SC-300 Question #374: Real Exam Question with Answer & Explanation
This question tests knowledge of the PowerShell commands required to onboard an Azure subscription to Microsoft Entra Permissions Management using the principle of least privilege.
Question
Hotspot Question

You have an Azure subscription named Sub1. You plan to deploy Microsoft Entra Permissions Management.

You need to ensure that Permissions Management can onboard Sub1. The solution must follow the principle of least privilege.

How should you complete the PowerShell command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Approach. To onboard an Azure subscription to Microsoft Entra Permissions Management, you need to create the Permissions Management service principal and assign it the correct role on the subscription. The PowerShell command uses New-AzRoleAssignment to assign the Reader role (not Owner or Contributor) to that service principal at subscription scope, which satisfies least privilege. The scope parameter is '/subscriptions/<subscription-id>' and the role definition name is 'Reader', because Permissions Management only needs read access to discover and analyze permissions. The service principal is identified by its ApplicationId, which corresponds to the Microsoft Entra Permissions Management application (CloudKnox Permissions Management, App ID: b46c3ac5-9da6-418f-a849-0a07a10b3c6c). The completed command is:

New-AzRoleAssignment -ApplicationId <PermissionsManagementAppId> -RoleDefinitionName 'Reader' -Scope '/subscriptions/<Sub1-Id>'
Concept tested. Microsoft Entra Permissions Management onboarding requires assigning the Reader role (least privilege) to the Permissions Management service principal on the target Azure subscription using New-AzRoleAssignment, ensuring only read access is granted for permissions discovery and analysis.
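As an added example (not part of the question page or Microsoft's own onboarding scripts), the script below applies the Reader assignment from the explanation idempotently and then checks that the principal holds nothing beyond Reader at or above Sub1. It assumes the Az PowerShell module is installed and Connect-AzAccount has already been run; the App ID is the one quoted in the explanation, and the subscription ID is a placeholder.

```powershell
# Added example, not from the question page. Assumes the Az module is installed
# and Connect-AzAccount has already been run against the tenant.
# $pmAppId is the App ID the explanation above gives for the Permissions
# Management application; $subscriptionId is a placeholder to replace.
$pmAppId        = 'b46c3ac5-9da6-418f-a849-0a07a10b3c6c'
$subscriptionId = '<Sub1-Id>'   # placeholder: replace with Sub1's subscription ID
$scope          = "/subscriptions/$subscriptionId"
$roleName       = 'Reader'

# Resolve the service principal so the assignment can target its object ID.
$sp = Get-AzADServicePrincipal -ApplicationId $pmAppId
if (-not $sp) {
    throw "Service principal for application $pmAppId not found in this tenant."
}

# Idempotent: only create the assignment when an identical one does not exist.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to $($sp.DisplayName) at $scope"
} else {
    Write-Host "'$roleName' is already assigned to $($sp.DisplayName) at $scope"
}

# Least-privilege check: Get-AzRoleAssignment with -Scope also returns
# assignments inherited from parent scopes, so this flags any role beyond
# Reader held at the subscription or at a management group above it.
$excess = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Where-Object { $_.RoleDefinitionName -ne $roleName }
if ($excess) {
    Write-Warning "Principal holds roles beyond '$roleName' at or above ${scope}:"
    $excess | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
} else {
    Write-Host "OK: only '$roleName' is assigned to $($sp.DisplayName) at or above $scope"
}
```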