Exam MS-500 topic 4 question 48 discussion

Why should editing user1 have any impact on user5's access?

I tried to replicate this is my environment. But in the newest version of Compliance manager "there is no longer a default Guest access role." Which I Believe this question is refering to. "Now each user must be assigned a role in order to access and work within Compliance Manager." So logic says this series of questions is based off the older set up that allowed all users with an Azure AD account to access Compliance manager as a guest. To me it does not make sense to apply lower permissions to another user to counteract no/derfault permissions because user1 already has contributor access and by default reader access so no changes would be made if you added this permission to this user. Same with adding reader access to User5 themselves either way you either made no change at all or the opposite of what you wanted to achieve. With that logic in mind I would say the both this answer and the following is No. I would love to know what Microsoft believe the correct answer to be on this question as I would love to know. https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-overview?view=o365-worldwide

Compliance Manager uses a role-based access control (RBAC) permission model. Only users who are assigned a role may access Compliance Manager, and the actions allowed by each user are restricted by role type. https://learn.microsoft.com/en-us/microsoft-365/compliance/compliance-manager-setup?view=o365-worldwide#set-user-permissions-and-assign-roles I cannot find anything showing that setting a role for user1 will disallow user5. I have looked at all the comments and links provided here to support choosing A and none of it really shows documentation for that answer. I am going with B.

User 5 access is independent from user 1

B --??

Role types The table below shows the functions allowed by each role in Compliance Manager. The table also shows how each Azure AD role maps to Compliance Manager roles. Users will need at least the Compliance Manager reader role, or Azure AD global reader role, to access Compliance Manager. ROLE TYPES User can: Compliance Manager role Azure AD role Read but not edit data Compliance Manager Reader Azure AD Global reader, Security reader Edit data Compliance Manager Contribution Compliance Administrator Edit test results Compliance Manager Assessor Compliance Administrator Manage assessments, and template and tenant data Compliance Manager Administration Compliance Administrator, Compliance Data Administrator, Security Administrator Assign users Global Administrator Global Administrator

The Compliance Manager Contributor, Compliance Manager Assessor, Compliance Manager Administrator all have the Compliance Manager Reader sub role defined under each assignment. Reference : https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide

The correct answer is b, because the user 1 assigment It has nothing to do with user 5 assigment

Compliance Manager Reader can read but not edit data. But "read" means "access" as well in my opinion. Most of the questions and answers here are unclear.

https://docs.microsoft.com/en-us/microsoft-365/compliance/meet-data-protection-and-regulatory-reqs-using-microsoft-cloud?view=o365-worldwide

This question is on the default behaviour. See "By default, this role group may not appear to have any members. However, the Security Reader role from Azure Active Directory is assigned to this role group. Therefore, this role group inherits the capabilities and membership of the Security Reader role from Azure Active Directory. To manage permissions centrally, add and remove group members in the Azure Active Directory admin center. For more information, see Administrator role permissions in Azure Active Directory. If you edit this role group in the Security & Compliance Center (membership or roles), those changes apply only to the Security & Compliance Center and not to any other services." https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide So, if no users are assigned with Compliance Manager Security Reader role, in fact by default, the Security Reader role from Azure Active Directory is used and User5 will have this role. If Compliance Manager Security Reader role is explicitly assigned to User1, all other users, including User5 will be spared this role.

Answer is No Typo in text: Solution: You recommend assigning the Compliance Manager Reader role to User5.

Answer should be = No. Typo in the question, the solution should be: "Solution: You recommend assigning the Compliance Manager Reader role to User5." This solution does not prevent User5 from accessing the Compliance Manager reports. Notice that the question says "The Compliance Manager Reader role is not assigned to any users." That must mean that all users are accessing the compliance manager reports because they have assigned the "Azure AD Global Reader" permission which also gives read permission to Compliance Manager. I believe the correct solution is the one that mention to remove User5 license.

I think in the question where it says "Solution: You recommend assigning the Compliance Manager Reader role to User1." , its a typo.It should be User5 instead of User1 and thats why answer is YES.

The link points to a preview. Preview is not valid and the document does not answer the question. It must be the answer No

This makes no sense... How can I prevent User 5 to see a report by changing the role assignment for User 1?