Question 12 - Microsoft SC-200 Security Operations Analyst Real Exam Questions [Jan 2026 Update]

Q: 12

DRAG DROP You have an Azure subscription that contains the users shown in the following table. You need to delegate the following tasks: • Enable Microsoft Defender for Servers on virtual machines. • Review security recommendations and enable server vulnerability scans. The solution must use the principle of least privilege. Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Drag & Drop

Enable JavaScript to use the Drag & Drop feature.

User1
User2
User3

Correct Answer:

Answer Area Enable Microsoft Defender for Servers on virtual machines:: B. User2 Review security recommendations and enable server vulnerability scans:: B. User2

Explanation

The principle of least privilege requires assigning the minimum permissions necessary to perform a task. The Security Admin role (User2) has sufficient permissions to manage security policies, view security states, and apply security configurations in Microsoft Defender for Cloud. This includes enabling Defender plans like Defender for Servers (Microsoft.Security/pricings/write permission) and remediating security recommendations, such as enabling vulnerability scans. The Security Reader role (User1) has read-only access and cannot make any configuration changes. The Owner (User3) and Contributor (User4) roles are overly permissive for these specific security tasks. Therefore, the Security Admin role is the correct choice for both tasks as it adheres to the principle of least privilege.

References

1. Microsoft Learn

"Permissions in Microsoft Defender for Cloud": This document outlines the roles and permissions for managing Defender for Cloud.

Under the "Roles and allowed actions" table

it specifies that Security Admin can "Edit security policy

apply recommendations". This covers enabling vulnerability scans. It also states

"To enable Defender for Cloud plans on a subscription

you must be assigned the role of Subscription Owner

Subscription Contributor

or Security Admin." This confirms Security Admin is the least-privileged role for enabling Defender for Servers.

2. Microsoft Learn

"Azure built-in roles - Security Admin": This page details the specific permissions for the Security Admin role.

The role includes the Microsoft.Security/ permission

which grants full control over security configurations within the Microsoft.Security resource provider

including enabling plans and configuring vulnerability assessments

without granting excessive permissions to manage other Azure resources.

3. Microsoft Learn

"Azure built-in roles - Security Reader": This page details the permissions for the Security Reader role.

The permissions listed are all read-only (e.g.

Microsoft.Security/policies/read

Microsoft.Security/pricings/read)

confirming that this role can view settings but cannot enable any features.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE