Exam SC-200 topic 1 question 37 discussion

It should be User1 for both! How security reader can enable server vulnerability scans? User1 User1

I would say the answer is User 3 for both, User 1 is an AAD role and not RBAC. Security Administrator != Security Admin. Contributor can enable plans = Servers Plan Contributor can apply fix = Enable vulnerable scan from recommendations

User3 → Enable Microsoft Defender for Servers on virtual machines User1 → Review security recommendations and enable server vulnerability scans Tasks: 1. Enable Microsoft Defender for Servers on virtual machines This involves activating the Defender for Servers plan, which requires enabling extensions, assigning plans, or automating configurations on VMs. Requires permission to modify resource/subscription-level settings. ✅ Minimum role required: Contributor 2. Review security recommendations and enable vulnerability scans This involves: Viewing alerts and recommendations Applying security recommendations Enabling vulnerability assessment ✅ Required role: Security administrator ⚠️ Security reader can view, but cannot apply or enable anything.

It's not security administrator, it's the security admin role in Azure. For that reason, unless it's worded differently in the question, I'm going with User 3 for both.

Task A (Enable Microsoft Defender for Servers): This involves enabling a Defender plan, which is a security configuration task. 🔹 Best fit: User 1 (Security Administrator) Task B (Review recommendations & enable vulnerability scans): Reviewing is a read-only task, but enabling scans is a security configuration task. 🔹 Best fit: User 1 (Security Administrator) again, because User 2 can only view, and User 3 lacks security privileges.

Contributor role. To do that, you'd need a role like Security Reader or Security Administrator, which includes the ability to view recommendations. With the Security Reader role in Microsoft 365 Defender, you can review security recommendations, but you cannot enable server vulnerability scans or make any changes to security configurations. So option should be User 1 for both.

Based on the principle of least privilege, you should assign the tasks to the users as follows: Enable Microsoft Defender for Servers on virtual machines: This task involves enabling a security feature and possibly making changes to resources. The user who should perform this task is User1 (Security Administrator). The Security Administrator has the necessary permissions to manage security features like Microsoft Defender. Review security recommendations and enable server vulnerability scans: This task primarily involves reviewing security information and enabling scans, which can be done by a Security Reader. The user who should perform this task is User2 (Security Reader). Security Readers can view security recommendations and configure scans, making them the most appropriate role for this task. So, the tasks should be assigned as follows: Enable Microsoft Defender for Servers on virtual machines: User1 Review security recommendations and enable server vulnerability scans: User2

User 1 and User 3

The first box is certainly user 3 - contributor that has less permission than Security Admin. So both boxes User 3 contributor

For all those vouching for User 2 for either of the boxes, check this link. NOWHERE it is mentioned that Security Reader can Enable Defender Plans or do the scans. So only option is User1 or User3. For second box, it is Contributor (User3) straight away as Security Admin cannot apply security recommendations. For first box, both user1 and 3 can do the job. However, Contributor has lesser privileges. Hence both boxes = User3

Based on the least privilege principles, the answer for both is User3 - Contribute. Explanations are given below: - Contribute has the least privilege who can Enable / disable Microsoft Defender plans - Contribute has the least privilege who can View alerts and recommendations and Enable vulnerable scan from recommendations

User 1 User 2 https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management

Security Reader: A user that belongs to this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, a security policy, and security states, but can't make changes.

based on the role matrix only the security admin (S1) can do both. if you select S2 it cannot enable server vulnerability scan while the contributor can do that, the question did not mention subscription level. I think both S1 or S1 and S3

User1 User1

Required roles and permissions: Owner (resource group level) can deploy the Vulnerability scanner while security Reader can only view findings. Answer is Contributor, Security Admin

user 1 & User 3 https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management