AZ-303 Exam QuestionsBrowse all questions from this exam
Go to Exam

AZ-303 Exam - Question 141

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You assign the Global administrator role to Admin1.

Does this meet the goal?

Show Answer
Correct Answer: A

Assigning the Global administrator role to Admin1 would ensure that Admin1 can create access reviews. The Global administrator role has the highest level of access in Azure AD and includes permissions to manage all aspects of Azure AD, including access reviews. Since the issue is a permission-related one where Admin1 is unable to access the Access reviews settings despite having other relevant roles, elevating Admin1 to a Global administrator would grant the necessary permissions to create and manage access reviews.

Discussion

26 comments
Sign in to comment
lolo13698
Jun 2, 2021

It should be NO. The questions says the user is already member of "user administrator" which is a prerequisite for Access Review. So giving the user the global admin role can't be the answer. Something else is needed (maybe the P2 licence)

Myfeltf65
Jun 3, 2021

Answer is correct https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

gizda2
Oct 1, 2021

this is a perfect example of how a totally false answer can be the highest voted....

examineezer
Oct 4, 2021

You are right. It should be YES. From below: Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#how-many-licenses-must-you-have

hogtrough
Oct 15, 2021

That doesn't explain how giving global administrator rights would solve the issue though, it just explains that license is not the issue. Both user administrators and global administrators can perform these tasks, so since the user is already a member of user administrator, global administrator provides no additional value.

vvvlloydvvv
Nov 23, 2021

You are correct that the person setting the access review doesn't require a P2 license. However, the tenant does require a P2 license. Otherwise, no users will be available to conduct the review.

hogtrough
Oct 15, 2021

That doesn't explain how giving global administrator rights would solve the issue though, it just explains that license is not the issue. Both user administrators and global administrators can perform these tasks, so since the user is already a member of user administrator, global administrator provides no additional value.

vvvlloydvvv
Nov 23, 2021

You are correct that the person setting the access review doesn't require a P2 license. However, the tenant does require a P2 license. Otherwise, no users will be available to conduct the review.

examineezer
Oct 4, 2021

You are right. It should be YES. From below: Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#how-many-licenses-must-you-have

hogtrough
Oct 15, 2021

That doesn't explain how giving global administrator rights would solve the issue though, it just explains that license is not the issue. Both user administrators and global administrators can perform these tasks, so since the user is already a member of user administrator, global administrator provides no additional value.

vvvlloydvvv
Nov 23, 2021

You are correct that the person setting the access review doesn't require a P2 license. However, the tenant does require a P2 license. Otherwise, no users will be available to conduct the review.

hogtrough
Oct 15, 2021

That doesn't explain how giving global administrator rights would solve the issue though, it just explains that license is not the issue. Both user administrators and global administrators can perform these tasks, so since the user is already a member of user administrator, global administrator provides no additional value.

Azurefox79
Nov 18, 2021

Incorrect - the key here is that they have the correct role for access reviews and also since the other identity gov options are there they have the correct license. PIM is needed but you have to configure PIM. To configure PIM you must be a GA, i've done this several times. Then you can use access review.

gizda2
Nov 24, 2021

This one!

vvvlloydvvv
Nov 23, 2021

You are correct that the person setting the access review doesn't require a P2 license. However, the tenant does require a P2 license. Otherwise, no users will be available to conduct the review.

gizda2
Nov 24, 2021

This one!

tmfahim
Jan 2, 2021

should be "Yes"

SyntaxError
Jan 3, 2021

Please see comments here: https://www.examtopics.com/discussions/microsoft/view/13260-exam-az-300-topic-16-question-5-discussion/

TSMRE
Jun 8, 2021

On exam 6/7/21, I said yes and passed the exam

Anu2020
Jun 12, 2021

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

jd94
Jun 12, 2021

6/12/2021. Passed the exam. YES

Thisismynickname001
Aug 30, 2021

Access Review prerequisites: > Azure AD Premium P2 > Global administrator or User administrator > Microsoft 365 and Security group owner (Preview) https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review#prerequisites If you are Global Administrator without a license and you try to use Access Review you'll see following error: Tenant does not have a valid license (EMS E5 or P2) required for Access reviews.

