Exam AZ-500 topic 2 question 70 discussion

Answer: B The question is about reading and writing ALL user calendars. Delegated permissions only works for the logged in user. https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-8

A appears to be the correct answer here. Delegated Calendars.ReadWrite ===Have full access to user calendars and it Allows the app to create, read, update, and delete events in user calendars. Application Calendars.ReadWrite === Read and write calendars in all mailboxes. Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

Exam question 6th April 2025

B is correct ans: https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-8:~:text=Read%20and%20write%20calendars%20in%20all%20mailboxes

In Exam 07-Feb-2025 52 Questions (5 Case Studies Questions) No Simulation 95% Questions came from exam topics only Kudos to you guys

It clearly says that the application must be able to read ALL user calendars. With delegated permission, it can only read the calendars that the user who uses it has access to. Yes, we must follow the principle of least privilege, but delegated permission would give less privilege than required.

In order to comply with the principle of least priviledge requirement: "Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Calendars.ReadWrite application permission." https://learn.microsoft.com/en-us/graph/permissions-reference#calendarsreadwrite

A - delegated perm to ReadWrite is least privilege. We want only specific users using the app to be able to make appointments.

Answer: B Delegated permission would require you granting a user that access as well which is not less priv. If our goal is to let app write/read cal and do it with least priv, we want to only grant the app permission to it and not give it to a user to then delegate.

Delegated permissions: Also called scopes, allow the application to act on behalf of the signed-in user. Application permissions: Also called app roles, allow the app to access data on its own, without a signed-in user.

In exam 1/28/24

Ahh, tricky one. Hmm, after some 20 min reading and some 15 min testing in a lab, I got to the below conclusion. So, "need to read and change/create events in calendar for ALL users" - the easy way out is to go with the App role (which would be choice B). Buut, the least privileged access would be to have Delegated role, which would still be able to read/create those calendar events for all users, but it's going to be un-behalf of the user (having the access limitations of the user - if the user should have any) which is more secure - aka least privileged concept. These 2 articles are covering the topic well: https://learn.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http Soo, I would go with A here (Delegated role), based on the above reasoning, but take it with a grain of salt, I may be wrong, I hope I'm not cuz that's what I am gonna chose if this question pops up. :D

answer: A

Calendars.ReadWrite Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

To ensure that App1 can read all user calendars and create appointments, while adhering to the principle of least privilege, you should: A. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite. This permission allows the application to read and write to user calendars as the signed-in user, without needing more privileged permissions than necessary. Application permissions would grant the app access without a user context and are typically used for background services or daemons, which is not adhering to the principle of least privilege in this context.

Answer: B Explanation: Answer: BThe question is about reading and writing ALL user calendars. Delegated permissions only works for the logged in user. https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-8 Here you'll find very good explanation about these two types of permissions:https://learn.microsoft.com/en- us/graph/permissions-overview?tabs=http

Option (A) "Add a new delegated API permission for Microsoft.Graph Calendars.ReadWrite" does not allow the application to read and write to all users' calendars, which is a requirement of the question, as the delegated permissions apply only to the context of an authenticated user. Therefore, the correct option to satisfy the read and write requirement for all users' calendars is option (B) "Add a new application API permission for Microsoft.Graph Calendars.ReadWrite".