Exam AZ-500 topic 1 question 9 discussion

"Consent to PIM" is deprecated. No more required. So now only priv users needs to access/ visits PIM (Premium P2 is enabled") - Access will be provided automatically. "When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or even just visits Privileged Identity Management): We automatically enable PIM for the organization Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment"

Correct answer is D. First thing you do is Discover Azure resources. 1. Discover Azure resources 2. Configure Azure role settings. 3. Give eligible assignments. 4. Allow eligible users to activate their Azure roles just-in-time. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prepare-pim-for-azure-roles

To secure Azure AD roles using Azure AD Privileged Identity Management (PIM), the first action you should take is to sign up for Azure AD Privileged Identity Management (PIM) for Azure AD roles1. This step is crucial as it enables PIM for your tenant, allowing you to manage, control, and monitor access to privileged roles. Once PIM is enabled, you can proceed with discovering privileged roles and resources, configuring role settings, and assigning eligible users2.

Answer: Question is outdated Reason: Per current Microsoft documentation, with Microsoft Entra ID P2 or Microsoft Entra ID Governance license, PIM is automatically enabled for the tenant and doesn't require sign-up or consent. Reference: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prerequisites

To enable Azure AD Privileged Identity Management (PIM) for Azure AD roles, you can follow these steps: Step 1: Sign Up for PIM Go to the Azure portal. In the left-hand navigation pane, select Azure Active Directory. Under Manage, select Privileged Identity Management. If this is your first time accessing PIM, click Sign up to enable it for your Azure AD directory.

Before you can manage and secure Azure AD roles using PIM, you need to sign up for PIM. This is the first step in enabling PIM for Azure AD roles, after which you can configure role management, policies, and other settings.

https://learn.microsoft.com/en-us/training/modules/manage-authorization-microsoft-entra-id/15-configure-privileged-identity-management

https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started#prepare-pim-for-azure-roles

As per the below site, the correct answer is C. Before implementing PIM for Entra or RBAC roles, the first step is to "discover and mitigate privileged roles": https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan

To secure Azure AD roles using Azure Active Directory Privileged Identity Management (PIM), the first action you should take is to enable Privileged Identity Management (PIM) for Azure AD. This step is essential as it sets up PIM for your Azure AD environment, allowing you to manage and secure privileged roles. After enabling PIM, you can proceed with other tasks like assigning eligible roles, configuring role settings, and setting up just-in-time (JIT) access. However, enabling PIM is the foundational step.

Yes, question is outdated (consent is no longer required), however looking at below link - it seems that you have to "Discover and mitigate privileged roles" - therefore C is potentially correct answer nowadays. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan

Before you can effectively manage and secure privileged roles in Azure AD using PIM, you need to discover the existing privileged roles in your Azure subscription. This involves identifying the roles that have elevated permissions and need to be managed through PIM. By discovering privileged roles, you gain visibility into the current role assignments and can determine which roles should be subject to PIM and undergo the access review and just-in-time (JIT) activation process.

C is the answer. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan#discover-and-mitigate-privileged-roles List who has privileged roles in your organization. Review the users assigned, identify administrators who no longer need the role, and remove them from their assignments. You can use Azure AD roles access reviews to automate the discovery, review, and approval or removal of assignments.

The sequence is as follows, as per the documentation: 1. Plan a PIM deployment: a step of this includes 'C. Discover and mitigate privileged roles' https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan 2. Start using PIM: a step of this includes 'D. Discover resources' https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started So though both steps C & D are valid, C refers to the planning phase, D to the usage phase, therefore C comes first.

ChatGPT: For securing Azure AD roles using Azure Active Directory (Azure AD) Privileged Identity Management (PIM), the FIRST action you should take is: C. You should discover privileged roles. Before enabling and configuring Azure AD Privileged Identity Management (PIM), it's essential to discover and identify the privileged roles within your Azure environment. Understanding the roles and their permissions is a crucial initial step in implementing proper security measures and access controls. Once you have discovered these roles, you can proceed to configure and manage them using Azure AD PIM.

The correct answer is B. Before you can start using Azure AD PIM to manage and secure privileged roles, you must first give your consent to use the service within your Azure environment. This step is crucial as it involves agreeing to the terms of use and understanding the permissions and capabilities that PIM will have within your Azure AD environment. The process of signing up for Azure AD PIM (Option A) typically follows after you have given consent. Signing up may involve configuring specific settings or initiating the service within your Azure subscription, but it cannot be done before consent is provided. Discovering privileged roles (Option C) and discovering resources (Option D) are actions taken after Azure AD PIM is activated and consented to. These steps are part of the process of setting up and configuring PIM, wherein you identify which roles and resources require privileged access management.

Ladies and Jentelmens please read question carefully: Hi please read question carefully , it does not say Enable role for Azure subscription, Your solution is correct but it is for Azure Subscription not Azure Roles. So since we are not talking about resources we must choose C. If in the condiition it says for Azure resource we must chose D in this case - Discover Azure resources. Here Answer is C