The security team wants to require approval for any activation of the Global Administrator role in Azure AD Privileged Identity Management (PIM). The approvers must be members of a security group named 'GA-Approvers'. Activations must require a business justification and expire after 4 hours. Which PIM configuration should the administrator modify?
Option A enables approval, duration, and justification; option C adds the approver group. Both are required.
Why this answer
Option D is correct because configuring PIM role settings for Global Administrator requires both enabling approval (with the 'GA-Approvers' group as designated approvers) and setting the activation parameters (maximum duration of 4 hours and justification requirement). Option A alone only sets the role settings but does not specify which group serves as approvers; Option C alone adds the approvers group but does not configure the activation duration or justification. Both A and C together fulfill the full requirement.
Exam trap
The trap here is that candidates often confuse role settings (which control activation policies like duration and approval) with eligible assignments (which define who can activate), leading them to select only Option A or only Option C, missing that both must be configured together to meet the full requirement.
How to eliminate wrong answers
Option A is wrong because while it correctly sets require approval, maximum activation duration to 4 hours, and require justification, it does not specify the 'GA-Approvers' group as the approvers—the approvers must be defined separately in the role settings. Option B is wrong because it requires MFA instead of approval, which does not meet the requirement for approval-based activation. Option C is wrong because adding 'GA-Approvers' as approvers in eligible assignments does not configure the activation duration or justification; those parameters are set in the role settings, not in assignments.