Exam AZ-500 topic 2 question 99 discussion

B,C,D cannot create groups

Answer is D https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator None of the other three roles has the privileges to perform ALL mentioned tasks https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#identity-governance-administrator https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#authentication-administrator https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#groups-administrator

tested and Privileged Role Admin was able to perform all required tasks.

I think D is the correct answer.

C. Identity Governance Administrator The Identity Governance Administrator role in Azure AD is designed for managing identity governance features, including access reviews, entitlement management, and privileged identity management. This role allows a user to create and manage access reviews, which are used to govern group memberships and role assignments, including Azure AD roles for role-assignable groups. Assigning User1 the Identity Governance Administrator role would allow them to perform the tasks mentioned (creating groups, creating access reviews for role-assignable groups, and assigning Azure AD roles to groups) while adhering to the principle of least privilege, as this role is specifically focused on governance features and does not grant broader administrative rights that are not necessary for the tasks.

Answer: D Explanation: D : Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units.Under Action you'll find :microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/create >>Create access reviews for membership in groups that are assignable to Azure AD roles https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-roleadministrator

D is correct. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator

D. Privileged role administrator

D also is correct but considering the principle of least privilege and the given requirements, option C, "Identity Governance Administrator," remains the best choice for User1.

D : Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. They can create and manage groups that can be assigned to Azure AD roles. In addition, this role allows management of all aspects of Privileged Identity Management and administrative units. Under Action you'll find : microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/create >> Create access reviews for membership in groups that are assignable to Azure AD roles https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator

D is correct. According to Microsoft Documentation. https://learn.microsoft.com/en-us/azure/network-watcher/connection-monitor-connected-machine-agent?tabs=WindowsScript

https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference