You have a Microsoft 365 subscription.
You need to provide a user the ability Security defaults and create Conditional Access policies. The solution must use the principle of least privilege.
Which role should you assign to the user?
You have a Microsoft 365 subscription.
You need to provide a user the ability Security defaults and create Conditional Access policies. The solution must use the principle of least privilege.
Which role should you assign to the user?
To provide a user with the ability to manage security defaults and create Conditional Access policies, the Security Administrator role is suitable. This role includes permissions to configure security defaults and manage Conditional Access policies. Assigning the Global Administrator role would contradict the principle of least privilege due to its broader permissions. The Conditional Access Administrator can manage Conditional Access policies but cannot configure security defaults. Therefore, the Security Administrator role best aligns with the requirements and adheres to the principle of least privilege.
B appears to be correct: To set up security defaults and create Conditional Access policies, a user requires the Conditional Access Administrator or Security Administrator role1. However, the Security Reader or Global Reader role is sufficient if the purpose is solely to read policies1.
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role.
^^^ This guy knows stuff. "To enable security defaults (or confirm they're already enabled) Sign in to the Microsoft Entra admin center as least a Security Administrator." https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa?view=o365-worldwide&tabs=secdefaults Conditional Access Admin can change only CAPs, named locations and auth contexts. No security defaults.
Both Conditional Access Administrator and Security Administrator can change security defaults REF: https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-turn-on-mfa?view=o365-worldwide&tabs=secdefaults#to-enable-security-defaults-or-confirm-theyre-already-enabled When I look at all the permissions Security Administrator has. Its way more compaired to the Conditional Access Administrator role. So I guess the answer is B REF:https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-administrator REF: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#conditional-access-administrator
To provide a user the ability to manage both security defaults and Conditional Access policies, you should assign them the Conditional Access Administrator role1. This role allows the user to create, edit, and delete Conditional Access policies, as well as enable or disable security defaults.
100%100 Agree With Examkiller020 Global administrator, Conditional Access Administrator and Security Administrator can change security defaults But CAA Has a lower level of privileges
B. tested in my tenant CA admin can turn on/off security defaults
B is correct Conditional Access Administrator: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#conditional-access-administrator:~:text=365%20admin%20center-,Conditional%20Access%20Administrator,-This%20is%20a https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#:~:text=If%20your%20organization%20has%20complex%20security%20requirements%2C%20you%20should%20consider%20Conditional%20Access.
Given answer is correct.
B. Conditional Access Administrator. The Conditional Access Administrator role allows users to manage Azure Active Directory Conditional Access policies without giving them broader administrative permissions that come with roles like Global Administrator. This aligns with the principle of least privilege by granting only the necessary permissions for the task.
Answer is C: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#security-administrator Conditional Access Admin role can only edit Conditional Access related settings, they cannot edit Security Defaults
B https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide
Conditional Access Admin CANNOT configure Security Defaults. C fulfils both requirements. Source: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults#enabling-security-defaults To configure security defaults in your directory, you must be assigned at least the Security Administrator role.