Configure Security Administrator Role Assignment | Microsoft SC-300 Exam Answer

Ensure IT Department Users Have Required Access to Security Administrator Role | Microsoft SC-300 Exam Answer

Question

Your company recently implemented Azure Active Directory (Azure AD) Privileged Identity Management (PIM).

While you review the roles in PIM, you discover that all 15 users in the IT department at the company have permanent security administrator rights.

You need to ensure that the IT department users only have access to the Security administrator role when required.

What should you configure for the Security administrator role assignment?

Answers

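A. Expire eligible assignments after
B. Expire active assignments after
C. Assignment type to Active
D. Assignment type to Eligible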

D.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

In Azure Active Directory (Azure AD) Privileged Identity Management (PIM), roles can be assigned to users or groups on an "eligible" or "active" basis. An "eligible" assignment means the user is eligible to activate the role when they need it, while an "active" assignment means the user has the role currently activated.

In this scenario, you need to ensure that the IT department users only have access to the Security administrator role when required, and not permanently. Therefore, you need to change the assignment type of the Security administrator role from "active" to "eligible".

Option D - Assignment type to Eligible - is the correct answer. By setting the assignment type to "eligible", the IT department users will no longer have permanent access to the Security administrator role. Instead, they will need to request access to the role when they require it, and the request will be reviewed and approved by a PIM administrator. This helps to ensure that the Security administrator role is only used when necessary and minimizes the risk of unauthorized access.

Option A - Expire eligible assignments after - is not the correct answer because it only sets a time limit on how long a user can remain eligible for a role, but it does not address the issue of the IT department users having permanent access to the Security administrator role.

Option B - Expire active assignments after - is not the correct answer because it only sets a time limit on how long a user can remain active in a role, but it does not address the issue of the IT department users having permanent access to the Security administrator role.

Option C - Assignment type to Active - is not the correct answer because it would further entrench the issue of the IT department users having permanent access to the Security administrator role.
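
The change described above, as an added example that is not part of the original page: it finds permanent active assignments for one role and builds the Microsoft Graph request bodies that would replace each with an eligible assignment. The sample records, principal IDs, role ID placeholders, start date and the `P365D` eligibility duration are constructed assumptions, and nothing is sent to Graph.

```python
# Placeholder, not a real ID: use your tenant's Security Administrator roleDefinitionId.
ROLE_ID = "<security-administrator-role-definition-id>"

def _sched(principal, role, kind, exp_type):
    # Constructed record; field names follow Graph's unifiedRoleAssignmentSchedule.
    return {"principalId": principal, "roleDefinitionId": role, "directoryScopeId": "/",
            "assignmentType": kind, "scheduleInfo": {"expiration": {"type": exp_type}}}

SAMPLE = [
    _sched("it-user-01", ROLE_ID, "Assigned", "noExpiration"),    # permanent active
    _sched("it-user-02", ROLE_ID, "Assigned", "noExpiration"),    # permanent active
    _sched("it-user-03", ROLE_ID, "Activated", "afterDateTime"),  # just-in-time activation
    _sched("it-user-04", "<other-role-id>", "Assigned", "noExpiration"),  # different role
]

def is_permanent_active(a, role_id):
    """True for a standing assignment: assigned directly (not a PIM activation), no expiry."""
    return (a["roleDefinitionId"] == role_id
            and a["assignmentType"] == "Assigned"
            and a["scheduleInfo"]["expiration"]["type"] == "noExpiration")

def plan_conversion(assignments, role_id, start, eligible_for="P365D"):
    """Build Graph request bodies (eligibility grants, active removals). Sends nothing."""
    grants, removals = [], []
    for a in assignments:
        if not is_permanent_active(a, role_id):
            continue
        base = {"principalId": a["principalId"], "roleDefinitionId": role_id,
                "directoryScopeId": a["directoryScopeId"],
                "justification": "Convert standing access to eligible (PIM)"}
        # Grant eligibility first so the user keeps a path to the role.
        grants.append({**base, "action": "adminAssign", "scheduleInfo": {
            "startDateTime": start,
            "expiration": {"type": "afterDuration", "duration": eligible_for}}})
        removals.append({**base, "action": "adminRemove"})
    return grants, removals

if __name__ == "__main__":
    grants, removals = plan_conversion(SAMPLE, ROLE_ID, "2024-01-01T00:00:00Z")
    for g, r in zip(grants, removals):
        print(g["principalId"], g["action"], "then", r["action"])
```

The grant bodies correspond to POSTs to `roleManagement/directory/roleEligibilityScheduleRequests` and the removal bodies to `roleManagement/directory/roleAssignmentScheduleRequests`; submit each eligibility request before its matching removal.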