Exam AZ-500 topic 2 question 21 discussion

YYN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles#assign-a-role Azure AD PIM for Azure resources provides two distinct assignment types: - Eligible assignments require the member to activate the role before using it. Administrator may require role member to perform certain actions before role activation which might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. - Active assignments don't require the member to activate the role before usage. Members assigned as active have the privileges assigned ready to use. This type of assignment is also available to customers that don't use Azure AD PIM.

YES - Active assignment NO - User 2 has MFA disabled which is a requirement NO - You cannot self approve/activate

Yes- Active assignment requires no further action Yes - Yes, user 2 can still request to activate a privileged role via Azure AD Privileged Identity Management (PIM), even if MFA is disabled. However, the activation process will not complete successfully unless MFA is enabled No- self approval doesn't work

Here is one tricky part for the second option as it seems it asks User2 can request to activate but since MFA disabled will not be able to activate (If this ask can User2 request then it seems Yes but even request will not be able to have role at MFA disabled needs to enable MFA as well). As documentation says before activate - You can require users who are eligible for a role to prove who they are by using the multifactor authentication feature in Microsoft Entra ID before they can activate

In exam 1/28/24

3 - shouldnt the User-3 be yes the self approver is Group1. and User-3 is member of Group1?

Box 1: Yes - Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times. Box 2: Yes - While Multi-Factor Authentication is disabled for User2 and the setting Require Azure Multi-Factor Authentication for activation is enabled, User2 can request the role but will need to enable MFA to use the role. Note: Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. Box 3: No - User3 is Group1, which is a Selected Approver Group, however, self-approval is not allowed and someone else from group is required to approve the request.

1. When User1 signs in, the user is assigned the Password Administrator role automatically.-No. Reason: User1 is not a member of any group that has the Password Administrator role assigned, and User1 is not eligible for the role. Therefore, User1 will not be assigned the Password Administrator role automatically 2. User2 can request to activate the Password Administrator role.--Yes. Reason: User2 is eligible for the Password Administrator role, and the role requires approval for activation. User2 can request to activate the role, and the request will be sent to the assigned approver (Group1) for approval. 3. If User3 wants to activate the Password Administrator role, the user can approve their own request.-No. Reason: User3 is eligible for the Password Administrator role, but the role requires approval for activation. User3 cannot approve their own request. The request will be sent to the assigned approver (Group1) for approval.

Correct, yes, yes, no. Cannot self approve your own request

Yes Yes No

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow#approve-requests "Approvers are not able to approve their own role activation requests."

Answer is correct Approvers can't approve their own role activation request , check the note section in this link https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow

In Exam 10/18/2022. One case study, no lab.

# In EXAM - 01-Oct-2022

Tested this in the lab and User 3 was able to activate the Password Admin role himself by going to Assigned roles in AD -> Eligible assignments -> Update.

Answers are correct based on the ET explanation and link. YES YES NO

in selected approver there's group1, why user3 can't approve its request? User3 is in group1.