- A
Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.
This meets all three requirements: justification is required, approval from the security group is required, and the activation duration is limited to 4 hours.
- B
Enable 'Require justification', 'Require ticket information', and set 'Maximum activation duration' to 8 hours.
Why wrong: Ticket information is not required. The duration is 8 hours, which exceeds the 4-hour limit. Approval is missing.
- C
Enable 'Require approval' and set 'Maximum activation duration' to 4 hours. Do not require justification.
Why wrong: Justification is required by policy. This configuration does not require justification.
- D
Enable 'Require Azure MFA on activation', 'Require justification', and set 'Maximum activation duration' to 4 hours.
Why wrong: MFA on activation is not specified in the requirements. Approval from the security group is missing.
Quick Answer
The correct combination is to enable 'Require justification' and 'Require approval' while setting the 'Maximum activation duration' to 4 hours, then assign the designated security group as the approver. This works because Azure AD Privileged Identity Management (PIM) enforces these three distinct settings independently within the role activation configuration: justification ensures accountability, approval adds a secondary verification layer, and the maximum duration caps the elevated access window. On the AZ-500 exam, this scenario tests your understanding of PIM’s granular control over privileged role activation, often appearing as a multi-requirement policy where a common trap is forgetting to assign the specific security group as the approver—merely enabling approval isn’t enough. To configure PIM role activation justification approval duration correctly, remember the three pillars: Justify, Approve, Limit. A useful memory tip is “J.A.L.”—Justification, Approval, Limit—which maps directly to the three checkboxes you must toggle in the Azure portal.
AZ-500 Manage identity and access Practice Question
This AZ-500 practice question tests your understanding of manage identity and access. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: pIM allows granular configuration of role activation settings.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. The security policy requires that when a user activates the Security Administrator role, they must: 1) Provide a justification, 2) Get approval from a designated security group, and 3) The activation must last a maximum of 4 hours. Which combination of PIM settings should they configure?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.
Option A is correct because Azure AD PIM allows you to enforce all three requirements: justification, approval from a specified security group, and a maximum activation duration. By enabling 'Require justification' and 'Require approval' and setting the 'Maximum activation duration' to 4 hours, you meet the security policy exactly. The approval step requires assigning a designated security group as the approver, which is supported in PIM role settings.
Key principle: PIM allows granular configuration of role activation settings.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓
Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.
Why this is correct
This meets all three requirements: justification is required, approval from the security group is required, and the activation duration is limited to 4 hours.
Related concept
PIM allows granular configuration of role activation settings.
- ✗
Enable 'Require justification', 'Require ticket information', and set 'Maximum activation duration' to 8 hours.
Why it's wrong here
Ticket information is not required. The duration is 8 hours, which exceeds the 4-hour limit. Approval is missing.
- ✗
Enable 'Require approval' and set 'Maximum activation duration' to 4 hours. Do not require justification.
Why it's wrong here
Justification is required by policy. This configuration does not require justification.
- ✗
Enable 'Require Azure MFA on activation', 'Require justification', and set 'Maximum activation duration' to 4 hours.
Why it's wrong here
MFA on activation is not specified in the requirements. Approval from the security group is missing.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse 'Require justification' with 'Require ticket information' or assume that MFA is always required for activation, but the question explicitly lists only three requirements—justification, approval, and 4-hour duration—so any extra or missing settings make the option incorrect.
Detailed technical explanation
How to think about this question
In Azure AD PIM, the 'Require approval' setting triggers a workflow where designated approvers (individual users or groups) must approve each activation request. The 'Maximum activation duration' is enforced via the role's activation settings and can be set between 0.5 and 8 hours (or up to 24 hours for permanent eligible assignments). Justification is stored in the audit log and is mandatory for compliance tracking. The security group assigned as approver must be a mail-enabled security group or an Azure AD role-assignable group to receive approval notifications.
KKey Concepts to Remember
- PIM allows granular configuration of role activation settings.
- 'Require justification' mandates a reason for role activation.
- 'Require approval' routes activation requests to designated approvers.
- 'Maximum activation duration' sets a time limit for active role assignments.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
PIM allows granular configuration of role activation settings.
Real-world example
How this comes up in practice
A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.
What to study next
Got this wrong? Here's your next step.
Review pIM allows granular configuration of role activation settings., then practise related AZ-500 questions on the same topic to reinforce the concept.
- →
Manage identity and access — study guide chapter
Learn the concepts, then practise the questions
- →
Manage identity and access practice questions
Targeted practice on this topic area only
- →
All AZ-500 questions
1,000 questions across all exam domains
- →
Microsoft Azure Security Engineer Associate AZ-500 study guide
Full concept coverage aligned to exam objectives
- →
AZ-500 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related AZ-500 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Secure identity and access practice questions
Practise AZ-500 questions linked to Secure identity and access.
