Exam SC-300 topic 3 question 29 discussion

Role: Cloud Apps Admin - Both App admin and Cloud App admin can do the job however Cloud App admin is least privileged among the two. Portal: M365 Defender - Defender for Cloud Apps portal does not exist anymore as it has been integrated with M365 Defender portal.

The "Application Administrator" role indeed has the necessary permissions to view and manage enterprise applications within the Azure and Microsoft 365 ecosystems. However, if the goal is to adhere strictly to the principle of least privilege, the "Cloud Application Administrator" role is more specific and restrictive, granting only the permissions necessary to perform the task without including broader administrative capabilities that an Application Administrator would have. As for the portal choice, the Microsoft 365 Defender portal integrates security management across Microsoft 365 services. However, for app-specific governance and monitoring, Microsoft Defender for Cloud Apps is the specialized portal that provides a dedicated environment for managing cloud app security, including the app governance features. So, while the Application Administrator role and the Microsoft 365 Defender portal could potentially be used to view the App governance dashboard, the Cloud Application Administrator role paired with the Microsoft Defender for Cloud Apps portal is a more direct match for the task, aligning better with the principle of least privilege and the specific focus on app governance.

Cloud Application Administrator Microsoft 365 Defender Portal

Cloud Application Administrator Microsoft 365 Defender Portal

selecting the appropriate role and portal for User1 to view the **App governance dashboard** while using the least privilege principle. ### Correct selections: - **Role**: **Cloud Application Administrator** - This role grants the appropriate permissions to manage cloud apps and view dashboards related to app governance without over-privileging User1. - **Portal**: **Microsoft Defender for Cloud Apps portal** - The **App Governance** feature is accessed through the Microsoft Defender for Cloud Apps portal, making it the appropriate choice for viewing the app governance dashboard.

Portal can be tricky, as https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started says: If your organization satisfies the prerequisites, go to Microsoft Defender XDR > Settings > Cloud Apps > App governance and select Use app governance. I think this depends on what the guy at MS thought.

Cloud Application Administrator Microsoft 365 Defender Portal

Roles You must have one of these roles to turn on app governance: Global Admin Company Admin Security Admin Compliance Admin Compliance Data Admin Cloud App Security admin One of the following administrator roles is required to see app governance pages or manage policies and settings: Application Administrator Cloud Application Administrator Company or Global Administrator Compliance Administrator Compliance Data Administrator Global Reader Security Administrator Security Operator Security Reader (read-only) https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started#roles

Cloud Application Administrator Microsoft 365 Defender Portal

Box 1: Application Administrator Box 2: M365 Defender Portal User1 needs to review all Apps and Not Cloud Apps only

Role: Cloud Application Administrator Portal: The Microsoft 365 Defender Portal

Box 1: M365 Defender Portal Box 2: Application Administrator (Read-only) https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-get-started#roles