ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-300 All Questions

View all questions & answers for the AZ-300 exam
Go to Exam

Exam AZ-300 topic 16 question 5 discussion

Actual exam question from Microsoft's AZ-300
Question #: 5
Topic #: 16
[All AZ-300 Questions]

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.
You need to ensure that the Admin1 can create access reviews in contoso.com.
Solution: You assign the Global administrator role to Admin1.
Does this meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
✑ Conduct access reviews to ensure users still need roles
References:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
by turtle666 at Feb. 2, 2020, 7:54 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
SaurabhAzure
Highly Voted 5 years, 2 months ago
the answer should be yes. As because global administrators can perform access review. We do not need P2 license for global administrators
upvoted 10 times
riyamalin
5 years, 2 months ago
prerequisites for access review are: Azure AD Premium P2 Global administrator or User administrator ref : https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 6 times
milind8451
5 years, 1 month ago
Still I would go with Yes because if P2 license wasn't assigned then Access reviews setting would not be visible but greyed out. Since it is visible, that means P2 is assigned.
upvoted 2 times
...
...
Barry123456
4 years, 11 months ago
little bit like killing an ant with a bazooka though. overkill and may cause collateral damage.
upvoted 1 times
...
anupam77
3 years, 11 months ago
But user is part of User Admin role. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#how-many-licenses-must-you-have "Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews."
upvoted 1 times
...
...
gboyega
Highly Voted 4 years, 10 months ago
A is the correct Answer No licenses are required for the users with the Global Administrator or User Administrator roles that set up access reviews, configure settings, or apply the decisions from the reviews.
upvoted 8 times
...
deyc
Most Recent 4 years, 8 months ago
1- Create an access review of groups and applications in Azure AD access reviews Prerequisites Azure AD Premium P2 Global administrator or User administrator 2- Create an access review of Azure AD roles in Privileged Identity Management Pre-requisite: Privileged Role Administrator If I read the question correctly, the access is for groups and apps and not for AD roles... If this is the case, the answer is NO because PIMS P2 is also required
upvoted 1 times
...
basak
4 years, 8 months ago
to access review rules the user should have PIM license. So B is correct https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 1 times
basak
4 years, 8 months ago
Correction: Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 2 times
lucaribou
4 years, 8 months ago
So the answer should be yes
upvoted 1 times
...
...
...
cttay71
4 years, 9 months ago
Scenario 1: i tried creating admin1 with Global Administrator role or User Administrator role only and I am not able to create Access Review. Scenario 2: I create admin with User Admin role with Azure AD Premium P2 licenses enabled. I am able to create Access Review. Therefore, Azure AD Premium P2 is required whether you are global administrator or user administrator. Since questions already mentioned admin1 has User Administrator role, he should be able to create access review. But he could not. So my answer is NO My Answer is NO.
upvoted 6 times
...
arseyam
4 years, 9 months ago
When you enable Access Reviews for the first time, you have to click on Onboard Now, which enables access reviews for the Azure AD directory. Note that if you don’t complete this step, the Overview page of access reviews will report an error Tenant is not onboarded for Access Reviews feature. Below is a great article to clear the confusion https://campbell.scot/getting-started-with-azure-ad-identity-governance-part-2-access-reviews/
upvoted 1 times
...
BEB
4 years, 9 months ago
Answer is NO. Privileged Role Administrator is required to Create an access review. see https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review "You can use Azure AD Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles. You can also configure recurring access reviews that occur automatically." "Prerequisites Privileged Role Administrator"
upvoted 2 times
...
Jer0i
4 years, 10 months ago
Answer is B https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim The Global administrator who enables Privileged Identity Management (PIM) for an organization automatically get role assignments and access to Privileged Identity Management. No one else in your Azure Active Directory (Azure AD) organization gets write access by default, though, including other Global administrators. Other Global administrators, Security administrators, and Security readers have read-only access to Privileged Identity Management. To grant access to Privileged Identity Management, the first user can assign others to the Privileged Role Administrator role. It says "...No one else in your Azure Active Directory (Azure AD) organization gets write access by default, though, including other Global administrators." So even though you assign Admin1 as the GA, he still will not have access to PIM
upvoted 4 times
...
addy007
4 years, 11 months ago
Ans: B, https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
upvoted 1 times
...
[Removed]
4 years, 11 months ago
Creating access review on a group that can be assigned to Azure AD role If you are on the newest version of Access Reviews (your reviewers are directed to My Access by default) , then only Global Administrator can create access review on role-assignable groups. However, if you are on older version of Access Reviews (your reviewers are directed to the Access Panel by default), then both Global Administrator and User Administrator can create access review on role-assignable groups.
upvoted 2 times
...
thirstylion
5 years ago
Answer is A (Yes) No licenses are required for the users with the Global Administrator or User Administrator roles that set up access reviews, configure settings, or apply the decisions from the reviews.
upvoted 1 times
...
Prash85
5 years ago
This question doesn't talk about licenses instead it is focused on the roles and its privileges... Global Admin can create access review.. answer is YES
upvoted 2 times
...
BalaMurugesan
5 years ago
YES - "Programs and access review results are visible to users in the Global administrator, User administrator, Security administrator, or Security reader role." https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 2 times
...
Pigi_102
5 years ago
From: https://azure.microsoft.com/en-us/pricing/details/active-directory/ Premium P2 is the only license with Access Review Option. Moreover, from https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview , License Requirement: "Using this feature requires an Azure AD Premium P2 license." So the answer is NO.
upvoted 1 times
...
Bluediamond
5 years, 2 months ago
https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review
upvoted 1 times
...
turtle666
5 years, 4 months ago
Azure AD Premium P2 licenses are not required for the following tasks: No licenses are required for the users with the Global Administrator or User Administrator roles that set up access reviews, configure settings, or apply the decisions from the reviews. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 3 times
keithtemplin
5 years, 1 month ago
turtle666 copied the text straight from the referenced link
upvoted 1 times
tartar
4 years, 8 months ago
B is ok
upvoted 1 times
...
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel