last for 8 hours, but they can also request activations for the next 3 months. 1. I would go with lose the role after 15 days because they would need privileged role admin to reactivate it or have someone with that role do it. 2. I would go with for up to three months because it talks about how long the user is eligible to make requests. To be the other way it should read available to activation request that last...

mikl

How I see it. 1. will lose the role after 15 days 2. for up to eight hours

Amir1909

Correct

daye

TBH, I think the config is wrong, a PIM profile can be eligible or active but not both, so I don't know why we can see both options. In that case it is eligible, so the role, once it is activated manually, will be active for 8 hours; afterwards, he/she will lose the role (question A). This kind of activation will be available for 3 months (question B)

daye

Nevermind, I confused user assignment with role settings. It would be A) 15 days and B) 3 months

northgaterebel

Atrocious wording. Depending on how you interpret "lose", 3 options in the 1st answer can be valid: will lose the role after 8 hours; can reactivate the role every 8 hours; will lose the role after 15 days. 2nd answer is correct: 3 months

CheMetto

I think this should be the correct lecture: You can activate the role or extend it anytime you want, you don't need to wait the 8 hours, so the correct answer for the first one is after 15 days role will disappear.
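The three durations argued over in this thread are separate PIM role settings. The following is an added example, not part of the exam or of any post above: it maps the Microsoft Graph role management policy expiration rules to those settings and models when a user actually holds the role. The sample rules are constructed, `P90D` standing in for "3 months" is an assumption, and the helper names are hypothetical.

```python
import re
from datetime import timedelta

# Constructed sample shaped like the "rules" array of a Microsoft Graph
# unifiedRoleManagementPolicy. Durations mirror the thread; P90D for
# "3 months" is an assumption.
SAMPLE_RULES = [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
    {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": True, "maximumDuration": "P90D"},
    {"id": "Expiration_Admin_Assignment", "isExpirationRequired": True, "maximumDuration": "P15D"},
]
# Graph rule id -> the portal setting it backs
RULE_KIND = {
    "Expiration_EndUser_Assignment": "activation",  # Activation maximum duration
    "Expiration_Admin_Eligibility": "eligible",     # Expire eligible assignments after
    "Expiration_Admin_Assignment": "active",        # Expire active assignments after
}
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

def parse_duration(text):
    """Parse the day/hour/minute subset of ISO 8601 durations; reject anything else."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def limits(rules):
    """Map each known expiration rule to a timedelta, or None when no expiry is required."""
    out = {}
    for rule in rules:
        kind = RULE_KIND.get(rule["id"])
        if kind:
            required = rule.get("isExpirationRequired", False)
            out[kind] = parse_duration(rule["maximumDuration"]) if required else None
    return out

def within(start, limit, moment):
    """True if `moment` is at or after `start` and before `start + limit` (None = no expiry)."""
    return start <= moment and (limit is None or moment < start + limit)

def holds_role(lim, kind, assigned_at, now, activated_at=None):
    """True if the user holds the role at `now` under the given assignment kind."""
    if kind == "active":
        return within(assigned_at, lim["active"], now)
    # Eligible: activation must fall inside the eligibility window, and the role
    # is then held only for the activation maximum duration.
    return (activated_at is not None
            and within(assigned_at, lim["eligible"], activated_at)
            and within(activated_at, lim["activation"], now))
```

The model does not cover approval workflows or renewal and extension of an assignment.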