You are the global administrator of an organization with a Microsoft 365 subscription. Due to high turnover you need to map out if people who have left the company still have access to groups. You decide to create an Access review from Azure Active Directory Identity Governance, and you delegate this task to User 1. What kind of access should you assign to user 1? The solution must use the principle of least privilege.

Answer options:

A.Privileged role administrator
B.Global administrator
C.Security reader
D.User administrator

Correct Answer: D 
The least privileged role with permission to create access reviews from AAD Identity Governance is User administrator (see exhibit): 

Option A is incorrect. Privileged role administrator is needed for creating access reviews of Azure AD or Azure roles, not group membership.
Option B is incorrect. Global administrators can create access reviews, but it is not the least privileged alternative.
Option C is incorrect. The Security reader role has viewing rights to Security Center. The user can view recommendations, alerts, a security policy, and security states, but cannot make changes. It is not the correct alternative in this scenario.
Reference: 
To know more about creating access reviews in Identity Governance, please refer to the link below: 

https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview