Exam SC-300 topic 4 question 6 discussion

Correct

I think the best way to read this question is "What should you configure FIRST for the Security administrator role assignment?" You would setup "D. Assignment type to Eligible" so the admins can request the role in future, for a limited time based on the Role Setting of "Activation maximum duration (hours): 8 (by default)" Only then would you set "B. Expire active assignments after from the Role settings details" So D is the correct answer.

Answer d) Assignment type to ELIGIBLE A role assignment that requires a user to perform one or more actions to use the role. If a user is eligible for a role, they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure#terminology:~:text=Description-,eligible,-Type

D. Assignment type to Eligible: When you set the assignment type to "Eligible," it means that users will not have permanent access to the role but will be eligible for it. They will need to activate the role when required, and it won't be active by default. This approach allows you to enforce just-in-time access, meaning that users will only have access to the Security administrator role when they request and activate it through PIM. Once their role activation period ends, they will lose access to the role automatically.

Correct Answer: D

I would say B for teh below reason Eligible means teh user needs to take action to activate the role but it may then be permanent and won't expire. This doesn't comply with the ask "when required". Hence time bound should be applied on "Active" roles to disable access after completing the task and right until it's required again for the user to request another activation

D. Assignment type to Eligible

D is the correct answer

D is correct. in the exam today

On the exam - March 28, 2022

just pass the exam today. This came in the question.

On the exam today - March 4, 2022

On the exam 1/20/2022

Correct

Passed the exam today 23/09/2021 This question came in the exam.

eligible A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There is no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people do not need that access all the time. Eligible role user permissions • Request activation of a role that requires approval • View the status of your request to activate • Complete your task in Azure AD if activation was approve

Eligible yes however you also need to remove perm assignment of security admin role from users.