HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Tested in lab Correct Answers: User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserB = No Created Group 1 and Group 2, added Group 2 as a member in Group 1, Added guest Accounts to Group 1 and Group 2, In the Access Review results only the Guest Accounts in Group 1 appeared for review and "Not" the Guest accounts in Group 2.
I tested this scenario today (14 Jul 2022) and noticed User1 and UserB both appeared for review and can take approve/decline action on both of them from User3 account.
User 3 can perform an access review of User B: YES This is why: At this time, the following scenarios are supported with nested groups: 1.One group can be added as a member of another group, and you can achieve group nesting. 2.Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included. 3.Conditional access (when a conditional access policy has a group scope). 4.Restricting access to self-serve password reset. 5.Restricting which users can do Azure AD Join and device registration. https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
This seems to be supported by the statement provided here by Microsoft themselves: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review#approve-or-deny-access.
No, No, Yes Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not remove their membership to the nested group and therefore they will retain access to the role being reviewed. So, it will maintain the access.
I'm seeing this repeated over and over again without people actually understanding what this is about. The sentence does not state anything about being able to REVIEW this user. Instead, this is about not applying changes made during a review process to a user from a nested group. The section in the documentation is called "Apply the changes" and not "Retrieve the results", what this question is actually about.
Just tested it and good answers are: No-No-Yes!
I'm seeing this repeated over and over again without people actually understanding what this is about. The sentence does not state anything about being able to REVIEW this user. Instead, this is about not applying changes made during a review process to a user from a nested group. The section in the documentation is called "Apply the changes" and not "Retrieve the results", what this question is actually about.
No No Yes is the correct answer! "If a group is assigned to Azure resource roles, the reviewer of the Azure resource role will see the expanded list of the users in a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully because the user will not be removed from the nested group." See https://learn.microsoft.com/en-us/entra/id-governance/complete-access-review This means that users from nested groups are included in the review but applying a "deny" change won't have any effect on them.
Access Review supports nesting of groups.
User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews. Review1 reviews access for guest users who are member of Group1. The group owner is specified as the reviewer. User3 is the owner of Group1. User2 is the only guest user in Group1. Note: Dynamic groups and nested groups are not supported with the Access review process. Reference: Create an access review of groups and applications in Azure AD access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
in think it NNY, guest users are included in nested groups, its not excluded in the link you provided
U R right and Armina is WRONG..see my comments
You're right. Look for possible scenarios with nested groups here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
U R right and Armina is WRONG..see my comments
You're right. Look for possible scenarios with nested groups here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
When you add a nested group to another group, the members of the nested group do not inherit the ownership or administrative privileges of the parent group. The owners of the parent group do not automatically become owners of the nested group. Explanation in: https://www.youtube.com/watch?v=O032Kz-5R2Q&list=PLlKA5U_Yqgof3H0YWhzvarFixW9QLTr4S&index=18
I have tested this particular question in a lab: I created Group 1 and Group 2. I created User 3 and made it owner of Group 1. I created a normal user in Group 1, a guest user in Group 2. Group 2 was made a member of Group 1, and when I ran an Access Review with the Guest checkbox ticked. I successfully was able to see User 2 ( guest ) on the results, meaning that nested groups will also get checked. Answer is NNY.
User3 can perform an access review of User1: NO User3 can perform an access review of UserA: NO User3 can perform an access review of UserB: YES Without testing I believe that Access Review Policies work with Nested groups.
