Hard · 1 mark · Multiple Choice
Tags: Domain 1: Authentication and Authorization · PIM · Governance

AZ-305 · Question 08 · Domain 1.2: Authentication and Authorization

An enterprise has 50 Azure subscriptions organized under a Management Group hierarchy.

The security policy dictates that no user should have standing (permanent) administrative access to any subscription. When developers need 'Contributor' access to troubleshoot production issues, they must request it. The request must require justification, be approved by a manager, and automatically expire after 4 hours.

You need to design a solution to meet these requirements with the least administrative effort.

What should you recommend?

Answer options:

A.

Implement Microsoft Entra Privileged Identity Management (PIM) and configure role settings for the Contributor role at the Management Group level.

B.

Create a custom Azure Automation runbook that grants Contributor access when triggered by a ServiceNow ticket, and removes it after 4 hours.

C.

Implement Azure AD Entitlement Management and create an Access Package containing the Contributor role for each of the 50 subscriptions.

D.

Configure Microsoft Defender for Cloud Just-In-Time (JIT) VM access for all virtual machines.

How to approach this question

Identify the requirement for Just-In-Time RBAC role assignment (PIM) and the requirement for least administrative effort across 50 subscriptions (Management Groups).

Full Answer

A. Implement Microsoft Entra Privileged Identity Management (PIM) and configure role settings for the Contributor role at the Management Group level. ✓ Correct
Microsoft Entra Privileged Identity Management (PIM) is the native service for managing, controlling, and monitoring access to important resources. It provides Just-In-Time (JIT) access, can require justification, supports approval workflows, and enforces time-bound activations (e.g., 4 hours). Because Azure RBAC is inherited down the scope hierarchy, configuring the PIM role settings once at the Management Group level applies them to all 50 underlying subscriptions, drastically reducing management overhead.

Common mistakes

Confusing Microsoft Defender for Cloud JIT VM access (time-limited network port access to virtual machines) with PIM JIT (time-limited activation of Azure RBAC role assignments).

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 3
