
Exam AZ-140 topic 3 question 14 discussion

Actual exam question from Microsoft's AZ-140
Question #: 14
Topic #: 3

HOTSPOT -
You have two Azure subscriptions that are linked to an Azure Active Directory (Azure AD) tenant named contoso.com and contain an Azure Virtual Desktop deployment. The tenant contains a user named User1.
When User1 signs in to Azure Security Center, the user receives the message shown in the following exhibit.

You need to ensure that User1 can manage security information for the tenant. The solution must use the principle of least privilege.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Security administrator for contoso.com
Incorrect:
* Not at the subscription level, as there are two subscriptions.
* Not Root management group level
Each directory is given a single top-level management group called the root management group. The root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This root management group allows for global policies and Azure role assignments to be applied at the directory level.
Box 2: Privileged Role Administrator
You need to ensure that User1 can manage security information for the tenant.
Privileged Role Administrator - Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management.
Incorrect:
* External Identity Provider Administrator
This administrator manages federation between Azure AD organizations and external identity providers. With this role, users can add new identity providers and configure all available settings (e.g. authentication path, service ID, assigned key containers). This user can enable the Azure AD organization to trust authentications from external identity providers.
Reference:
https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

Comments

[Removed]
Highly Voted 1 year, 8 months ago
Correct Answer: Security Admin at the Root Management Group Level (Tenant Root Group) and Global Administrator. This is a poorly written question. The author intentionally misleads the reader using incorrect naming and poorly phrased objectives. Most of these get thrown out; my condolences to anyone who sees this on an exam.
upvoted 7 times
[Removed]
1 year, 8 months ago
Part 1 asks what role User1 needs to be able to “manage” (read that as Modify/Contribute, not just read) security information for the tenant. Tenant here also means the multiple Azure subscriptions. Azure Subscription rights are not handled by default Azure AD role assignments. You can be a Global Admin of the Azure AD tenant and not have visibility to the Azure Subscriptions unless it is granted by another admin, or you self-elevate.
upvoted 1 times
[Removed]
1 year, 8 months ago
Instead, Azure Subscription rights are managed by Management Groups. The Tenant level management group is named by default “Tenant Root Group”. While technically this is the “Root Management Group Level”, using this language in the exam question is solely intended to throw the reader off, as it would typically be referred to as the “Tenant Root Group”. To provide User1 access to manage the security information for all the subscriptions in the tenant, the user would need to be assigned the “Security Admin Role” on the Tenant Root Group. https://learn.microsoft.com/en-us/azure/defender-for-cloud/tenant-wide-permissions-management
upvoted 2 times
[Removed]
1 year, 8 months ago
Part 2 of the question is tricky as well. It states: “Role Required to” assign the role to User1. It is not asking which role to assign to User1 which would be the Security Admin role. It is instead asking which role “you” need to have in order to assign the appropriate role to User1. Being that the Tenant Root Group does not allow anyone to modify its role assignments by default and only a Global Administrator can self-elevate to the “User Access Administrator role” of the Tenant Root Group, you will require Global Admin rights to achieve the goal. https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
upvoted 2 times
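The sequence described in the replies above (a Global Administrator elevates access, then assigns Security Admin on the Tenant Root Group), written with the Azure CLI as an added example that is not part of any commenter's post. It assumes a signed-in Global Administrator and a root management group that still has its default ID (the tenant ID); the UPNs passed in, such as user1@contoso.com, are placeholders.

```shell
#!/bin/sh
# Added example: tenant-wide Defender for Cloud rights through the root management group.
# Assumptions: Azure CLI installed, operator signed in as Global Administrator,
# root management group ID equals the tenant ID (the default).

# Build the ARM scope string of a management group from its ID.
mg_scope() {
  printf '/providers/Microsoft.Management/managementGroups/%s' "$1"
}

# Step 1: the Global Administrator self-elevates to User Access Administrator at "/".
# A fresh sign-in may be needed before the elevated role takes effect.
elevate_access() {
  az rest --method post \
    --url '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
}

# Step 2: assign the Azure role "Security Admin" on the root management group,
# so every subscription under it inherits the assignment.
assign_security_admin() {  # $1 = user UPN, $2 = tenant ID
  az role assignment create --assignee "$1" --role 'Security Admin' \
    --scope "$(mg_scope "$2")"
}

# Step 3: confirm the assignment exists at the root management group scope.
verify_assignment() {      # $1 = user UPN, $2 = tenant ID
  az role assignment list --assignee "$1" --scope "$(mg_scope "$2")" \
    --query "[?roleDefinitionName=='Security Admin'].scope" -o tsv
}

# Step 4: remove the operator's elevated access again, keeping least privilege
# for the operator account as well as for User1.
remove_elevation() {       # $1 = operator UPN
  az role assignment delete --assignee "$1" \
    --role 'User Access Administrator' --scope '/'
}

run_all() {                # $1 = user UPN, $2 = operator UPN
  tenant_id="$(az account show --query tenantId -o tsv)"
  elevate_access
  assign_security_admin "$1" "$tenant_id"
  verify_assignment "$1" "$tenant_id"
  remove_elevation "$2"
}

# Nothing runs unless invoked as: script.sh apply <user-upn> <operator-upn>
if [ "${1:-}" = "apply" ]; then shift; run_all "$@"; fi
```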
Leocan
Highly Voted 1 year, 10 months ago
Tested in the lab: Security Admin at the root management group level.
upvoted 5 times
hwoccurrence
Most Recent 3 months, 1 week ago
Role to assign to User1: Security Admin at the root (tenant) management group level. Tenant‐wide visibility in Microsoft Defender for Cloud (Security Center) requires a role assignment at the root management group (also called the “tenant root group”). Assigning “Security Admin” at the root level lets User1 manage security settings across all subscriptions under that tenant, meeting the “tenant‐wide” requirement. Role required to assign the role to User1: Privileged role administrator. The Privileged Role Administrator role can manage role assignments in Azure AD, including high‐privilege directory roles such as Security Admin.
upvoted 1 times
impie007
5 months, 4 weeks ago
Role to assign to User1: Security administrator for contoso.com. Reason: The "Security administrator" role will allow User1 to manage security information for the entire Azure AD tenant, which provides tenant-wide visibility in Azure Security Center. This role grants the necessary permissions to view and manage security policies and configurations across the tenant. Role required to assign the role to User1: Privileged role administrator. Reason: The "Privileged role administrator" role is needed to assign roles such as "Security administrator" to users. This role has the authority to manage role assignments within Azure AD and can delegate the necessary security permissions to User1.
upvoted 2 times
JohnBarneveld
1 year, 10 months ago
https://learn.microsoft.com/en-us/azure/defender-for-cloud/tenant-wide-permissions-management In this document, somewhere under point 3, it says "The organizational-wide view is achieved by granting roles on the root management group level of the tenant."
upvoted 2 times
hydrillo
1 year, 11 months ago
Security Administrator at the tenant level doesn't give you any rights in Azure. Since there are 2 subscriptions, you need the Security Admin at the root management group level.
upvoted 4 times
Magis
2 years, 5 months ago
Sounds correct to me.
upvoted 1 times