6.1: Explore the Microsoft identity platform

Questions and Answers

What is an application object in Microsoft Entra ID?

A set of dynamic properties for the app

A unique identifier for the app

A template used to create service principal objects (correct)

A blueprint for creating multiple applications

Where does the application object reside?

In a separate global repository

In the Azure portal

In every tenant where the application is used

In the Microsoft Entra tenant where the application was registered (correct)

What is a service principal object used for?

To store app-specific secrets and certificates

To customize the branding of the app

To manage Azure portal registrations

To delegate Identity and Access Management functions (correct)

What does registering an application with Microsoft Entra ID create?

An identity configuration for the application

Where can you add secrets or certificates for your app?

In the Azure portal

What is the app or client ID used for?

Globally unique identifier for the app

What is a service principal similar to in object-oriented programming?

An instance of a class

What does registering an app in the Azure portal create automatically?

An application object and a service principal object in your home tenant

What does an application object serve as for service principals?

Template or blueprint for creation

What does the application object describe?

How the service can issue tokens, resources, and actions

What is the purpose of a service principal in a Microsoft Entra tenant?

To represent entities requiring access and define access policy and permissions

What is the relationship between application objects and service principals?

Application object is the global representation, while service principal is local for a specific tenant

When must a service principal be created for an application?

In each tenant where the application is used

What defines the access policy and permissions for a user/application in a Microsoft Entra tenant?

The security principal

What does a single-tenant application have in its home tenant?

Only one service principal created during application registration

What enables core features such as authentication during sign-in and authorization during resource access?

Service principal in each tenant

What serves as a template from which common and default properties are derived for creating corresponding service principal objects?

Application object

What type of representation does an application object provide?

Global representation across all tenants

What kind of entities require representation by a security principal to access resources secured by a Microsoft Entra tenant?

Both users (user principal) and applications (service principal)

What does a managed identity service principal represent?

A managed identity

What can a legacy service principal have that a managed identity service principal cannot?

Credentials and reply URLs

Where is a service principal created when a managed identity is enabled?

In your tenant

What defines what an app can actually do in a specific tenant?

Service principal object

What is the method through which a third-party app can access web-hosted resources on behalf of a user?

OAuth 2.0

In the Microsoft identity platform, what are permission sets often referred to as?

Scopes

How are permissions requested by an app in OAuth 2.0?

By specifying the permission in the scope query parameter

What represents a resource identifier for a web-hosted resource integrating with the Microsoft identity platform?

Application ID URI

What are the two types of permissions supported by the Microsoft identity platform?

Delegated permissions and app-only access

When can high-privilege permissions be granted through administrator consent?

Using the administrator consent endpoint

What are the three consent types in the Microsoft identity platform?

Static user consent, incremental and dynamic user consent, and admin consent

How can an app ignore static permissions defined in the app registration information in the Azure portal?

By using the Microsoft identity platform endpoint

When does an app need admin consent?

When it needs access to certain high-privilege permissions

Where can an app request the permissions it needs in an OpenID Connect or OAuth 2.0 authorization request?

By using the scope query parameter

'Incremental or dynamic consent' applies to which type of permissions?

Delegated permissions only

What is a possible issue with static user consent for developers?

It presents some possible issues for developers

Where must static permissions be set if admin needs to give consent on behalf of the entire organization?

In the app registration portal

Who can consent to app-only access permissions?

Only an administrator

When are delegated permissions used?

When apps need to act as a signed-in user

In what scenario can an app request delegated permissions?

When it needs to act as a signed-in user

In what scenarios does an app require code changes to handle Conditional Access challenges?

When an app indirectly or silently requests a token for a service

What can Conditional Access policies be applied to?

The app and a web API the app accesses

When can an enterprise customer apply and remove Conditional Access policies?

At any time

What is required for an app to continue functioning when a new policy is applied?

Implement challenge handling

What kind of scenarios using Conditional Access might require code changes?

Scenarios involving multifactor authentication

How does Conditional Access impact an app's behavior in most common cases?

It doesn't change the app's behavior or require any changes from the developer

What does Conditional Access enable developers and enterprise customers to do?

Protect services in multiple ways

When might an app require code changes to handle Conditional Access challenges?

When an app indirectly requests a token for a service

Study Notes

Application Object in Microsoft Entra ID

• An application object is a representation of an application in Microsoft Entra ID.
• It resides in the Microsoft Entra ID directory.

Service Principal Object

• A service principal object is used for authentication and authorization.
• It is similar to an instance of a class in object-oriented programming.

Registering an Application

• Registering an application with Microsoft Entra ID creates a service principal object.
• This service principal object is used for authentication and authorization.
• You can add secrets or certificates for your app in the Azure portal.
• The app or client ID is used to identify the application.

Relationship between Application Objects and Service Principals

• An application object serves as a template from which common and default properties are derived for creating corresponding service principal objects.
• The application object describes the properties and behavior of an application.
• A service principal object is created for an application to access resources secured by a Microsoft Entra tenant.

Purpose of Service Principals

• The purpose of a service principal is to define the access policy and permissions for a user/application in a Microsoft Entra tenant.
• It enables core features such as authentication during sign-in and authorization during resource access.

Types of Service Principals

• A managed identity service principal represents a managed identity in Azure.
• A legacy service principal can have a password, but a managed identity service principal cannot.
• A service principal is created when a managed identity is enabled.

Permissions and Consent

• Permissions define what an app can actually do in a specific tenant.
• Permissions are often referred to as permission sets or scopes.
• An app can request permissions through the OAuth 2.0 protocol.
• The resource identifier for a web-hosted resource integrating with the Microsoft identity platform is represented by a URI.
• There are two types of permissions supported by the Microsoft identity platform: delegated and application permissions.
• High-privilege permissions can be granted through administrator consent.

Consent Types

• There are three consent types in the Microsoft identity platform: static, dynamic, and admin consent.
• An app can ignore static permissions defined in the app registration information in the Azure portal by requesting permissions dynamically.
• An app needs admin consent when it requires high-privilege permissions.

Conditional Access

• Conditional Access policies can be applied to users and devices.
• An enterprise customer can apply and remove Conditional Access policies at any time.
• An app requires code changes to handle Conditional Access challenges when it needs to access a resource secured by a Conditional Access policy.
• Conditional Access enables developers and enterprise customers to apply specific policies to access resources.
• In most common cases, Conditional Access does not impact an app's behavior.

Description

Test your knowledge of registering applications with Microsoft Entra ID for identity and access management delegation. This quiz covers the process of creating identity configurations and integrating applications with Microsoft Entra ID.