Microsoft Azure Architect Design (AZ-301) Practice Exam

Which Azure service can be utilized to monitor administrator changes in Azure resources?

• A. Azure AD Privileged Identity
• B. Azure AD Managed Services
• C. Azure Key Vault
• D. Azure Resource Manager

The correct answer is: Azure AD Privileged Identity

Using Azure AD Privileged Identity Management (PIM) allows for the monitoring of changes made by administrators to Azure resources. This service enables organizations to manage, control, and monitor access within Azure Active Directory (Azure AD), specifically focusing on role assignments for administrators. With PIM, you can track when and how roles are assigned, including any changes made to the roles of users in the directory. One of the primary functions of Azure AD PIM is to provide a historical audit log of role changes, which helps organizations maintain a compliance posture. This logging feature is critical for security auditing and ensuring that only authorized personnel make adjustments to sensitive resources. PIM ensures that administrators operate with the principle of least privilege, granting elevated privileges only when necessary and allowing for comprehensive tracking of activities related to these privileges. In contrast, other options like Azure AD Managed Services and Azure Key Vault focus on identity management and secure storage of secrets, respectively, without direct monitoring features for administrative changes to Azure resources. Azure Resource Manager, while essential for resource deployment and management, does not offer specific monitoring capabilities for tracking changes made by administrators. Thus, Azure AD Privileged Identity Management is the optimal choice for monitoring and auditing administrator modifications in Azure environments.