Exam AZ-500 topic 1 question 1 discussion

Given answer is correct. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Today, this not 100% correct. PIM ready to use without consent. Any user that have active role enables PIM.

Privileged Role Administrator or Global Administrator role can manage assignments for other administrators

A. The Global administrator role. Explanation: To implement Azure AD Privileged Identity Management (PIM), a user must have elevated privileges that allow them to manage role assignments and access controls. The Global Administrator role has the highest level of permissions in Azure AD, including the ability to enable and configure Privileged Identity Management (PIM). Why not the other options? B. Security Administrator → Can manage security-related policies but does not have permissions to configure PIM. C. Password Administrator → Only manages password-related tasks and cannot implement PIM. D. Compliance Administrator → Focuses on compliance settings and auditing but lacks control over PIM.

Answer: A, Global Administrator Reason: Azure AD Privileged Identity Management (PIM) requires Global Administrator permissions to be configured initially. While other administrators can manage specific PIM roles once it's set up, only Global Administrators can implement and configure PIM for the first time in an Azure AD tenant. Reference: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started#prerequisites Note: Although a Security Administrator can manage some PIM settings after initial setup, they cannot implement PIM for the first time in an organization.

"Only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators" https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan Privileged Role Administrator is not an option, thus Global Administrator it is.

The Global administrator role has the highest level of privilege in Azure AD and provides full access to all administrative features, including the ability to configure and manage Azure AD PIM. This role allows the user to enable and configure Azure AD PIM for managing privileged roles and access in the Azure subscription. Therefore, the correct answer is: A. The Global administrator role.

A is the answer. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan#assign-and-activate-azure-ad-roles For Azure AD roles in PIM, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in PIM.

Seems an outdated question as PIM now is automatically enabled when a P2 license enabled user logs in? https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started When a user who is active in a privileged role in a Microsoft Entra organization with a Premium P2 license goes to Roles and administrators in Microsoft Entra ID and selects a role (or even just visits Privileged Identity Management): "We automatically enable PIM for the organization Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment"

B. Security administrator role Here's why: The Security administrator role provides the necessary permissions to manage Azure AD security features, including PIM. It grants control over security policies, access management, and monitoring, which aligns with PIM's functionalities.

A is correct

B. The Security administrator role. The Security administrator role in Azure AD is required to manage Azure AD Privileged Identity Management. This role allows the user to configure and manage PIM settings, including configuring role assignments, activating PIM for specific roles, and managing the PIM security settings.

To start using PIM in your directory, you must first enable PIM. 1. Sign in to the Azure portal as a Global Administrator of your directory. You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable PIM for a directory. Scenario: Technical requirements include: Enable Azure AD Privileged Identity Management (PIM) for contoso.com

A. The Global administrator role.

In real world you should always give Privileged Role Administrator over global admin For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

A is correct. For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

A. The Global administrator role.