Exam MS-500 topic 2 question 19 discussion

Actual exam question from Microsoft's MS-500
Question #: 19
Topic #: 2

HOTSPOT -
Your company has a Microsoft 365 subscription that contains the users shown in the following table.

The company implements Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP includes the roles shown in the following table:

Microsoft Defender ATP contains the machine groups shown in the following table:

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:

Comments

Joshing
Highly Voted 3 years, 9 months ago
Correct answer is Y/N/Y. With RBAC logging into this security portal you will get Full Access "Defender for Endpoint Global administrator role" (which is the default) if you are a Global Admin or Security Admin. Security Reader will get Read-only variants. The same full access Role can be assigned to users as well. Which in this case either has been or has been inherited as the user is a Global/Security Admin. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide#before-you-begin "Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments."
upvoted 28 times
WMG
3 years, 8 months ago
Correct, the built in admin role gives you access to all devices, so no assignment needed.
upvoted 3 times
stromnessian
Highly Voted 3 years, 8 months ago
Despite MS making this information super hard to find, it's YNY. Y - "Alerts investigation" permission required to run scans. N - "Alerts investigation" permission required to download investigation package. Y - At least "Active remediation actions" required to isolate device. Admin has full permissions and access to all machines regardless of group.
upvoted 13 times
zerrowall
Most Recent 2 years, 3 months ago
Regarding User2 see here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/user-roles?view=o365-worldwide#permission-options He doesn't have "Alerts investigation" permission, so the answer User is "N".
upvoted 1 times
Avaris
2 years, 5 months ago
It's a tricky question. User3 doesn't have access to anything. This is a silly one :)
upvoted 2 times
Trainee2244
2 years, 7 months ago
Y,N,Y is the right Answer
upvoted 3 times
Dom1nation
3 years ago
Y-N-N is correct I think. Read all comments.
upvoted 1 times
Fernando001
3 years, 3 months ago
User 3 has no access to device 2, it should be no.
upvoted 1 times
mkoprivnj
3 years, 4 months ago
Correct answer is Y/N/Y.
upvoted 3 times
Rstilekar
3 years, 5 months ago
Y - "Alerts investigation" permission required to run scans. N - "Alerts investigation" permission required to download investigation package. Y - At least "Active remediation actions" required to isolate device. Admin has full permissions and access to all machines regardless of group.
upvoted 4 times
laugz92
3 years, 11 months ago
User groups assigned the Microsoft Defender for Endpoint administrator role have access to all device groups. https://securitycenter.microsoft.com/preferences2/machine_groups -> User Access
upvoted 4 times
Cbruce
3 years, 10 months ago
Y,N,Y
1. Y - Correct permissions to run scans on devices in the group
2. N - Does not have access to collect package, needs Alerts Investigation permissions too
3. Y - default administrator, can access all devices, regardless of group
upvoted 9 times
weabey
3 years, 11 months ago
Yes - No - No
View Data
- View Data
Alerts investigation
- Manage alerts
- Initiate automated investigations
- Run scans
- Collect investigation packages
- Manage machine tags
Active remediation actions
- Take responsive actions
- Approve or dismiss pending remediation actions
ATP-Administrators – ATP Admins, change settings and manage security roles only
Manage security settings
- Configure alert suppression settings
- Manage allowed/blocked lists for automation
- Manage folder exclusions for automated (applies globally)
- Onboard and offboard machines
- Manage email notifications
upvoted 3 times
kiketxu
4 years, 1 month ago
Seems this is a repeated question... Yes, AV scan is in the allowed actions. No, collection is not allowed. Yes, despite it not being clear in the following link, isolate machine is in the remediation actions. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options Check in this other link. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts
upvoted 3 times
Sugar123
4 years, 1 month ago
User 3 cannot isolate Device 1 as it does not have access to this device. Only Group 1 has access to Device 1. "The user needs to have access to the device, based on device group settings (See Create and manage device groups for more information)" https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/isolate-machine So, the answer is correct. Yes - No - No
upvoted 3 times
kiketxu
4 years, 1 month ago
Please check this... https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/rbac#before-you-begin "Someone with a Defender for Endpoint Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments"
upvoted 6 times
Sugar123
4 years, 1 month ago
I'm a little confused. The below link implies that a Defender for Endpoint Global Administrator and a Defender for Endpoint Administrator are different. "Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC." I'm not sure if Group 3 consists of Global Administrators, which would make you right, or if they are regular users assigned the default Defender for Endpoint administrator role. If it is the latter, then I believe the answer is Yes - No - No. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access
upvoted 4 times
JoelB
3 years, 10 months ago
The role in the question says (default), therefore it should be an AAD Global Admin/Security Admin, the quote you provided explains it.
upvoted 1 times