Question 51 of 1,000
Manage identity and accesshardMultiple ChoiceObjective-mapped

Quick Answer

The correct combination is to enable 'Require justification' and 'Require approval' while setting the 'Maximum activation duration' to 4 hours, then assign the designated security group as the approver. This works because Azure AD Privileged Identity Management (PIM) enforces these three distinct settings independently within the role activation configuration: justification ensures accountability, approval adds a secondary verification layer, and the maximum duration caps the elevated access window. On the AZ-500 exam, this scenario tests your understanding of PIM’s granular control over privileged role activation, often appearing as a multi-requirement policy where a common trap is forgetting to assign the specific security group as the approver—merely enabling approval isn’t enough. To configure PIM role activation justification approval duration correctly, remember the three pillars: Justify, Approve, Limit. A useful memory tip is “J.A.L.”—Justification, Approval, Limit—which maps directly to the three checkboxes you must toggle in the Azure portal.

AZ-500 Manage identity and access Practice Question

This AZ-500 practice question tests your understanding of manage identity and access. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: pIM allows granular configuration of role activation settings.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. The security policy requires that when a user activates the Security Administrator role, they must: 1) Provide a justification, 2) Get approval from a designated security group, and 3) The activation must last a maximum of 4 hours. Which combination of PIM settings should they configure?

Question 1hardmultiple choice
Study the full multicast explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.

Option A is correct because Azure AD PIM allows you to enforce all three requirements: justification, approval from a specified security group, and a maximum activation duration. By enabling 'Require justification' and 'Require approval' and setting the 'Maximum activation duration' to 4 hours, you meet the security policy exactly. The approval step requires assigning a designated security group as the approver, which is supported in PIM role settings.

Key principle: PIM allows granular configuration of role activation settings.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.

    Why this is correct

    This meets all three requirements: justification is required, approval from the security group is required, and the activation duration is limited to 4 hours.

    Related concept

    PIM allows granular configuration of role activation settings.

  • Enable 'Require justification', 'Require ticket information', and set 'Maximum activation duration' to 8 hours.

    Why it's wrong here

    Ticket information is not required. The duration is 8 hours, which exceeds the 4-hour limit. Approval is missing.

  • Enable 'Require approval' and set 'Maximum activation duration' to 4 hours. Do not require justification.

    Why it's wrong here

    Justification is required by policy. This configuration does not require justification.

  • Enable 'Require Azure MFA on activation', 'Require justification', and set 'Maximum activation duration' to 4 hours.

    Why it's wrong here

    MFA on activation is not specified in the requirements. Approval from the security group is missing.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse 'Require justification' with 'Require ticket information' or assume that MFA is always required for activation, but the question explicitly lists only three requirements—justification, approval, and 4-hour duration—so any extra or missing settings make the option incorrect.

Detailed technical explanation

How to think about this question

In Azure AD PIM, the 'Require approval' setting triggers a workflow where designated approvers (individual users or groups) must approve each activation request. The 'Maximum activation duration' is enforced via the role's activation settings and can be set between 0.5 and 8 hours (or up to 24 hours for permanent eligible assignments). Justification is stored in the audit log and is mandatory for compliance tracking. The security group assigned as approver must be a mail-enabled security group or an Azure AD role-assignable group to receive approval notifications.

KKey Concepts to Remember

  • PIM allows granular configuration of role activation settings.
  • 'Require justification' mandates a reason for role activation.
  • 'Require approval' routes activation requests to designated approvers.
  • 'Maximum activation duration' sets a time limit for active role assignments.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

PIM allows granular configuration of role activation settings.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Review pIM allows granular configuration of role activation settings., then practise related AZ-500 questions on the same topic to reinforce the concept.

Related practice questions

Related AZ-500 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-500 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-500 question test?

Manage identity and access — This question tests Manage identity and access — PIM allows granular configuration of role activation settings..

What is the correct answer to this question?

The correct answer is: Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver. — Option A is correct because Azure AD PIM allows you to enforce all three requirements: justification, approval from a specified security group, and a maximum activation duration. By enabling 'Require justification' and 'Require approval' and setting the 'Maximum activation duration' to 4 hours, you meet the security policy exactly. The approval step requires assigning a designated security group as the approver, which is supported in PIM role settings.

What should I do if I get this AZ-500 question wrong?

Review pIM allows granular configuration of role activation settings., then practise related AZ-500 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

PIM allows granular configuration of role activation settings.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

5 more ways this is tested on AZ-500

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They want to ensure that when a user activates the role, the activation request must be approved by a member of the 'Global Admin Approvers' group, and the activation should be time-bound with a maximum of 4 hours. Which PIM settings should they configure?

medium
  • A.Set the activation maximum duration to 4 hours and require approval from the 'Global Admin Approvers' group.
  • B.Set the activation maximum duration to 4 hours and enable MFA on activation.
  • C.Set the activation to require a ticket number justification and set the maximum duration to 8 hours.
  • D.Set the role to be permanently active but with a just-in-time approval workflow.

Why A: Option A is correct because Azure AD PIM allows you to configure role activation settings, including an activation maximum duration (which can be set to 4 hours) and requiring approval from a specified group (in this case, 'Global Admin Approvers'). These settings directly meet the requirement for time-bound activation with approval.

Variation 2. A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?

hard
  • A.The activation approval requirement is not supported for the Global Administrator role
  • B.The user is a member of the approver group and is self-approving the request
  • C.The PIM policy has not been activated for the Global Administrator role
  • D.The role activation duration is set to zero, causing immediate activation

Why B: Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not prevent self-approval by default; the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, resulting in immediate activation without any external approval.

Variation 3. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?

hard
  • A.The 'Require ticket information on activation' setting is not enabled in the role settings
  • B.Users are activating through the Azure AD overview page instead of the PIM blade
  • C.The activation policy requires approval but the approvers ignore the ticket field
  • D.The role is configured for 'Active' assignment instead of 'Eligible'

Why A: Option A is correct because the 'Require ticket information on activation' setting is a separate toggle in the PIM role settings that must be explicitly enabled. Even if the support ticket number field is displayed in the activation form, the system will not enforce its entry unless this specific setting is turned on. Without it, users can leave the field blank and still successfully activate the role.

Variation 4. A company uses Azure AD Privileged Identity Management (PIM) for the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a justification, and the activation requires approval from a designated security group. Which PIM role settings should they configure?

easy
  • A.Require justification on activation (Yes), Require approval (Yes), Select approver(s) (the security group).
  • B.Require justification on activation (No), Require approval (Yes), Select approver(s) (the security group).
  • C.Expiration > Maximum activation duration (4 hours).
  • D.On activation, require Azure MFA registration.

Why A: Option A is correct because PIM role settings allow administrators to enforce both justification and approval workflows for role activation. Setting 'Require justification on activation' to 'Yes' ensures the user provides a reason, and setting 'Require approval' to 'Yes' with the designated security group as the approver enforces the approval requirement. This combination directly meets the company's stated requirements.

Variation 5. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They want the activation of this role to require approval from a specific group of senior security engineers before the role becomes active. They also want the approvers to receive an email notification when an activation request is submitted. Which PIM configuration must be set?

hard
  • A.Set the activation maximum duration to 1 hour.
  • B.Require justification on activation.
  • C.Require approval to activate.
  • D.Configure notification emails for role activation.

Why C: Option C is correct because Azure AD PIM requires the 'Require approval to activate' setting to enforce that activation requests for a role must be approved by designated approvers before the role becomes active. This setting also automatically triggers email notifications to the configured approvers when a request is submitted, fulfilling both the approval and notification requirements.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.