Azure Active Directory Access Reviews for Admin1 - Solution for AZ-300 Exam | Microsoft Azure Architect Technologies

Azure Active Directory Access Reviews

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You assign the Global administrator role to Admin1.

Does this meet the goal?

Answers

Explanations


A. B.

B

Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:

- Conduct access reviews to ensure users still need roles

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

The solution of assigning the Global administrator role to Admin1 does meet the goal of allowing Admin1 to create access reviews in the contoso.com Azure AD tenant.

Explanation:

In Azure AD, access reviews are used to periodically review and update group memberships, application access, and role assignments to ensure that they remain appropriate and secure. Access reviews are available only if Identity Governance is enabled for your organization. By default, the Identity Governance settings are only available to users who are assigned the Global administrator, Privileged Role Administrator, or Identity Governance administrator roles.

In the given scenario, Admin1 attempts to create an access review from the Azure Active Directory admin center but discovers that the Access reviews settings are unavailable, even though all the other Identity Governance settings are available. Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles, which are not sufficient to access the Access reviews settings.

To enable Admin1 to create access reviews, the solution proposes assigning the Global administrator role to Admin1. This role has permissions to perform all tasks in Azure AD, including managing access reviews. Therefore, assigning the Global administrator role to Admin1 will provide the necessary permissions for Admin1 to create access reviews in the contoso.com Azure AD tenant.

In conclusion, the proposed solution of assigning the Global administrator role to Admin1 does meet the goal of allowing Admin1 to create access reviews in the contoso.com Azure AD tenant. Therefore, the answer is A. Yes.