Azure AD Access Reviews: Enabling Admin1 to Create Access Reviews | Microsoft Exam AZ-303 Solution

Azure AD Access Reviews

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You create an access package.

Does this meet the goal?

Answers

Explanations


A. B.

B

You do not use access packages for Identity Governance. Instead, use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:

Conduct access reviews to ensure users still need roles

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

The solution provided in the question - creating an access package - is not sufficient to meet the goal of enabling Admin1 to create access reviews in contoso.com.

An access package is a collection of resources in Azure AD that can be assigned to users or groups for access. While access packages can include access reviews as a resource, creating an access package alone does not grant Admin1 the necessary permissions to create access reviews.

To enable Admin1 to create access reviews, you should assign the Identity Governance Administrator role to the user. This role allows the user to create and manage access reviews in Azure AD.

To assign the Identity Governance Administrator role to Admin1, follow these steps:

  1. Sign in to the Azure portal with an account that has permissions to manage Azure AD.
  2. In the left navigation pane, select Azure Active Directory.
  3. In the Azure AD pane, select Roles and administrators.
  4. In the Roles and administrators pane, search for Identity Governance Administrator.
  5. Select the Identity Governance Administrator role.
  6. In the Role assignments pane, select Add assignment.
  7. Search for and select Admin1.
  8. Select Add.

After completing these steps, Admin1 should be able to create access reviews in contoso.com.
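
The same role assignment can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original question or answer; the UPN `admin1@contoso.com` is an assumption, since the page gives only the user name Admin1 and the tenant contoso.com.

```powershell
# Added example. Requires the Microsoft.Graph.Users and
# Microsoft.Graph.Identity.Governance modules, and a signed-in account
# that is allowed to manage directory role assignments.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$upn      = 'admin1@contoso.com'                 # assumed UPN for Admin1
$roleName = 'Identity Governance Administrator'  # role named in the steps above

# Resolve the user and the role definition to their object IDs.
$user = Get-MgUser -UserId $upn -ErrorAction Stop
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' was not found in this tenant." }

# List the directory roles the user already holds, so the new assignment
# can be reviewed against least privilege before it is added.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)'" -All
foreach ($assignment in $existing) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $assignment.RoleDefinitionId
    Write-Host ("Already assigned: {0} (scope {1})" -f $def.DisplayName, $assignment.DirectoryScopeId)
}

# Add the assignment only if it is not already present (idempotent).
$already = $existing | Where-Object {
    $_.RoleDefinitionId -eq $role.Id -and $_.DirectoryScopeId -eq '/'
}
if ($already) {
    Write-Host "$upn already holds '$roleName' at tenant scope; nothing to do."
}
else {
    $new = New-MgRoleManagementDirectoryRoleAssignment `
        -PrincipalId      $user.Id `
        -RoleDefinitionId $role.Id `
        -DirectoryScopeId '/'          # '/' means tenant-wide scope
    Write-Host "Created role assignment $($new.Id) for $upn."
}

Disconnect-MgGraph | Out-Null
```

The listing step also makes it visible which of Admin1's existing roles (User administrator, Compliance administrator, Security administrator) remain assigned after the change.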