Exam SC-300 topic 6 question 3 discussion

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management. For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

that's correct

Box1: Privileged Role Administrator Box2: Global Admin The following Article says you need Microsoft.Authorization/roleAssignments/write to assign Azure roles. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps#step-4-check-your-prerequisites If you check all the built-in roles that have that permission, none are listed as options other than global admin which would have permission to manage the whole subscription. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator

Azure AD build-in role: Privileged role Administrator Azure build-in role: User Access Administrator

Step 4. Check your prerequisites To assign roles, you must be signed in with a user that is assigned a role that has role assignments write permission, such as Owner or ***User Access Administrator*** at the scope you are trying to assign the role. Similarly, to remove a role assignment, you must have the role assignments delete permission. Microsoft.Authorization/roleAssignments/write Microsoft.Authorization/roleAssignments/delete If your user account doesn't have permission to assign a role within your subscription, you see an error message that your account "does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'." In this case, contact the administrators of your subscription as they can assign the permissions on your behalf. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps

Given answer is correct. For Azure AD role see; https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference And the subsequent link for; https://docs.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal For Azure built-in role see; https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles And the subsequent link for; https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps

just pass the exam today. This came in the question.

Second question is referring to Azure built-in roles and NOT Azure AD built-in roles, hence user access administrator Azure Roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles Azure AD Roles: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Since the user access administrator role does not exist. For me, it is the Privileged Administrator role that should be selected for both answers.

On the exam 1/20/2022

Requirements. Delegation Requirements Delegate the management of privileged roles by using Azure AD Privileged Identity Management (PIM). Prevent nonprivileged users from registering applications in the litware.com Azure AD tenant. Use custom catalogs and custom programs for Identity Governance. Ensure that User1 can create enterprise applications in Azure AD. Use the principle of least privilege. (To assign Azure roles, you must have User Access Administrator or Owner) For Azure AD roles in Privileged Identity Management, only a user who is following roles • Privileged Role Administrator o or • Global Administrator can manage assignments for other administrators For Azure AD roles in Privileged Identity Management view assignments only a user who is following roles. • Global Administrators, • Security Administrators, • Global Readers • Security Readers User administrator Create and manage all aspects of users and groups, manage support tickets, monitor service health, Change passwords for users, Helpdesk administrators, and other User Administrators