Home › Azure AZ-104 › cloudcomputing › az104identitygovernance › An admin wants to give a contractor read-only ac…
An admin wants to give a contractor read-only access to ONE specific resource group for 30 days, and have the access auto-expire. Which feature fits BEST?
ASharing the global admin password
BDisabling Entra ID for a month
CGranting Owner at the subscription scope manually for one month
DAzure RBAC role assignment with PIM (Privileged Identity Management) eligibility + expiration, scoped to that resource group
Answer & Solution
Correct answer: D. Azure RBAC role assignment with PIM (Privileged Identity Management) eligibility + expiration, scoped to that resource group
PIM provides just-in-time, time-bound role assignments with approval workflow. Owner at subscription scope is over-privileged; the other options are insecure or destructive.
Related questions
Which approach satisfies a compliance requirement that admin-level activity on a critical Which Entra ID feature lets you require additional verification for a user the moment theiAn organisation has 50 Azure subscriptions and wants to enforce policy and roll up billingWhich Azure construct lets you enforce a rule that "only resources tagged with a `cost-cenWhich Azure feature lets administrators temporarily revoke all changes to a resource — proWhich Entra ID feature lets an organisation invite external users (partners, contractors) Which combination represents the correct Azure resource hierarchy from highest scope to loWhich Azure construct lets administrators enforce "all storage accounts must require HTTPS