Sam_997
Oct 19, 2021

Just tested this in my subscription as a global admin. You need a P2 licence and Global or User admin rights. The answer should be NO

spiraltrip
Feb 15, 2021

The question is about creating access reviews, not responding do it. To create access reviews, either you: 1. Azure AD Premium 2 2. Global Administrator or User Administrator You still need to purchase Azure AD Premium 2 for each of the user that requires an access review. So the answer should be "Yes"

malyaban
Mar 18, 2021

Answer should be yes but remember they now mention precisely that to create an Access Review you don't need Any P2 license. Otherwise 2 questions will have Answer Yes ;-)

malyaban
Mar 15, 2021

Answer is YES i.e. incorrect first we do not need P2 for creating Access Reviews, even if you provide P2 still the creation needs global admin or privileged role admin. Here Global admin is being given. https://developer.microsoft.com/en-us/graph/blogs/retrieving-azure-ad-access-reviews/

[Removed]
Mar 29, 2021

i think you are correct and that link confirms it, the question because admin1 attempts to create an access review and see that settings are unavailable to him because tenant is not onboarded yet as he is the User Admin already that means he can create access reviews but onboarding can only be done by global admin no matter the license. So this answer is yes and the one for P2 license is No

demonite
Apr 6, 2021

Answer is No https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

praveen_617
May 16, 2021

Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#how-many-licenses-must-you-have

network_zeal
Aug 10, 2021

Answer is YES, as per Microsoft documentation, Azure AD Premium P2 licenses are NOT required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews.

kumarts
Aug 25, 2021

Answer is Yes, refer https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

azurecert2021
Jan 7, 2021

Answer should be yes as Azure AD Premium P2 license is not required for Global Administrator or User Administrator roles ,license is only required for User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience Using this feature requires an Azure AD Premium P2 license. Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews. You can recertify the role assignment users in Azure AD roles such as Global Administrators, or Azure resources roles such as User Access Administrator in the Azure AD Privileged Identity Management (PIM) experience. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

nexnexnex
Jan 10, 2021

should be yes, but by the different reason: - since we can use other IG options, it means we have P2 license - but initial PIM onboard should be done by Global Admin, User Admin is not enough

user110819801
Jan 19, 2021

The answer should be Yes. The two previous questions were a No because the tenant still have to be onboarded to access reviews. In this case, the user is given the Global Administrator role, which allows him or her to onboard the tenant to access reviews.

pentium75
Jul 12, 2021

No because question is not whether making him Global Administrator allows him to onboard the tenant, but whether making him Global Administrator makes him see "Access Reviews" panel.

rsaintt
Apr 27, 2021

option A - Yes : https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review

QiangQiang
May 1, 2021

It's Yes, Prerequisites of creating access reviews: Azure AD Premium P2 (Other IG features are available meaning P2 license exists) Global administrator or User administrator https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

saumenP
May 15, 2021

But the question says user is already a member of "user administrator". So making him Global administrator also doesn't make any sense. What he is missing is one of the prerequisite "P2" license. So answer should be NO

azurellc
May 16, 2021

On exam 5/15/2021

Ario
Jun 6, 2021

Correct answer is Yes - user has Global Admin which is required and also P2 License already there.

topicks
Jun 19, 2021

Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews

akp1000
Jun 23, 2021

Anser is Yes. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

crazyaboutazure
Jul 10, 2021

Answer is NO but reason is tenant is onboarded not given which is a requirement. After that if you want to create access review for AD role you need P2 license which is given in question and then you need to have either global or privileged admin role. User admin is suitable for creating access review for app and app group. Period.

gizda2
Oct 1, 2021

where did you read that "a user named Admin1" is privileged admin?

syu31svc
Aug 28, 2021

Answer is No https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

mj4
Aug 29, 2021

User administrator should have required permission, if not ask him to use access review in PIM Answer is B. No for all three questions

mj4
Aug 29, 2021

going with Yes, If Service admin cant get his access, then we need to give higher permission which is Global admin.

gcpbrig01Option: B
Dec 10, 2021

Being Global administrator still not help as the tenant needs to be onboarded for access first. hence the answer is no.

gcpbrig01
Dec 10, 2021

access review*

therealss
Dec 28, 2021

i believe the answer is yes. another poster mentioned that you already know you have P2 license installed from what you can see on the screen already. so by adding Global Admin role (plus we inferred P2 license is already present) that should be enough to enable the reviews.

ishin999
Jan 8, 2022

I think there may be a bit of confusion here....The answer is NO... My understanding of this is that P2 is required at the tenant level...you don't have to allocate a P2 licence to Global admin or User admin to use access review....BUT...you need to allocate any other user a P2 licence out of the licencing pool to allow them to set up access reviews....The fact in this case that the user mentioned has "user admin" already and can't use access reviews indicates that the tenant does not have P2....granting GA will not meet the requirement