AZ-500 Question #361: Real Exam Question with Answer & Explanation
Question
You have an Azure subscription that uses Azure Active Directory (Azure AD) Privileged Identity Management (PIM). A PIM user who is assigned the User Access Administrator role reports receiving an authorization error when performing a role assignment or viewing the list of assignments. You need to resolve the issue by ensuring that the PIM service principal has the correct permissions for the subscription. The solution must use the principle of least privilege. Which role should you assign to the PIM service principal?
Options
- A. Contributor
- B. User Access Administrator
- C. Managed Application Operator
- D. Resource Policy Contributor
Explanation
The correct answer is B: User Access Administrator. PIM does not act with the requesting user's permissions when it activates or lists eligible assignments; its own service principal (shown in the tenant as MS-PIM) creates and removes the Azure RBAC role assignments. The requesting user already holds User Access Administrator, so the authorization error means the PIM service principal itself lacks permission to read and write role assignments on that subscription. User Access Administrator grants exactly that: Microsoft.Authorization/* (role assignments and role definitions) plus read access to resources, and nothing else. Assigning it to the PIM service principal at subscription scope resolves the error with least privilege; Owner would also work but grants full control over every resource in the subscription.
Common mistakes.
- A. The Contributor role grants `*` on resources, but its NotActions explicitly exclude Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete and Microsoft.Authorization/elevateAccess/Action, so it cannot create or remove Azure RBAC role assignments. It is therefore insufficient for PIM while still granting far more resource-management access than the service principal needs.
- C. The Managed Application Operator role is specific to managing managed applications and does not grant permissions for managing Azure RBAC role assignments across a subscription.
- D. The Resource Policy Contributor role is for managing resource policies (Azure Policy) and does not provide permissions to view or assign Azure RBAC roles.
Concept tested. Azure PIM service principal permissions for role management
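The following Az PowerShell script is an added example, not part of the exam page or of Microsoft's documentation. It walks through the remediation described in the explanation: it prints the two role definitions so the Contributor-versus-User Access Administrator difference is visible, locates the PIM service principal, checks what it already holds at subscription scope, and assigns User Access Administrator only if it is missing. The subscription ID is a placeholder, and the lookup assumes the PIM service principal carries the display name MS-PIM; verify both before running it.

```powershell
# Added example (not from the exam page). Requires the Az.Accounts and Az.Resources modules
# and an account that can create role assignments on the subscription
# (Owner or User Access Administrator at subscription scope or above).
# ASSUMPTIONS: $SubscriptionId is a placeholder; the PIM service principal is resolved by
# the display name 'MS-PIM'. Pin the lookup by object ID if your tenant differs.

$SubscriptionId   = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$PimSpDisplayName = 'MS-PIM'
$RoleName         = 'User Access Administrator'

# Connect-AzAccount   # uncomment for an interactive sign-in
Set-AzContext -Subscription $SubscriptionId | Out-Null
$scope = "/subscriptions/$SubscriptionId"

# 1. Show why Contributor is the wrong answer: its NotActions carve out the
#    Microsoft.Authorization write/delete operations PIM needs, whereas User Access
#    Administrator grants Microsoft.Authorization/* and only read access elsewhere.
$contributor = Get-AzRoleDefinition -Name 'Contributor'
$uaa         = Get-AzRoleDefinition -Name $RoleName
Write-Host "Contributor NotActions:`n  $($contributor.NotActions -join "`n  ")"
Write-Host "$RoleName Actions:`n  $($uaa.Actions -join "`n  ")"

# 2. Resolve the PIM service principal in the tenant.
$pimSp = @(Get-AzADServicePrincipal -DisplayName $PimSpDisplayName)
if ($pimSp.Count -eq 0) {
    throw "Service principal '$PimSpDisplayName' not found in this tenant."
}
if ($pimSp.Count -gt 1) {
    throw "Multiple service principals match '$PimSpDisplayName'; look it up by object ID instead."
}
$pimSp = $pimSp[0]

# 3. List what it already holds. Get-AzRoleAssignment with -Scope also returns assignments
#    inherited from a parent management group, which would satisfy PIM just as well.
$existing = Get-AzRoleAssignment -ObjectId $pimSp.Id -Scope $scope
Write-Host "Current assignments for $($pimSp.DisplayName) ($($pimSp.Id)):"
$existing | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 4. Grant User Access Administrator only if neither a direct nor an inherited assignment
#    exists. Deliberately do not fall back to Owner.
$hasRole = $existing | Where-Object { $_.RoleDefinitionName -eq $RoleName }
if ($hasRole) {
    Write-Host "$RoleName is already in effect at $scope (scope: $($hasRole[0].Scope)); nothing to do."
} else {
    New-AzRoleAssignment -ObjectId $pimSp.Id -RoleDefinitionName $RoleName -Scope $scope | Out-Null
    Write-Host "Assigned $RoleName to $($pimSp.DisplayName) at $scope."
}

# 5. Verify. New role assignments can take a short while to propagate before PIM
#    stops returning the authorization error.
Get-AzRoleAssignment -ObjectId $pimSp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq $RoleName } |
    Select-Object RoleDefinitionName, Scope, ObjectType
```

Run it once with the `New-AzRoleAssignment` line commented out to review the printed role definitions and existing assignments before changing anything; the check in step 4 treats an inherited assignment as sufficient so the script does not add a redundant subscription-level assignment when a management-group assignment already covers the subscription.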