Microsoft Security Operations Analyst — Question 56

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1 and a user named User1.

You need to ensure that User1 can investigate incidents by using Workspace1. The solution must follow the principle of least privilege.

Which role should you assign to User1?

Answer options

• A. Microsoft Sentinel Responder
• B. Microsoft Sentinel Contributor
• C. Microsoft Sentinel Automation Contributor
• D. Microsoft Sentinel Reader

Correct answer: A

Explanation

The Microsoft Sentinel Responder role allows User1 to investigate incidents without giving broader permissions that could be misused, thus adhering to the principle of least privilege. The other roles, such as Contributor and Automation Contributor, provide more permissions than necessary for investigation purposes, while the Reader role does not permit incident investigation.