Exam AZ-140 topic 3 question 14 discussion

Actual exam question from Microsoft's AZ-140
Question #: 14
Topic #: 3

HOTSPOT -
You have two Azure subscriptions that are linked to an Azure Active Directory (Azure AD) tenant named contoso.com and contain an Azure Virtual Desktop deployment. The tenant contains a user named User1.
When User1 signs in to Azure Security Center, the user receives the message shown in the following exhibit.

You need to ensure that User1 can manage security information for the tenant. The solution must use the principle of least privilege.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Security administrator for contoso.com
Incorrect:
* Not at the subscription level, as there are two subscriptions.
* Not Root management group level
Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Box 2: Privileged Role Administrator
You need to ensure that User1 can manage security information for the tenant.
Privileged Role Administrator - Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Incorrect:
* External Identity Provider Administrator
This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Comments

Leocan
Highly Voted 2 years, 2 months ago
Tested in the lab: Security Admin at the root management group level.
upvoted 6 times
...
hwoccurrence
Most Recent 7 months ago
Role to assign to User1: Security Admin at the root (tenant) management group level. Tenant‐wide visibility in Microsoft Defender for Cloud (Security Center) requires a role assignment at the root management group (also called the “tenant root group”). Assigning “Security Admin” at the root level lets User1 manage security settings across all subscriptions under that tenant, meeting the “tenant‐wide” requirement.
Role required to assign the role to User1: Privileged role administrator. The Privileged Role Administrator role can manage role assignments in Azure AD, including high‐privilege directory roles such as Security Admin.
upvoted 1 times
...
impie007
9 months, 3 weeks ago
Role to assign to User1: Security administrator for contoso.com
Reason: The "Security administrator" role will allow User1 to manage security information for the entire Azure AD tenant, which provides tenant-wide visibility in Azure Security Center. This role grants the necessary permissions to view and manage security policies and configurations across the tenant.
Role required to assign the role to User1: Privileged role administrator
Reason: The "Privileged role administrator" role is needed to assign roles such as "Security administrator" to users. This role has the authority to manage role assignments within Azure AD and can delegate the necessary security permissions to User1.
upvoted 2 times
...
JohnBarneveld
2 years, 2 months ago
https://learn.microsoft.com/en-us/azure/defender-for-cloud/tenant-wide-permissions-management
In this document, somewhere under point 3, it says "The organizational-wide view is achieved by granting roles on the root management group level of the tenant."
upvoted 2 times
...
hydrillo
2 years, 3 months ago
Security Administrator at the tenant level doesn't give you any rights in Azure. Since there are 2 subscriptions, you need the Security Admin at the root management group level.
upvoted 4 times
...
Magis
2 years, 9 months ago
Sounds correct to me.
upvoted 1 times
...