Exam SC-300 topic 1 question 34 discussion

Actual exam question from Microsoft's SC-300
Question #: 34
Topic #: 1

DRAG DROP

You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.

You need to ensure that User1 can create access reviews for groups, and that User2 can review the history report for all the completed access reviews. The solution must use the principle of least privilege.

Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

Halwagy
Highly Voted 2 years, 1 month ago
User 1: User Administrator
User 2: Security Reader
upvoted 58 times
klayytech
10 months, 3 weeks ago
https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews Global Admin Global Reader security reader does not have permission to read the history for Azure resource roles
upvoted 4 times
klayytech
11 months, 2 weeks ago
Read access review of a group or of an app
Least privileged role = Security Reader
Additional roles = Security Administrator, User Administrator
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task#enterprise-applications
upvoted 5 times
HaubeRR89
3 months ago
User 1: User Administrator
User 2: Global Reader

Global Administrator, Identity Governance Administrator, and Global Reader can see history reports for all access reviews. All other users are only allowed to see reports on access reviews that they generate.
https://learn.microsoft.com/en-us/entra/id-governance/access-reviews-downloadable-review-history
upvoted 3 times
oscarpopi
2 years, 1 month ago
Correct
upvoted 3 times
doch
Highly Voted 2 years, 1 month ago
User Admin
Security Reader
Ref: https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task
upvoted 27 times
oscarpopi
2 years, 1 month ago
Correct, that's a nice article, I'll bookmark it
upvoted 3 times
Bojana
Most Recent 3 days, 10 hours ago
User 1: User Administrator
User 2: Report Reader

To achieve this while adhering to the principle of least privilege, you can assign the following roles to User1 and User2:

User1: Assign the User Administrator role. This role allows User1 to create access reviews for groups.
User2: Assign the Reports Reader role. This role allows User2 to review the history report for all completed access reviews.

By assigning these specific roles, you ensure that each user has only the permissions necessary to perform their tasks, adhering to the principle of least privilege.
upvoted 1 times
krutesh
3 weeks, 1 day ago
User1: User Administrator
User2: Reports Reader

The least privileged role that can create access reviews for groups in Azure Active Directory (Azure AD) is the “User Administrator” role. This role provides the necessary permissions to manage users and groups, including creating access reviews.

The least privileged role that can review the history report for all completed access reviews in Azure Active Directory (Azure AD) is the “Report Reader” role. This role allows users to view various reports, including access review history reports, without granting them broader administrative permissions.
upvoted 2 times
Frank9020
2 months, 4 weeks ago
User1: User administrator: Allows managing users, groups, and access reviews, but does not provide global admin rights.
User2: Reports reader: Allows access to reports and analytics without administrative permissions, aligning with least privilege.
upvoted 2 times
ColdCut
4 months, 1 week ago
The correct answer is:
User1: User administrator
User2: Global reader

Explanation:
User1 needs to create access reviews for groups. To create access reviews, the User administrator role is appropriate. The User administrator can manage user settings, including group memberships and access reviews.
User2 needs to review the history report for all completed access reviews. The Global reader role allows users to view reports and other information across Microsoft 365 without granting them permissions to make any changes. This role aligns with the requirement for reviewing access review history, as it provides read-only access.

Resource Links: For more details about roles and permissions: User Administrator role, Global Reader role
upvoted 1 times
AlexBrazil
4 months, 2 weeks ago
According to https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task:
User1: User Administrator "Create, update, or delete access review of a group or of an app"
User2: Security Reader "Read access review of a Microsoft Entra role"
upvoted 2 times
BRZSZCL
4 months, 3 weeks ago
To ensure the least privilege principle is followed for each user:

User1 needs to create access reviews for groups. The appropriate role for this task is User Access Administrator because it allows users to create and manage access reviews in Azure AD.
User2 needs to review the history report for all completed access reviews. The role required for this is Reports Reader, which allows viewing reports without granting the ability to create or manage the reviews themselves.

Summary:
User1: User Access Administrator
User2: Reports Reader
upvoted 4 times
hml_2024
5 months, 4 weeks ago
To meet the requirements while adhering to the principle of least privilege, you should assign the following roles:
- User1: Assign the User Administrator role. This role allows User1 to create access reviews for groups.
- User2: Assign the Global Reader role. This role allows User2 to review the history report for all completed access reviews without granting any additional administrative permissions.
upvoted 1 times
cluocal
6 months, 1 week ago
User1: User Admin (Create, update, or delete access review of a group or of an app)
User 2: Security Reader (Read access review of a group or of an app)
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task
upvoted 3 times
srysgbvjumozmail
7 months, 1 week ago
User 1: User Administrator
User 2: Security Reader
https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews
upvoted 2 times
klayytech
10 months, 3 weeks ago
https://learn.microsoft.com/en-us/entra/id-governance/deploy-access-reviews#who-will-create-and-manage-access-reviews Global Admin Global Reader security reader does not have permission to read the history for Azure resource roles
upvoted 1 times
Discuss4certi
8 months, 2 weeks ago
Neither can a global reader. You need to be assigned the permissions for that resource. Therefore, since it's not stated, go for user admin for the creation of access review and security reader for the reports.
upvoted 1 times
ItzVerified
11 months ago
User 1: User Administrator
User 2: Security Reader
upvoted 3 times
jtlucas99
11 months ago
Per Copilot: In Azure Active Directory (Azure AD), you can assign different roles to users to manage access reviews. For User1, you should assign the Access Review Contributor role. This role allows the user to create and manage access reviews, but it doesn’t allow them to make decisions on behalf of reviewers. For User2, you should assign the Access Review Reader role. This role allows the user to read access reviews and their decisions, but they can’t create, update, or delete access reviews. These roles follow the principle of least privilege, granting only the necessary permissions to each user for their specific tasks.
upvoted 1 times
klayytech
11 months, 2 weeks ago
Read access review of a group or of an app
Least privileged role = Security Reader
Additional roles = Security Administrator, User Administrator
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task#enterprise-applications
upvoted 2 times
emartiy
11 months, 3 weeks ago
User1: User Admin
User 2: Security Reader
upvoted 2 times
RahulX
1 year, 1 month ago
Create, update, or delete access review of a group or of an app (User Administrator)
Read access review of a group or of an app (Security Reader)
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/delegate-by-task
upvoted 1 times