Exam SC-500 Topic 1 Question 45 Discussion

Organization-wide custom plugin management is a tenant-scope administrative action. Setting the plugin setting to Owners only at the tenant scope removes that capability from contributors while leaving their user- scope session plugin ability unaffected. Moving ownership to user scope would not govern tenant-wide plugins correctly. Allowing contributors at tenant scope preserves the problem. The selected setting separates personal experimentation from organization-wide plugin governance. For SC-500, the decisive distinction is whether the control authenticates an identity, grants authorization, or merely changes configuration visibility.
The incorrect choices generally either grant excessive privilege, change the application model, or operate at the wrong scope. Microsoft expects the least-privilege identity path that satisfies the scenario without introducing shared secrets or unnecessary tenant-wide rights. The result is a direct exam-style implementation choice: it changes the required security behavior without relying on unrelated monitoring, manual cleanup, or excessive privilege. Official Microsoft source/topic: SC-500 Study Guide > Security Copilot plugins; Microsoft Learn > manage custom plugins and owner/contributor scope.