For sure NNY Actually you can include as many as nested groups, there is not restriction from what i can read and find BUT there is definitely restriction on the action to the result of the preview i.e. If user A is part of a nested group i.e. he is member of Group B which is Member of group A, then is access was configured to be denied it will NOT take effect and userA will still retain the original access. Hence in SUMMARY Users in nested groups can be reviewed but NO action against them can be taken Please read this from Microsoft and read the link
IMPORTANT Note Some denied users are unable to have results applied to them. Scenarios where this could happen include: **Reviewing members of a synced on-premises Windows AD group: If the group is synced from on-premises Windows AD, the group cannot be managed in Azure AD and therefore membership cannot be changed. **Reviewing a resource (role, group, application) with nested groups assigned: For users who have membership through a nested group, we will not remove their membership to the nested group and therefore they will retain access to the resource being reviewed. **User not found / other errors can also result in an apply result not being supported. https://docs.microsoft.com/en-us/azure/active-directory/governance/complete-access-review
Correction of last answer User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /Yes Last one is YES, because Group 2 is a member of Group 1 , so we can say that User-B is a guest also for Group 1
I just tested this and the provided answer is correct: NNY. Because group2 is nested in group1, it will show up in the review.
Why are you and AlleyC getting different results from your test of the same issue? Also, why did you state " it will show up in the review", instead of "it SHOWED up in the review"?, since you actually performed the test. We are here to learn, not notch up points.
User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /Yes Last one is YES, because Group 2 is a member of Group 1 , so we can say that User3 is a guest also for Group 1.
Answer is correct - The scope is set to GUEST users only. So User3 cannot perform an access review of User1 and UserA as they are Members. Group2 is a member of Group1 so the access review is inherited
Tested on 14th Jul 2022 Access Review under User3 login showed up User2 and UserB and I was able to approve/decline both of them. Out of curiosity, I added an additional user UserC as owner under Group2 to check whether UserC be able to do a review for at least UserB, but there were no Access Reviews appearing in UserC login. Probably because the Access Review was set only for Group1 owner and not Group2.
Seems like NO NO YES is a correct answer. Nested groups are supported within this particular scenario (https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions).The only thing we need to consider is whether user is a guest or not.
the ans is correct. N N Y. Tested
Tested in lab User3 can only perform an access review of User2 and UserB. reason: User3 is the owner of Group1,User2 and UserB are Guest users in Group1, UserB is member of Group2 and Group2 is member of Group1 so UserB is the Guest user of Group1 the access review Review1 states that the reviewer is the owner of Group1 and the scope is the Guest user only
No - No - Yes. group1 user1 (member) user2 (guest) user3 (owner) group2 userA (member) userB (guest) group1 = group2 + * Review1 member of a group - guest user only user2, userB group_owner (user3) user3 access review user1 --> no user3 access review userA --> no user3 access review userB --> yes.
User3 can perform an access review of UserB = Yes Reference: 1. Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access 2. Microsoft 365 and Security group owner can create access review https://learn.microsoft.com/en-us/entra/id-governance/create-access-review
User3 can perform an access review of User1. No User3 can perform an access review of UserA. No User3 can perform an access review of UserB. No User 3 can not perform an access review of UserB, because only guests of Group 1 are reviewed not the members and Group 2 is a member of Group 1.
I did this exact access review in the portal ... There were 2 users included in the review: User2 and UserB so correct answers are NNY
The correct answer is No No Yes. As Group 2 is a member of Group 1. Previously Mlatonis said the same.
User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /Yes
Question: If User 3 is the OWNER of GROUP 1, wouldn't he be able to review access for both user 1 and user 2? Does OWNER not give you additional permissions that aren't being specified in the access review?
The answer is No, No and No......Yes the user (User B) will show up in the access review, but the membership of the group (Group 2) will not be removed. This is the text from Microsoft: "Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not remove their membership to the nested group and therefore they will retain access to the role being reviewed" Of course if by "Review" you only think of "Show me a list", then the answer is No, No, Yes
So confused. You said userB will show up in the access review, implying the review can be performed on them (the results just cant be applied to them--but the question wasnt asking if the results of the review could be applied or not, just that the review could be performed on them)
In the Users section, specify the users that the access review applies to. Access reviews can be for the members of a group or for users who were assigned to an application. You can further scope the access review to review only the guest users who are members (or assigned to the application), rather than reviewing all the users who are members or who have access to the application. Present Use Case: Group2 is a member of Group1 and User3 is the owner of Group1 So User3 can review both Group 1 and 2. But for review the scope says only Guest. Solution: User1 is a member not a guest so 1st statement ==> NO UserA is member not the guest so 2nd statement ==> No UserB is a guest so 3rd statement ==> Yes Reference: https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Answer is No, No, Yes. Please see exibit: only Guest is selected in this given scenario.
