Exam SC-200
Question 37

DRAG DROP


You have an Azure subscription that contains the users shown in the following table.

You need to delegate the following tasks:

• Enable Microsoft Defender for Servers on virtual machines.

• Review security recommendations and enable server vulnerability scans.

The solution must use the principle of least privilege.

Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
wsrudmen

It should be User1 for both! How can Security Reader enable server vulnerability scans? User1 User1

scruzer

This is correct! It is clearly listed here. https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

Holii

Roles listed here do not include actions for enabling server vulnerability scans. Tested in my demo tenant, Security Reader role can enable vulnerability assessment features on Azure and Hybrid machines. Due to PoLP, answer is: User1, User2.

Holii

I actually tested this out some more... What a weird question. Microsoft Defender for Servers on Virtual Machines requires at least Contributor-level on your subscription. To enable Vulnerability assessment for machines (server vulnerability scans on Azure and hybrid machines) you need at least User Access Administrator or Owner on the subscription. Doesn't matter what your RBAC is, because these changes are all being performed on the subscription; and the settings page is viewable without Reader. I'm going to throw this up and say: User3 (assuming they mean the Contributor from the subscription level), User2 (assuming you are an Owner/User Access Admin with the least-privilege RBAC role). Please correct me if I am wrong.

ethhacker

Correct. Required roles and permissions: Owner (resource group level) can deploy the scanner.

mb0812

Both are User3. https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

danlo

I would say the answer is User 3 for both, User 1 is an AAD role and not RBAC. Security Administrator != Security Admin. Contributor can enable plans = Servers Plan Contributor can apply fix = Enable vulnerable scan from recommendations

Yurri

User 1. Security Administrator: This role can enable Microsoft Defender plans for servers. This role is granted the minimum permissions to enable and configure security-related settings, but not to create or delete resources in the Azure subscription. User 3. Contributor: This role has permissions to create and manage all types of Azure resources, including security features. Assigning the Contributor role at the resource group level for the specific servers should be sufficient to enable server vulnerability scans.

Ramye

How come the Security Admin has less permission than the Contributor? Both can enable Microsoft Defender plans, but Contributor has less permission based on https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

Ramye

The first box is certainly user 3 - contributor that has less permission than Security Admin. So both boxes User 3 contributor

Ghost042

Required roles and permissions: Owner (resource group level) can deploy the Vulnerability scanner while security Reader can only view findings. Answer is Contributor, Security Admin

kabooze

user 1 & User 3 https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management

xping85

The solution must use the principle of least privilege User1 User3

mb0812

For all those vouching for User 2 for either of the boxes, check this link. NOWHERE is it mentioned that Security Reader can enable Defender plans or do the scans. So the only option is User1 or User3. For the second box, it is Contributor (User3) straight away, as Security Admin cannot apply security recommendations. For the first box, both User1 and User3 can do the job. However, Contributor has fewer privileges. Hence both boxes = User3

mb0812

https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

hovlund

A VERY big thing to keep in consideration is that Security Administrator is an Entra ID role, not RBAC; the RBAC role that can administrate Defender for Cloud is Security ADMIN, there is a difference. With that said, I must be Contributor for both, or hope that there are different answers in the real test...

hovlund

So the correct answers would be 1: Contributor, 2: Owner. https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management

7d801bf

User 1 and User 3

Ramye

Based on the least privilege principles, the answer for both is User3 - Contribute. Explanations are given below: - Contribute has the least privilege who can Enable / disable Microsoft Defender plans - Contribute has the least privilege who can View alerts and recommendations and Enable vulnerable scan from recommendations

Ramye

To clarify Above I meant Contributor when said Contribute.

bitmako

User 1 User 2 https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management

Murtuza

Security Reader: A user that belongs to this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, a security policy, and security states, but can't make changes.

Chris2pher

Based on the role matrix only the Security Admin (S1) can do both. If you select S2 it cannot enable server vulnerability scans, while the Contributor can do that; the question did not mention subscription level. I think both S1, or S1 and S3.

smanzana

User1 User1

chepeerick

Correct User1 and User2

Gurulee

Tricky, tricky! Following least priv., and referring to https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions, I believe User1 for both is the answer. In the referenced link, the table notes show add/assign initiatives and enable/disable Defender plans for Security Admin.
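The thread keeps circling around the same two questions: which Azure RBAC role actually grants the action behind enabling a Defender plan, and the distinction (raised by hovlund) between the Entra ID directory role "Security Administrator", which grants no Azure resource permissions at all, and the Azure RBAC role "Security Admin", which does. The script below is an added example, not code from the exam, the discussion, or Microsoft. It models how Azure RBAC evaluates an action against a role definition (Actions minus NotActions, with `*` wildcards matched case-insensitively) and applies that to `Microsoft.Security/pricings/write`, the control-plane action behind enabling a Defender plan. The role definitions are constructed, simplified subsets of the built-in roles, and `narrowest_role` is a heuristic of my own that counts how many probe actions each candidate grants; it is a way to compare breadth, not an authoritative least-privilege ruling for the exam answer.

```python
"""Added example: evaluate which Azure RBAC role definition grants a given
resource-provider action using Azure's Actions / NotActions wildcard rules.
The role definitions are constructed, simplified subsets of the built-in
roles; replace them with real `az role definition list` output for real checks."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action patterns use '*' as a wildcard that may span '/'
    separators, compared case-insensitively. fnmatch's '*' also spans '/',
    so it models that rule for the simple patterns used here."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: RoleDefinition, action: str) -> bool:
    """Effective permission = (some Action matches) AND NOT (some NotAction matches).
    NotActions subtract from the role's own Actions; they are not deny rules."""
    granted = any(action_matches(p, action) for p in role.actions)
    excluded = any(action_matches(p, action) for p in role.not_actions)
    return granted and not excluded


def roles_allowing(roles, action):
    """Names of every role in `roles` that grants `action`."""
    return [r.name for r in roles if role_allows(r, action)]


def narrowest_role(roles, required_actions, probe_actions):
    """Among roles granting every required action, return the one that grants
    the fewest probe actions (crude breadth score over the probe list only).
    Returns None when no role satisfies the requirement."""
    candidates = [r for r in roles if all(role_allows(r, a) for a in required_actions)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: sum(role_allows(r, a) for a in probe_actions)).name


# Constructed, simplified subsets of the built-in Azure role definitions.
SECURITY_READER = RoleDefinition("Security Reader", ["*/read", "Microsoft.Security/*/read"])
SECURITY_ADMIN = RoleDefinition(
    "Security Admin",
    ["*/read", "Microsoft.Security/*", "Microsoft.Authorization/policyAssignments/*"],
)
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    ["*"],
    ["Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/*/Write",
     "Microsoft.Authorization/elevateAccess/Action"],
)
ROLES = [SECURITY_READER, SECURITY_ADMIN, CONTRIBUTOR]

# Control-plane action behind enabling a Defender for Cloud plan.
ENABLE_DEFENDER_PLAN = "Microsoft.Security/pricings/write"
# Probe actions used to compare how broad each candidate role is.
PROBES = [
    ENABLE_DEFENDER_PLAN,
    "Microsoft.Security/pricings/read",
    "Microsoft.Security/assessments/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Authorization/roleAssignments/write",
]

if __name__ == "__main__":
    for action in PROBES:
        print(f"{action}: {roles_allowing(ROLES, action)}")
    print("narrowest role that can enable a Defender plan:",
          narrowest_role(ROLES, [ENABLE_DEFENDER_PLAN], PROBES))
```

Under these simplified definitions Security Reader never matches the write action (both of its patterns end in `/read`), Security Admin matches via `Microsoft.Security/*`, and Contributor matches via `*` but is cut back by its `Microsoft.Authorization/*/Write` NotAction, which is why it cannot create role assignments. To run the same check against a tenant's real definitions and a real user's assignments, export them with `az role definition list --name "Security Admin"` and `az role assignment list --assignee <user> --all`, and remember that an Entra ID role such as Security Administrator will not appear in that RBAC output at all.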