Exam MS-500 topic 1 question 22 discussion

If I'm right....(if not, please appreciated someone point me right) #1 Role activation alert is in "Roles" under Assignments (or Assignments in the blade directly), select i.e. Security Admin role and go to notifications section in settings. #2 Despite under Alerts are two triggers that could raise an alert for "Elegible administrators aren't using their privileged roles (<30days)" or "Potential stale accounts in a privileged role (without setting available)" I don't see anywhere an option to automate removal. So, I would answer "Access Reviews" as the only possible way I found to automate action to remove role. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts?tabs=new#administrators-arent-using-their-privileged-roles Additional link: https://docs.microsoft.com/es-es/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts?tabs=new

Given answers are correct 1- Alert 2- Role

#1: Roles #2: Access reviews Pretty sure about this and can be confirmed by testing in lab environments.

This question is outdated. Currently, you would configure this by logging into the Azure portal, opening Privileged Identity Management -> Roles -> (whatever role you want to set the alert for) -> Role Settings. Inside the settings, you'll see a "notifications" tab, which will allow you to set the configuration that meets the requirement. Don't get thrown off by the word "Alert" which you will see elsewhere. Yes, this is an alert, but you configure it as a part of notifications.

Regarding 2nd question. To fulfill this requirement, you can create an access review with the following options: Inactive users (on tenant level) only - True Days inactive - 30 days Auto apply results to resource - Enable If reviewer don't respond - Remove access General doc is here: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review#create-access-reviews see the item from 11: "...Or, you can create access reviews only for inactive users (preview). In the Users scope section, set the Inactive users (on tenant level) only to true. If the toggle is set to true, the scope of the review will focus on inactive users only. Then, specify Days inactive with a number of days inactive up to 730 days (two years). Users inactive for the specified number of days will be the only users in the review."

Answer is wrong. Notifications is under roles and to remove assignment if no sign in after 30 days has to be done in an Access Review

The correct answers are Roles and Alerts. In Roles, you can see the Role settings for each role, including Role assignment Alert. Under Alerts, there is a pre-define alert for "Eligible administrators aren't activating their privileged role". By default the number of days is set to 30 but can be reduced or extend it.

I believe correct answer is "Roles" for both as per, https://learn.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings

#1Role # Access Review I dont get why so many have role and alert x)

I would say both settings are reachable from "Role". https://docs.microsoft.com/bs-latn-ba/azure/active-directory/privileged-identity-management/pim-resource-roles-configure-role-settings

Roles Access Reviews

Roles (Roles&Admin > Role settings > scroll to send notifications ...) Access review (Settings > Enable reviewer decision helpers > No sign-in 30 days (If enabled, system recommends reviewers to deny users who have not signed-in within 30 days. Recommendation accounts for both interactive and non-interactive sign-ins.)

1. Roles 2. Access Review

#1: ROLE #2: ACCESS REVIEWS

#1✑ Administrators must be notified when the Security administrator role is activated. I found the option in role->settings->notification So for me the answer is ROLE #2 ✑ Users assigned the Security administrator role must be removed from the role automatically if they do not sign in for 30 days. There is such option in role I though the answer was ACCESS REVIEW but i did not see an option to remove the role if the user does not login since ... Any help ?

It is absolutely 1. Roles 2. Access Reviews Roles > Settings > Send notifications when eligible members activate this role Access Reviews > New > Duration > 30 days, End Never Upon completion settings > If reviewer doesn't respond > Remove access Alerts only alert on issues (stale accounts, users not using PIM etc - it does not action anything, not does it alert on when users are enabling PIM access as they should - which is what the question is asking)

Alerts and Role - Access review is part of Identity Governance and not part of PIM. Inside PIM under Manage AD role you will find the role assignment and you can edit its attributes.