Created same setup: User2(guest) of Group1 UserB(guest) of Group2 both were eligible for Review by User3 of Group1(Owner of Group1)
Supplied answer is correct. The review will include UserA, but UserA cannot be removed if access is deemed unjustified as they belong to a group that has been given access. The issue not discussed here is what actions are specified in the review. If the actions were to remove users, then the answer would be No, No, No.
No, no, Yes. The reviewer is set group owner. User 3 is a group owner. It states that reviewer selection = Use this option to designate a specific user to complete the review. This option is available regardless of the scope of the review, and the selected reviewers can review users, groups and service principals. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-roles-and-resource-roles-review
Apparently the answer is NO-NO-YES. Although MS Learn states that access reviews for users with permissions through nested groups won't have any effect. But those users will show up for review. Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access
Even without much technical knowledge, you can answer this question correctly by applying basic comprehensive reading skills. User3 is Group 1 OWNER, Group 2 is MEMBER of Group 1, User3 can perform access reviews on GUESTS ONLY. Correct answer is: No No Yes
The answer does, in fact, appear to be NNY. I created an access review just now scoped to review just the guest users of a group I had called Lab Administrators. All the members added directly to Lab Administrators were other groups, and the only result I got from the access review was the one guest user I had as a member of one of the nested groups.
Can someone help me understand this a little better as I choose yes for the first 2 answers and no last.
Since the Group2 is Member of Group1 Include and the members of Group 2
NNY is the answer. https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review Now you can select a scope for the review. Your options are: - Guest users only: This option limits the access review to only the Azure AD B2B guest users in your directory.
I'll go with No, No, No. Reference this link, user will not be removed from a nested group. They can be reviewed but no action will occur if trying to remove them: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review
Im so confused, the question is asking if user3 can perform a review on userB, not if user3 can remove userB
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review UserA will be reviewed but cannot be removed as they are in a nested group.
Sorry - UserB
TBH, the answers can be NNN because ownership permissions on groups are not inherited.
Answer is No, No, Yes. Users and groups Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Microsoft Entra ID, including dynamic or assigned security and distribution groups. Policy is applied to nested users and groups. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups
3) NO because nested group
Wrong No No No it´s specified to review only "Guest users" User1 = Member UserA = Member UserB = is in Group2 which is a Member of Group1
User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Explanation for User3 can perform an access review of UserB. /No Note In a team or group access review, only the group owners (at the time a review starts) are considered as reviewers. During the course of a review, if the list of group owners is updated, new group owners will not be considered reviewers as well as old group owners will still be considered reviewers. However, in the case of a recurring review, any changes on the group owners list will be considered in the next instance of that review. https://learn.microsoft.com/en-us/entra/id-governance/create-access-review Create a single-stage access review => Next: Reviews
No, No, Yes Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed.
User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserB = Yes Created Group 1 and Group 2, added Group 2 as a member in Group 1 https://imgur.com/a/2DTRhVb https://learn.microsoft.com/en-us/entra/id-governance/create-access-review In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users
the Access Review is set to Guest user Only So can review access only on user2 and user B
didnt understand the logic at all, i am looking in a different perspective. Group 2 is member of Group1.
This is SC300 question, access review need Azure AD P2, why related to AZ 104 ?
It is NNY. U3 can review the access guest users of G1 which also includes Group2. User B is the guest of G2 and hence U3 can review the access of UB.
User3 can perform an access review of UserB. /No Sorry but i cannot seem to find supporting information that does not support nested group. Seek some advise. Thanks in advance
Read the question in a different way. Group2 is a member of Group1 and Group1 owner is User3. User 3 should able to review the access permission of guests and members. mean User1, UserA and UserB.
