You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam, Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
-> To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
-> If the manager does not verify an access permission, automatically revoke that permission.
-> Minimize development effort.
What should you recommend?
The correct answer to this question is D: In Azure Active Directory (Azure AD), create an access review of Application1.
Explanation:
The question is asking for a solution to verify whether the developers at Fabrikam still require permissions to Application1. The solution must send a monthly email message to the manager of the developers listing the access permissions to Application1, and automatically revoke any permission that the manager does not verify. The solution must also minimize development effort.
Azure Active Directory (Azure AD) provides access review functionality that allows administrators to review and manage access to Azure AD resources, including applications. An access review allows managers or other designated reviewers to evaluate whether users still require access to an application or resource. If a user no longer requires access, the reviewer can revoke it, and the review can be configured to apply its results automatically so that access the reviewer did not approve is removed. Access reviews require an Azure AD Premium P2 license, which is included in the Microsoft 365 E5 plan that all users in this scenario already have.
Option A, creating a custom role assignment for the Application1 resources in Azure AD Privileged Identity Management (PIM), is not the best solution for this scenario because PIM is focused on managing privileged, just-in-time access to resources, not on periodically re-validating regular access. Additionally, creating a custom role assignment would require development effort and would not by itself send a monthly email message to the manager of the developers.
Option B, creating an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet, would require development effort and would not automatically send a monthly email message to the manager of the developers. Additionally, this solution would only retrieve the app role assignments for users, not manage those assignments.
Option C, creating an Azure Automation runbook that runs the Get-AzureRmRoleAssignment cmdlet, would require development effort and is not the best solution for this scenario because it is focused on managing Azure resources, not managing access to an application.
Therefore, the best solution for this scenario is option D, creating an access review of Application1 in Azure AD. An access review would send a monthly email message to the manager of the developers listing the access permissions to Application1, and the manager could revoke any permission that is no longer required. This solution requires minimal development effort and is specifically designed for managing access to Azure AD resources, including applications.
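To show how the three requirements map onto concrete access review settings, here is an added example (not part of the original answer) that builds a review definition in the shape of the Microsoft Graph accessReviewScheduleDefinition resource and audits it. The scope query form, the dates and the Application1 service principal id are assumptions and placeholders.

```python
import copy
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
APP_SP_ID = "<application1-service-principal-id>"  # placeholder, not a real object id


def build_definition(sp_id: str) -> dict:
    """Review definition that maps each requirement in the question to a setting."""
    return {
        "displayName": "Application1 monthly developer access review",
        # Scope: principals assigned to Application1 (this query form is an assumption).
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": f"/servicePrincipals/{sp_id}/appRoleAssignedTo",
                  "queryType": "MicrosoftGraph"},
        # Reviewer: the manager of each user under review, resolved per decision.
        "reviewers": [{"query": "./manager", "queryType": "MicrosoftGraph",
                       "queryRoot": "decisions"}],
        "settings": {
            "mailNotificationsEnabled": True,       # e-mail the reviewer (the manager)
            "reminderNotificationsEnabled": True,
            "instanceDurationInDays": 14,
            "autoApplyDecisionsEnabled": True,      # apply outcomes without an admin
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",              # not verified => access removed
            "recurrence": {"pattern": {"type": "absoluteMonthly", "interval": 1,
                                       "dayOfMonth": 1},
                           "range": {"type": "noEnd", "startDate": "2024-01-01"}},
        },
    }


def audit(definition: dict) -> list:
    """Return the requirements this definition fails to meet (empty list = all met)."""
    s, gaps = definition["settings"], []
    pattern = s.get("recurrence", {}).get("pattern", {})
    if not (pattern.get("type") == "absoluteMonthly" and pattern.get("interval") == 1):
        gaps.append("review does not recur monthly")
    if not (s.get("mailNotificationsEnabled")
            and any(r.get("query") == "./manager" for r in definition.get("reviewers", []))):
        gaps.append("manager is not e-mailed as the reviewer")
    if not (s.get("autoApplyDecisionsEnabled") and s.get("defaultDecisionEnabled")
            and s.get("defaultDecision") == "Deny"):
        gaps.append("unverified access is not revoked automatically")
    return gaps


def notify_only_variant(definition: dict) -> dict:
    """The common weak setup: the manager is mailed but nothing is enforced."""
    weak = copy.deepcopy(definition)
    weak["settings"].update({"autoApplyDecisionsEnabled": False, "defaultDecision": "None"})
    return weak


def create_definition(token: str, definition: dict) -> dict:
    """POST the definition to Graph (needs AccessReview.ReadWrite.All); not run here."""
    req = urllib.request.Request(GRAPH_URL, data=json.dumps(definition).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The audit makes the difference between a notify-only review and one that actually revokes unverified access visible before the definition is created.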