Exam AZ-104 topic 2 question 4 discussion

Tested in lab Correct Answers: User3 can perform an access review of User1 = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserA = No User1 is a Member and not a Guest Account, Access Review specified Guests only. User3 can perform an access review of UserB = No Created Group 1 and Group 2, added Group 2 as a member in Group 1, Added guest Accounts to Group 1 and Group 2, In the Access Review results only the Guest Accounts in Group 1 appeared for review and "Not" the Guest accounts in Group 2.

User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access. If you need to routinely review access, you can also create recurring access reviews. Review1 reviews access for guest users who are member of Group1. The group owner is specified as the reviewer. User3 is the owner of Group1. User2 is the only guest user in Group1. Note: Dynamic groups and nested groups are not supported with the Access review process. Reference: Create an access review of groups and applications in Azure AD access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

User3 can perform an access review of User1. /No User3 can perform an access review of UserA. /No User3 can perform an access review of UserB. /No Explanation: Explanation for User3 can perform an access review of UserB. /No Note In a team or group access review, only the group owners (at the time a review starts) are considered as reviewers. During the course of a review, if the list of group owners is updated, new group owners will not be considered reviewers as well as old group owners will still be considered reviewers. However, in the case of a recurring review, any changes on the group owners list will be considered in the next instance of that review. https://learn.microsoft.com/en-us/entra/id-governance/create-access-review Create a single-stage access review => Next: Reviews

Wrong No No No it´s specified to review only "Guest users" User1 = Member UserA = Member UserB = is in Group2 which is a Member of Group1

User3 can perform an access review of User1. No User3 can perform an access review of UserA. No User3 can perform an access review of UserB. No User 3 can not perform an access review of UserB, because only guests of Group 1 are reviewed not the members and Group 2 is a member of Group 1.

For this round going with NNY

Final Answer: No No NO

The answer does, in fact, appear to be NNY. I created an access review just now scoped to review just the guest users of a group I had called Lab Administrators. All the members added directly to Lab Administrators were other groups, and the only result I got from the access review was the one guest user I had as a member of one of the nested groups.

User 3 CANNOT perform an access review of User B: "Common scenarios in which certain denied users can't have results applied to them may include the following: ... Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. " From: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review

CORRECT

3) NO because nested group

Even without much technical knowledge, you can answer this question correctly by applying basic comprehensive reading skills. User3 is Group 1 OWNER, Group 2 is MEMBER of Group 1, User3 can perform access reviews on GUESTS ONLY. Correct answer is: No No Yes

User3 can perform an access review of UserB = Yes Reference: 1. Reviewing a role with nested groups assigned: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access 2. Microsoft 365 and Security group owner can create access review https://learn.microsoft.com/en-us/entra/id-governance/create-access-review

Apparently the answer is NO-NO-YES. Although MS Learn states that access reviews for users with permissions through nested groups won't have any effect. But those users will show up for review. Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-perform-roles-and-resource-roles-review#approve-or-deny-access

I think that the simple solution here is this: No/No/Yes Reason is that the review in the picture points out that it's only searching for Guest users and User B is the Only quest user from the answer area. User 1 is a member and User A is a member

Answer is No, No, Yes. Users and groups Allows targeting of specific sets of users. For example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app. A group can be any type of user group in Microsoft Entra ID, including dynamic or assigned security and distribution groups. Policy is applied to nested users and groups. https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-users-groups

In this case. From the setting. We focus on Guest users only. User 1 is not a guest member. (No) User A is not a guest member. (No) User B is a guest member. (Yes) For setting understanding: https://learn.microsoft.com/en-us/azure/active-directory/governance/create-access-review For step-by-step explanation: https://www.youtube.com/watch?v=O032Kz-5R2Q&t=1s