SC-200 Exam - Question 186


HOTSPOT

You have a Microsoft Sentinel workspace named sws1.

You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in sws1.

You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:

• Minimize administrative effort.

• Use the principle of least privilege.

How should you configure the credentials? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Exam SC-200 Question 186
Correct Answer:
Exam SC-200 Question 186

Discussion

12 comments
evilprime
Mar 29, 2023

guess it should be 'reader' with 'managed' see https://learn.microsoft.com/en-us/azure/sentinel/authenticate-playbooks-to-sentinel#authenticate-with-managed-identity

nsss
Jan 26, 2024

You guessed wrong, the reader role does not have the necessary permissions to run a logic app. You can use it to authenticate, sure, but it's not enough for running it.

user636
Aug 26, 2024

The logic app does not need the responder because it will create incident in the external system & not in Sentinel. Reader is enough for the logic app to read the incidents generated in Sentinel.

billo79152718
Aug 6, 2023

A managed identity Microsoft Sentinel Reader

ACSC
Jan 29, 2023

Answer is correct. https://learn.microsoft.com/en-us/azure/sentinel/authenticate-playbooks-to-sentinel#authenticate-with-managed-identity https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-specific-roles

PhoenixSlasher
Feb 14, 2023

Surely Reader is all that is required if MS Reader can view Incidents (doesn't mention in scenario whether the Logic App will manage the Incident on Sentinel side, only raise an incident in an ITSM elsewhere when incident is raised in sentinel <> view required only?

donathon
Aug 17, 2023

A managed identity Microsoft Sentinel Reader

Ramye
Mar 2, 2024

Based on the Sentinel role permission (RBAC), I think the answers are:
- Managed Identity
- Sentinel Responder (because this can assign incident as outlined below)
Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).

Ramye
Mar 2, 2024

Upon further reading the link shared by Evilprime, it’s most likely Sentinel Reader.

Permissions required:

Roles / Connector components | Triggers | "Get" actions | Update incident, add a comment
Microsoft Sentinel Reader | ✓ | ✓ | ✗
Microsoft Sentinel Responder/Contributor | ✓ | ✓ | ✓

uday1985
May 11, 2024

it dictates "raising" not "updating" an incident

RV025
Aug 31, 2023

I would say: Service principal since that can be assigned the least privilege without having to create a user in the AD. Since no automation creation of incident handling is needed, sentinel reader role would suffice

SaHaGe
Sep 29, 2023

The same scenario tells you that the logic app is going to generate an incident. "You plan to create an Azure logic app that will raise an incident..." The reader can only view incidents, the responder has the ability to generate them. The suggested answer is correct.

wheeldj
Apr 26, 2024

the logic app is raising the incident in the ITSM tool, not sentinel so this has no bearing on which sentinel role to choose.

chepeerick
Oct 17, 2023

Correct answer

smanzana
Jul 29, 2024

Managed identity Microsoft Sentinel Reader

chepeerick
Oct 29, 2023

Correct Option

kabooze
Oct 29, 2023

I hate these kind of questions. Honestly I can't tell what is "easier" a managed identity or a service principal. I know that the documentation says service principal is preferred. Sigh....

a_kto_to
Apr 14, 2025

ChatGPT:
✅ Answer:
Role to assign: Microsoft Sentinel Responder
Scope to assign the role: Resource group that contains the Sentinel workspace
🧠 Explanation:
Microsoft Sentinel Responder
Can view incidents and update their status or comments, which is sufficient for triggering actions in a logic app when incidents are created.
Cannot create analytics rules, workbooks, or change workspace settings, so it aligns well with least privilege.
Scope at resource group level:
This limits the permissions to just the resource group that contains sws1, again helping follow least privilege.