06: Implement user authentication and authorization

Questions and Answers

What does the Microsoft identity platform enable users and customers to sign in with?

Microsoft identities or social accounts

When an application is registered with Microsoft Entra ID, what is automatically created in the home tenant?

Application object and service principal object

What is the purpose of the application object in Microsoft Entra tenant?

It is used as a template to create service principal objects

What is the globally unique ID for an app registered in the Azure portal known as?

App or client ID

Where does the application object reside in the Microsoft Entra tenant?

In the application's 'home' tenant

What can be added in the Azure portal to make an app work and customize its branding?

Secrets or certificates and scopes

What is the purpose of a service principal object in Microsoft Entra tenant?

It represents an instance of the application in a specific tenant

What is the application object similar to in object-oriented programming?

A class

Where is an application's 'home' tenant located?

Where the application was registered

What is used to delegate Identity and Access Management functions to Microsoft Entra ID?

Service principals

What is created in every tenant where the application is used?

Service principal

What does the application object describe?

How the service can issue tokens, resources, and actions of the application

What does the service principal object represent?

Entity requiring access, represented by a security principal

What is the relationship between the application object and service principals?

Application object is the global representation, and service principal is the local representation

How many service principals does a single-tenant application have?

One service principal in its home tenant

What must be created in each tenant where the application is used?

Service principal

What does the security principal define?

Access policy and permissions for the user/application

What does the Microsoft Graph Application entity define the schema for?

Application object's properties

What enables core features such as authentication and authorization during resource access?

Security principal

What serves as the template for creating corresponding service principal objects?

Application object

What does a multi-tenant application have in each tenant where a user has consented to its use?

A service principal

What does a legacy service principal represent?

An app created before app registrations were introduced

What can a service principal representing a managed identity do?

Be granted access and permissions

Where is a service principal representing a managed identity created?

In the tenant where the managed identity is enabled

What defines what an app can actually do in a specific tenant?

The service principal object

What is the method through which a third-party app can access web-hosted resources on behalf of a user in the Microsoft identity platform?

OAuth 2.0

What is the representation of a permission in the Microsoft identity platform?

String value

What are the sets of permission in OAuth 2.0 often referred to as?

Scopes

What is the identifier for a web-hosted resource that integrates with the Microsoft identity platform?

Application ID URI

What can third-party apps do when a resource's functionality is chunked into small permission sets?

Request only the necessary permissions

What is the purpose of the scope query parameter in OAuth 2.0?

Specify the permissions needed

What does the Microsoft identity platform follow for giving users and administrators control over data access?

OAuth 2.0 authorization protocol

What is the term often used interchangeably with 'scopes' in OAuth 2.0?

Permissions

What is the purpose of the resource identifier in the Microsoft identity platform?

Identify web-hosted resources

What do third-party apps gain by integrating with the Microsoft identity platform?

Ability to request specific permissions

What is the purpose of the scope parameter in an OpenID Connect or OAuth 2.0 authorization request?

To specify the delegated permissions that the app is requesting

What is the difference between static user consent and incremental or dynamic user consent?

Static user consent requires all permissions to be predefined, while incremental consent allows requesting permissions over time

When is admin consent required for an app?

When the app needs access to certain high-privilege permissions

What is the purpose of the resource-based permissions in the Microsoft identity platform?

To indicate each permission value to the resource's identifier or application ID URI

What is the difference between delegated permissions and app-only access in the Microsoft identity platform?

Delegated permissions are for accessing resources on behalf of a user, while app-only access is for accessing resources without a user context

What does the Microsoft identity platform use to prompt the user to grant requested permissions if consent has not been given before?

User consent endpoint

What does the app need to do if it wants to request more permissions over time as the customer uses more app features?

Specify the new scopes in the scope parameter when requesting an access token

What is the purpose of the admin consent in the Microsoft identity platform?

To ensure that administrators have control before authorizing apps or users to access highly privileged data

What is the significance of the application ID URI in the Microsoft identity platform?

It is used to uniquely identify the application

In an OpenID Connect or OAuth 2.0 authorization request, what does the app use the scope query parameter for?

To request the permissions it needs

What is the impact of Conditional Access on an app in most common cases?

It doesn't change the app's behavior or require any changes from the developer

Under what circumstances does an app require code changes to handle Conditional Access challenges?

When an app indirectly or silently requests a token for a service

What can enterprise customers do with Conditional Access policies?

Apply and remove Conditional Access policies at any time

In what scenarios does an app require code changes to handle Conditional Access challenges?

Some scenarios using Conditional Access to do multifactor authentication

In which scenario does an app require code to handle Conditional Access challenges?

Apps performing the on-behalf-of flow

What is a method of protecting services using Conditional Access?

Allowing only Intune enrolled devices to access specific services

When does an app need to handle Conditional Access challenges?

Web apps calling a resource

What is a method of protecting services using Conditional Access?

Restricting user locations and IP ranges

What are the scenarios that require code to handle Conditional Access challenges?

Apps using MSAL.js