Exam AZ-104 topic 2 question 4 discussion

Tested in lab Correct Answers: User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserB = No Created Group 1 and Group 2, added Group 2 as a member in Group 1, Added guest Accounts to Group 1 and Group 2, In the Access Review results only the Guest Accounts in Group 1 appeared for review and "Not" the Guest accounts in Group 2.

User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews. Review1 reviews access for guest users who are member of Group1. The group owner is specified as the reviewer. User3 is the owner of Group1. User2 is the only guest user in Group1. Note: Dynamic groups and nested groups are not supported with the Access review process. Reference: Create an access review of groups and applications in Azure AD access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

N, N, Y is correct For the third statement, it states User 3 can perform an access review of User B (Guest Account). In the image they provide, it says that Group Owners can review guest accounts. Since User 3 is the owner of Group 1 (Group Owner), then they would be able to review User B.

The only confusion is with UserB. While, in previous versions, access reviews did not provide any information for nested users, this is no longer true. Access information is provided. However, there isn't any way to approve/deny. This is because access is provided indirectly (through nested group membership). Microsoft states that UserB must be removed from Group2 manually. So the question is "what do we consider access review?" If the answer is just information, then "yes". However, if we are to include the full approve/deny process, then "No" Yea, the question is messed up.

Go through this very carefully, It is the correct answer with logic: Statement 1: User3 can perform an access review of User1 Answer: No Reason: User1 is a member-type user, and scope is “guest users only” Statement 2: User3 can perform an access review of UserA Answer: No Reason: UserA is a member-type user and also, UserA is part of a nested group (Group2), not a direct member of Group1 Statement 3: User3 can perform an access review of UserB Answer: No Even though UserB is a guest, they are in a nested group (Group2), not directly in Group1. Nested group users are not included in the access review Final answer: No, No, No.

NNY Answer is correct From ms doc: In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users. If a user is flagged for removal due to their membership in a nested group, they will not be automatically removed from the nested group, but only from direct group membership.

N,N,Y The question is only asking if User3 can perform access review and not removal. Per MS: In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users. If a user is flagged for removal due to their membership in a nested group, they will not be automatically removed from the nested group, but only from direct group membership.

User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserB = Yes Created Group 1 and Group 2, added Group 2 as a member in Group 1 https://imgur.com/a/2DTRhVb https://learn.microsoft.com/en-us/entra/id-governance/create-access-review In a group review, nested groups will be automatically flattened, so users from nested groups will appear as individual users

No, No, Yes Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed.

User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Explanation for User3 can perform an access review of UserB. /No Note In a team or group access review, only the group owners (at the time a review starts) are considered as reviewers. During the course of a review, if the list of group owners is updated, new group owners will not be considered reviewers as well as old group owners will still be considered reviewers. However, in the case of a recurring review, any changes on the group owners list will be considered in the next instance of that review. https://learn.microsoft.com/en-us/entra/id-governance/create-access-review Create a single-stage access review => Next: Reviews

User3 can perform an access review of User1. No User3 can perform an access review of UserA. No User3 can perform an access review of UserB. No User 3 can not perform an access review of UserB, because only guests of Group 1 are reviewed not the members and Group 2 is a member of Group 1.

For this round going with NNY

Final Answer: No No NO

The answer does, in fact, appear to be NNY. I created an access review just now scoped to review just the guest users of a group I had called Lab Administrators. All the members added directly to Lab Administrators were other groups, and the only result I got from the access review was the one guest user I had as a member of one of the nested groups.

User 3 CANNOT perform an access review of User B: "Common scenarios in which certain denied users can't have results applied to them may include the following: ... Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. " From: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review

CORRECT

3) NO because nested group