Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam

Exam SC-200 topic 1 question 16 discussion

Actual exam question from Microsoft's SC-200
Question #: 16
Topic #: 1
[All SC-200 Questions]

Your company deploys the following services:
✑ Microsoft Defender for Identity
✑ Microsoft Defender for Endpoint
✑ Microsoft Defender for Office 365
You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege.
Which two roles should assign to the analyst? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. the Compliance Data Administrator in Azure Active Directory (Azure AD)
  • B. the Active remediation actions role in Microsoft Defender for Endpoint
  • C. the Security Administrator role in Azure Active Directory (Azure AD)
  • D. the Security Reader role in Azure Active Directory (Azure AD)
Show Suggested Answer Hide Answer
Suggested Answer: BD 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
PhilAus
Highly Voted 2 weeks, 6 days ago
Provided answer B and D is correct. Security Reader - can access M365 Security Center. Active Remediation Actions role in Defender for Endpoint meets need to 'approve and reject' pending actions with respect to Defender For Endpoint. Requirement does not need more.
upvoted 23 times
...
Metasploit
Highly Voted 2 weeks, 3 days ago
Selected Answer: BD
This question is tricky. If you follow the question directly, they are not asking either/or. They want you to assign 2 roles to the Analyst each being half of the entire solution. Using least privileges the answer should be BD. Not A = Too many other permissions not needed. B = the Active remediation actions role in Microsoft Defender for Endpoint is enough for the task to be done of approving/rejecting pending actions. Not C = Would be able to fulfill both B and D and (more), not least privilege. D = Quite redundant, but gives reader roles read access to the portal up until RBAC is turned on the defender permissions. Least Privilege. ¯\_(ツ)_/¯
upvoted 8 times
danb67
11 months, 4 weeks ago
B is not enough to approve/reject email related pending actions though is it? https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-action-center?view=o365-worldwide So a user assigned only the active remediation roles will not be able to approve or reject email related pending actions. So answer is BC
upvoted 2 times
WORKTRAIN
5 months, 4 weeks ago
You are right. But the question states "The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint", so we don't have to take in consideration the other defender components. B and D are the correct answers.
upvoted 1 times
...
...
...
TOMtheBOMB
Most Recent 2 weeks, 3 days ago
Slight confused by this one, this link suggests the answer is B & C: https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-action-center?view=o365-worldwide Remediation action: Microsoft Defender for Endpoint remediation (devices) Required roles and permissions: Security Administrator role assigned in either Azure Active Directory (Azure AD) (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com) --- or --- Active remediation actions role assigned in Microsoft Defender for Endpoint
upvoted 5 times
AlaReAla
3 years ago
Option C will not follow the least prervilige principle. Further, this role is more for administration stuff like editing or deleting roles etc. Checkout the below URL for more info: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/user-roles?view=o365-worldwide
upvoted 4 times
...
Xyz_40
2 years, 1 month ago
BC is the correct answer. in D, he would not be able to perform anything but just to view
upvoted 1 times
uday1985
1 year, 6 months ago
does PoLP mean anything to you?
upvoted 2 times
...
...
Holii
1 year, 6 months ago
The link says it right there: --- or --- Active remediation actions role assigned in Microsoft Defender for Endpoint Security Administrator has too many additional roles outside of simply approving/rejecting pending actions. This would breach Least Privilege. Read-only permissions don't have access to the MDE portal once RBAC is enabled in MDE. So you have to enable this role for Security Reader to access. Security Reader will provide a read-only view into the policies.
upvoted 1 times
...
...
1a144a0
2 weeks, 3 days ago
Selected Answer: BD
B. the Active remediation actions role in Microsoft Defender for Endpoint: This role specifically allows the analyst to approve or reject pending remediation actions in Microsoft Defender for Endpoint, which is the primary requirement. D. the Security Reader role in Azure Active Directory (Azure AD): This role provides the analyst with read-only access to security-related information in the Microsoft 365 security center without granting unnecessary administrative privileges. It supports the principle of least privilege by restricting the analyst's permissions to what is necessary for their role.
upvoted 1 times
...
Avaris
3 months, 3 weeks ago
Selected Answer: BC
the security admin should be able to do more while sec reader can't do these action
upvoted 1 times
...
chepeerick
11 months, 3 weeks ago
Selected Answer: BD
Options B and D
upvoted 1 times
...
Oryx360
1 year, 1 month ago
Selected Answer: BC
Reason being that you do not need a Reader Role. The Active remediation actions role in Microsoft Defender for Endpoint: This role grants the analyst the ability to take active remediation actions, which includes approving and rejecting pending actions in Microsoft Defender for Endpoint. The Security Administrator role in Azure Active Directory (Azure AD): While not specific to Defender for Endpoint, this role provides broad access to security-related tasks and configuration across Microsoft 365 services, aligning with the analyst's responsibilities.
upvoted 3 times
paraze
9 months, 3 weeks ago
Security Reader is enough, Security Administrator not needed. Least Priviledge. BD
upvoted 1 times
...
...
TomasValtor
1 year, 3 months ago
The answer should be : B and C Check this article: https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-action-center?view=o365-worldwide Tip Users who have the Global Administrator role assigned in Azure AD can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the Global Administrator role assigned. We recommend using the Security Administrator, Active remediation actions, and Search and Purge roles listed in the preceding table for Action center permissions.
upvoted 3 times
...
TomG
2 years, 7 months ago
Selected Answer: BD
Given answers are correct
upvoted 2 times
...
Tx4free
2 years, 7 months ago
Selected Answer: BD
Correct answer
upvoted 2 times
...
liberty123
2 years, 8 months ago
Selected Answer: BD
B and D is correct
upvoted 2 times
...
Andreew883
2 years, 9 months ago
B and D are correct. Minimum privilege is requested. The other two options are for administrators.
upvoted 3 times
...
kakakayayaya
2 years, 10 months ago
Active remediation actions role in MDE portal is enough for approve and reject pending actions generated by Microsoft Defender for Endpoint. As soon as you enable Active remediation actions role, Security Reader role is not work in MDE portal. If you don't enable RBAC in MDE portal you can use Security Reader to access.
upvoted 3 times
...
jasonfmj
3 years, 1 month ago
Answer is B and C Security Reader: A user that belongs to this role has viewing rights to Security Center. The user can view recommendations, alerts, a security policy, and security states, but cannot make changes. Security Admin: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss alerts and recommendations. https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions
upvoted 4 times
Harold_Finch
2 years, 3 months ago
Not C - Using principle of least privileges, B & D would be the right choices.
upvoted 1 times
...
Ramye
7 months, 1 week ago
Yes, but this sec admin will only take actions on alerts that are coming from MDI and has sufficient permission for that, will that not suffice?
upvoted 1 times
...
...
HSBNZ
3 years, 1 month ago
Please don't approve this and the previous comment here on this question, as it is a mistake. Meant to comment on the above question. Ta.
upvoted 1 times
...
HSBNZ
3 years, 1 month ago
The correct answer it is seems like, as steps for to Create an indicator for files from the settings page 1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules). 2. Select the File hashes tab. 3. Select Add indicator. 4. Specify the following details: 5. Indicator - Specify the entity details and define the expiration of the indicator. * Action - Specify the action to be taken and provide a description. * Scope - Define the scope of the device group. * Review the details in the Summary tab, then select Save.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...