Exam AZ-300 topic 16 question 4 discussion

'Consent to PIM' does not enable access review feature.

Please note there are 2 types of access reviews: Access review under Azure AD -> Identity Governance https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review Prerequisites: Azure AD Premium P2 Global administrator or User administrator Purpose: Create access reviews for group members or application access Access review under PIM -> Access review https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review Prerequisites: Privileged Role Administrator (and also P2 license, consent to PIM etc.) Purpose: Create access reviews for privileged Azure resource roles As the question is stating "Admin1 discovers that all the other Identity Governance settings are available", I think we are talking about AAD access review type and what's missing there is "Onboarding", probably the scenario is the tenat hasn't been oboarded for access reviews, this is old view but see screenshot for the overview(https://i0.wp.com/wpac.blob.core.windows.net/wpstorage/2019/03/030619_1438_Accessrevie1.png?w=1240&ssl=1). Hence IMO the answer is NO.

The answer is NO, you can create access reviews in PIM, however with proper privileges, you must have either global admin or Privileged role administrator role assigned before you create .

admin1 is a user administrator so he can create access review s: https://docs.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews i go with PIM

1- Create an access review of groups and applications in Azure AD access reviews Prerequisites Azure AD Premium P2 Global administrator or User administrator 2- Create an access review of Azure AD roles in Privileged Identity Management Pre-requisite: Privileged Role Administrator If I read the question correctly, the access is for groups and apps and not for AD roles... If this is the case, the answer is NO

The answers to all the questions in this series is No. The scenario assumes you are a Global Admin. If you consent to PIM and enable, only you get the Priv Role Admin. Admin 1 wont. Assigning Global Admin role wont work either. They need Priv Role Admin. AD Premium P2 or any license is not needed for creating access reviews.

Before you can begin using AAD PIM, you’ll need to purchase a license that includes the capability. - There is no Info about the Azure AD license. Upon opening AAD PIM for the first time, you’ll receive a consent page as seen below. The consent process requires confirmation of the user’s identity using Azure MFA. If the user isn’t enabled for it, it will be configured at this point.

The answer is INCORRECT. First, the concept of consenting is no where documented. Check https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started. Nothing about consenting. What you DO need is the following (from the same source above): To use Privileged Identity Management, your directory must have one of the following paid or trial licenses: Azure AD Premium P2 Enterprise Mobility + Security (EMS) E5 Microsoft 365 Education A5 Microsoft 365 Enterprise E5 The correct answer is a couple of questions below, which is to purchase a P2 license.

B is the correct answer

Enable Privileged Identity Management As part of the planning process, you must first CONSENT to and enable Privileged Identity Management by following our start using Privileged Identity Management article. Enabling Privileged Identity Management gives you access to some features that are specifically designed to help with your deployment. (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan)

Privileged Identity Management (PIM) to create access reviews for "privileged Azure AD" roles. So No.

To create access review PIM should be enabled which is why the answer is correct.

YES - correct to use Access Review you need to be Global Administrator or User Administrator

Solution Answer is confusing. To create access review a user should be in "Privileged Role Administrator" role. Reference : https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review

"Conduct access reviews to ensure users still need roles" its clearly written