Exam SC-100 topic 5 question 5 discussion

Option A is incorrect because multi-user authorization by using Resource Guard is used to provide additional protection for Azure resources, but it does not address the issue of compromised administrator accounts in MABS.

MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization. ref: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

"You need to ensure that A COMPROMISED ADMINISTRATOR ACCOUNT cannot be used to delete the backups." We do not know which kind of "Administrator account" has been compromised. It may be a Global Administrator. Such would not be stopped by PIM. Also the PIN (C) is not a solution because a SINGLE user with enough privileges can retrieve AND enter the PIN. The only option that prevents a single "compromised administrator account" from doing harm, regardless of which privileges the account has, is A.

To protect against ransomware, we need proper authentication to prevent a compromised admin account from performing critical operations. As part of adding an extra layer of authentication, you're prompted to enter a security PIN before modifying online backups. https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature#prevent-attacks https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware#azure-backup

A. From Azure Backup, configure multi-user authorization by using Resource Guard.

Using MUA make you "ensure that a compromised administrator account cannot be used to delete the backups." since it needs multiple admin check and mua can't be disabled by admin backup admin without security admin approval for mua operator role activation.. https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault#disable-mua-on-a-recovery-services-vault To disable MUA on a vault, follow these steps: The Backup admin requests the Security admin for Backup MUA Operator role on the Resource Guard. They can request this to use the methods approved by the organization such as JIT procedures, like Microsoft Entra Privileged Identity Management, or other internal tools and procedures. The Security admin approves the request (if they find it worthy of being approved) and informs the Backup admin. Now the Backup admin has the Backup MUA Operator role on the Resource Guard.

Only A works to ensure that a compromised administrator account cannot be used to delete the backups.

It's C and not A because: configuring multi-user authorization may not specifically prevent a compromised administrator account from deleting backups if the compromised account has sufficient permissions.

https://techcommunity.microsoft.com/t5/azure-governance-and-management/security-and-ransomware-protection-with-azure-backup/ba-p/3986246

Leaning toward Option A for the following reasons - Option A (MUA) and Option C (PIN) are both effective ways to add resistance to deletion of backups from a Recovery Services Vault https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware?toc=%2Fazure%2Fbackup%2Ftoc.json&bc=%2Fazure%2Fbackup%2Fbreadcrumb%2Ftoc.json#steps-to-take-before-an-attack https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats - The question's ask is "ensure that a compromised administrator account cannot be used to delete the backups" ... continued in reply

I will go for A. MUA by Resource Guard recommend by microsoft. See link: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats

Choice C is correct

Here are the subtle differences in the question. Pay attention to disabled vs deleted backups As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations. Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. MUA protects against disabling backups and reducing retention for backups.

i think now the recommendation MUA for Azure Backup, so i go with A

A : f you have a compromised administrator account, you should configure multi-user authorization by using Resource Guard for your vaults. This will prevent the admin from deleting the backups without the approval of another user who owns the Resource Guard. A security PIN is not sufficient to protect your backups, as the compromised admin may be able to access or reset the PIN

C. From a Recovery Services vault, generate a security PIN for critical operations

C. From a Recovery Services vault, generate a security PIN for critical operations. Configuring a security PIN for critical operations adds an extra layer of security for performing actions like deleting backups. Even if an administrator account is compromised, an attacker would also need access to the security PIN to perform critical operations, such as deleting backups. This aligns with the goal of preventing backups from being deleted, even if an administrator account is compromised. Options A and D are not directly related to securing backup operations: Options A and D are not directly related to securing backup operations: Options A and D are not directly related to securing backup operations: Options A and D are not directly related to securing backup operations: Options A and D are not directly related to securing backup operations: