Your company purchases a Microsoft 365 E5 subscription.
A user named User1 is assigned the Security Administrator role.
You need to ensure that User1 can create Microsoft Defender for Cloud Apps session policies.
What should you do first?
To ensure that User1 can create Microsoft Defender for Cloud Apps session policies, you should assign the Cloud App Security Administrator role to User1. The Security Administrator role does not have the specific permissions required to manage Defender for Cloud Apps session policies. By assigning the Cloud App Security Administrator role, User1 will have the necessary privileges to create and manage session policies within Microsoft Defender for Cloud Apps.
Answer is B. Security admin can manage Microsoft Defender for Cloud Apps policy. To set up Defender for Cloud Apps, you must be a Global Administrator or a Security Administrator in Microsoft Entra ID or Microsoft 365. https://learn.microsoft.com/en-us/defender-cloud-apps/get-started
The correct answer is D. Assign the Cloud App Security Administrator role to User1. According to the Microsoft Entra built-in roles article, the Cloud App Security Administrator role grants full permissions in Defender for Cloud Apps. Users with this role can create and manage all aspects of Defender for Cloud Apps session policies, which are used to monitor and control user sessions in cloud apps.
B. Security Admin already has permission to create policies. "Global administrator and Security administrator: Administrators with Full access have full permissions in Defender for Cloud Apps. They can add admins, add policies and settings, upload logs and perform governance actions, access and manage SIEM agents." https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins#microsoft-365-and-azure-ad-roles-with-access-to-defender-for-cloud-apps
The Security Administrator role alone cannot create Microsoft Defender for Cloud Apps (formerly known as Cloud App Security) session policies. The Security Administrator role typically has permissions related to managing security-related aspects of Microsoft 365 services, but it does not include specific permissions for Microsoft Defender for Cloud Apps. To create session policies in Microsoft Defender for Cloud Apps, users need to be assigned the Cloud App Security Administrator role or another role with equivalent permissions specifically related to Microsoft Defender for Cloud Apps administration.
ChatGPT and Copilot concur
Wrong. https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins
https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad
Answer: B. Create a Conditional Access policy and select Use Conditional Access App Control. References: https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad#prerequisites-to-using-session-policies "The relevant apps should be deployed with Conditional Access App Control" "Make sure you've configured your IdP solution to work with Defender for Cloud Apps, as follows: - For Azure AD Conditional Access, see Configure integration with Azure AD - For other IdP solutions, see Configure integration with other IdP solutions"
Personally, I don't think the options make sense, especially A and B, if B turns out to be the answer they want. Yes, the Security Admin role is able to create the policy in question, but option B does not make sense as the correct answer to the question. How does "Create a Conditional Access policy and select Use Conditional Access App Control" sound like a likely answer to this question? To me, the question does not have an answer.
I think that Security admin can manage policies already. Security admin can, in Microsoft Defender for Cloud Apps: add admins, add policies and settings, upload logs and perform governance actions. So adding the Cloud App Security Admin role to him is not necessary.
D. Assign the Cloud App Security Administrator role to User1. The Cloud App Security Administrator role provides the necessary permissions to create and manage session policies within Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security). By assigning this role to User1, they will have the appropriate privileges to create and configure session policies for securing cloud applications and services. Option C is not the correct choice as the Cloud Application Administrator role is not specifically related to Microsoft Defender for Cloud Apps session policies. Options A and B are not directly related to assigning the necessary permissions for creating session policies within Microsoft Defender for Cloud Apps. These options pertain to setting up Conditional Access policies and Conditional Access App Control, which are different from configuring session policies in Microsoft Defender for Cloud Apps.
The Security Administrator role does not have the permissions to create Microsoft Defender for Cloud Apps session policies. You must assign the Cloud App Security Administrator role to User1. Once you have assigned the Cloud App Security Administrator role to User1, you can create a Conditional Access policy that requires users to use Conditional Access App Control. This will ensure that User1 can create Microsoft Defender for Cloud Apps session policies. D
Security Administrator does have the permissions to create Microsoft Defender for Cloud Apps session policies. https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins#roles-and-permissions
"In order for your session policy to work, you must also have a Microsoft Entra ID Conditional Access policy, which creates the permissions to control traffic." "This procedure provides a high-level example of how to create a Conditional Access policy for use with Defender for Cloud Apps. In Microsoft Entra ID Conditional Access, select Create new policy. Enter a meaningful name for your policy, and then select the link under Session to add controls to your policy. In the Session area, select Use Conditional Access App Control." https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad
NO - This is a necessary step for session policies to take effect, but it does not give User1 the permission to create policies. The user still needs the Cloud App Security Administrator role to manage Defender for Cloud Apps, and the question is "What should you do first?"
What roles grant a user the ability to create Defender for Cloud Apps session policies?
To create a Microsoft Defender for Cloud Apps session policy, you need at least a Security Administrator role in Microsoft Entra ID or Microsoft 365. Looks like answer D.
Answer B: (I hate questions like this). The "Security Administrator" role has admin permissions over other Microsoft security products, while the Cloud App Security Administrator is scoped to just Defender for Cloud Apps. I used 2 different user accounts to test this, 1 with each role. The security administrator was able to create the necessary Conditional Access Policy within Entra (this is needed to create an app session policy in Defender for Cloud) whereas the "Cloud App Security Administrator" could NOT create a conditional access policy within Entra, let alone even read them.
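The two pieces the thread keeps circling (which Entra directory roles User1 actually holds, and the Conditional Access policy with "Use Conditional Access App Control" that a session policy depends on, as quoted from the session-policy-aad article above) can be checked and created from Microsoft Graph PowerShell. The script below is an added example, not code from the thread or from Microsoft's documentation; the UPN, the policy name, and the pilot scoping to User1 only are hypothetical values. Whoever runs the Conditional Access step needs a role that can write CA policies (Security Administrator or Conditional Access Administrator), which is exactly the difference the last poster observed between the two test accounts.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph modules:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Steps:
#   1. list the built-in directory roles User1 already holds,
#   2. assign Cloud App Security Administrator only if it is missing,
#   3. create the Conditional Access policy that routes browser sessions to
#      Office 365 through Conditional Access App Control (report-only state),
#      which is the prerequisite for a Defender for Cloud Apps session policy.
Connect-MgGraph -Scopes "Directory.Read.All",
                         "RoleManagement.ReadWrite.Directory",
                         "Policy.ReadWrite.ConditionalAccess"

$user1Upn = "user1@contoso.example"   # hypothetical UPN
$user1    = Get-MgUser -UserId $user1Upn -Property Id,UserPrincipalName

# 1. Directory roles currently assigned to User1 (filter out groups etc.)
$roles = Get-MgUserMemberOf -UserId $user1.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
"User1 currently holds: $($roles -join ', ')"

# 2. Assign Cloud App Security Administrator if not already present.
#    For a built-in role the roleDefinitionId equals its role template id.
$roleName = "Cloud App Security Administrator"
if ($roles -notcontains $roleName) {
    $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $roleName
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $template.Id `
        -PrincipalId $user1.Id -DirectoryScopeId "/" | Out-Null
    "Assigned '$roleName' to $user1Upn"
}

# 3. Conditional Access policy with the "Use Conditional Access App Control"
#    session control. Scoped to User1 and created in report-only state so it
#    can be validated before enforcement; widen includeUsers when ready.
$policy = @{
    displayName = "CAAC - Office 365 browser sessions (monitor only)"   # hypothetical name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @($user1.Id) }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        # monitorOnly = "Monitor only", blockDownloads = "Block downloads",
        # mcasConfigured = "Use custom policy" (defer to Defender for Cloud Apps policies)
        cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "monitorOnly" }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created CA policy $($created.Id) in state $($created.State)"
```

Run step 1 with both test accounts described in the post above before deciding anything: if Security Administrator is already listed, step 2 is a no-op and the only remaining prerequisite for a session policy is the CA policy from step 3. Note that step 3 fails with a 403 when the signed-in account holds only Cloud App Security Administrator, since that role carries no Conditional Access write permission.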