Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a new application named App1 that uses the Microsoft identity platform to authenticate to Azure Active Directory (Azure AD).
Currently, App1 can read user profile information.
You need to allow App1 to read the user's calendar.
Solution: From the Azure portal, edit the API permission list for App1. Add the Microsoft Graph API and the Calendars.Read permissions and then grant tenant admin consent.
Does this meet the goal?
Answer:
A
Microsoft Graph Calendars.Read allows the app to read events in user calendars.
For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process.
Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent https://docs.microsoft.com/en-us/graph/permissions-reference
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a new application named App1 that uses the Microsoft identity platform to authenticate to Azure Active Directory (Azure AD).
Currently, App1 can read user profile information.
You need to allow App1 to read the user's calendar.
Solution: Add https://graph.windows.net/user.read to the list of scopes during the initial login request.
Does this meet the goal?
Answer:
B
Microsoft Graph Calendars.Read allows the app to read events in user calendars.
For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process.
Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent https://docs.microsoft.com/en-us/graph/permissions-reference
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a new application named App1 that uses the Microsoft identity platform to authenticate to Azure Active Directory (Azure AD).
Currently, App1 can read user profile information.
You need to allow App1 to read the user's calendar.
Solution: In the code of App1, dynamically request the Calendar.Read permission from the Microsoft Graph API.
Does this meet the goal?
Answer:
B
For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process.
Application permissions can only be consented by an administrator.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent https://docs.microsoft.com/en-us/graph/permissions-reference
You have a custom API that is secured by using Azure Active Directory (Azure AD).
You need to call the API from within a SharePoint Framework (SPFx) web part.
Which object should you use to call the API?
Answer:
A
You can use the Microsoft Graph API to work with Microsoft Teams. In Microsoft Graph, Microsoft Teams is represented by a group resource.
If you are targeting Microsoft Graph, you can use the MSGraphClient client object, which provides a more fluent syntax compared to AadHttpClient.
Note: In versions of the SharePoint Framework starting with v.1.4.1, you can access Microsoft Graph by using either the native graph client (MSGraphClient), or the low-level type used to access any Azure AD-secured REST API (AadHttpClient).
The AadHttpClient client object is useful for consuming any REST API. You can use it to consume Microsoft Graph or any other third-party (or first-party) REST
API.
The MSGraphClient client object can consume the Microsoft Graph only. Internally it uses the AadHttpClient client object and supports the fluent syntax of the
Microsoft Graph SDK.
Reference:
https://docs.microsoft.com/en-us/graph/api/resources/teams-api-overview?view=graph-rest-1.0 https://docs.microsoft.com/en-us/sharepoint/dev/spfx/use-aad-tutorial
HOTSPOT -
You are developing a single-page application (SPA).
You plan to access user data from Microsoft Graph by using an AJAX call.
You need to obtain an access token by the Microsoft Authentication Library (MSAL). The solution must minimize authentication prompts.
How should you complete the code segment? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Box 1: loginPopup -
Box 2: acquireTokenSilent -
The pattern for acquiring tokens for APIs with MSAL.js is to first attempt a silent token request by using the acquireTokenSilent method. When this method is called, the library first checks the cache in browser storage to see if a valid token exists and returns it. When no valid token is in the cache, it sends a silent token request to Azure Active Directory (Azure AD) from a hidden iframe. This method also allows the library to renew tokens.
Box 3: acquireTokenPopup -
//AcquireToken Failure, send an interactive request.
Example:
userAgentApplication.loginPopup(applicationConfig.graphScopes).then(function (idToken) {
//Login Success
userAgentApplication.acquireTokenSilent(applicationConfig.graphScopes).then(function (accessToken) {
//AcquireToken Success
updateUI();
}, function (error) {
//AcquireToken Failure, send an interactive request.
userAgentApplication.acquireTokenPopup(applicationConfig.graphScopes).then(function (accessToken) { updateUI();
}, function (error) {
console.log(error);
});
})
}, function (error) {
console.log(error);
});
Reference:
https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/339
HOTSPOT -
You are developing an application that will run as an overnight background service on a server. The service will access web-hosted resources by using the application's identity and the OAuth 2.0 client credentials grant flow.
