Blog Post

Microsoft Defender for Cloud Blog
12 MIN READ

Become a Microsoft Defender for Cloud Ninja

YuriDiogenes's avatar
YuriDiogenes
Icon for Microsoft rankMicrosoft
Aug 25, 2020
[Last update: 08/29/2025] All content has been reviewed and updated for August 2025.   This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Cent...
Updated Aug 29, 2025
Version 87.0
cloud security posture management
microsoft defender for servers
microsoft defender for storage
Secure Score
threat protection
JMonty's avatar
JMonty
Copper Contributor
Dec 20, 2023

Thank you for the resources.

I wasn't sure how to offer feedback on the exam so I'll do it here.

 

The test makes some references to "Azure Defender" which is no longer a thing.


"Which one of the actions below is the only one that a user with Security Admin role cannot perform?" has misleading answers.

It appears to be referencing knowledge from https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions

While it is true that the Security Admin does not deploy the agents and extensions, since this is handled via managed identities, the Security Admin would still be the account to manage auto-provisioning.

 

"What are the two roles that allow you to create a resource exemption in Microsoft Defender for Cloud?" has confusing resources.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions claims the security admin cannot exempt resources.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource published two months later claims that they can.

 

This creates a scenario where official resources can lead to different sets of "correct" answers in the multiple choice.

Per the https://learn.microsoft.com/en-us/azure/role-based-access-control documentation all of the roles save for Security Reader should have the access--Security Admin and Resource Policy Contributor get it explicitly via Microsoft.Authorization/policyExemptions/*, and Owner has it implicitly as they have all actions available to a resource.

Unless this is supposed to be about suppressing alerts.

 

"What capabilities below are part of Microsoft Defender for Servers?"

Wording suggests it might be asking about the capabilities of a specific plan or could be Defender of Servers as a whole. Would suggest clarifying.

 

"Microsoft Defender for DNS protects resources that are connected to Azure DNS. Which one scenario is not supported?"

Every scenario in the answer is supported per https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-dns-introduction#what-are-the-benefits-of-microsoft-defender-for-dns unless the test is trying to be very sly about its wording around communication with malicious servers or DNS, which I would recommend against.


Regards