6.1: Explore the Microsoft identity platform

Questions and Answers

What is an application object in Microsoft Entra ID?

• A set of dynamic properties for the app
• A unique identifier for the app
• A template used to create service principal objects (correct)
• A blueprint for creating multiple applications

Where does the application object reside?

• In a separate global repository
• In the Azure portal
• In every tenant where the application is used
• In the Microsoft Entra tenant where the application was registered (correct)

What is a service principal object used for?

• To store app-specific secrets and certificates
• To customize the branding of the app
• To manage Azure portal registrations
• To delegate Identity and Access Management functions (correct)

What does registering an application with Microsoft Entra ID create?

An identity configuration for the application (A)

Where can you add secrets or certificates for your app?

In the Azure portal (D)

What is the app or client ID used for?

Globally unique identifier for the app (C)

What is a service principal similar to in object-oriented programming?

An instance of a class (A)

What does registering an app in the Azure portal create automatically?

An application object and a service principal object in your home tenant (C)

What does an application object serve as for service principals?

Template or blueprint for creation (D)

What does the application object describe?

How the service can issue tokens, resources, and actions (D)

What is the purpose of a service principal in a Microsoft Entra tenant?

To represent entities requiring access and define access policy and permissions (D)

What is the relationship between application objects and service principals?

Application object is the global representation, while service principal is local for a specific tenant (A)

When must a service principal be created for an application?

In each tenant where the application is used (B)

What defines the access policy and permissions for a user/application in a Microsoft Entra tenant?

The security principal (A)

What does a single-tenant application have in its home tenant?

Only one service principal created during application registration (D)

What enables core features such as authentication during sign-in and authorization during resource access?

Service principal in each tenant (A)

What serves as a template from which common and default properties are derived for creating corresponding service principal objects?

Application object (B)

What type of representation does an application object provide?

Global representation across all tenants (A)

What kind of entities require representation by a security principal to access resources secured by a Microsoft Entra tenant?

Both users (user principal) and applications (service principal) (D)

What does a managed identity service principal represent?

A managed identity (B)

What can a legacy service principal have that a managed identity service principal cannot?

Credentials and reply URLs (C)

Where is a service principal created when a managed identity is enabled?

In your tenant (C)

What defines what an app can actually do in a specific tenant?

Service principal object (B)

What is the method through which a third-party app can access web-hosted resources on behalf of a user?

OAuth 2.0 (C)

In the Microsoft identity platform, what are permission sets often referred to as?

Scopes (A)

How are permissions requested by an app in OAuth 2.0?

By specifying the permission in the scope query parameter (A)

What represents a resource identifier for a web-hosted resource integrating with the Microsoft identity platform?

Application ID URI (A)

What are the two types of permissions supported by the Microsoft identity platform?

Delegated permissions and app-only access (C)

When can high-privilege permissions be granted through administrator consent?

Using the administrator consent endpoint (B)

What are the three consent types in the Microsoft identity platform?

Static user consent, incremental and dynamic user consent, and admin consent (D)

How can an app ignore static permissions defined in the app registration information in the Azure portal?

By using the Microsoft identity platform endpoint (B)

When does an app need admin consent?

When it needs access to certain high-privilege permissions (B)

Where can an app request the permissions it needs in an OpenID Connect or OAuth 2.0 authorization request?

By using the scope query parameter (C)

'Incremental or dynamic consent' applies to which type of permissions?

Delegated permissions only (D)

What is a possible issue with static user consent for developers?

It presents some possible issues for developers (C)

Where must static permissions be set if admin needs to give consent on behalf of the entire organization?

In the app registration portal (A)

Who can consent to app-only access permissions?

Only an administrator (C)

When are delegated permissions used?

When apps need to act as a signed-in user (A)

In what scenario can an app request delegated permissions?

When it needs to act as a signed-in user (D)

In what scenarios does an app require code changes to handle Conditional Access challenges?

When an app indirectly or silently requests a token for a service (B)

What can Conditional Access policies be applied to?

The app and a web API the app accesses (D)

When can an enterprise customer apply and remove Conditional Access policies?

At any time (B)

What is required for an app to continue functioning when a new policy is applied?

Implement challenge handling (D)

What kind of scenarios using Conditional Access might require code changes?

Scenarios involving multifactor authentication (C)

How does Conditional Access impact an app's behavior in most common cases?

It doesn't change the app's behavior or require any changes from the developer (B)

What does Conditional Access enable developers and enterprise customers to do?

Protect services in multiple ways (D)

When might an app require code changes to handle Conditional Access challenges?

When an app indirectly requests a token for a service (B)

Study Notes

Application Object in Microsoft Entra ID

• An application object is a representation of an application in Microsoft Entra ID.
• It resides in the Microsoft Entra ID directory.

Service Principal Object

• A service principal object is used for authentication and authorization.
• It is similar to an instance of a class in object-oriented programming.

Registering an Application

• Registering an application with Microsoft Entra ID creates a service principal object.
• This service principal object is used for authentication and authorization.
• You can add secrets or certificates for your app in the Azure portal.
• The app or client ID is used to identify the application.

Relationship between Application Objects and Service Principals

• An application object serves as a template from which common and default properties are derived for creating corresponding service principal objects.
• The application object describes the properties and behavior of an application.
• A service principal object is created for an application to access resources secured by a Microsoft Entra tenant.

Purpose of Service Principals

• The purpose of a service principal is to define the access policy and permissions for a user/application in a Microsoft Entra tenant.
• It enables core features such as authentication during sign-in and authorization during resource access.

Types of Service Principals

• A managed identity service principal represents a managed identity in Azure.
• A legacy service principal can have a password, but a managed identity service principal cannot.
• A service principal is created when a managed identity is enabled.

Permissions and Consent

• Permissions define what an app can actually do in a specific tenant.
• Permissions are often referred to as permission sets or scopes.
• An app can request permissions through the OAuth 2.0 protocol.
• The resource identifier for a web-hosted resource integrating with the Microsoft identity platform is represented by a URI.
• There are two types of permissions supported by the Microsoft identity platform: delegated and application permissions.
• High-privilege permissions can be granted through administrator consent.

Consent Types

• There are three consent types in the Microsoft identity platform: static, dynamic, and admin consent.
• An app can ignore static permissions defined in the app registration information in the Azure portal by requesting permissions dynamically.
• An app needs admin consent when it requires high-privilege permissions.

Conditional Access

• Conditional Access policies can be applied to users and devices.
• An enterprise customer can apply and remove Conditional Access policies at any time.
• An app requires code changes to handle Conditional Access challenges when it needs to access a resource secured by a Conditional Access policy.
• Conditional Access enables developers and enterprise customers to apply specific policies to access resources.
• In most common cases, Conditional Access does not impact an app's behavior.

Description

Test your knowledge of registering applications with Microsoft Entra ID for identity and access management delegation. This quiz covers the process of creating identity configurations and integrating applications with Microsoft Entra ID.