SC-300 · Question #307

SC-300 Question #307: Real Exam Question with Answer & Explanation

This question tests knowledge of Microsoft Entra Permissions Management onboarding and the minimum required Azure RBAC role needed to allow Permissions Management to manage role assignments in an Azure subscription, following least privilege principles.

Submitted by obi.ng· Mar 6, 2026

Question

Hotspot question.

You have an Azure subscription named Sub1. You plan to onboard Microsoft Entra Permissions Management. You need to ensure that Permissions Management users can manage role assignments for Sub1. The solution must follow the principle of least privilege.

Which role should you assign and to which identity should you assign the role? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

Approach. The correct role to assign is 'User Access Administrator' - this is the minimum Azure built-in role that grants permission to manage role assignments (i.e., assign and revoke roles) without granting full Owner-level access. The role should be assigned to the 'Cloud Infrastructure Entitlement Management' service principal (also referred to as the Permissions Management application/service principal), which is the identity that Microsoft Entra Permissions Management uses to interact with Azure resources. User Access Administrator allows Permissions Management to right-size permissions and remediate over-privileged access by modifying role assignments, while Owner would grant excessive privileges beyond what is needed. Assigning the role to the service principal (rather than individual users) ensures Permissions Management itself can perform the remediation actions on behalf of the platform.

Concept tested. Microsoft Entra Permissions Management onboarding requires the 'Cloud Infrastructure Entitlement Management' service principal to have the 'User Access Administrator' role on the Azure subscription so it can manage (grant/revoke) role assignments. Assigning 'Owner' would violate least privilege, and assigning to individual user accounts instead of the service principal would be incorrect architecture.
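The check an administrator would run after onboarding is to confirm that the 'Cloud Infrastructure Entitlement Management' service principal holds exactly 'User Access Administrator' at the subscription scope and nothing broader. The script below is an added example written for this page, not code from nerdexam or from Microsoft. It consumes the JSON that `az role assignment list --all --output json` emits (principalName, principalType, roleDefinitionName and scope are real fields of that output), but the two assignment lists, the subscription ID and the user name inside it are constructed for the example.

```python
"""Audit the Permissions Management service principal's Azure RBAC assignments.

Added example (not from the page or from Microsoft). Input is the JSON array
produced by `az role assignment list --all --output json`; the samples below
are constructed, with a placeholder subscription ID.
"""
import json

CIEM_SP_NAME = "Cloud Infrastructure Entitlement Management"
REQUIRED_ROLE = "User Access Administrator"
# Roles that grant far more than role-assignment management and so break
# least privilege for this service principal.
OVER_PRIVILEGED_ROLES = {"Owner"}

SUB_ID = "00000000-0000-0000-0000-000000000001"  # constructed placeholder

# Constructed: the expected state after a least-privilege onboarding.
GOOD_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": CIEM_SP_NAME, "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}"},
])

# Constructed: someone granted Owner instead, and only on a resource group
# did they add the role that was actually needed.
BAD_ASSIGNMENTS_JSON = json.dumps([
    {"principalName": CIEM_SP_NAME, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUB_ID}"},
    {"principalName": CIEM_SP_NAME, "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg1"},
])


def audit_ciem_assignments(assignments, subscription_id):
    """Return findings for the CIEM service principal on one subscription.

    verdict is "ok" when User Access Administrator is held at the subscription
    scope and no over-privileged role is held anywhere under it,
    "over-privileged" when Owner (or similar) is present, and "missing"
    when the required role is absent at subscription scope.
    """
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    sp_rows = [
        a for a in assignments
        if a.get("principalType") == "ServicePrincipal"
        and a.get("principalName") == CIEM_SP_NAME
        and a.get("scope", "").lower().startswith(sub_scope)
    ]
    roles_at_sub = {a["roleDefinitionName"] for a in sp_rows
                    if a["scope"].lower() == sub_scope}
    roles_anywhere = {a["roleDefinitionName"] for a in sp_rows}

    has_required = REQUIRED_ROLE in roles_at_sub
    over_privileged = sorted(roles_anywhere & OVER_PRIVILEGED_ROLES)
    if over_privileged:
        verdict = "over-privileged"
    elif has_required:
        verdict = "ok"
    else:
        verdict = "missing"
    return {
        "has_required_role": has_required,
        "over_privileged": over_privileged,
        # Roles below subscription scope do not satisfy the requirement but
        # are reported so the reviewer can see partial or misplaced grants.
        "scoped_grants": sorted(a["scope"] for a in sp_rows
                                if a["scope"].lower() != sub_scope),
        "verdict": verdict,
    }


def audit_json(json_text, subscription_id):
    """Convenience wrapper: parse `az role assignment list` output and audit it."""
    return audit_ciem_assignments(json.loads(json_text), subscription_id)


if __name__ == "__main__":
    for label, text in (("good", GOOD_ASSIGNMENTS_JSON), ("bad", BAD_ASSIGNMENTS_JSON)):
        print(label, audit_json(text, SUB_ID))
```

Against a real subscription you would pipe `az role assignment list --all --output json` into `audit_json`; the verdict "over-privileged" is the finding the question's distractor (Owner) would produce, and "missing" is what you get when the role was put on a user or a resource group rather than on the service principal at subscription scope.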

Reference. https://learn.microsoft.com/en-us/azure/active-directory/cloud-infrastructure-entitlement-management/onboard-azure