Secure compute, storage, and databases practice questions
Practise AZ-500 questions linked to Secure compute, storage, and databases.
Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel practice questions
Practise AZ-500 questions linked to Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel.
Manage identity and access practice questions
Practise AZ-500 questions linked to Manage identity and access.
Secure networking practice questions
Practise AZ-500 questions linked to Secure networking.
AZ-500 fundamentals practice questions
Practise AZ-500 questions linked to AZ-500 fundamentals.
AZ-500 scenario practice questions
Practise AZ-500 questions linked to AZ-500 scenario.
AZ-500 troubleshooting practice questions
Practise AZ-500 questions linked to AZ-500 troubleshooting.
Practice this exam
Start a free AZ-500 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-500 question test?
Manage identity and access — This question tests Manage identity and access — PIM allows granular configuration of role activation settings..
What is the correct answer to this question?
The correct answer is: Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver. — Option A is correct because Azure AD PIM allows you to enforce all three requirements: justification, approval from a specified security group, and a maximum activation duration. By enabling 'Require justification' and 'Require approval' and setting the 'Maximum activation duration' to 4 hours, you meet the security policy exactly. The approval step requires assigning a designated security group as the approver, which is supported in PIM role settings.
What should I do if I get this AZ-500 question wrong?
Review pIM allows granular configuration of role activation settings., then practise related AZ-500 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
PIM allows granular configuration of role activation settings.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
5 more ways this is tested on AZ-500
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They want to ensure that when a user activates the role, the activation request must be approved by a member of the 'Global Admin Approvers' group, and the activation should be time-bound with a maximum of 4 hours. Which PIM settings should they configure?
medium- ✓ A.Set the activation maximum duration to 4 hours and require approval from the 'Global Admin Approvers' group.
- B.Set the activation maximum duration to 4 hours and enable MFA on activation.
- C.Set the activation to require a ticket number justification and set the maximum duration to 8 hours.
- D.Set the role to be permanently active but with a just-in-time approval workflow.
Why A: Option A is correct because Azure AD PIM allows you to configure role activation settings, including an activation maximum duration (which can be set to 4 hours) and requiring approval from a specified group (in this case, 'Global Admin Approvers'). These settings directly meet the requirement for time-bound activation with approval.
Variation 2. A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?
hard- A.The activation approval requirement is not supported for the Global Administrator role
- ✓ B.The user is a member of the approver group and is self-approving the request
- C.The PIM policy has not been activated for the Global Administrator role
- D.The role activation duration is set to zero, causing immediate activation
Why B: Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not prevent self-approval by default; the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, resulting in immediate activation without any external approval.
Variation 3. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?
hard- ✓ A.The 'Require ticket information on activation' setting is not enabled in the role settings
- B.Users are activating through the Azure AD overview page instead of the PIM blade
- C.The activation policy requires approval but the approvers ignore the ticket field
- D.The role is configured for 'Active' assignment instead of 'Eligible'
Why A: Option A is correct because the 'Require ticket information on activation' setting is a separate toggle in the PIM role settings that must be explicitly enabled. Even if the support ticket number field is displayed in the activation form, the system will not enforce its entry unless this specific setting is turned on. Without it, users can leave the field blank and still successfully activate the role.
Variation 4. A company uses Azure AD Privileged Identity Management (PIM) for the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a justification, and the activation requires approval from a designated security group. Which PIM role settings should they configure?
easy- ✓ A.Require justification on activation (Yes), Require approval (Yes), Select approver(s) (the security group).
- B.Require justification on activation (No), Require approval (Yes), Select approver(s) (the security group).
- C.Expiration > Maximum activation duration (4 hours).
- D.On activation, require Azure MFA registration.
Why A: Option A is correct because PIM role settings allow administrators to enforce both justification and approval workflows for role activation. Setting 'Require justification on activation' to 'Yes' ensures the user provides a reason, and setting 'Require approval' to 'Yes' with the designated security group as the approver enforces the approval requirement. This combination directly meets the company's stated requirements.
Variation 5. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They want the activation of this role to require approval from a specific group of senior security engineers before the role becomes active. They also want the approvers to receive an email notification when an activation request is submitted. Which PIM configuration must be set?
hard- A.Set the activation maximum duration to 1 hour.
- B.Require justification on activation.
- ✓ C.Require approval to activate.
- D.Configure notification emails for role activation.
Why C: Option C is correct because Azure AD PIM requires the 'Require approval to activate' setting to enforce that activation requests for a role must be approved by designated approvers before the role becomes active. This setting also automatically triggers email notifications to the configured approvers when a request is submitted, fulfilling both the approval and notification requirements.
Last reviewed: Jun 11, 2026
This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.