Exam AZ-500 topic 1 question 9 discussion

"Consent to PIM" is deprecated. No more required. So now only priv users needs to access/ visits PIM (Premium P2 is enabled") - Access will be provided automatically. "When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or even just visits Privileged Identity Management): We automatically enable PIM for the organization Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment"

Correct answer is D. First thing you do is Discover Azure resources. 1. Discover Azure resources 2. Configure Azure role settings. 3. Give eligible assignments. 4. Allow eligible users to activate their Azure roles just-in-time. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prepare-pim-for-azure-roles

A year 2025 version of this questions would look like this: Your company has an Azure subscription integrated with an Entra ID tenant. You need to secure Azure AD roles using Privileged Identity Management (PIM), minimizing standing privileges and using just‑in‑time access where possible. What is the first action you should take to prepare? A. Discover existing Azure resource and Entra roles B. Sign up for PIM in the Entra tenant C. Consent to PIM from an Entra administrator account D. Discover resources to protect with PIM The correct answer would be B: Sign up for PIM in the Entra tenant You must first enable the PIM service in Entra ID Governance or P2 license terms. This step appears when you first open the “Privileged Identity Management” blade—essentially “turning on PIM” for your tenant. Without doing this, no other PIM configuration (like discovering roles or resources) is available in the portal.

List who has privileged roles in your organization. Review the users assigned, identify administrators who no longer need the role, and remove them from their assignments.

Accoding to the MS Doc: When you first set up Privileged Identity Management for Azure resources, you need to discover and select the resources you want to protect with Privileged Identity Management. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-discover-resources

D , no more https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prepare-pim-for-azure-roles

The correct first step in securing Azure AD roles using Privileged Identity Management (PIM) is A. You should sign up for Azure AD Privileged Identity Management (PIM) for Azure AD roles. Here's why: Before you can manage and secure privileged roles with PIM, your organization must first activate PIM for Azure AD roles. This step enables role assignments to be eligible, providing just-in-time access, approval workflows, and auditing capabilities for privileged roles. Once PIM is enabled, the next logical steps would be: Discover Privileged Roles (C) to identify which roles are currently assigned. Consent to PIM (B) to ensure necessary permissions are in place. Discover Resources (D) if you're expanding PIM governance beyond Azure AD into Azure resources.

To secure Azure AD roles using Azure AD Privileged Identity Management (PIM), the first action you should take is to sign up for Azure AD Privileged Identity Management (PIM) for Azure AD roles1. This step is crucial as it enables PIM for your tenant, allowing you to manage, control, and monitor access to privileged roles. Once PIM is enabled, you can proceed with discovering privileged roles and resources, configuring role settings, and assigning eligible users2.

Answer: Question is outdated Reason: Per current Microsoft documentation, with Microsoft Entra ID P2 or Microsoft Entra ID Governance license, PIM is automatically enabled for the tenant and doesn't require sign-up or consent. Reference: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prerequisites

To enable Azure AD Privileged Identity Management (PIM) for Azure AD roles, you can follow these steps: Step 1: Sign Up for PIM Go to the Azure portal. In the left-hand navigation pane, select Azure Active Directory. Under Manage, select Privileged Identity Management. If this is your first time accessing PIM, click Sign up to enable it for your Azure AD directory.

Before you can manage and secure Azure AD roles using PIM, you need to sign up for PIM. This is the first step in enabling PIM for Azure AD roles, after which you can configure role management, policies, and other settings.

https://learn.microsoft.com/en-us/training/modules/manage-authorization-microsoft-entra-id/15-configure-privileged-identity-management

https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prepare-pim-for-azure-roles

As per the below site, the correct answer is C. Before implementing PIM for Entra or RBAC roles, the first step is to "discover and mitigate privileged roles": https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan

To secure Azure AD roles using Azure Active Directory Privileged Identity Management (PIM), the first action you should take is to enable Privileged Identity Management (PIM) for Azure AD. This step is essential as it sets up PIM for your Azure AD environment, allowing you to manage and secure privileged roles. After enabling PIM, you can proceed with other tasks like assigning eligible roles, configuring role settings, and setting up just-in-time (JIT) access. However, enabling PIM is the foundational step.

Yes, question is outdated (consent is no longer required), however looking at below link - it seems that you have to "Discover and mitigate privileged roles" - therefore C is potentially correct answer nowadays. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan

Before you can effectively manage and secure privileged roles in Azure AD using PIM, you need to discover the existing privileged roles in your Azure subscription. This involves identifying the roles that have elevated permissions and need to be managed through PIM. By discovering privileged roles, you gain visibility into the current role assignments and can determine which roles should be subject to PIM and undergo the access review and just-in-time (JIT) activation process.