You register the application and grant permissions. The tenant administrator grants admin consent to the application.
You need to get the access token from Azure Active Directory (Azure AD).
Which URI should you use for the POST request? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Oauth2 client_id client_secret -
The authorization code flow begins with the client directing the user to the /authorize endpoint.
Box 1: token -
Use the authorization code to request an access token.
Now that you've acquired an authorization code and have been granted permission by the user, you can redeem the code for an access token to the desired resource, by sending a POST request to the /token endpoint:
Box 2: authorization_code -
Use the authorization code to request an access token.
Example:
// Line breaks for legibility only
POST /{tenant}/oauth2/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
...etc.
Note: At a high level, the entire authorization flow for an application looks a bit like this:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
You develop a web API named WebApi1.
When validating a token received from a client application, WebApi1 receives a MsalUiRequiredException exception from Azure Active Directory (Azure AD).
You need to formulate the response that WebApi1 will return to the client application.
Which HTTP response should you send?
Answer:
D
The HyperText Transfer Protocol (HTTP) 412 Precondition Failed client error response code indicates that access to the target resource has been denied. This happens with conditional requests on methods other than GET or HEAD when the condition defined by the If-Unmodified-Since or If-None-Match headers is not fulfilled. In that case, the request, usually an upload or a modification of a resource, cannot be made and this error response is sent back.
MsalUiRequiredException -
The "Ui Required" is proposed as a specialization of MsalServiceException named MsalUiRequiredException. This means you have attempted to use a non- interactive method of acquiring a token (e.g. AcquireTokenSilent), but MSAL could not do it silently. this can be because:
✑ you need to sign-in
✑ you need to consent
✑ you need to go through a multi-factor authentication experience.
The remediation is to call AcquireTokenInteractive
try
{
app.AcquireTokenXXX(scopes, account)
.WithYYYY(...)
.ExecuteAsync()
}
catch(MsalUiRequiredException ex)
{
app.AcquireTokenInteractive(scopes)
.WithAccount(account)
.WithClaims(ex.Claims)
.ExcecuteAsync();
}
Incorrect Answers:
A: A 307 Temporary Redirect message is an HTTP response status code indicating that the requested resource has been temporarily moved to another URI , as indicated by the special Location header returned within the response
B: The 400 Bad Request Error is an HTTP response status code that indicates that the server was unable to process the request sent by the client due to invalid syntax.
C: The 403 Forbidden Error happens when the web page (or other resource) that you're trying to open in your web browser is a resource that you're not allowed to access.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-handling-exceptions https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/exceptions
You have a backend service that will access the Microsoft Graph API. The backend service is hosted on-premises.
You need to configure the service to authenticate by using the most secure authentication method.
What should you configure the service to use?
Answer:
A
You can authenticate to the Graph API with two primary methods: AppId/Secret and certificate based authentication. Certificate is the preferred and more secure way of authenticating.
Reference:
https://adamtheautomator.com/microsoft-graph-api-powershell/
You plan to deploy a SharePoint Framework (SPFx) solution to the tenant app catalog.
Which attribute should you configure in the package-solution.json file to ensure that the solution is available immediately to all site collections?
Answer:
A
You can configure your SharePoint Framework components to be immediately available across the tenant when the solution package is installed to the tenant app catalog. This can be configured by using the skipFeatureDeployment attribute in the package-solution.json file.
Reference:
https://docs.microsoft.com/en-us/sharepoint/dev/spfx/tenant-scoped-deployment
What should you add to a SharePoint Framework (SPFx) solution to ensure that the solution can be used as a Microsoft Teams tab?
Answer:
D
You need to update the web part manifest to make it available for Microsoft Teams. Locate the manifest json file for the web part you want to make available to
Teams and modify the supportedHosts properties to include "TeamsTab".
Reference:
https://docs.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/get-started/using-web-part-as-ms-teams-tab
