Exam AZ-303 topic 3 question 11 discussion

Actual exam question from Microsoft's AZ-303
Question #: 11
Topic #: 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
A user named Admin1 attempts to create an access review from the Azure Active Directory admin center and discovers that the Access reviews settings are unavailable. Admin1 discovers that all the other Identity Governance settings are available.
Admin1 is assigned the User administrator, Compliance administrator, and Security administrator roles.
You need to ensure that Admin1 can create access reviews in contoso.com.
Solution: You create an access package.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B
You do not use access packages for Identity Governance. Instead use Azure AD Privileged Identity Management.
Note: PIM essentially helps you manage the who, what, when, where, and why for resources that you care about. Key features of PIM include:
  • Conduct access reviews to ensure users still need roles
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview

Comments

cloudcuckooland
Highly Voted 4 years, 8 months ago
Answer is correct, but the given explanation is incorrect imo. As the other governance settings are available, this confirms that the P2 license is activated; however, the tenant has not been onboarded. It's easy to test this yourself with a free trial. The following are needed: 1. Azure AD Premium P2 2. Be a Global administrator or a User administrator. Then you need to onboard the tenant to allow for access reviews. See below: https://developer.microsoft.com/en-us/graph/blogs/retrieving-azure-ad-access-reviews/ You could do this in PIM, but that is not being asked here. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
upvoted 29 times
JayBee65
3 years, 2 months ago
Actually, Azure Active Directory Premium P1 includes some governance settings: Automated group provisioning to apps, HR-driven provisioning, Terms of use attestation. https://www.microsoft.com/en-gb/security/business/identity-access-management/azure-ad-pricing?rtc=1 So to me it's likely that the P2 license has not been assigned, since Admin1 is a user administrator, so if a P2 license were available, they would have all they need.
upvoted 1 times
JayBee65
3 years, 2 months ago
Re-reading it says all other governance features are available, so P2 must be present as you say. Hmmm
upvoted 1 times
...
...
...
czarul79
Highly Voted 4 years, 8 months ago
The correct answer is NO. Step 1. Create an Azure AD Access Review. Azure Active Directory -> Select Identity Governance > On the Getting started page, click the Create an access review button. Step 2. Check whether Admin1 can create access reviews in the contoso.com tenant. It's easy to test by yourself with a free trial; the following are needed: 1. Azure AD Premium P2 2. Be a Global administrator or a User administrator
upvoted 10 times
...
Estudante_BH
Most Recent 3 years, 1 month ago
Selected Answer: B
That's right.
upvoted 1 times
...
edmacoar123
3 years, 5 months ago
On exam today 19/11/21. Correct answer. Score 860.
upvoted 1 times
...
syu31svc
3 years, 8 months ago
First, as a global administrator or user administrator, go to the Identity Governance page to ensure that access reviews is ready for your organization. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview Answer is no
upvoted 2 times
...
jd94
3 years, 10 months ago
6/12/2021. Passed the exam. No
upvoted 5 times
...
TSMRE
3 years, 10 months ago
On exam 6/7/21
upvoted 2 times
...
sunmonkey
4 years, 2 months ago
The users you are executing the review on require P2 Licences. The user setting up the review doesn't need a P2 licence. This is very convoluted. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 2 times
...
Aghora
4 years, 3 months ago
You need the following: Global Administrator or Privileged Role Administrator. No need for a P2 license to create access reviews, but needed to read. This does not matter, as the question implies P2 is in place. The only thing that makes sense is Global admin. I tested on my account and gave admin the roles mentioned in the question, but he still could not create access reviews even though I (Global admin) could without a P2 license. I gave him global and then he was able to do it!
upvoted 1 times
jmay
3 years, 4 months ago
You do need P2 or EMS E5. The document from Microsoft is misleading. If you do not have the adequate license level you will have: Tenant does not have a valid license (EMS E5 or P2) required for Access reviews. Error code 403
upvoted 1 times
...
...
Madhukar
4 years, 4 months ago
No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access reviews. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements
upvoted 1 times
...
sejalo
4 years, 4 months ago
Answer No - The assigned roles can create access review if P2 license assigned, w/o P2 license Global Admin also can't create it. I have simulated the same.
upvoted 3 times
...
slafcemafce
4 years, 4 months ago
Answer is yes. I tried to make the same and I got the following message from the Azure Portal: Access to these features requires the Global Administrator, User Administrator, Global Reader, Security Administrator, or Security Reader role.
upvoted 3 times
RichardSt
4 years, 4 months ago
I agree to Yes being the correct answer. According to https://docs.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews a global administrator is always able to create access reviews. The table "Who will create and manage Access Reviews" breaks it down into resource types to be reviewed, but the question does not mention a specific resource to be reviewed. In any case, global administrator is entitled to do that. As mentioned before, AD P2 license is not required to set up access reviews for Global Administrators. Finally, https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review incorrectly states the prerequisite to be a "privileged role administrator".
upvoted 1 times
...
pentium75
3 years, 9 months ago
If you 'tried to make the same' and got an error message, how can the answer be 'Yes'? 'Yes' means that 'creating an access package' fixes the problem, which is clearly not the case here.
upvoted 1 times
...
...
vicks85
4 years, 4 months ago
"Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews." https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 2 times
jmay
3 years, 4 months ago
You do need P2 or EMS E5. The document from Microsoft is misleading. If you do not have the adequate license level, when you click on Access Review with appropriate access level, you will have: Tenant does not have a valid license (EMS E5 or P2) required for Access reviews. Error code 403
upvoted 1 times
...
...
taketad
4 years, 4 months ago
Why wouldn't Global Administrator role be enough to do the access review? The link shows Global Administrator as a top-level role for any access review. https://developer.microsoft.com/en-us/graph/blogs/retrieving-azure-ad-access-reviews/
upvoted 1 times
pentium75
3 years, 9 months ago
Who says that? Of course Global Administrator can do Access Review. But the reviewed accounts need P2 license. But the discussion here is about an 'access package' which does not solve the problem.
upvoted 1 times
...
...
Az209co
4 years, 6 months ago
The Privileged Role Administrator will be required to configure Access review. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-start-security-review
upvoted 2 times
...
SPSK
4 years, 6 months ago
As the admin1 is the user admin, no need to have P2 license, Azure AD Premium P2 licenses are not required for users with the Global Administrator or User Administrator roles who set up access reviews, configure settings, or apply the decisions from the reviews. https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
upvoted 2 times
SPSK
4 years, 6 months ago
Some more info if a normal user tried to access access reviews: Access to these features requires the Global Administrator, User Administrator, Global Reader, Security Administrator, or Security Reader role. Contact your administrator to get access.
upvoted 1 times
...
...