Azure Active Directory Access Reviews - Troubleshooting and Solution

Troubleshooting Access Reviews in Azure Active Directory

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You have an Azure Active Directory (Azure AD) tenant named contoso.com.

A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.

Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.

You need to ensure that Admin1 can create access reviews in contoso.com.

Solution: You assign the Global administrator role to Admin1.

Does this meet the goal?

Answers

Explanations


A. B.

B

Instead use Azure AD Privileged Identity Management.

Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:

-> Conduct access reviews to ensure users still need roles

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

The solution of assigning the Global administrator role to Admin1 would meet the goal of allowing them to create access reviews in contoso.com.

Explanation:

Azure AD provides different roles with different permissions for managing identity and access management tasks. In this scenario, Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles but is still unable to create access reviews. This indicates that the access reviews setting might not be enabled or that a permission is missing.

The Global administrator role is the highest-privilege role in Azure AD and has access to all administrative features, including access reviews. Once the Global administrator role is assigned to Admin1, they will have access to all administrative features and will be able to create access reviews in contoso.com.

However, it is important to note that granting the Global administrator role to a user can have security implications. The Global administrator has access to all Azure AD resources, which can potentially lead to a breach if the account is compromised. It is recommended to assign this role to users only when necessary and to limit the number of Global administrators in an organization.