Exam AZ-304 topic 2 question 43 discussion

Actual exam question from Microsoft's AZ-304
Question #: 43
Topic #: 2

You have 200 resource groups across 20 Azure subscriptions.
Your company's security policy states that the security administrator must verify all assignments of the Owner role for the subscriptions and resource groups once a month. All assignments that are not approved by the security administrator must be removed automatically. The security administrator must be prompted every month to perform the verification.
What should you use to implement the security policy?

  • A. Identity Secure Score in Azure Security Center
  • B. Access reviews in Identity Governance
  • C. the user risk policy in Azure Active Directory (Azure AD) Identity Protection
  • D. role assignments in Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
Suggested Answer: D

Comments

AKumar
Highly Voted 4 years, 1 month ago
Given Answer is correct- here is the explanation - https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews
upvoted 27 times
somenick
3 years, 10 months ago
Guys, NONE of the given answers are not working. You can try it in portal for free. I'm wondering if anyone got this question on the exam? We should mark and report it to Microsoft on the exam.
upvoted 3 times
dasEnder
2 years, 11 months ago
PIM is AAD P2 licensed. Did you change the license?
upvoted 1 times
sallymaher
4 years, 1 month ago
In the same link you have provided, check "Where do you create reviews?" You need to review the Owner role, so through PIM, but also not role assignment but PIM-Manage
upvoted 2 times
tita_tovenaar
3 years, 9 months ago
see my earlier comment, this is not suitable here since Azure triggers a review on every group and application, see purple note in ref. https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review#create-one-or-more-access-reviews
upvoted 1 times
nsvijay04b1
3 years, 8 months ago
correct. PIM is again going to use 'identity governance's access reviews' https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
upvoted 4 times
yasinetm
Highly Voted 4 years, 1 month ago
I think it's D. Privileged Identity Management allows to create access reviews in order to check role assignments. Access reviews in Identity Governance allows to review groups and application assignments. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review
upvoted 14 times
PaulM1122
4 years, 1 month ago
No, PIM will only create an access review when a user is requesting the role.
upvoted 6 times
Kode
3 years, 10 months ago
Yes but no. It does require PIM, but D states role assignment within PIM… that does not meet the objective. You will need to create an access review in PIM, which is part of Identity Governance. So create access review in Identity Governance is correct https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review#open-access-reviews
upvoted 4 times
4tune
3 years, 7 months ago
there is access review within PIM which is different from the access review in the first blade of identity governance
upvoted 1 times
sapien45
2 years, 10 months ago
A play on words ... you are right. Access Review are the key words, not role assignment B
upvoted 1 times
Snownoodles
Most Recent 2 years, 6 months ago
"access review" is for group members, access package review. This is for common user review, not privileged users review. "PIM Azure AD roles" is for privileged administrator role's review. "PIM Azure resource" is for Azure RBAC roles review. The correct answer should be "PIM Azure resource" review. Since there is no such answer, the given answer is the closest one.
upvoted 1 times
ezfix
2 years, 7 months ago
D. The question is poorly written or the interface has changed. Subscription & Resource Group access reviews are under PIM, and there are two ways to get to them. These are different than the normal access reviews listed in answer B, which are "Team + Group" access reviews. Option 1 - AD Privileged Identity Management, Azure Resources, select the subscription or management group, then Access Reviews. Option 2 - Azure Active Directory, Identity Governance, Privileged Identity Management - Azure Resources, select the subscription or management group, then Access Reviews. If you simply went to Azure Active Directory, Identity Governance, Access Reviews, you would only be able to use "Team + Group" or "Applications", and not the subscription or resource groups which this question is describing. Hope this helps.
upvoted 1 times
ezfix
2 years, 7 months ago
D. Access reviews for "Groups", use AD Identity Governance. Access review for "roles", use Azure AD Privileged Identity Management (PIM). Reviewed in the portal and this is correct. https://learn.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 1 times
One111
2 years, 8 months ago
Selected Answer: D
PIM for Azure resources (based on RBAC) is best option here.
upvoted 2 times
LillyLiver
2 years, 10 months ago
Selected Answer: D
Guys (Gals), it's PIM. Proven in my tenant. If you go into "AAD > Identity Governance > Privileged Identity Governance > Azure Resources > Discover Resources", you can select the subscription to manage access reviews on. I'm thinking that this question has some older content, but it's still valid.
upvoted 2 times
Jag74
2 years, 10 months ago
Selected Answer: B
https://docs.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview
upvoted 1 times
Azure_daemon
2 years, 11 months ago
For Azure AD roles or ARM roles we use PIM; for the App/Group we use access review, so D is the correct answer.
upvoted 1 times
AD3
3 years, 1 month ago
'C'. See the question & answer for Examtopics 303 Question #4 Topic 2 HOTSPOT - You plan to implement an access review to meet the following requirements: shows the section for time and access revoke rule.
upvoted 1 times
petey212
3 years, 2 months ago
Selected Answer: B
Access reviews is the simplest method for recurring review of access permissions and it allows the person to approve/deny.
upvoted 1 times
[Removed]
3 years, 2 months ago
Selected Answer: B
B is the right answer
upvoted 1 times
bacug
3 years, 2 months ago
Selected Answer: D
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
upvoted 1 times
Gluckos
3 years, 3 months ago
Selected Answer: D
In PIM can select more subscriptions https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review#create-access-reviews "4) For Azure AD roles, select Azure AD roles again under Manage. For Azure resources, select the subscription you want to manage." Identity Governance doesn't... but works with a subscription scope
upvoted 1 times
kanweng
3 years, 1 month ago
The next piece of Azure AD Identity Governance is Privileged Identity Management (PIM)
upvoted 1 times
us3r
3 years, 3 months ago
Selected Answer: B
Have reviews recur periodically: You can set up recurring access reviews of users at set frequencies such as weekly, monthly, quarterly or annually, and the reviewers will be notified at the start of each review. Reviewers can approve or deny access with a friendly interface and with the help of smart recommendations source https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview#when-should-you-use-access-reviews
upvoted 1 times
ScubaDiver123456
3 years, 4 months ago
Selected Answer: D
I believe it is D (Access review through PIM) since it can do Azure resource role checks and provide an automatic way to repeat them every month. It can also automatically remove access https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review
upvoted 1 times
Eitant
3 years, 4 months ago
Selected Answer: B
Correct Answer
upvoted 1 times