Exam SC-200 topic 2 question 43 discussion

Security Admin has less privileges than the Contributor or Owner roles, but is still able to modify security policies. See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin

Only Security Admin and Owner of the Subsc. can modify policies. SecAdmin has least priv. https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions Security Admin: A user that belongs to this role has the same access as the Security Reader and can also update the security policy, and dismiss alerts and recommendations.

Correct B

Question from ESI: You have an Azure subscription that uses Microsoft Defender for Cloud. You create a user named Admin1. You need to ensure that Admin1 can create and assign security policies in Defender for Cloud. The solution must follow the principle of least privilege. Which role should you assign to Admin1? Right Answer: Contributor in the Azure subscription Wrong Answer: Security Admin in the Azure subscription Comment from MS: Defender for Cloud uses Azure role-based access control (RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure. Azure AD roles do not have permissions in Defender for Cloud. Only Contributor and Owner roles at the Azure subscription level have sufficient permissions to create and assign security policies in Defender for Cloud. Contributor has less permissions than Owner, and because of that you should assign Admin1 the Contributor role. ***Maybe the Contributor is the right answer.

B-Security Admin

Security reader: Has rights to view Defender for Cloud items such as recommendations, alerts, policy, and health. Can't make changes. Security admin: Has the same view rights as security reader. Can also update the security policy and dismiss alerts.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy#who-can-edit-security-policies