Exam SC-200 topic 1 question 16 discussion

Provided answer B and D is correct. Security Reader - can access M365 Security Center. Active Remediation Actions role in Defender for Endpoint meets need to 'approve and reject' pending actions with respect to Defender For Endpoint. Requirement does not need more.

This question is tricky. If you follow the question directly, they are not asking either/or. They want you to assign 2 roles to the Analyst each being half of the entire solution. Using least privileges the answer should be BD. Not A = Too many other permissions not needed. B = the Active remediation actions role in Microsoft Defender for Endpoint is enough for the task to be done of approving/rejecting pending actions. Not C = Would be able to fulfill both B and D and (more), not least privilege. D = Quite redundant, but gives reader roles read access to the portal up until RBAC is turned on the defender permissions. Least Privilege. ¯\_(ツ)_/¯

BD correct

Slight confused by this one, this link suggests the answer is B & C: https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-action-center?view=o365-worldwide Remediation action: Microsoft Defender for Endpoint remediation (devices) Required roles and permissions: Security Administrator role assigned in either Azure Active Directory (Azure AD) (https://portal.azure.com) or the Microsoft 365 admin center (https://admin.microsoft.com) --- or --- Active remediation actions role assigned in Microsoft Defender for Endpoint

B. the Active remediation actions role in Microsoft Defender for Endpoint: This role specifically allows the analyst to approve or reject pending remediation actions in Microsoft Defender for Endpoint, which is the primary requirement. D. the Security Reader role in Azure Active Directory (Azure AD): This role provides the analyst with read-only access to security-related information in the Microsoft 365 security center without granting unnecessary administrative privileges. It supports the principle of least privilege by restricting the analyst's permissions to what is necessary for their role.

the security admin should be able to do more while sec reader can't do these action

Options B and D

Reason being that you do not need a Reader Role. The Active remediation actions role in Microsoft Defender for Endpoint: This role grants the analyst the ability to take active remediation actions, which includes approving and rejecting pending actions in Microsoft Defender for Endpoint. The Security Administrator role in Azure Active Directory (Azure AD): While not specific to Defender for Endpoint, this role provides broad access to security-related tasks and configuration across Microsoft 365 services, aligning with the analyst's responsibilities.

The answer should be : B and C Check this article: https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-action-center?view=o365-worldwide Tip Users who have the Global Administrator role assigned in Azure AD can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the Global Administrator role assigned. We recommend using the Security Administrator, Active remediation actions, and Search and Purge roles listed in the preceding table for Action center permissions.

Given answers are correct

Correct answer

B and D is correct

B and D are correct. Minimum privilege is requested. The other two options are for administrators.

Active remediation actions role in MDE portal is enough for approve and reject pending actions generated by Microsoft Defender for Endpoint. As soon as you enable Active remediation actions role, Security Reader role is not work in MDE portal. If you don't enable RBAC in MDE portal you can use Security Reader to access.

Answer is B and C Security Reader: A user that belongs to this role has viewing rights to Security Center. The user can view recommendations, alerts, a security policy, and security states, but cannot make changes. Security Admin: A user that belongs to this role has the same rights as the Security Reader and can also update the security policy and dismiss alerts and recommendations. https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions

Please don't approve this and the previous comment here on this question, as it is a mistake. Meant to comment on the above question. Ta.

The correct answer it is seems like, as steps for to Create an indicator for files from the settings page 1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules). 2. Select the File hashes tab. 3. Select Add indicator. 4. Specify the following details: 5. Indicator - Specify the entity details and define the expiration of the indicator. * Action - Specify the action to be taken and provide a description. * Scope - Define the scope of the device group. * Review the details in the Summary tab, then select Save.