Exam SC-300 topic 4 question 50 discussion

Tried this with all the suggested answer, and none of them can modify the review frequency of Package1. See explanation below. Security Admin - Cannot update Policy Privileged role administrator - Gets “No access” to Access Packages. External Identity Provider administrator - Gets “No access” to Access Packages. User administrator - Gets “No access” to Access Packages. User administrator used to be the right choice for this question. However, things have now changed: The User Administrator role is no longer allowed to manage catalogs and access packages in Azure AD Entitlement Management. Please transition to the Identity Governance Administrator role to continue managing access without disruption, or go to the Entitlement Management settings page if you need to temporarily opt out. So, if there is an option in this question to choose Identity Governance Administrator, choose that. https://learn.microsoft.com/azure/active-directory/governance/identity-governance-overview?WT.mc_id=Portal-Microsoft_Azure_ELMAdmin#appendix---least-privileged-roles-for-managing-in-identity-governance-features

Should be Identity Governance Admin if up to date, but if not present, choose User Administrator. "The least privileged role for Entitlement management has changed from the User Administrator role to the Identity Governance Administrator role." https://learn.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview?WT.mc_id=Portal-Microsoft_Azure_ELMAdmin#appendix---least-privileged-roles-for-managing-in-identity-governance-features

To ensure that User1 can modify the review frequency of Package1 while adhering to the principle of least privilege, you should assign the Privileged role administrator role to User1. This role allows the user to manage role assignments in Azure AD, including modifying access packages and their review settings.

I haven't seen anyone say "Privileged role administrator" yet if you ask which role can update or modify Access Reviews in Entra, ChatGPT, Copilot and Google all suggest Privileged role administrator. is that not correct?

Create and manage access reviews (creators) Access package Global Administrator Identity Governance Administrator Catalog owner (for the access package) Access package manager (for the access package) https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews

To ensure that User1 can modify the review frequency of Package1 while adhering to the principle of least privilege, the appropriate role would be B. Privileged role administrator. The Privileged Role Administrator role allows users to manage role assignments in Azure AD and manage access packages, which includes modifying access reviews and their configurations. This provides the necessary permissions without granting excessive access.

The least privileged role for Entitlement management has changed from the User Administrator role to the Identity Governance Administrator role.

Create and manage access reviews for Access package Global administrator Identity Governance administrator Catalog owner (for the access package) Access package manager (for the access package)

To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Microsoft Entra roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role.

o enable reviews of access packages, you must meet the prerequisites for creating an access package: Microsoft Azure AD Premium P2 or Microsoft Entra ID Governance Global administrator, Identity Governance administrator, User administrator, Catalog owner, or Access package manager