Exam SC-200 topic 2 question 25 discussion

Actual exam question from Microsoft's SC-200
Question #: 25
Topic #: 2

DRAG DROP -
You have an Azure subscription.
You need to delegate permissions to meet the following requirements:
✑ Enable and disable Azure Defender.
✑ Apply security recommendations to a resource.
The solution must use the principle of least privilege.
Which Azure Security Center role should you use for each requirement? To answer, drag the appropriate roles to the correct requirements. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Suggested Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions

Comments

PJR
Highly Voted 3 years, 7 months ago
Answer is incorrect - the link provided in the answer - https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions shows the least priv roles would be - Sec Admin - Resource Group Owner (this has lower priv than subscription contributor and can still apply security recommendations)
upvoted 63 times
Ramye
1 year, 2 months ago
Correct it should be Resource Group Owner for: Apply security recommendations for a resource (and use Fix)
upvoted 1 times
kakakayayaya
3 years, 4 months ago
It is a tricky question. Resource Group Owner will not provide access to the Subscription, so you will not see any configuration in MS Defender for Cloud (ex. ASC). Sub Contributor will allow you to do all tasks.
upvoted 12 times
FrostForrest
3 years, 1 month ago
Look at the question. It states resources within a subscription. Without knowing the design of the subscription, only allocating a Resource Group Owner would be insufficient.
upvoted 3 times
prabhjot
3 years, 1 month ago
Avoid assigning broader roles at broader scopes. By limiting roles and scopes, you limit what resources are at risk if the security principal is ever compromised.
upvoted 2 times
prabhjot
3 years, 1 month ago
so Resource Group owner looks fine
upvoted 3 times
shachar_ash
2 years, 9 months ago
what if the resources span across multiple RGs?
upvoted 2 times
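The scope question this thread turns on (resource group versus subscription), as an added example that is not part of the original discussion: a role assigned at an Azure scope is inherited by everything beneath it, so the same role reaches far more at subscription scope. Role names are treated as opaque labels (no permissions are modelled), and the subscription ID, principals and resource names are constructed.

```python
# Added example: Azure RBAC scope inheritance over a constructed inventory.
# Management-group and root ("/") scopes are not modelled in this sketch.
from typing import NamedTuple


class Assignment(NamedTuple):
    principal: str
    role: str   # opaque label; what the role permits is not modelled here
    scope: str  # ARM scope the role is assigned at


def _segments(arm_id: str) -> list[str]:
    # ARM resource IDs are compared case-insensitively.
    return [s.lower() for s in arm_id.strip("/").split("/")]


def covers(scope: str, resource_id: str) -> bool:
    """True if a role assigned at `scope` is inherited by `resource_id`.

    Whole path segments are compared, so a scope ending in
    /resourceGroups/app does not match a resource in /resourceGroups/app2
    (a plain str.startswith check would get that wrong).
    """
    s, r = _segments(scope), _segments(resource_id)
    return len(s) <= len(r) and r[:len(s)] == s


def blast_radius(assignment: Assignment, inventory: list[str]) -> list[str]:
    """Resources in `inventory` that the assignment reaches."""
    return [rid for rid in inventory if covers(assignment.scope, rid)]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
INVENTORY = [  # constructed resources spread over three resource groups
    f"{SUB}/resourceGroups/app/providers/Microsoft.Compute/virtualMachines/vm1",
    f"{SUB}/resourceGroups/app2/providers/Microsoft.Storage/storageAccounts/st1",
    f"{SUB}/resourceGroups/HR/providers/Microsoft.Sql/servers/sql1",
]
ASSIGNMENTS = [
    Assignment("alice", "Owner", f"{SUB}/resourceGroups/APP"),
    Assignment("bob", "Contributor", SUB),
]

if __name__ == "__main__":
    for a in ASSIGNMENTS:
        reach = blast_radius(a, INVENTORY)
        print(f"{a.principal}: {a.role} at {a.scope} -> {len(reach)} resource(s)")
```
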
Ramkid
Highly Voted 2 years, 3 months ago
Correct Answer: Box 1: Security Admin. Box 2: Resource Group Owner. https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 22 times
Zak366
2 years, 2 months ago
Perfect link, following principle of least privilege
upvoted 1 times
Ramye
1 year, 2 months ago
and a snippet from the article above: "In Defender for Cloud, you only see information related to a resource when you're assigned one of these roles for the subscription or for the resource group the resource is in: Owner, Contributor, or Reader."
upvoted 1 times
54c341a
Most Recent 2 months, 1 week ago
Contributor and Contributor as per https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 1 times
xRiot007
3 months, 1 week ago
Box 1: Security Admin. Box 2: Depends. If the resources in the subscription are located in ONE rg, then RG Owner role is least privilege. If they are located in multiple subscriptions, then Subscription Contributor is a better choice imho.
upvoted 2 times
Avaris
10 months, 2 weeks ago
Enable and disable Azure Defender: Assign Subscription Contributor to manage subscription-level settings, including enabling and disabling Azure Defender. Apply security recommendations to a resource: Assign Security Admin to view and apply security recommendations within the resource groups.
upvoted 1 times
LeandroFerraz
1 year, 1 month ago
CORRECT https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions
upvoted 1 times
Ramye
1 year, 2 months ago
Who has less permission between Sec Admin vs Contributor? Given the information here https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions the contributor has less permission, therefore, the 1st box should be Contributor. And the 2nd box is also contributor.
upvoted 2 times
Ramye
1 year, 2 months ago
After delving further and considering it's a single resource, the answers should be: 1st box: Subscription Contributor; 2nd box: Resource Group Owner
upvoted 6 times
estyj
1 year, 3 months ago
Security admin and Resource Group Owner since it just says a resource (Not resources) not spanning multiple RG. So Resource Group Owner for Principle of least privilege.
upvoted 1 times
chepeerick
1 year, 6 months ago
Correct, Contributor / Owner (Resource group level) then Contributor (Subscription level)
upvoted 1 times
IT_Nerd31
1 year, 6 months ago
The answer is . Sec Admin - . Resource Group Owner - "Apply Security recommendations to a resource" (Resource is the key word here.)
upvoted 3 times
mali1969
1 year, 8 months ago
To enable and disable Azure Defender, you need the Security Admin role. This role allows you to update the security policy and enable or disable Azure Defender plans. To apply security recommendations to a resource, you need the Subscription Contributor role. This role grants full access to manage all resources, including the ability to apply security recommendations for a resource.
upvoted 2 times
donathon
1 year, 8 months ago
https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions Answer is correct based on past contributors
upvoted 1 times
donathon
1 year, 7 months ago
Sorry I change to Security Admin and Resource Group Owner. A resource can only be within a single resource group so this should be enough.
upvoted 1 times
xping85
1 year, 8 months ago
The solution must use the principle of least privilege. Box 1: Subscription Contributor. Box 2: Resource Group Owner. Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions
upvoted 3 times
tirajvid
1 year, 10 months ago
What if a subscription has hundreds of resource groups belonging to many departments? Subscription contributor access will provide access to all those additional RGs?
upvoted 1 times
Veracloud
1 year, 10 months ago
answer is correct, https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions
upvoted 1 times
tatendazw
1 year, 10 months ago
Sub Contributor Resource Group owner https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 3 times
imsidrai
2 years, 1 month ago
Correct ans is Contributor, Contributor, because contributor role at subscription level has both the capabilities https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions
upvoted 1 times