Exam AZ-500 topic 2 question 32 discussion

The answer is YES, YES, NO. MFA Disabled/Enabled means nothing, its there to trick you. That is for 0365 only "Basic" MFA which wouldn't be in use at this point since in order to use PIM you must have EMS E5 licenses/P2 AD so those MFA enable/disabled settings are ignored. They would just get an MFA enrollment wizard/prompt to setup their phone first.

User3 cannot because his active right is expired on the 15th June 2019

Yes, Yes, No?

To support the answer #2. Microsoft Entra PIM for Azure resources provides two distinct assignment types: Eligible assignments require the member to activate the role before using it. Administrator may require role member to perform certain actions before role activation, which might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. Active assignments don't require the member to activate the role before usage. Members assigned as active have the privileges assigned ready to use. This type of assignment is also available to customers that don't use Microsoft Entra PIM. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles Answer: Yes, YES, NO

Yes Yes No. MFA doesn't matter here. User 3 cannot activate PIM because it has expired. A user cannot have both Active and Eligible assignments, so after 15 June, User 3 has no PIM roles since active assignments which it was given, expires 1st June.

the answer is N Y N.

Yes, Yes, No. The per-user MFA setting is completely irrelevant.

YYY mfa is disabled but he can activate it when he activate the role User3 the activate's state expired , but the question here is to ACTIVATE NOT USE like the second question

YES, YES, NO. MFA Disabled/Enabled means nothing, its there to trick you. That is for 0365 only "Basic" MFA which wouldn't be in use at this point since in order to use PIM you must have EMS E5 licenses/P2 AD so those MFA enable/disabled settings are ignored. They would just get an MFA enrollment wizard/prompt to setup their phone first.

YEs,yes, no. User 3 active role expire after a month! so on june 15 he cannot active . User 2 has active assignment user1 is eligible can activate

IT CLEARLY STATES MFA FOR ACTIVATION OF ELIGIBLE AND MFA FOR ACTIVE ASSIGNMENTS. N,N,Y

Answers are correct - YYY: Box-3: After the active role is expired on May 30th, only the users active access expired. The user is still eligible for 2 more months, meaning the user can activate it on June15th.

Assigned the 1st of May. On the 1st of June the Active Assignments are expired. On the 1st of August the Eligible Assignments are expired too. User1 has an Eligible Assignment so he/she can activate his/her account -> Yes User2 has an Active Assignment so he/she can use his/her account -> Yes User3 has an Active Assignment which was expire after 1 months. So he/she has no longer access to this role -> No

YES, YES NO.

Yes Yes No

Approvers are not able to approve their own role activation requests. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow

1. Yes, can activate because eligible 2. Yes, Can use it because already an active assignment 3. No, f a user's Privileged Identity Management (PIM) active assignment expires, the user will lose their elevated privileges and will no longer be able to perform privileged actions within the Azure AD environment.