Exam SC-200 topic 1 question 37 discussion

It should be User1 for both! How security reader can enable server vulnerability scans? User1 User1

I would say the answer is User 3 for both, User 1 is an AAD role and not RBAC. Security Administrator != Security Admin. Contributor can enable plans = Servers Plan Contributor can apply fix = Enable vulnerable scan from recommendations

Contributor role. To do that, you'd need a role like Security Reader or Security Administrator, which includes the ability to view recommendations. With the Security Reader role in Microsoft 365 Defender, you can review security recommendations, but you cannot enable server vulnerability scans or make any changes to security configurations. So option should be User 1 for both.

Based on the principle of least privilege, you should assign the tasks to the users as follows: Enable Microsoft Defender for Servers on virtual machines: This task involves enabling a security feature and possibly making changes to resources. The user who should perform this task is User1 (Security Administrator). The Security Administrator has the necessary permissions to manage security features like Microsoft Defender. Review security recommendations and enable server vulnerability scans: This task primarily involves reviewing security information and enabling scans, which can be done by a Security Reader. The user who should perform this task is User2 (Security Reader). Security Readers can view security recommendations and configure scans, making them the most appropriate role for this task. So, the tasks should be assigned as follows: Enable Microsoft Defender for Servers on virtual machines: User1 Review security recommendations and enable server vulnerability scans: User2

User 1 and User 3

The first box is certainly user 3 - contributor that has less permission than Security Admin. So both boxes User 3 contributor

For all those vouching for User 2 for either of the boxes, check this link. NOWHERE it is mentioned that Security Reader can Enable Defender Plans or do the scans. So only option is User1 or User3. For second box, it is Contributor (User3) straight away as Security Admin cannot apply security recommendations. For first box, both user1 and 3 can do the job. However, Contributor has lesser privileges. Hence both boxes = User3

Based on the least privilege principles, the answer for both is User3 - Contribute. Explanations are given below: - Contribute has the least privilege who can Enable / disable Microsoft Defender plans - Contribute has the least privilege who can View alerts and recommendations and Enable vulnerable scan from recommendations

User 1 User 2 https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management

Security Reader: A user that belongs to this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, a security policy, and security states, but can't make changes.

based on the role matrix only the security admin (S1) can do both. if you select S2 it cannot enable server vulnerability scan while the contributor can do that, the question did not mention subscription level. I think both S1 or S1 and S3

User1 User1

Required roles and permissions: Owner (resource group level) can deploy the Vulnerability scanner while security Reader can only view findings. Answer is Contributor, Security Admin

user 1 & User 3 https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management

Correct User1 and User2

A VERY big thing to keep in consideration is that Security Administrator is an Entra ID Role, not RBAC, the RBAC role that can administrate Defender for Cloud is Security ADMIN, there is a difference. With that said, i must be contributor for both, or hope that there is different answers in the real test...

Tricky, tricky! Following least priv., and referring to https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions, I believe User1 for both is the answer. In the referenced link, the table notes show add/assign initiatives and enable/disable Defender plans for Security Admin.