Practice Test

True or False: Azure AD Privileged Identity Management is a service that allows you to manage, control, and monitor access to important resources in your organization.

  • True
  • False

Answer: True

Explanation: Azure AD PIM is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to resources in Azure AD, Azure, and other Microsoft Online Services.

True or False: With Azure AD Privileged Identity Management, you can only assign admin roles that are permanent and cannot be changed.

  • True
  • False

Answer: False

Explanation: With Azure AD PIM, you can assign eligible admin roles that are Just in Time and can be activated when needed. These roles are not permanent.

Which of the following are functions of Azure AD Privileged Identity Management? (Select all that apply.)

  • A. Setting alerts for unusual activities
  • B. Configuring automatic role activation
  • C. Managing access to Azure services
  • D. Monitoring the access of users to Azure resources

Answer: A, C, D

Explanation: Azure AD PIM allows setting alerts for unusual activities, managing access to Azure services, and monitoring the access of users to Azure resources. It does not, however, support automatic role activation.

True or False: Azure AD Privileged Identity Management only supports admin roles in Azure AD.

  • True
  • False

Answer: False

Explanation: Azure AD PIM enables you to manage, control, and monitor access to resources in Azure AD, Azure, and other Microsoft Online Services.

Which security standard does Azure AD PIM help meet?

  • A. ISO 9001
  • B. ISO 14500
  • C. ISO 27001
  • D. ISO 20000

Answer: C

Explanation: Azure AD PIM helps organizations meet the ISO 27001 security standard by decreasing the risks associated with standing access.

True or False: Azure AD PIM offers time-bound access to Azure AD resources.

  • True
  • False

Answer: True

Explanation: One of the features of Azure AD PIM is Just in Time (JIT) access, which offers temporary, time-bound access to Azure AD resources.

True or False: Delegated approvers can approve only their own requests in Azure AD PIM.

  • True
  • False

Answer: False

Explanation: Delegated approvers can approve requests for other eligible administrators, not only their own.

Which of the following roles can Azure AD PIM assign?

  • A. Security Reader
  • B. Billing Reader
  • C. Visitor
  • D. All of the above

Answer: D

Explanation: Azure AD PIM can assign all admin roles available in Azure AD, Azure, and other Microsoft Online Services, including Security Reader, Billing Reader, and even Visitor.

Which of the following features enables time-bound access to resources in Azure AD PIM?

  • A. Just in Time access
  • B. Permanent access
  • C. Continuous access
  • D. Always on access

Answer: A

Explanation: The Just in Time access feature of Azure AD PIM allows for time-bound access to resources, reducing the risks associated with standing access.

True or False: An admin role in Azure AD PIM can become permanent if it’s not removed manually.

  • True
  • False

Answer: False

Explanation: The access given to an admin role in Azure AD PIM is time-bound and expires after the specified duration. It cannot become permanent unless explicitly made so.

Interview Questions

What is Azure AD Privileged Identity Management (PIM)?

Azure AD Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that provides just-in-time privileged access to Azure resources and Azure AD. It helps protect organizations from the risks associated with excessive, unnecessary, or misused access permissions.

What types of roles can Azure AD PIM manage?

Azure AD PIM can manage Azure AD roles, Azure roles, and Azure AD Directory roles.

How would you activate eligibility for a role in Azure AD PIM?

Once a role is assigned to a user as eligible, the user can activate it when needed. To do so, the user signs in to the Azure portal, navigates to Azure AD PIM, and activates the eligible role from there.

What are the two types of access assignments that Azure AD PIM provides?

Azure AD PIM provides two types of access assignments: permanent access assignments and eligible access assignments. Permanent access remains until it is manually revoked, while eligible access requires the user to request access, and it expires after a set period.

What is the role of a Privileged Role Administrator in Azure AD PIM?

A Privileged Role Administrator can enable PIM for their organization, manage role settings, and view audit history.

Can you customize the duration of a role assignment in Azure AD PIM?

Yes, you can customize the duration of a role assignment. Default maximum activation duration settings can be overridden at the role setting level or at the time of activation.

Can you delegate the management roles in Azure AD PIM?

Yes, a Privileged Role Administrator can delegate management roles in PIM to other users, reducing the number of users who need to be assigned this powerful role.

What are the two states of a role assignment in Azure PIM?

The two states are “eligible” and “active”. An “eligible” role assignment requires the user to perform a specific set of actions to use the role. An “active” role assignment does not require the user to perform any actions to use the role.

How is Azure AD PIM licensed?

Azure AD PIM is included with Azure AD Premium P2 and Enterprise Mobility + Security (EMS) E5 licenses.

How does Azure AD PIM help improve organizational security?

Azure AD PIM reduces the risk of security breaches by providing just-in-time and just-enough access to Azure resources. It provides oversight for activities performed with elevated privilege, allowing organizations to discover, restrict, and monitor privileged identities and access.

Can you configure Azure AD PIM to require an approval for role activation?

Yes, Azure AD PIM allows configuration of an approval process for activating eligible roles.

Does Azure AD PIM provide audit trails?

Yes, Azure AD PIM has detailed audit trails for all privilege-related activities.

What is the purpose of the Azure AD PIM Access Reviews feature?

The Access Reviews feature in Azure AD PIM allows organizations to periodically review and validate role assignments, ensuring that only appropriate users have access to specific roles.

What happens when a role assignment expires in Azure AD PIM?

When a role assignment expires, the user will lose the privileges associated with that role. The user or an administrator will need to reactivate the role if access to that specific role is still required.

Can Azure AD PIM be used with custom roles?

Yes, Azure AD PIM can be used with custom roles as long as they are based on Azure RBAC built-in roles. Custom roles allow for more granular control over resource access in Azure.
