Exam MD-102 topic 1 question 110 discussion

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role.

B appears to be correct: To set up security defaults and create Conditional Access policies, a user requires the Conditional Access Administrator or Security Administrator role1. However, the Security Reader or Global Reader role is sufficient if the purpose is solely to read policies1.

To provide a user with the ability to manage Security defaults and create Conditional Access policies while adhering to the principle of least privilege, you should assign the Conditional Access Administrator role (Option B). This role grants the necessary permissions without the broader access associated with the Global Administrator role

correction "To configure security defaults in your directory, you must be assigned at least the Conditional Access Administrator role." https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults

https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults?utm_source=chatgpt.com#enabling-security-defaults:~:text=To%20configure%20security%20defaults%20in%20your%20directory%2C%20you%20must%20be%20assigned%20at%20least%20the%20Conditional%20Access%20Administrator%20role.%20By%20default%20the%20first%20account%20in%20any%20directory%20is%20assigned%20a%20higher%20privileged%20role%20known%20as%20Global%20Administrator.

security admin cannot create CA policy

To configure security defaults in your directory, you must be assigned at least the Conditional Access Administrator role.

Conditional Access Administrator: This role allows the user to manage Conditional Access policies and other identity-related configurations. It adheres to the principle of least privilege because the user is given only the permissions required to manage Conditional Access settings.

https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#enabling-security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role. By default the first account in any directory is assigned a higher privileged role known as Global Administrator.

https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#enabling-security-defaults - To configure security defaults in your directory, you must be assigned at least the Security Administrator role. By default the first account in any directory is assigned a higher privileged role known as Global Administrator.

Correct answer is C: Security Administrator. Why? Because the Conditional Access Admin can only change or create or delete CA's and dos not have security defaults in it. Only the Security Admin or Global Admin have this. But the question says "LEAST privilege" so it's C. in this case. Learn more about Azure build-in roles here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#security-administrator

It is possible with B or C, however B has fewer privileges - https://learn.microsoft.com/en-us/answers/questions/1462298/configure-security-defaults-which-role-can-do-this

With both it is possible, but the conditional access administrator has fewer privileges.

Conditional Access Admin CANNOT configure Security Defaults. C fulfils both requirements. Source: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#enabling-security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role.

B https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide

Answer is C: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#security-administrator Conditional Access Admin role can only edit Conditional Access related settings, they cannot edit Security Defaults

B. Conditional Access Administrator. The Conditional Access Administrator role allows users to manage Azure Active Directory Conditional Access policies without giving them broader administrative permissions that come with roles like Global Administrator. This aligns with the principle of least privilege by granting only the necessary permissions for the task.