Exam SC-300 topic 4 question 72 discussion

A. User Access Administrator To use Microsoft Entra Permissions Management to automatically monitor permissions and create and implement right-size roles while following the principle of least privilege, you should assign the User Access Administrator role to the service principal of Permissions Management. The User Access Administrator role allows the service principal to manage user access to Azure resources, including the ability to grant and revoke access, but it does not grant excessive permissions such as Contributor or Owner roles. This aligns with the principle of least privilege, ensuring that the service principal has the necessary permissions to perform its tasks without unnecessary access to modify resources.

User Access Administrator can manage permissions but cannot modify resources. Since Permissions Management also needs to create and assign right-sized roles, this role is not sufficient. Since Microsoft Entra Permissions Management needs the ability to both analyze and modify permissions, Owner is the most appropriate role for its service principal. its about service principal permissions that application has, not about the user (human) permissions needed to manage portal e.g.

For least privileged role it should be User access Administrator

needs access to create the roles, so it's user access admin

Can some of you guys saying A? Hit the voting comment here and select that answer. Nobody has answered that yet, but -- that's the correct answer. Why User Access Administrator is the Correct Role: User Access Administrator allows the service principal to manage permissions for Azure resources, including creating and assigning roles and managing access. This role provides sufficient privileges to monitor permissions and implement the right-sizing of roles in alignment with the least privilege principle. User Administrator allows for the creation of custom roles, role assignments, and the ability to configure access management, which is essential for what is asked here. you can create and manage resources with Contributor but not permissions.

It's reader, appears on John Christopher's video. Then the user that uses the service needs a role that can do that, but to read info from the cloud providers in azure is the reader role.

Correct Answer B: To use Microsoft Entra Permissions Management to automatically monitor permissions and create and implement right-size roles while following the principle of least privilege, you should assign the Contributor role to the service principal12. This role provides the necessary permissions to manage resources without granting full administrative access.