Exam SC-300
Question 34

DRAG DROP

You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.

You need to ensure that User1 can create access reviews for groups, and that User2 can review the history report for all the completed access reviews. The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
Halwagy

User 1: User Administrator
User 2: Security Reader

oscarpopi

Correct

klayytech

Read access review of a group or of an app:
Least privileged role = Security Reader
Additional roles = Security Administrator, User Administrator
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task#enterprise-applications

klayytech

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews
Global Admin, Global Reader. Security Reader does not have permission to read the history for Azure resource roles.

doch

User Admin, Security Reader.
Ref: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task

oscarpopi

Correct, that's a nice article, I'll bookmark it

poesklap

https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-downloadable-review-history
Global Admin, Global Reader

curtmcgirt

no. that article is about __history reports__ for access reviews, rather than about access reviews themselves. the specific sentence you read is poorly written, and should probably read "Global Administrator and Global Reader can see --history reports of -- all access reviews."

ak1234

To access an access review, it needs the following roles:
- Global Administrator
- Identity Governance Administrator
- Privileged Role Administrator
- Review Administrator

So, Global Admin and Global Reader is correct.

dule27

User 1: User Administrator
User 2: Global Reader

dule27

Correction:
User 1: User Administrator
User 2: Security Reader

ItzVerified

User 1: User Administrator
User 2: Security Reader

emartiy

User 1: User Admin
User 2: Security Reader

haazybanj

User 1: User Admin
User 2: Security Reader
https://learn.microsoft.com/en-us/azure/active-directory/governance/deploy-access-reviews#who-will-create-and-manage-access-reviews

SumitSahoo

correct!! To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources. To create access reviews for Microsoft Entra roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role.

StarMe

It should be the User Administrator and Security Reader roles, considering least-privilege permissions.

klayytech

https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews
Global Admin, Global Reader. Security Reader does not have permission to read the history for Azure resource roles.

Discuss4certi

Neither can a Global Reader. You need to be assigned the permissions for that resource. Therefore, since it's not stated, go for User Admin for the creation of access reviews and Security Reader for the reports.

jtlucas99

Per Copilot: In Azure Active Directory (Azure AD), you can assign different roles to users to manage access reviews. For User1, you should assign the Access Review Contributor role. This role allows the user to create and manage access reviews, but it doesn’t allow them to make decisions on behalf of reviewers. For User2, you should assign the Access Review Reader role. This role allows the user to read access reviews and their decisions, but they can’t create, update, or delete access reviews. These roles follow the principle of least privilege, granting only the necessary permissions to each user for their specific tasks.

RahulX

Create, update, or delete access review of a group or of an app (User Administrator).
Read access review of a group or of an app (Security Reader).
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task

Er_01

The question states least privilege as a requirement so GA/GR is does fit this. User 1 : User Administrator User 2 : Security Reader

LanceMatt

Trick question. If you read the question correctly, it does not say that User1 needs to create the groups. If User1 needed to create groups it would need the User Administrator role, but because the groups are already created and follow the least privilege rule, then the Security Operator role is sufficient. User2 is correct as the Security Reader.

Nyamnyam

Sorry but no. Pls read https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task again. Search for "Create, update, or delete access review of a group or of an app". It is the User Administrator role.

sherifhamed

To ensure that User1 can create access reviews for groups and User2 can review the history report for all the completed access reviews while following the principle of least privilege, you should assign the following roles:

User1: Role: User administrator (to create access reviews for groups)
User2: Role: Report reader (to review the history report for completed access reviews)

These role assignments provide the necessary permissions for each user to perform their respective tasks without granting them excessive privileges.