HOTSPOT -
You are developing an interactive invoicing application that will be used by end users. The application will have the following features:
✑ Save invoices generated by a user to the user's OneDrive for Business.
✑ Email daily automated reminders.
You need to identify which permissions to grant for the application features. The solution must use the principle of least privilege.
Which permission should you grant for each feature? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Microsoft identity platform supports two types of permissions: delegated permissions and application permissions.
Box 1: Delegated -
✑ Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests, and the app is delegated permission to act as the signed-in user when making calls to the target resource.
Box 2: Application -
✑ Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons.
Application permissions can only be consented by an administrator.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
You need to develop a server-based web app that will be registered with the Microsoft identity platform. The solution must ensure that the app can perform operations on behalf of the user.
Which type of authorization flow should you use?
Answer:
A
In web server apps, the sign-in authentication flow takes these high-level steps:
You can ensure the user's identity by validating the ID token with a public signing key that is received from the Microsoft identity platform endpoint. A session cookie is set, which can be used to identify the user on subsequent page requests.
In addition to simple sign-in, a web server app might need to access another web service, such as a REST API. In this case, the web server app engages in a combined OpenID Connect and OAuth 2.0 flow, by using the OAuth 2.0 authorization code flow.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types
You have a single-page application (SPA) named TodoListSPA and a server-based web app named TodoListService.
The permissions for the TodoList SPA API are configured as shown in the TodoList SPA exhibit. (Click the TodoListSPA tab.)
The permissions for the TodoListService API are configured as shown in the TodoListService exhibit. (Click the TodoListService tab.)
You need to ensure that TodoListService can access a Microsoft OneDrive file of the signed-in user. The solution must use the principle of least privilege.
Which permission should to grant?
Answer:
A
A client application gains access to a resource server by declaring permission requests. Two types are available:
"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token.
"Application" permissions, which specify role-based access using the client application's credentials/identity, are presented to the resource at run-time as "roles" claims in the client's access token.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-glossary#permissions
You are building a server-based web app that will use OAuth2 and will be registered with the Microsoft identity platform.
Which two values does the single-tenant app require to obtain tokens from the token endpoint for the Microsoft identity platform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer:
CE
C: The required client_id is the Application (client) ID that the Azure portal ג€" App registrations experience assigned to your app.
E: The authorization code flow begins with the client directing the user to the /authorize endpoint.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
You are developing a daemon application that reads all the emails in the inbox of a specific Microsoft 365 mailbox. Some emails contain meeting dates and room mailbox names.
The application has the following requirements:
✑ Move each processed email to a subfolder in the mailbox.
✑ If an email contains meeting data, create an event in the corresponding room mailbox calendar.
Which Microsoft Graph permissions should you grant for the application?
Answer:
C
Reference:
https://docs.microsoft.com/en-us/graph/permissions-reference
DRAG DROP -
You are developing a server-based application that has the following requirements:
✑ Prompt the user to fill out form that contains a keyword.
✑ Search the OneDrive for Business folder for files that contain the keyword and return the results to the user.
✑ Allow the user to select one of the files from the results.
✑ Copy the selected file to an Azure Blob storage container.
Which four actions should the application perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Answer:
You have an application that uses the Microsoft Graph API.
When users open the application during peak hours, they occasionally receive an HTTP 429 Too Many Requests response status code.
What should you do to mitigate the errors?
Answer:
B
Reference:
https://docs.microsoft.com/en-us/graph/throttling
You are developing a human resources application that will show users where they are in their company's organization chart.
You are adding a new feature that will display the name of a user's manager inside the application.
You need to create a REST query to retrieve the information. The solution must minimize the amount of data retrieved.
Which query should you use?
Answer:
A
Get user's manager. Returns the user or organizational contact assigned as the user's manager.
Syntax:
GET /me/manager -
GET /users/{id | userPrincipalName}/manager
Only the name of the user's manager should be displayed so we use ?select=displayname
To specify a different set of properties to return than the default set provided by the Graph, use the $select query option. The $select option allows for choosing a subset or superset of the default set returned.
Reference:
https://docs.microsoft.com/en-us/graph/api/user-list-manager
https://developer.microsoft.com/en-us/graph/docs/overview/query_parameters
You have an application that uses the Microsoft Graph API.
You need to configure the application to retrieve the groups to which the current signed-in user belongs. The results must contain the extended priorities of the groups.
Which URI should you use?
Answer:
B
Get member groups returns all the groups that the specified user, group, or directory object is a member of. This function is transitive.
Reference:
https://docs.microsoft.com/en-us/graph/api/directoryobject-getmembergroups
HOTSPOT -
You are developing an Azure function to provision a team in Microsoft Teams.
You need to create a group named Project A, add a classification of Private to the group, and then convert Project A to a team group.
How should you complete the REST requests? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: post -
You need to create a group named Project A.
The following example creates an Office 365 group.
POST https://graph.microsoft.com/v1.0/groups
Content-type: application/json -
Content-length: 244 -
{
"description": "Self help community for library",
"displayName": "Library Assist",
"groupTypes": [
"Unified"
],
"mailEnabled": true,
"mailNickname": "library",
"securityEnabled": false
}
Box 2: PATCH -
Add a classification of Private to the group.
You can set the classification property in a PATCH request for the group, if do not set it in the initial POST request that creates the group.
Box 3: put -
Then convert Project A to a team group.
Syntax: PUT /groups/{id}/team -
Reference:
https://docs.microsoft.com/en-us/graph/api/group-post-groups
https://docs.microsoft.com/en-us/graph/api/resources/group
https://docs.microsoft.com/en-us/graph/api/team-put-teams
