Free AZ-204 Exam Braindumps (page: 33)

Page 33 of 79

HOTSPOT (Drag & Drop is not supported)
You have a single page application (SPA) web application that manages information based on data returned by Microsoft Graph from another company’s Azure Active Directory (Azure AD) instance.

Users must be able to authenticate and access Microsoft Graph by using their own company’s Azure AD instance.

You need to configure the application manifest for the app registration.
How should you complete the manifest? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: true
The oauth2AllowImplicitFlow attribute specifies whether this web app can request OAuth 2.0 implicit flow access tokens. The default is false. This flag is used for browser-based apps, like JavaScript single-page apps.

In implicit flow, the app receives tokens directly from the Azure Active Directory (Azure AD) authorize endpoint, without any server-to-server exchange. All authentication logic and session handling is done entirely in the JavaScript client with either a page redirect or a pop-up box.

Box 2: requiredResourceAccess
With dynamic consent, requiredResourceAccess drives the admin consent experience and the user consent experience for users who are using static consent. However, this parameter doesn't drive the user consent experience for the general case.

resourceAppId is the unique identifier for the resource that the app requires access to. This value should be equal to the appId declared on the target resource app.
resourceAccess is an array that lists the OAuth 2.0 permission scopes and app roles that the app requires from the specified resource. It contains the id and type values of the specified resources.

Example:
"requiredResourceAccess": [
    {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                "type": "Scope"
            }
        ]
    }
],

Incorrect Answers:
The legacy attribute availableToOtherTenants is no longer supported.
The addIns attribute defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for their "FileHandler" functionality. This parameter lets services like Microsoft 365 call the application in the context of a document the user is working on.

Example:
"addIns": [
    {
        "id": "968A844F-7A47-430C-9163-07AE7C31D407",
        "type": "FileHandler",
        "properties": [
            {
                "key": "version",
                "value": "2"
            }
        ]
    }
],

Box 3: AzureADMyOrg
The signInAudience attribute specifies what Microsoft accounts are supported for the current application. Supported values are:
- AzureADMyOrg: Users with a Microsoft work or school account in my organization's Azure AD tenant (for example, single tenant)
- AzureADMultipleOrgs: Users with a Microsoft work or school account in any organization's Azure AD tenant (for example, multi-tenant)
- AzureADandPersonalMicrosoftAccount: Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant


Reference:

https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
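
Added example (not part of the original page or of Microsoft's documentation): a Python review of the three manifest attributes discussed above, run over a constructed manifest fragment that reuses the page's example values. The function name, finding texts and the delegated/application labels for the "Scope" and "Role" types are this example's own.

```python
import json

# Constructed manifest fragment built from the attributes and sample IDs quoted above.
MANIFEST = json.loads("""
{
  "oauth2AllowImplicitFlow": true,
  "signInAudience": "AzureADMyOrg",
  "requiredResourceAccess": [
    {"resourceAppId": "00000002-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"}
     ]}
  ]
}
""")

# Who may sign in for each supported signInAudience value.
AUDIENCE = {
    "AzureADMyOrg": "this tenant only",
    "AzureADMultipleOrgs": "any Azure AD tenant",
    "AzureADandPersonalMicrosoftAccount": "any Azure AD tenant and personal accounts",
}
PERMISSION_KIND = {"Scope": "delegated", "Role": "application"}

def review_manifest(manifest):
    """Return (findings, permissions) for an app-registration manifest dict."""
    findings, permissions = [], []
    if manifest.get("oauth2AllowImplicitFlow", False):  # the default is false
        findings.append("implicit flow enabled: tokens reach the browser "
                        "without a server-to-server exchange")
    audience = manifest.get("signInAudience")
    if audience not in AUDIENCE:
        findings.append(f"unknown signInAudience: {audience!r}")
    elif audience != "AzureADMyOrg":
        findings.append(f"sign-in open to {AUDIENCE[audience]}")
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            kind = PERMISSION_KIND.get(access["type"], "unknown")
            permissions.append((resource["resourceAppId"], access["id"], kind))
            if kind != "delegated":
                findings.append(f"{kind} permission {access['id']} requested")
    return findings, permissions
```

Each permission tuple can be matched against the target resource app's published scopes and roles to confirm the registration requests only what the SPA needs.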



You manage a data processing application that receives requests from an Azure Storage queue.
You need to manage access to the queue. You have the following requirements:

- Provide other applications access to the Azure queue.
- Ensure that you can revoke access to the queue without having to regenerate the storage account keys.
- Specify access at the queue level and not at the storage account level.

Which type of shared access signature (SAS) should you use?

  1. Service SAS with a stored access policy
  2. Account SAS
  3. User Delegation SAS
  4. Service SAS with ad hoc SAS

Answer(s): A

Explanation:

A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys.

Incorrect Answers:
Account SAS: Account SAS is specified at the account level. It is secured with the storage account key.
User Delegation SAS: A user delegation SAS applies to Blob storage only.


Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview



HOTSPOT (Drag & Drop is not supported)
You are developing an application to store and retrieve data in Azure Blob storage. The application will be hosted in an on-premises virtual machine (VM). The VM is connected to Azure by using a Site-to-Site VPN gateway connection. The application is secured by using Azure Active Directory (Azure AD) credentials.

The application must be granted access to the Azure Blob storage account with a start time, expiry time, and read permissions. The Azure Blob storage account access must use the Azure AD credentials of the application to secure data access. Data access must be able to be revoked if the client application security is breached.

You need to secure the application access to Azure Blob storage.
Which security features should you use? To answer select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Shared access signature (SAS) token
When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.

Box 2: Stored access policy
Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys.

A shared access signature can take one of the following two forms:
- Service SAS with stored access policy. A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints – the start time, expiry time, and permissions – defined for the stored access policy.
- Ad hoc SAS.


Reference:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
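
Added example (not part of the original page): a Python check, covering both this question and the earlier queue question, that classifies SAS URLs by their query parameters and reports which ones can only be revoked by regenerating the storage account key. The account, queue and policy names, signatures and IDs in the sample URLs are constructed placeholders; si, ss, srt and skoid are the Azure Storage SAS fields for the stored policy identifier, signed services, signed resource types and user delegation key owner.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs: account, queue, policy name and signatures are placeholders.
BASE = "https://examplestore.queue.core.windows.net/jobs?sv=2022-11-02&sig=CONSTRUCTED"
SAMPLES = {
    "policy": BASE + "&si=jobs-read",
    "adhoc": BASE + "&sp=rp&se=2030-01-01T00%3A00%3A00Z",
    "account": BASE + "&ss=q&srt=sco&sp=rp&se=2030-01-01T00%3A00%3A00Z",
    "delegation": "https://examplestore.blob.core.windows.net/c/b.txt?sv=2022-11-02"
                  "&sr=b&sp=r&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED"
                  "&skoid=00000000-0000-0000-0000-000000000001",
}

# How access granted by each SAS form is withdrawn.
REVOCATION = {
    "account": "regenerate the storage account key",
    "service, ad hoc": "regenerate the storage account key",
    "service, stored access policy": "change or delete the stored access policy",
    "user delegation": "revoke the user delegation key",
}

def classify_sas(url: str) -> dict:
    """Classify a SAS URL by its query parameters and report how it is revoked."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        raise ValueError("no sig parameter: not a SAS URL")
    if "ss" in params and "srt" in params:   # signed services + resource types
        kind = "account"
    elif "skoid" in params:                   # signed with a user delegation key
        kind = "user delegation"
    elif "si" in params:                      # references a stored access policy
        kind = "service, stored access policy"
    else:
        kind = "service, ad hoc"
    return {
        "kind": kind,
        "policy": params.get("si"),
        # Constraints carried in the token; with a policy they are held server-side.
        "inline_constraints": sorted(k for k in ("st", "se", "sp") if k in params),
        "revoke_by": REVOCATION[kind],
        "needs_key_rotation": REVOCATION[kind].startswith("regenerate"),
    }

def tokens_needing_key_rotation(urls) -> list:
    """Return the SAS URLs that cannot be revoked without rotating the account key."""
    return [u for u in urls if classify_sas(u)["needs_key_rotation"]]
```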



You are building a web application that uses the Microsoft identity platform for user authentication.
You are implementing user identification for the web application.
You need to retrieve a claim to uniquely identify a user.
Which claim type should you use?

  1. aud
  2. nonce
  3. oid
  4. idp

Answer(s): C

Explanation:

oid - The object identifier for the user in Azure AD. This value is the immutable and non-reusable identifier of the user. Use this value, not email, as a unique identifier for users; email addresses can change. If you use the Azure AD Graph API in your app, the object ID is the value used to query profile information.

Incorrect:
Not A: aud - Who the token was issued for. This will be the application's client ID.


Reference:

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/claims


