Exam MS-500 topic 4 question 52 discussion

Answer is correct - Security Reader does NOT have the "View-Only Audit Logs". https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide

Security reader Read-only access to security features, sign-in reports, and audit logs. https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?redirectSourcePath=%252farticle%252fAbout-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d&view=o365-worldwide

C is correct. From the links people are providing about the security reader it only shows the ability to read the properties of the audit logs. Not the logs themselves: microsoft.directory/auditLogs/allProperties/read Read all properties on audit logs, including privileged properties

Answer is C Security Operator - Default Role Assigned: Compliance Search Manage Alerts Security Reader Tag Contributor Tag Reader Tenant AllowBlockList Manager ***View-Only Audit Logs *** View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts Security Reader - Default Role Assigned: Security Reader Sensitivity Label Reader Tag Reader View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts

Below is the list of extra permissions Security operator gets: Create and delete all resources, and read and update standard properties in ‎Microsoft Cloud App Security.‎ Create and delete all resources, and read and update standard properties in ‎Azure AD Identity Protection‎. Manage all aspects of ‎Azure Advanced Threat Protection.‎ Create and manage support tickets in the ‎Azure portal.‎ Create and delete all resources, and read and update standard properties in the ‎Security & Compliance Center‎. Create and manage service requests in the ‎Microsoft 365 admin center.‎ Manage all aspects of ‎Microsoft Defender Advanced Threat Protection‎. My answer is A. Security reader has access to logs and is read only role.

Too many conflicting opinions and links to follow here, so I just configured it in my lab. With the Security Reader role assigned, I am able to view the audit logs. When I remove that role, the user cannot view the audit logs. Security reader can read the audit logs and has less privileges than security operator, so the answer is clearly A. This was really easy to test -- just try it and you'll get the answer too.

as examdog stated: Roles with "View Only Audit Logs" are (there is no security reader): * Compliance Administrator * Compliance Data Administrator * Global Reader * Organization Management * Security Administrator * Security Operator https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?

Roles with "View Only Audit Logs" are (there is no security reader): * Compliance Administrator * Compliance Data Administrator * Global Reader * Organization Management * Security Administrator * Security Operator https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?

Security operator: Read all properties on audit logs, including privileged properties. Security reader: Read all properties on audit logs, including privileged properties. Straight from the permissions page in azure. So should be reader.

Both of Security Operator and Security Reader can “Read all properties on audit logs, including privileged properties” Answer is Security Reader according to principle of least privilege.

vote for c

Both reader and operator can do this, but reader is less permissive than operator. Description of reader role taken from AAD: Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center

using this link: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-reader It appears that Security Reader has less permissions than Security Operator.

I have added user ALL 4 roles in this question together and Audit Logs are still grayed :/

DO YOUR OWN RESEARCH!!!! Security Reader does NOT have audit log read access. Security Reader: Sensitivity Label Reader Tag Reader View-Only Device Management View-Only DLP Compliance Management View-Only IB Compliance Management View-Only Manage Alerts

I vote for C

The right answer is Security reader as this role has the ability to read audit logs. "Users with this role have global read-only access, including all information in Azure Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365 Security & Compliance Center"