Read the question in a different way. Group2 is a member of Group1 and Group1 owner is User3. User 3 should be able to review the access permission of members. meaning User1, UserA not UserB, because he is a guest. Kindly correct me.
Correct answers: User3 can perform an access review of User1: NO User3 can perform an access review of UserA: NO User3 can perform an access review of UserB: YES
Agree with No, No, No. Only guests are reviewed not members. Users in nested groups are not reviewed according to MS article; https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review
Where does it say only guests are reviewed and not members!?!?!?
Read the question again!
it says the access review CAN be performed on users, but certain users cannot have results applied to them.
No, the scope is only applied to guest users. See below article for referance https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review
It say: Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not remove their membership to the nested group and therefore they will retain access to the role being reviewed. So, it will maintain the access.
It say: Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not remove their membership to the nested group and therefore they will retain access to the role being reviewed. So, it will maintain the access.
Read the question again!
It say: Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not remove their membership to the nested group and therefore they will retain access to the role being reviewed. So, it will maintain the access.
NNN User 3 is the owner of G1, not G2
AS per the article nested group Access Review is not supported, can someone have a look and share there thoughts https://www.enowsoftware.com/solutions-engine/azure-active-directory-center/first-look-at-access-reviews-for-office-365-groups-and-applications
Advice for everyone, who is going to say NO for third option. Do the lab and see. Both guests are available for review in this scenario.
correct Answer : NNY User3 is the owner of Group1. Group1 owners can be REVIEWRS Users to be REVIEWED : GUEST ONLY USERS USER1 IS NOT GUEST - NO USER A - IS NOT GUEST - NO USER B - IS GUEST - So YES
NNY User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User 3 can perform an access review of User B: Yes Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review will not remove their membership to the nested group and therefore they will retain access to the role being reviewed. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access The question is not about access being maintained. It is only about the ability to review.
3) - YES - If a group is assigned to Azure resource roles, the reviewer of the Azure resource role will see the expanded list of the users in a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully because the user will not be removed from the nested group. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-complete-roles-and-resource-roles-review
You have to be global administrator to create reviews : "Global administrator or Identity Governance administrator to create reviews on groups or applications." https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review So : No, No, No
These roles only required to create the access review! You don't need these roles to perform the review
In this case. From the setting. We focus on Guest users only. User 1 is not a guest member. (No) User A is not a guest member. (No) User B is a guest member. (Yes) For setting understanding: https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review For step-by-step explanation: https://www.youtube.com/watch?v=O032Kz-5R2Q&t=1s
I think that the simple solution here is this: No/No/Yes Reason is that the review in the picture points out that it's only searching for Guest users and User B is the Only quest user from the answer area. User 1 is a member and User A is a member
(Typo- User B is a guest user, not quest) The criteria for the creation of the review: Look at the picture and look for "Users". you will then find the scope is set to "Guest Users only".
CORRECT
User 3 CANNOT perform an access review of User B: "Common scenarios in which certain denied users can't have results applied to them may include the following: ... Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. " From: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review
It says that they retain access not but that is after they have been reviewed so User3 can review them just can't do anything about it
Final Answer: No No NO
For this round going with NNY
N,N,Y The question is only asking if User3 can perform access review and not removal. Per MS: In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users. If a user is flagged for removal due to their membership in a nested group, they will not be automatically removed from the nested group, but only from direct group membership.
NNY Answer is correct From ms doc: In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users. If a user is flagged for removal due to their membership in a nested group, they will not be automatically removed from the nested group, but only from direct group membership.
Go through this very carefully, It is the correct answer with logic: Statement 1: User3 can perform an access review of User1 Answer: No Reason: User1 is a member-type user, and scope is “guest users only” Statement 2: User3 can perform an access review of UserA Answer: No Reason: UserA is a member-type user and also, UserA is part of a nested group (Group2), not a direct member of Group1 Statement 3: User3 can perform an access review of UserB Answer: No Even though UserB is a guest, they are in a nested group (Group2), not directly in Group1. Nested group users are not included in the access review Final answer: No, No, No.