AZ-500 Question #198: Real Exam Question with Answer & Explanation

Submitted by diego_uy · Mar 6, 2026 · Secure identity and access

Question

You have an Azure subscription. You enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM). Your company's security policy for administrator accounts has the following conditions:

  • The accounts must use multi-factor authentication (MFA).
  • The accounts must use 20-character complex passwords.
  • The passwords must be changed every 180 days.
  • The accounts must be managed by using PIM.

You receive multiple alerts about administrators who have not changed their password during the last 90 days. You need to minimize the number of generated alerts. Which PIM alert should you modify?

Options

  • A. Roles are being assigned outside of Privileged Identity Management
  • B. Roles don't require multi-factor authentication for activation
  • C. Administrators aren't using their privileged roles
  • D. Potential stale accounts in a privileged role

Explanation

Option D is correct because "Potential stale accounts in a privileged role" is the PIM alert that triggers when administrators haven't used or signed into their accounts within a configurable time threshold - by default, this is set to 90 days. Since your company's password policy allows 180 days before a password change is required, the default 90-day threshold is generating excessive alerts prematurely. You can modify this alert's threshold to 180 days to align with company policy and reduce unnecessary alert noise.

Why the distractors are wrong:

  • Option A is about roles assigned outside of PIM, which is unrelated to password change frequency.
  • Option B concerns MFA enforcement for role activation - not password aging or account activity timelines.
  • Option C ("Administrators aren't using their privileged roles") is about role usage, not password changes - though similar in concept, this alert tracks whether roles are being actively used, not account sign-in/password staleness thresholds.

💡 Memory Tip: Think "Stale = Old/Unchanged" - the "Potential stale accounts" alert is your go-to when the concern involves accounts appearing dormant or outdated. If the alert threshold doesn't match your policy window, adjust the alert, don't disable it entirely.

Topics

#Azure AD PIM · #Privileged Identity Management · #Security Alerts · #Account Management
