A teammate sent me the following question and asked me to explain it.
You have an Azure subscription that contains a custom application named App1. App1 was developed by an external company. Developers at the external company were assigned role-based access control (RBAC) permissions to the App1 components. All users are licensed for the Microsoft 365 E5 plan.
You need to recommend a solution to verify if the external company developers still require permissions to App1. The solution must meet the following requirements:
✑ To the manager of the developers, send a monthly email message that lists the access permissions to App1.
✑ If the manager does not verify an access permission, automatically revoke that permission.
✑ Minimize development effort.
What should you recommend? (Correct answer marked with bold)
- **A. In Azure AD create an access review of App1.**
- B. Create an Azure Automation runbook that runs the Get-AzRoleAssignment cmdlet.
- C. In Azure Active Directory (Azure AD) Privileged Identity Management, create a custom role assignment for the Application1 resources.
- D. Create an Azure Automation runbook that runs the Get-AzureADUserAppRoleAssignment cmdlet.
Let’s review the answers starting from the last one. Answer D relies on the cmdlet Get-AzureADUserAppRoleAssignment. From the cmdlet’s verb (Get-), it can only read information. However, the second requirement says we need to revoke a permission, which means we would also need a cmdlet whose name begins with Set-, Revoke-, Remove-, etc. The answer doesn’t mention one, so we can rule it out.
Let’s move on to answer C. This answer mentions PIM, so we need to figure out what it is. Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments
This short explanation shows that answer C almost meets all the requirements, except the last one [Minimize development effort].
Answer B has the same problem as answer D; the only difference is the cmdlet used, Get-AzRoleAssignment, which again only reads role assignments.
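To make the “Get- only reads” point concrete, here is an added illustration (not code from the original post) of what a runbook for answers B or D would actually have to contain. The resource group name `rg-app1`, the managed-identity sign-in and the `$verifiedPrincipalIds` list are assumptions standing in for the App1 scope and for the bookkeeping of the manager’s replies that such a runbook would need to implement itself.

```powershell
# Added illustration, not part of the original post.
# Assumptions: the Automation account signs in with a managed identity,
# App1's components live in the resource group "rg-app1", and
# $verifiedPrincipalIds would be filled from the manager's monthly replies.
Connect-AzAccount -Identity

$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/rg-app1"

# Step 1: enumerate. This is all a Get-* cmdlet (answer B) does: it reads.
# Get-AzRoleAssignment -Scope also returns assignments inherited from parent
# scopes, so keep only the ones made directly on App1's resource group.
$assignments = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.Scope -eq $scope }

# The monthly email to the manager would have to be composed and sent here,
# and the manager's answers stored and read back next month. None of that is
# provided by the cmdlet; it is the "development effort" the question wants to avoid.
$verifiedPrincipalIds = @()   # assumption: populated from the manager's replies

# Step 2: revoke. Requirement 2 needs a second cmdlet with the Remove- verb,
# which neither answer B nor answer D mentions.
foreach ($a in $assignments) {
    if ($verifiedPrincipalIds -notcontains $a.ObjectId) {
        Remove-AzRoleAssignment -ObjectId $a.ObjectId `
            -RoleDefinitionName $a.RoleDefinitionName `
            -Scope $a.Scope -WhatIf   # remove -WhatIf only after testing the runbook
    }
}
```

Everything between the enumeration and the removal (mail delivery, reply tracking, scheduling, audit trail) is custom code, which is exactly why the runbook answers fail the “minimize development effort” requirement.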
Finally, we reach the correct answer, A. An access review is an efficient way to manage group memberships, access to enterprise applications, and role assignments. Users’ access can be reviewed regularly to make sure only the right people have continued access.
When an access review is configured, the reviewer periodically receives an email asking them to confirm the membership or assignment. If the review is ignored, the predefined default action runs. Additionally, when you open Identity Governance | Access reviews in the Azure portal, it checks for the appropriate license before showing you the interface.
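As an added example (not from the original post), the same review can be created with the Microsoft Graph PowerShell SDK instead of the portal, which makes the three requirements visible as settings: a monthly recurrence, the reviewee’s manager as reviewer, and an automatically applied Deny for anything the manager does not verify. It assumes the Microsoft.Graph.Identity.Governance module is installed and that `$app1ServicePrincipalId` is replaced with App1’s service principal object id (a placeholder here). Microsoft 365 E5 includes the Azure AD Premium P2 license that access reviews require.

```powershell
# Added example, not part of the original post.
# Assumptions: Microsoft.Graph.Identity.Governance module installed; the caller
# holds the AccessReview.ReadWrite.All permission; App1's service principal id
# is substituted for the placeholder below.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$app1ServicePrincipalId = "<App1 service principal object id>"   # placeholder

$params = @{
    displayName = "App1 - monthly review of external developer access"
    # What is reviewed: every principal assigned to App1
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/servicePrincipals/$app1ServicePrincipalId/appRoleAssignedTo"
        queryType     = "MicrosoftGraph"
    }
    # Requirement 1: the manager of each reviewed user is the reviewer
    reviewers = @(
        @{ query = "./manager"; queryType = "MicrosoftGraph"; queryRoot = "decisions" }
    )
    settings = @{
        mailNotificationsEnabled        = $true   # the email the manager receives
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        instanceDurationInDays          = 7       # days the manager has to respond
        # Requirement 2: no decision from the manager => Deny, applied automatically
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        # Requirement 1: monthly, with no end date
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
"Created access review $($review.Id): $($review.DisplayName)"
```

This definition reviews App1’s assignments in Azure AD. If the developers’ permissions are Azure RBAC roles on App1’s Azure resources, the equivalent review is created under Privileged Identity Management | Azure resources, with the same reviewer, recurrence and default-decision settings; either way, no code beyond this one-time setup is needed, which is what answer A gets right.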
I hope I have explained all parts of this topic. See you in the next one 🙂