Exam SC-200 topic 1 question 37 discussion

Actual exam question from Microsoft's SC-200
Question #: 37
Topic #: 1

DRAG DROP -

You have an Azure subscription that contains the users shown in the following table.



You need to delegate the following tasks:

• Enable Microsoft Defender for Servers on virtual machines.
• Review security recommendations and enable server vulnerability scans.

The solution must use the principle of least privilege.

Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

wsrudmen
Highly Voted 2 years, 3 months ago
It should be User1 for both! How can a security reader enable server vulnerability scans? User1, User1
upvoted 32 times
landfils
5 months, 2 weeks ago
It should be User 3 and User 1.
upvoted 4 times
...
mimguy
9 months ago
Agree with wsrudmen, based on this link https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions User1 and user1
upvoted 1 times
...
mb0812
1 year, 3 months ago
Both are User3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 8 times
...
scruzer
2 years, 3 months ago
This is correct! It is clearly listed here. https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 3 times
Holii
2 years, 2 months ago
Roles listed here do not include actions for enabling server vulnerability scans. Tested in my demo tenant, Security Reader role can enable vulnerability assessment features on Azure and Hybrid machines. Due to PoLP, answer is: User1, User2.
upvoted 5 times
Holii
2 years, 2 months ago
I actually tested this out some more... What a weird question. Microsoft Defender for Servers on Virtual Machines requires at least Contributor-level on your subscription. To enable Vulnerability assessment for machines (server vulnerability scans on Azure and hybrid machines) you need at least User Access Administrator or Owner on the subscription. Doesn't matter what your RBAC is, 'cause these changes are all being performed on the subscription; and the settings page is viewable without Reader. I'm going to throw this up and say: User3 (assuming they mean the Contributor from the subscription-level), User2 (assuming you are an Owner/User Access Admin with the least-privilege RBAC role). Please correct me if I am wrong.
upvoted 4 times
...
...
...
...
danlo
Highly Voted 1 year, 7 months ago
I would say the answer is User 3 for both; User 1 is an AAD role and not RBAC. Security Administrator != Security Admin. Contributor can enable plans = Servers Plan. Contributor can apply fix = Enable vulnerable scan from recommendations.
upvoted 13 times
...
Banksaus
Most Recent 1 week, 4 days ago
It's not security administrator, it's the security admin role in Azure. For that reason, unless it's worded differently in the question, I'm going with User 3 for both.
upvoted 1 times
...
sdbol
1 month, 1 week ago
Task A (Enable Microsoft Defender for Servers): This involves enabling a Defender plan, which is a security configuration task. 🔹 Best fit: User 1 (Security Administrator) Task B (Review recommendations & enable vulnerability scans): Reviewing is a read-only task, but enabling scans is a security configuration task. 🔹 Best fit: User 1 (Security Administrator) again, because User 2 can only view, and User 3 lacks security privileges.
upvoted 1 times
...
Kreuz
2 months, 2 weeks ago
Contributor role. To do that, you'd need a role like Security Reader or Security Administrator, which includes the ability to view recommendations. With the Security Reader role in Microsoft 365 Defender, you can review security recommendations, but you cannot enable server vulnerability scans or make any changes to security configurations. So option should be User 1 for both.
upvoted 1 times
...
dyavlito
9 months, 3 weeks ago
Based on the principle of least privilege, you should assign the tasks to the users as follows: Enable Microsoft Defender for Servers on virtual machines: This task involves enabling a security feature and possibly making changes to resources. The user who should perform this task is User1 (Security Administrator). The Security Administrator has the necessary permissions to manage security features like Microsoft Defender. Review security recommendations and enable server vulnerability scans: This task primarily involves reviewing security information and enabling scans, which can be done by a Security Reader. The user who should perform this task is User2 (Security Reader). Security Readers can view security recommendations and configure scans, making them the most appropriate role for this task. So, the tasks should be assigned as follows: Enable Microsoft Defender for Servers on virtual machines: User1 Review security recommendations and enable server vulnerability scans: User2
upvoted 1 times
...
7d801bf
11 months, 2 weeks ago
User 1 and User 3
upvoted 2 times
...
Ramye
1 year, 3 months ago
The first box is certainly user 3 - contributor that has less permission than Security Admin. So both boxes User 3 contributor
upvoted 3 times
...
mb0812
1 year, 3 months ago
For all those vouching for User 2 for either of the boxes, check this link. NOWHERE is it mentioned that Security Reader can Enable Defender Plans or do the scans. So the only option is User1 or User3. For the second box, it is Contributor (User3) straight away, as Security Admin cannot apply security recommendations. For the first box, both User1 and User3 can do the job. However, Contributor has lesser privileges. Hence both boxes = User3
upvoted 4 times
mb0812
1 year, 3 months ago
https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 1 times
...
...
Ramye
1 year, 3 months ago
Based on the least privilege principles, the answer for both is User3 - Contribute. Explanations are given below: - Contribute has the least privilege who can Enable / disable Microsoft Defender plans - Contribute has the least privilege who can View alerts and recommendations and Enable vulnerable scan from recommendations
upvoted 1 times
Ramye
1 year, 3 months ago
To clarify the above, I meant Contributor when I said Contribute.
upvoted 1 times
...
...
bitmako
1 year, 5 months ago
User 1 User 2 https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management
upvoted 1 times
...
Murtuza
1 year, 5 months ago
Security Reader: A user that belongs to this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, a security policy, and security states, but can't make changes.
upvoted 1 times
...
Chris2pher
1 year, 5 months ago
Based on the role matrix, only the security admin (S1) can do both. If you select S2 it cannot enable server vulnerability scan while the contributor can do that; the question did not mention subscription level. I think both S1 or S1 and S3
upvoted 1 times
...
smanzana
1 year, 7 months ago
User1 User1
upvoted 1 times
...
Ghost042
1 year, 7 months ago
Required roles and permissions: Owner (resource group level) can deploy the Vulnerability scanner while security Reader can only view findings. Answer is Contributor, Security Admin
upvoted 3 times
...
kabooze
1 year, 7 months ago
user 1 & User 3 https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management
upvoted 4 times
...
chepeerick
1 year, 7 months ago
Correct User1 and User2
upvoted 1 times
...