06: Implement user authentication and authorization

Questions and Answers

What does the Microsoft identity platform enable users and customers to sign in with?

• Third-party identities
• Microsoft identities or social accounts (correct)
• Only social accounts
• Only Microsoft identities

When an application is registered with Microsoft Entra ID, what is automatically created in the home tenant?

• Identity configuration and application object
• Client ID and identity configuration
• Service principal object and client ID
• Application object and service principal object (correct)

What is the purpose of the application object in Microsoft Entra tenant?

• It holds secrets and certificates for the app
• It is used as a template to create service principal objects (correct)
• It uniquely identifies the app in the Azure portal
• It customizes the branding of the app

What is the globally unique ID for an app registered in the Azure portal known as?

App or client ID (C)

Where does the application object reside in the Microsoft Entra tenant?

In the application's 'home' tenant (B)

What can be added in the Azure portal to make an app work and customize its branding?

Secrets or certificates and scopes (A)

What is the purpose of a service principal object in Microsoft Entra tenant?

It represents an instance of the application in a specific tenant (A)

What is the application object similar to in object-oriented programming?

A class (D)

Where is an application's 'home' tenant located?

Where the application was registered (D)

What is used to delegate Identity and Access Management functions to Microsoft Entra ID?

Service principals (B)

What is created in every tenant where the application is used?

Service principal (A)

What does the application object describe?

How the service can issue tokens, resources, and actions of the application (B)

What does the service principal object represent?

Entity requiring access, represented by a security principal (D)

What is the relationship between the application object and service principals?

Application object is the global representation, and service principal is the local representation (C)

How many service principals does a single-tenant application have?

One service principal in its home tenant (D)

What must be created in each tenant where the application is used?

Service principal (C)

What does the security principal define?

Access policy and permissions for the user/application (D)

What does the Microsoft Graph Application entity define the schema for?

Application object's properties (C)

What enables core features such as authentication and authorization during resource access?

Security principal (A)

What serves as the template for creating corresponding service principal objects?

Application object (B)

What does a multi-tenant application have in each tenant where a user has consented to its use?

A service principal (D)

What does a legacy service principal represent?

An app created before app registrations were introduced (C)

What can a service principal representing a managed identity do?

Be granted access and permissions (C)

Where is a service principal representing a managed identity created?

In the tenant where the managed identity is enabled (A)

What defines what an app can actually do in a specific tenant?

The service principal object (C)

What is the method through which a third-party app can access web-hosted resources on behalf of a user in the Microsoft identity platform?

OAuth 2.0 (D)

What is the representation of a permission in the Microsoft identity platform?

String value (A)

What are the sets of permission in OAuth 2.0 often referred to as?

Scopes (C)

What is the identifier for a web-hosted resource that integrates with the Microsoft identity platform?

Application ID URI (C)

What can third-party apps do when a resource's functionality is chunked into small permission sets?

Request only the necessary permissions (C)

What is the purpose of the scope query parameter in OAuth 2.0?

Specify the permissions needed (C)

What does the Microsoft identity platform follow for giving users and administrators control over data access?

OAuth 2.0 authorization protocol (D)

What is the term often used interchangeably with 'scopes' in OAuth 2.0?

Permissions (C)

What is the purpose of the resource identifier in the Microsoft identity platform?

Identify web-hosted resources (A)

What do third-party apps gain by integrating with the Microsoft identity platform?

Ability to request specific permissions (C)

What is the purpose of the scope parameter in an OpenID Connect or OAuth 2.0 authorization request?

To specify the delegated permissions that the app is requesting (A)

What is the difference between static user consent and incremental or dynamic user consent?

Static user consent requires all permissions to be predefined, while incremental consent allows requesting permissions over time (A)

When is admin consent required for an app?

When the app needs access to certain high-privilege permissions (B)

What is the purpose of the resource-based permissions in the Microsoft identity platform?

To indicate each permission value to the resource's identifier or application ID URI (B)

What is the difference between delegated permissions and app-only access in the Microsoft identity platform?

Delegated permissions are for accessing resources on behalf of a user, while app-only access is for accessing resources without a user context (B)

What does the Microsoft identity platform use to prompt the user to grant requested permissions if consent has not been given before?

User consent endpoint (C)

What does the app need to do if it wants to request more permissions over time as the customer uses more app features?

Specify the new scopes in the scope parameter when requesting an access token (A)

What is the purpose of the admin consent in the Microsoft identity platform?

To ensure that administrators have control before authorizing apps or users to access highly privileged data (C)

What is the significance of the application ID URI in the Microsoft identity platform?

It is used to uniquely identify the application (A)

In an OpenID Connect or OAuth 2.0 authorization request, what does the app use the scope query parameter for?

To request the permissions it needs (C)

What is the impact of Conditional Access on an app in most common cases?

It doesn't change the app's behavior or require any changes from the developer (D)

Under what circumstances does an app require code changes to handle Conditional Access challenges?

When an app indirectly or silently requests a token for a service (D)

What can enterprise customers do with Conditional Access policies?

Apply and remove Conditional Access policies at any time (B)

In what scenarios does an app require code changes to handle Conditional Access challenges?

Some scenarios using Conditional Access to do multifactor authentication (A)

In which scenario does an app require code to handle Conditional Access challenges?

Apps performing the on-behalf-of flow (C)

What is a method of protecting services using Conditional Access?

Allowing only Intune enrolled devices to access specific services (C)

When does an app need to handle Conditional Access challenges?

Web apps calling a resource (B)

What is a method of protecting services using Conditional Access?

Restricting user locations and IP ranges (D)

What are the scenarios that require code to handle Conditional Access challenges?

Apps using MSAL.js (D)