Exam MS-102 topic 1 question 76 discussion

A is correct Answer is correct "A". Security Administrator will not loose access after RBAC is enabled. Security Reader will so definitely not C. Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important. Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide

"Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role." https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide

The correct answer is C. User3. Explanation: - Security Reader role grants read-only access to security-related information, including security incidents in the Microsoft 365 Defender portal. - User3, as a Security Reader, can view security incidents but cannot take action on them. - User1 (Security Administrator) and User2 (Security Operator) have higher privileges, including the ability to manage and respond to incidents, but the question specifically asks about viewing incidents. - User4 (Compliance Administrator) focuses on compliance-related tasks and does not have access to security incidents.

Warning Initially, only those with Microsoft Entra Global Administrator or Security Administrator rights can create and assign roles in the Microsoft Defender portal; therefore, having the right groups ready in Microsoft Entra ID is important. Turning on role-based access control causes users with read-only permissions (for example, users assigned to Microsoft Entra Security reader role) to lose access until they are assigned to a role. Users with administrator permissions are automatically assigned the default built-in Defender for Endpoint Global Administrator role with full permissions. After opting in to use RBAC, you can assign more users who aren't Microsoft Entra Global Administrators or Security Administrators to the Defender for Endpoint Global Administrator role. After opting in to use RBAC, you can't revert to the initial roles as when you first logged into the portal.

The Security Reader is the user who should be able to view security incidents in Microsoft Defender for Endpoint, since this role grants read-only access to security data, including incidents. Alternatively, the Security Administrator would also have access to view security incidents, but this role has broader administrative permissions that go beyond just viewing.

Based on the roles provided in the image details and the permissions associated with Microsoft Defender for Endpoint: - User1 (Security Administrator): This role can manage security settings and policies but is not limited to viewing incidents. - User2 (Security Operator): Typically involved in handling and responding to incidents but may not focus solely on viewing them. - User3 (Security Reader): This role is specifically designed for viewing security incidents and monitoring without the ability to make changes. - User4 (Compliance Administrator): Focuses on compliance settings and is unrelated to security incidents. Given this information, the correct user who can view security incidents from the Microsoft 365 Defender portal is C. User3. ____________________________________________________

Copilot: C. User3 (Security Reader), as this role is specifically designed for viewing security incidents https://learn.microsoft.com/en-us/defender-endpoint/manage-incidents

Políticas anti-phishing no Microsoft 365 https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about

"When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with the Security Administrator role in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID."

The statement "You verify that role-based access control (RBAC) is turned on in Microsoft Defender for Endpoint" means that "role-based permissions" are being enforced within the Microsoft Defender for Endpoint environment. When RBAC is enabled, access to security data (such as incidents, alerts, or reports) is controlled based on the user’s assigned role in Azure AD. Each role has specific permissions regarding what they can view or manage. In the context of the question: - "Security Reader (User3)" is a role that grants "view-only access" to security information, including security incidents and alerts. With RBAC enabled, this role can view security incidents but cannot make changes to them, making "User3" the correct answer. Thus, turning on RBAC ensures that "only those with the proper permissions (e.g., Security Reader)" can view the security incidents in Microsoft 365 Defender. This is why "Option C (User3)" is correct.

Initially, only those with Microsoft Entra Global Administrator or Security Administrator rights can create and assign roles in the Microsoft Defender portal; therefore, having the right groups ready in Microsoft Entra ID is important. Turning on role-based access control causes users with read-only permissions (for example, users assigned to Microsoft Entra Security reader role) to lose access until they are assigned to a role. Users with administrator permissions are automatically assigned the default built-in Defender for Endpoint Global Administrator role with full permissions. After opting in to use RBAC, you can assign additional users who aren't Microsoft Entra Global Administrators or Security Administrators to the Defender for Endpoint Global Administrator role. After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.

AMDf is correct

Security reader Security readers can perform the following tasks: - View a list of onboarded devices - View security policies - View alerts and detected threats - View security information and reports Security readers can't add or edit security policies, nor can they onboard devices.

This should be C I think... https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/scc-permissions?view=o365-worldwide "Security Reader - Members have read-only access to many security features of Identity Protection Center, Privileged Identity Management, Monitor Microsoft 365 Service Health, and the Defender and compliance portals. " I see nothing in this statement or anywhere around the Security Reader role in this article indicating they wouldn't be able to view incidents within that portal.

https://www.examtopics.com/discussions/microsoft/view/49358-exam-ms-101-topic-2-question-27-discussion/

A is correct https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide

Only view security incident... Security reader. https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-roles-permissions?view=o365-worldwide&tabs=M365Admin