Your company recently created an Azure subscription. You have been tasked with making sure that a specified user is able to implement Azure AD Privileged Identity Management (PIM). Which of the following is the role you should assign to the user?
No. You haven't got the meaning of the question. "Anyone" can enable PIM and get the admin access for the assigned duration, but who has the right and permission to assign an admin role using PIM to others? I hope it's clear for you.
A. The Global administrator role.
Explanation:
To implement Azure AD Privileged Identity Management (PIM), a user must have elevated privileges that allow them to manage role assignments and access controls. The Global Administrator role has the highest level of permissions in Azure AD, including the ability to enable and configure Privileged Identity Management (PIM).
Why not the other options?
B. Security Administrator → Can manage security-related policies but does not have permissions to configure PIM.
C. Password Administrator → Only manages password-related tasks and cannot implement PIM.
D. Compliance Administrator → Focuses on compliance settings and auditing but lacks control over PIM.
Answer: A, Global Administrator
Reason: Azure AD Privileged Identity Management (PIM) requires Global Administrator permissions to be configured initially. While other administrators can manage specific PIM roles once it's set up, only Global Administrators can implement and configure PIM for the first time in an Azure AD tenant.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started#prerequisites
Note: Although a Security Administrator can manage some PIM settings after initial setup, they cannot implement PIM for the first time in an organization.
"Only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators" https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan
Privileged Role Administrator is not an option, thus Global Administrator it is.
The Global administrator role has the highest level of privilege in Azure AD and provides full access to all administrative features, including the ability to configure and manage Azure AD PIM. This role allows the user to enable and configure Azure AD PIM for managing privileged roles and access in the Azure subscription.
Therefore, the correct answer is:
A. The Global administrator role.
A is the answer.
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan#assign-and-activate-azure-ad-roles
For Azure AD roles in PIM, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in PIM.
Seems an outdated question as PIM now is automatically enabled when a P2 license enabled user logs in?
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started
When a user who is active in a privileged role in a Microsoft Entra organization with a Premium P2 license goes to Roles and administrators in Microsoft Entra ID and selects a role (or even just visits Privileged Identity Management):
"We automatically enable PIM for the organization
Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment"
B. Security administrator role
Here's why:
The Security administrator role provides the necessary permissions to manage Azure AD security features, including PIM.
It grants control over security policies, access management, and monitoring, which aligns with PIM's functionalities.
"Only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators" https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan
B. The Security administrator role.
The Security administrator role in Azure AD is required to manage Azure AD Privileged Identity Management. This role allows the user to configure and manage PIM settings, including configuring role assignments, activating PIM for specific roles, and managing the PIM security settings.
To start using PIM in your directory, you must first enable PIM.
1. Sign in to the Azure portal as a Global Administrator of your directory.
You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable PIM for a directory.
Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for contoso.com
In the real world you should always give Privileged Role Administrator over Global Admin.
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
A is correct. For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.