Exam SC-200 topic 3 question 43 discussion

The correct answer is D. Reader. The Reader role in Defender for Cloud allows users to view recommendations, alerts, a security policy, and security states, but cannot make changes. This is the least privileged role that allows User1 to export alert data from Defender for Cloud. The other options are incorrect. Option A: The User Access Administrator role allows users to manage user access to Defender for Cloud. It does not allow users to export alert data. Option B: The Owner role allows users to do everything that the Reader role allows, plus they can make changes to the security policy and recommendations. This is more privileged than necessary. Option C: The Contributor role allows users to do everything that the Reader role allows, plus they can apply recommendations and dismiss alerts. This is more privileged than necessary.

should be C since least privilege

Reader can not export data, next possible role with permission to do this is C, Contributor.

I think C - The Contributor (C) role allows full management of resources, including the ability to export alert data from Defender for Cloud. The Reader (D) role only allows viewing resources and data, without the permission to export or modify anything. So, Contributor is necessary because it grants the required permissions to perform the export, while Reader does not.

Can a Reader export alert data from Defender for CLoud? No, a Reader cannot export alert data from Microsoft Defender for Cloud. The Reader role has read-only access and can view recommendations, alerts, and security policies, but it cannot perform actions like exporting data1. To export alert data, you would need at least the Security Admin role, which has the necessary permissions to perform exports. Can a contributor export alert data from Defender for Cloud? Yes, a Contributor can export alert data from Microsoft Defender for Cloud. The Contributor role has the necessary permissions to set up continuous export and export alert data to a Log Analytics workspace or other targets1.

Why Not Use Reader for Exporting? Exporting is considered an action: Even though it may seem like a read-only task, exporting typically involves interaction with an external service, API, or storage (e.g., copying data to a storage account or triggering a script), which requires write permissions. The Reader role is strictly limited to viewing data and does not support programmatic access to move or export the data. Security Reader vs. Contributor: Capability Security Reader Contributor View alerts and recommendations ✅ ✅ View compliance data ✅ ✅ Export alert data (manual or programmatic) ❌ ✅ Create integrations or automations ❌ ✅

D. is correct. Reader is the least privileged role in this question and Readers CAN export from Azure.

can't a reader do that? A user with the Reader role has read-only access to the resources and data in Defender for Cloud but doesn't have the permissions to export alert data.

You can download a CSV report from the Security Alerts page of the Defender for Cloud portal. This will requires only the Reader role. However, since the question exporting data instead of downloading a report, I'll go with the Owner role as my answer

I don't think it should be owner. Please read: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/general#reader If reader is too limiting. Then contributor... The thing is the question only state exporting. Nothing more. So reader should work.

Reader (The key is “The solution must use the principle of least privilege”)

Detailed Role Information for Reader The Reader role in Azure provides the following permissions: View all resources. Access and export alert data from Microsoft Defender for Cloud. Read-only access to monitoring data and other resource properties.

Based on others comment and docs

Admin or Owners can export ! So the answer would be Admin ! https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export

correct answer is Reader

https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal#availability

While a reader can view the alerts the question says we need to be able to export them. All the docs for defender for cloud regarding exporting alerts are talking about setting up SIEM integration which requires owner perms.