
AZ-500 Question #566: Real Exam Question with Answer & Explanation

This question tests knowledge of the minimum required RBAC role and correct resource scope needed to allow a user to modify Azure Logic Apps workflows used as playbooks in Microsoft Defender for Cloud security automation.

Submitted by weili_xi · Mar 6, 2026 · Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

Question

Hotspot Question

You have an Azure subscription named Sub1 and use Microsoft Defender for Cloud. Sub1 contains a user named User1 and a resource group named RG1. RG1 contains a Log Analytics workspace named Workspace1.

You need to ensure that User1 can modify Azure Logic Apps workflows triggered in response to security incidents. The solution must follow the principle of least privilege.

Which role should you assign to User1, and to which resource should you assign the role? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:


Explanation


Approach. To modify Logic Apps workflows triggered in response to security incidents (playbooks), User1 needs the 'Logic App Contributor' role, which grants permissions to manage Logic Apps without granting access to the broader subscription or workspace. The role should be assigned at the resource group level (RG1), because Logic App playbooks reside within a resource group, and scoping to RG1 follows least privilege by not granting subscription-wide access. Assigning the role to Workspace1 would be too narrow (the workspace has no bearing on Logic Apps), and assigning it to Sub1 would be too broad (subscription-wide access violates least privilege). The Logic App Contributor role specifically allows creating and modifying Logic Apps, which is exactly what is needed to edit automation workflows in Defender for Cloud.

Concept tested. Least-privilege RBAC role assignment for managing Microsoft Defender for Cloud automation playbooks (Azure Logic Apps), including choosing the correct role (Logic App Contributor) and the appropriate resource scope (resource group RG1) rather than subscription-level or workspace-level assignments.

Reference. https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation#permissions-required
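
The scope reasoning in the explanation can be checked with a small model of how Azure RBAC role assignments are inherited down the resource hierarchy. This is an added example, not part of the original question or any Microsoft code; the subscription GUID, the playbook names and the RG10 resource group are constructed placeholders.

```python
from __future__ import annotations

# Constructed resource IDs: the GUID, playbook names and RG10 are placeholders.
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUB1 + "/resourceGroups/RG1"
WORKSPACE1 = RG1 + "/providers/Microsoft.OperationalInsights/workspaces/Workspace1"
PLAYBOOK = RG1 + "/providers/Microsoft.Logic/workflows/playbook-example"
OTHER = SUB1 + "/resourceGroups/RG10/providers/Microsoft.Logic/workflows/other-playbook"

CANDIDATE_SCOPES = {"Sub1": SUB1, "RG1": RG1, "Workspace1": WORKSPACE1}
INVENTORY = [PLAYBOOK, WORKSPACE1, OTHER]


def covers(scope: str, resource_id: str) -> bool:
    """True if a role assignment at `scope` is inherited by `resource_id`."""
    # Resource IDs are case-insensitive. Match on a whole path segment so
    # that RG1 does not accidentally match RG10.
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def blast_radius(scope: str, inventory: list[str]) -> list[str]:
    """Every resource in `inventory` the assignment would reach."""
    return [rid for rid in inventory if covers(scope, rid)]


def narrowest_covering(scopes: dict[str, str], resource_id: str) -> str | None:
    """Name of the deepest candidate scope that still covers the resource."""
    hits = {name: s for name, s in scopes.items() if covers(s, resource_id)}
    if not hits:
        return None
    # A deeper scope has more path segments.
    return max(hits, key=lambda name: hits[name].count("/"))


if __name__ == "__main__":
    for name, scope in CANDIDATE_SCOPES.items():
        reach = blast_radius(scope, INVENTORY)
        print(f"{name}: covers playbook={covers(scope, PLAYBOOK)}, reaches {len(reach)} resource(s)")
    print("narrowest covering scope:", narrowest_covering(CANDIDATE_SCOPES, PLAYBOOK))
```

Of the three scopes the question offers, only Sub1 and RG1 reach the playbook, and RG1 does so without also reaching resources in other resource groups.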

Topics

#RBAC · #Logic Apps · #Security automation · #Microsoft Defender for Cloud
