HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table:
User3 is the owner of Group1.
Group2 is a member of Group1.
You configure an access review named Review1 as shown in the following exhibit:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
Tested in lab Correct Answers: User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserB = No Created Group 1 and Group 2, added Group 2 as a member in Group 1, Added guest Accounts to Group 1 and Group 2, In the Access Review results only the Guest Accounts in Group 1 appeared for review and "Not" the Guest accounts in Group 2.
great explanation
If group 2 is a member of group 1, do the members of group 2 not get reviewed through that membership ?
This seems to be supported by the statement provided here by Microsoft themselves: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-azure-ad-roles-and-resource-roles-review#approve-or-deny-access.
Access Review supports nesting of groups.
User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews. Review1 reviews access for guest users who are member of Group1. The group owner is specified as the reviewer. User3 is the owner of Group1. User2 is the only guest user in Group1. Note: Dynamic groups and nested groups are not supported with the Access review process. Reference: Create an access review of groups and applications in Azure AD access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
in think it NNY, guest users are included in nested groups, its not excluded in the link you provided
U R right and Armina is WRONG..see my comments
You're right. Look for possible scenarios with nested groups here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions
When you add a nested group to another group, the members of the nested group do not inherit the ownership or administrative privileges of the parent group. The owners of the parent group do not automatically become owners of the nested group. Explanation in: https://www.youtube.com/watch?v=O032Kz-5R2Q&list=PLlKA5U_Yqgof3H0YWhzvarFixW9QLTr4S&index=18
User3 can perform an access review of User1. No User3 can perform an access review of UserA. No User3 can perform an access review of UserB. No User 3 can not perform an access review of UserB, because only guests of Group 1 are reviewed not the members and Group 2 is a member of Group 1.
Even without much technical knowledge, you can answer this question correctly by applying basic comprehensive reading skills. User3 is Group 1 OWNER, Group 2 is MEMBER of Group 1, User3 can perform access reviews on GUESTS ONLY. Correct answer is: No No Yes
User3 can perform an access review of UserB = Yes Reference: 1. Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access 2. Microsoft 365 and Security group owner can create access review https://learn.microsoft.com/en-us/entra/id-governance/create-access-review
3) NO because nested group
Apparently the answer is NO-NO-YES. Although MS Learn states that access reviews for users with permissions through nested groups won't have any effect. But those users will show up for review. Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access
Answer is No, No, Yes. Users and groups Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Microsoft Entra ID, including dynamic or assigned security and distribution groups. Policy is applied to nested users and groups. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups
User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Explanation for User3 can perform an access review of UserB. /No Note In a team or group access review, only the group owners (at the time a review starts) are considered as reviewers. During the course of a review, if the list of group owners is updated, new group owners will not be considered reviewers as well as old group owners will still be considered reviewers. However, in the case of a recurring review, any changes on the group owners list will be considered in the next instance of that review. https://learn.microsoft.com/en-us/entra/id-governance/create-access-review Create a single-stage access review => Next: Reviews
For this round going with NNY
Final Answer: No No NO
The answer does, in fact, appear to be NNY. I created an access review just now scoped to review just the guest users of a group I had called Lab Administrators. All the members added directly to Lab Administrators were other groups, and the only result I got from the access review was the one guest user I had as a member of one of the nested groups.
User 3 CANNOT perform an access review of User B: "Common scenarios in which certain denied users can't have results applied to them may include the following: ... Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. " From: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review
It says that they retain access not but that is after they have been reviewed so User3 can review them just can't do anything about it
CORRECT
Such kind of question go against well architected framework. SMH
I think that the simple solution here is this: No/No/Yes Reason is that the review in the picture points out that it's only searching for Guest users and User B is the Only quest user from the answer area. User 1 is a member and User A is a member
(Typo- User B is a guest user, not quest) The criteria for the creation of the review: Look at the picture and look for "Users". you will then find the scope is set to "Guest Users only".
In this case. From the setting. We focus on Guest users only. User 1 is not a guest member. (No) User A is not a guest member. (No) User B is a guest member. (Yes) For setting understanding: https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review For step-by-step explanation: https://www.youtube.com/watch?v=O032Kz-5R2Q&t=1s