Assigning Access for Azure Active Directory Identity Governance Review

Delegating Access Review Tasks in Azure Active Directory

Prev Question Next Question

Question

You are the global administrator of an organization with a Microsoft 365 subscription.

Due to high turnover you need to map out if people who have left the company still have access to groups.

You decide to create an Access review from Azure Active Directory Identity Governance, and you delegate this task to User 1

What kind of access should you assign to user 1? The solution must use the principle of least privilege.

Answers

A. Privileged role administrator

B. Global administrator

C. Security reader

D. User administrator.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: D

The least privileged role with permission to create access reviews from AAD Identity Governance is User administrator (see exhibit):

Appendix - least privileged roles for managing in Identity
Governance features

It's a best practice to use the least privileged role to perform administrative tasks in Identity Governance. We recommend that you
use Azure AD PIM to activate a role as needed to perform these tasks. The following are the least privileged directory roles to
configure Identity Governance features:

Feature Least privileged role

Entitlement management User administrator (with the exception of adding SharePoint Online sites to catalogs, which requires Global
administrator)

Access reviews User administrator (with the exception of access reviews of Azure or Azure AD roles, which requires Privileged role
administrator)

Privileged Identity Privileged role administrator
Management

Terms of use Security administrator or Conditional access administrator

Option A is incorrect.

Privileged role administrator is needed for creating access reviews of Azure AD or Azure roles, not group membership.

Option B is incorrect.

Global administrators can create access reviews, but it is not the least privileged alternative.

Option C is incorrect.

The Security reader role has viewing rights to Security Center.

The user can view recommendations, alerts, a security policy, and security states, but cannot make changes.

It is not the correct alternative in this scenario.

To know more about creating access reviews in Identity Governance, please refer to the link below:

The principle of least privilege is the concept of giving users only the minimum level of access required to perform their job functions. In this scenario, since the task is related to mapping out the access of former employees, it is recommended to assign the minimum necessary access to User 1 to perform the Access review task.

Out of the given options, the most appropriate role to assign to User 1 would be the Security reader role. This role provides read-only access to all security features in Microsoft 365, including Azure Active Directory Identity Governance.

The Security reader role allows User 1 to view and access the access review feature, without the ability to modify or change any access settings. This ensures that User 1 can only view the access review results and not make any unauthorized changes.

Privileged role administrator and Global administrator roles have more permissions than necessary for this task and should not be assigned unless absolutely required. The User administrator role is also not appropriate as it only provides access to user management tasks and not security-related tasks such as access reviews.

Therefore, assigning the Security reader role to User 1 would be the most appropriate and secure choice, in accordance with the principle of least privilege.

Prev Question Next Question