You have an Azure subscription that contains a custom application named Application1. Application1 was developed by an external company named Fabrikam,
Ltd. Developers at Fabrikam were assigned role-based access control (RBAC) permissions to the Application1 components. All users are licensed for the
Microsoft 365 E5 plan.
You need to recommend a solution to verify whether the Fabrikam developers still require permissions to Application1. The solution must meet the following requirements:
-> To the manager of the developers, send a monthly email message that lists the access permissions to Application1.
-> If the manager does not verify an access permission, automatically revoke that permission.
-> Minimize development effort.
What should you recommend?
The solution that meets the requirements to verify whether the Fabrikam developers still require permissions to Application1, sends a monthly email message to the manager of the developers listing the access permissions to Application1, and automatically revokes any permission not verified by the manager with minimal development effort is option A, "In Azure Active Directory (Azure AD), create an access review of Application1."
Explanation: An access review is a feature of Azure AD that allows administrators to review and manage the access rights of users, groups, and applications. By creating an access review for Application1, the manager of the developers will receive a monthly email message listing the access permissions to Application1, which will enable them to verify if each developer still requires their assigned RBAC permissions to Application1.
If the manager does not verify a particular access permission, the access review feature can automatically revoke that permission. This meets the requirement to automatically revoke any permission not verified by the manager.
Option B, "Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet," is incorrect because while it may be possible to use a runbook to retrieve the RBAC permissions for Application1, it would require significant development effort to create the runbook and email notification capabilities.
Option C, "In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources," is incorrect because privileged identity management is not needed to manage the RBAC permissions for Application1.
Option D, "Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet," is incorrect because the Get-AzureADUserAppRoleAssignment cmdlet retrieves the application roles assigned to a user, but it does not provide a way to automatically revoke permissions if the manager does not verify them.