Exam SC-300
Question 193

HOTSPOT

You have a Microsoft 365 E5 subscription that contains a user named User1.

You configure app governance integration.

User1 needs to view the App governance dashboard. The solution must use the principle of the least privilege.

Which role should you assign to User1, and which portal should User1 use to view the dashboard? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
SFAY

Role: Cloud Apps Admin - Both App admin and Cloud App admin can do the job; however, Cloud App admin is the least privileged of the two.
Portal: M365 Defender - Defender for Cloud Apps portal does not exist anymore, as it has been integrated with the M365 Defender portal.

SFAY

Note: We don't know if Microsoft has updated this question or not. Prior to integration, the Cloud Apps portal was the correct answer; however, post integration, the M365 Defender portal is the right answer.

N05H3LL

The "Application Administrator" role indeed has the necessary permissions to view and manage enterprise applications within the Azure and Microsoft 365 ecosystems. However, if the goal is to adhere strictly to the principle of least privilege, the "Cloud Application Administrator" role is more specific and restrictive, granting only the permissions necessary to perform the task without including broader administrative capabilities that an Application Administrator would have.

As for the portal choice, the Microsoft 365 Defender portal integrates security management across Microsoft 365 services. However, for app-specific governance and monitoring, Microsoft Defender for Cloud Apps is the specialized portal that provides a dedicated environment for managing cloud app security, including the app governance features.

So, while the Application Administrator role and the Microsoft 365 Defender portal could potentially be used to view the App governance dashboard, the Cloud Application Administrator role paired with the Microsoft Defender for Cloud Apps portal is a more direct match for the task, aligning better with the principle of least privilege and the specific focus on app governance.

daschicken

Box 1: Application Administrator
Box 2: M365 Defender Portal
User1 needs to review all apps, not cloud apps only.

EmnCours

Role: Cloud Application Administrator
Portal: The Microsoft 365 Defender Portal

haazybanj

Cloud Application Administrator
Microsoft 365 Defender Portal

haazybanj

Roles

You must have one of these roles to turn on app governance: Global Admin, Company Admin, Security Admin, Compliance Admin, Compliance Data Admin, Cloud App Security admin.

One of the following administrator roles is required to see app governance pages or manage policies and settings: Application Administrator, Cloud Application Administrator, Company or Global Administrator, Compliance Administrator, Compliance Data Administrator, Global Reader, Security Administrator, Security Operator, Security Reader (read-only).

https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started#roles

jim85

Portal can be tricky, as https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started says: "If your organization satisfies the prerequisites, go to Microsoft Defender XDR > Settings > Cloud Apps > App governance and select Use app governance." I think this depends on what the guy at MS thought.

haazybanj

Cloud Application Administrator
Microsoft 365 Defender Portal

nils241

Box 1: M365 Defender Portal
Box 2: Application Administrator (Read-only)
https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started#roles

northgaterebel

Role: Cloud Application Administrator
Portal: The Microsoft 365 Defender Portal
According to your link, Cloud Application Administrator has the same permissions to the M365 Defender Portal and has fewer total privileges than Application Administrator.
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference