Exam MS-500 topic 1 question 46 discussion

Y,Y,Y https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications

Wouldn't it be Yes, No Yes? When users activate their role and the role setting requires approval, approvers will receive two emails for each approval: Request to approve or deny the user's activation request (sent by the request approval engine) The user's request is approved (sent by the request approval engine) Also, Global Administrators and Privileged Role Administrators receive an email for each approval: The user's role is activated (sent by Privileged Identity Management) https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications Security Administrator, doesn't have the same access as a PRM https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-administrator https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator

When users activate their role and the role setting requires approval, approvers will receive two emails for each approval: Request to approve or deny the user's activation request (sent by the request approval engine) The user's request is approved (sent by the request approval engine) Also, Global Administrators and Privileged Role Administrators receive an email for each approval: The user's role is activated (sent by Privileged Identity Management)

User Role activation is pending approval Role activation request is completed PIM is enabled Privileged Role Administrator (Activated) Yes (only if no explicit approvers are specified) Yes* Yes Security Administrator (Activated) No Yes* Yes Global Administrator (Activated) No Yes* Yes

Y,Y,Y tested in lab

Y: The global admin can receive notifications by default according to the documentation. Y: The security administrator can receive notifications by default according to the documentation. Y: The Privileged Role Manager will receive notifications only when the appropriate approvers have not been specified. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications

When users activate their role and the role setting requires approval, approvers will receive two emails for each approval: Request to approve or deny the user's activation request (sent by the request approval engine) The user's request is approved (sent by the request approval engine) Also, Global Administrators and Privileged Role Administrators receive an email for each approval:

Correct answer should be Y, Y, Y. Reasons: Privileged Role Administrators receive an email notification when a role activation is pending approval (if no explicit approvers are specified), when a role activation request is completed, and when PIM is enabled. Security Administrators receive an email notification only when a role activation request is completed or when PIM is enabled. They do not receive a notification when a role activation is pending approval. Global Administrators do not receive email notifications when a role activation is pending approval, but they do receive a notification when a role activation request is completed or when PIM is enabled. Read also the last question "User4 REQUESTS activation" & the first 2 questions are "User4 ACTIVATES"

When we look in the given URL below, we'll see that Global Admin and Security Admin will not receive a mail when the request for activation is still pending. The tricky past in this question is however that User4 "activates" a role thus this still needs to be approved first before activation is completed (THEN the other admins will get a mail). It is indeed a weirdly constructed question as "activates" would still mean "yet activated", but seemingly not in Microsoft terms... https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications#notifications-for-azure-ad-roles

Another horribly worded question. Here the trick is "when X activates the role" vs. "when X requests activation of the role" While everyone in comments here seems to be looking deeper and noting that post-approval more emails get sent out I think it's much simpler -- Option A, and B are impossible actions, it's a trick question since they don't activate it directly (Though we as logical people are treating their request, with approval as the indirect activation which it is) tl;dr: User is not activating the role, they are requesting activation of the role, thus A and B aren't things that can even occur in this bad example, and B is correct.

Y Y N When an activation is completed, Global Admins, Security Admins, and Privileged Role Admins receive a notification. When an activation is pending, only the Privileged Role Admin receives a notification.The last question is a request, not an activation.

User Role activation is pending approval Role activation request is completed PIM is enabled Privileged Role Administrator (Activated/Eligible) Yes (only if no explicit approvers are specified) Yes* Yes Security Administrator (Activated/Eligible) No Yes* Yes Global Administrator (Activated/Eligible) No Yes* Yes So, answer is Y,Y,Y

N,N,Y is correct! Question 1 is "activates" Question 2 is "activates" Question 3 is "requests" https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications Answer chart pulled from the link above: Privileged Role Administrator (Activated/Eligible): --Role activation is pending approval (only if no explicit approvers are specified): Yes --Role activation request is completed: Yes* --PIM is enabled: Yes Security Administrator (Activated/Eligible): --Role activation is pending approval (only if no explicit approvers are specified): No --Role activation request is completed: Yes* --PIM is enabled: Yes Global Administrator (Activated/Eligible)(Activated/Eligible): --Role activation is pending approval (only if no explicit approvers are specified): No --Role activation request is completed: Yes* --PIM is enabled: Yes

The answer is Y,Y,Y. I did a test in my Lab to double-check the output based on this information > https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications#notifications-for-azure-ad-roles

Y,Y,Y is a correct answer. These admins get a notification when a role is activated, if enable notification tab is set to enabled: Global Administrators Security Administrators Privileged Role Administrator Here is the proof: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-email-notifications

If no specific approvers are selected, privileged role administrators/global administrators will become the default approvers.

Correct answer is Y/Y/Y: First two questions asks if the users receive notification when role was successfully activated. NOT TALKING ABOUT ACTIVATION REQUEST Third question is about notification which will be send to user who must approve role activation and since there are no approvers specified then only Privileged Role Administrator will receive notification.