Answer is B
Security admin can manage Microsoft Defender for cloud app policy.
To set up Defender for Cloud Apps, you must be a Global Administrator or a Security Administrator in Microsoft Entra ID or Microsoft 365.
https://learn.microsoft.com/en-us/defender-cloud-apps/get-started
Test post to understand order. 2/2
From Defender while trying to create the Defender Session policy: "Conditional Access policy not found. Conditional access policies are required for Cloud App security policies to work. Check your conditional access policy settings or create a new one in Entra ID"
Security Administrator, the role User1 is assigned, can create the required CA policy.
Answer B: (I hate questions like this). The "Security Administrator" role has admin permissions over other Microsoft security products, while the Cloud App Security Administrator is scoped to just Defender for cloud apps. I used 2 different user accounts to test this. 1 with each role. The security administrator was able to create the necessary Conditional Access Policy within Entra (this is needed to create an app session policy in defender for cloud) whereas the "Cloud App Security Administrator" could NOT create a conditional access policy within Entra, let alone even read them.
To create a Microsoft Defender for Cloud Apps session policy, you need at least a Security Administrator role in Microsoft Entra ID or Microsoft 365. Looking like answer D
"In order for your session policy to work, you must also have a Microsoft Entra ID Conditional Access policy, which creates the permissions to control traffic."
"This procedure provides a high-level example of how to create a Conditional Access policy for use with Defender for Cloud Apps.
In Microsoft Entra ID Conditional Access, select Create new policy.
Enter a meaningful name for your policy, and then select the link under Session to add controls to your policy.
In the Session area, select Use Conditional Access App Control."
https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad
NO - This is a necessary step for session policies to take effect, but it does not give User1 the permission to create policies.
The user still needs the Cloud App Security Administrator role to manage Defender for Cloud Apps, and the question is "What should you do first?"
The Security Administrator role alone cannot create Microsoft Defender for Cloud Apps (formerly known as Cloud App Security) session policies. The Security Administrator role typically has permissions related to managing security-related aspects of Microsoft 365 services, but it does not include specific permissions for Microsoft Defender for Cloud Apps.
To create session policies in Microsoft Defender for Cloud Apps, users need to be assigned the Cloud App Security Administrator role or another role with equivalent permissions specifically related to Microsoft Defender for Cloud Apps administration.
I think that Security admin can manage policies already
Security admin can in Microsoft Defender for Cloud Apps: Add admins, add policies and settings, upload logs and perform governance actions.
So adding the Cloud App Security Admin role to him is not necessary.
Personally, I don't think the options make sense, especially A and B, if B turns out to be the answer they want. Yes, the Security Admin role is able to create the policy in question, but option B does not make sense as the correct answer to the question. How does "Create a Conditional Access policy and select Use Conditional Access App Control" sound like a likely answer to this question? To me, the question does not have an answer.
The Security Administrator role does not have the permissions to create Microsoft Defender for Cloud Apps session policies. You must assign the Cloud App Security Administrator role to User1.
Once you have assigned the Cloud App Security Administrator role to User1, you can create a Conditional Access policy that requires users to use Conditional Access App Control. This will ensure that User1 can create Microsoft Defender for Cloud Apps session policies.
D
Security Administrator does have the permissions to create Microsoft Defender for Cloud Apps session policies.
https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins#roles-and-permissions
B. Security Admin already has permission to create policies
Global administrator and Security administrator: Administrators with Full access have full permissions in Defender for Cloud Apps. They can add admins, add policies and settings, upload logs and perform governance actions, access and manage SIEM agents.
https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins#microsoft-365-and-azure-ad-roles-with-access-to-defender-for-cloud-apps
D. Assign the Cloud App Security Administrator role to User1.
The Cloud App Security Administrator role provides the necessary permissions to create and manage session policies within Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security). By assigning this role to User1, they will have the appropriate privileges to create and configure session policies for securing cloud applications and services.
Option C is not the correct choice as the Cloud Application Administrator role is not specifically related to Microsoft Defender for Cloud Apps session policies.
Options A and B are not directly related to assigning the necessary permissions for creating session policies within Microsoft Defender for Cloud Apps. These options pertain to setting up Conditional Access policies and Conditional Access App Control, which are different from configuring session policies in Microsoft Defender for Cloud Apps.
The correct answer is D. Assign the Cloud App Security Administrator role to User1.
According to the Microsoft Entra built-in roles article, the Cloud App Security Administrator role grants full permissions in Defender for Cloud Apps. Users with this role can create and manage all aspects of Defender for Cloud Apps session policies, which are used to monitor and control user sessions in cloud apps.
Answer: B. Create a Conditional Access policy and select Use Conditional Access App Control.
References:
https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad#prerequisites-to-using-session-policies
"The relevant apps should be deployed with Conditional Access App Control"
"Make sure you've configured your IdP solution to work with Defender for Cloud Apps, as follows:
- For Azure AD Conditional Access, see Configure integration with Azure AD
- For other IdP solutions, see Configure integration with other IdP solutions"