Exam SC-300 topic 4 question 34 discussion

Actual exam question from Microsoft's SC-300
Question #: 34
Topic #: 4

HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains three users named User1, User2, and User3.
You create a group named Group1. You add User2 and User3 to Group1.
You configure a role in Azure AD Privileged Identity Management (PIM) as shown in the Application Administrator exhibit. (Click the Application Administrator tab.)

Group1 is configured as the approver for the Application administrator role.
You configure User2 to be eligible for the Application administrator role.
For User1 you add an assignment to the Application administrator role as shown in the Assignment exhibit. (Click the Assignment tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
User1 is eligible from 1/1/2021 to 1/31/2021.
However, here the Application Administrator role requires approval.

Box 2: No -
User2 is also a member of Group1, and Group1 is configured as the approver for the Application administrator role.

Box 3: Yes -
User1 is eligible from 1/1/2021 to 1/31/2021.
Activation maximum duration (hours) is set to 5 hours.

Comments

existingname
Highly Voted 2 years, 6 months ago
On the exam today I answered N, Y, Y. I think User2 cannot approve his own request.
upvoted 22 times
jack987
2 years, 2 months ago
I agree with existingname. The correct answer is N-Y-Y.
upvoted 1 times
Bjarki2330
2 years, 6 months ago
I agree. You can see it stated here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow "Approvers are not able to approve their own role activation requests."
upvoted 10 times
Logitech
1 year, 5 months ago
Thank you for the link. The wording of the question sucks because he already has an eligible assignment. And they write: when User2 requests to be assigned... instead of when User2 activates his role. Assignment is not activation in my opinion. MS questions make me angry, sometimes.
upvoted 1 times
Nyamnyam
Highly Voted 1 year, 4 months ago
N-Y-N
1. User1 is set as eligible, not active.
2. Approvers are not able to approve their own role activation requests.
3. Assignment expires on 31 Jan at 23:59. Full stop.
upvoted 15 times
YesPlease
Most Recent 18 hours, 8 minutes ago
1) NO, even adding a user manually will still need to follow the workflow... which requires an approval by Group1.
2) YES, a user may not approve their own request (unless the workflow is asking for all of the members to do a "self approval"), but the approval Group1 contains User2 and User3 as approvers.
3) NO, the "assignment ends" is a hard stop to access... regardless if they have a 5 hour window to use the activation.
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-approval-workflow#:~:text=Approvers%20are%20not%20able%20to%20approve%20their%20own%20role%20activation%20requests.
upvoted 1 times
Arash123
3 months, 3 weeks ago
Third question is NO. Because it says "UNTIL February 1, 2021, at 04:00"
upvoted 1 times
Arash123
3 months, 3 weeks ago
Sorry, I meant YES!
upvoted 1 times
Arash123
3 months, 3 weeks ago
No again, stop at 31 Jan!
upvoted 1 times
IRISone
3 months, 1 week ago
To clarify a bit, the assignment to activate a role stops at the first of February. An active assignment that has been accepted beforehand will run its course.
upvoted 1 times
srysgbvjumozmail
7 months, 1 week ago
NO - User cannot be added to active role unless approved.
YES - Approvers are not able to approve their own role activation requests; User2 can only be approved by other approvers (User3).
YES - Maximum duration is 5 hours as shown in "Activation Maximum hours".
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-approval-workflow#approve-requests
upvoted 1 times
Sc300ExamDemo
9 months, 2 weeks ago
N - User cannot be added to active role unless approved.
Y - Tested in Azure portal; User2 can only be approved by other approvers (User3).
Y - Maximum duration is 5 hours as shown in "Activation Maximum hours".
upvoted 1 times
a6792d4
9 months, 4 weeks ago
N, Y, N
upvoted 1 times
penatuna
1 year, 2 months ago
No - User1 is eligible from 1/1/2021 to 1/31/2021. However, here the Application Administrator role requires approval. Eligible is a role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time.
Yes - Approvers are not able to approve their own role activation requests. Group1 is configured as the approver for Application Administrator role. User3 is in Group1, so User3 can approve User2.
upvoted 1 times
penatuna
1 year, 2 months ago
No – User1 is eligible from 1/1/2021 to 11:59:00 PM 1/31/2021. User1 is approved to Application Administrator role on 1/31/2021 at 23:00. Activation maximum duration (hours) is set to 5 hours. However, since User1 assignment to Application Administrator ends at 11:59:00 on 1/31/2021, you cannot use the Application Administrator role after that. I tested it with User1, and after the assignment end time, User1 cannot do Application Administrator stuff, for example “Create your own application”.
upvoted 2 times
Nivos300
1 year, 4 months ago
I think the answer is correct N N Y
upvoted 1 times
cgonIT
1 year, 5 months ago
Correct Answer is: No, No, No.
1. No. User1 needs to be approved by any approver (User2 or User3, so Group1 users).
2. No. Approvers are not able to approve their own role activation requests, see next link: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-approval-workflow#approve-requests
3. No. The role can't be requested to be activated if end-date is after the End Time of the assigned Role. Tested in lab right now and the error message during activation says: "The following policy rules failes:["ExpirationRule"]".
upvoted 2 times
curtmcgirt
1 year, 3 months ago
doesn't your explanation of #2 mean that only user3 can approve user2's request? aka 'yes'?
upvoted 2 times
dule27
1 year, 8 months ago
NO YES YES
upvoted 1 times
ExamStudy68
1 year, 11 months ago
I may be wrong, but I think the point of the last question is User1 activated on Jan 31 at 23:00 so User1 is activated when the assignment ends at 11:59pm - before the five hour time limit completes. Not sure what the answer is - still looking.
upvoted 2 times
LeTrinh
2 years ago
N, Y, N. The Activation maximum duration (5 hours) is only for the timeline of the request to activate the role. So the answer is wrong.
upvoted 4 times
34reefer
1 year, 11 months ago
31 jan 23:00 > 1 Feb 04:00 is 5 hours, so N,Y,Y
upvoted 2 times
b233f0a
1 year, 8 months ago
N,Y,N Assignment expired 31 Jan @ 11:59 so cannot be used in Feb
upvoted 6 times
Hot_156
2 years, 5 months ago
It is N,Y,Y. I tested this in my lab, so you cannot approve a request for yourself. Also, if there are guest accounts in the group, they will receive the email about approving the request but they cannot do it.
upvoted 7 times