Exam AZ-500 topic 2 question 65 discussion

Actual exam question from Microsoft's AZ-500
Question #: 65
Topic #: 2

You have an Azure Active Directory (Azure AD) tenant that contains a user named Admin1. Admin1 is assigned the Application developer role.
You purchase a cloud app named App1 and register App1 in Azure AD.
Admin1 reports that the option to enable token encryption for App1 is unavailable.
You need to ensure that Admin1 can enable token encryption for App1 in the Azure portal.
What should you do?

  • A. Upload a certificate for App1.
  • B. Modify the API permissions of App1.
  • C. Add App1 as an enterprise application.
  • D. Assign Admin1 the Cloud application administrator role.
Suggested Answer: A

Comments

asfgsertweg
Highly Voted 2 years, 10 months ago
Don't understand, as if the app has been registered, it is an enterprise app!!!
upvoted 14 times
ConanBarb
1 year, 11 months ago
Yes, but the option is only available in the portal for Enterprise Apps created as such from the start: "The Token encryption option is only available for SAML applications that have been set up from the Enterprise applications blade in the Azure portal, either from the Application Gallery or a Non-Gallery app. For other applications, this menu option is disabled." https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal For plain App Registrations you edit the application manifest under Manifest (see the same doc above). "Set the value for the tokenEncryptionKeyId attribute."
upvoted 9 times
...
...
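The manifest route mentioned in the reply above can be checked offline. The following is an added example, not part of any comment on this page and not Microsoft's code: it reads an exported application manifest and reports whether `tokenEncryptionKeyId` points at a usable encryption certificate. Field names other than `tokenEncryptionKeyId` (`keyCredentials`, `keyId`, `usage`, `type`, `startDate`/`endDate`) follow the app manifest format and do not appear on this page; the sample manifest and its IDs are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample manifest fragment (placeholder IDs, no key material).
SAMPLE_MANIFEST = json.loads("""
{
  "keyCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDate": "2024-01-01T00:00:00Z", "endDate": "2030-01-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "type": "AsymmetricX509Cert", "usage": "Encrypt",
     "startDate": "2024-01-01T00:00:00Z", "endDate": "2030-01-01T00:00:00Z"}
  ],
  "tokenEncryptionKeyId": "22222222-2222-2222-2222-222222222222"
}
""")

def _date(cred, name):
    # Older manifests use startDate/endDate, Graph-format ones add "Time".
    raw = cred.get(name) or cred.get(name + "Time")
    return datetime.fromisoformat(raw.replace("Z", "+00:00")) if raw else None

def check_token_encryption(manifest, now=None):
    """Return a list of findings; an empty list means the setup is consistent."""
    now = now or datetime.now(timezone.utc)
    key_id = manifest.get("tokenEncryptionKeyId")
    if not key_id:
        return ["tokenEncryptionKeyId is not set: SAML tokens are not encrypted"]
    matches = [k for k in manifest.get("keyCredentials", [])
               if str(k.get("keyId", "")).lower() == key_id.lower()]
    if not matches:
        return [f"tokenEncryptionKeyId {key_id} matches no keyCredentials entry"]
    cred, findings = matches[0], []
    if cred.get("usage") != "Encrypt":
        findings.append(f"key {key_id} has usage {cred.get('usage')!r}, expected 'Encrypt'")
    if cred.get("type") != "AsymmetricX509Cert":
        findings.append(f"key {key_id} has type {cred.get('type')!r}, expected an X.509 certificate")
    start, end = _date(cred, "startDate"), _date(cred, "endDate")
    if start and start > now:
        findings.append(f"certificate for key {key_id} is not yet valid")
    if end and end <= now:
        findings.append(f"certificate for key {key_id} expired on {end.date()}")
    return findings

if __name__ == "__main__":
    for line in check_token_encryption(SAMPLE_MANIFEST) or ["token encryption setup is consistent"]:
        print(line)
```
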
fonte
Highly Voted 2 years, 2 months ago
Selected Answer: A
Created an app registration and it automatically appeared in the Enterprise Applications, so I would say the next thing is to configure the token encryption as per: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal
upvoted 8 times
...
stonwall12
Most Recent 1 week, 3 days ago
Selected Answer: A
Answer: A, Upload a certificate for App1 Reason: To enable token encryption for an application in Azure AD, you must first upload a certificate that will be used as the encryption key. Without a valid certificate uploaded to the application, the token encryption option remains unavailable, regardless of user permissions.
upvoted 2 times
...
ITFranz
2 weeks, 3 days ago
Selected Answer: D
To support the answer: To enable Admin1 to enable token encryption for App1 in the Azure portal, you should assign Admin1 the Cloud Application Administrator role. Here's why:
1. The Application Developer role, which Admin1 currently has, is limited in its permissions. It primarily allows users to create application registrations and manage their own applications.
2. The Cloud Application Administrator role has more extensive permissions for managing enterprise applications, including the ability to manage all aspects of enterprise applications and application registrations.
3. The Cloud Application Administrator role grants the necessary permissions to configure advanced settings like token encryption for applications.
Answer = D
upvoted 1 times
...
Nhadipour
2 weeks, 4 days ago
Selected Answer: D
While uploading a certificate is a required step for token encryption, Admin1 currently does not have permission to do this. Admin1 needs the correct role to enable token encryption. The Cloud Application Administrator role grants full control over enterprise applications and app registrations, including the ability to manage certificates and secrets, which is required to enable token encryption.
upvoted 2 times
...
SofiaLorean
2 weeks, 6 days ago
Selected Answer: D
To enable token encryption for an application in Azure AD, the Cloud Application Administrator or Global Administrator role is required
upvoted 1 times
...
sgomezsan
3 weeks, 3 days ago
Selected Answer: D
To enable token encryption for App1, Admin1 needs to have one of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal
upvoted 1 times
...
waqqy
1 month, 1 week ago
Selected Answer: D
The correct solution is to assign Admin1 the Cloud Application Administrator role (Option D) because it grants the necessary permissions to manage application settings, including enabling token encryption. The other options either address different aspects of application management or do not provide the required permissions.
upvoted 1 times
...
Andreas_Czech
2 months, 3 weeks ago
Selected Answer: A
as the Microsoft Documentation: To configure token encryption, you need to upload an X.509 certificate file that contains the public key to the Microsoft Entra application object that represents the application. Reference-Link: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal this points to A, but ...: One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal. Reference-Link: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal#prerequisites which points to D. I decided to choose A, but which is correct -> only MS knows
upvoted 1 times
...
Exam2us
3 months ago
Correct answer is "D". Assign Admin1 the Privileged Role Administrator or Global Administrator role temporarily to allow them to enable token encryption for App1 in the Azure portal. Once the configuration is complete, you can revoke the elevated permissions.
upvoted 1 times
...
Srirupam
3 months, 1 week ago
Correct Answer: A. Upload a certificate for App1
Token encryption in Azure AD requires the application to have a certificate uploaded. This certificate is used to encrypt the tokens issued to the app. Without a certificate uploaded, the option to enable token encryption will not be available in the Azure portal.
B. API permissions are unrelated to enabling token encryption. They are used to define what APIs the app can access.
C. Registering an app and adding it as an enterprise application are separate processes. While this step might be part of integrating an app, it does not affect token encryption settings.
D. The Application developer role already allows Admin1 to manage app registrations. The inability to enable token encryption is not due to permissions but the lack of a certificate uploaded to the application.
upvoted 1 times
...
codeunit
4 months, 1 week ago
To ensure that Admin1 can enable token encryption for App1, you should assign Admin1 either the Application Administrator or the Cloud Application Administrator role. These roles allow the user to manage all aspects of application registration and configuration, including enabling token encryption. In summary:
* Assign the Application Administrator or Cloud Application Administrator role to Admin1.
* Admin1 will then be able to enable token encryption for App1 in the Azure portal.
upvoted 1 times
...
TechHero
5 months ago
Answer D - follow the Microsoft Docs "To configure SAML token encryption, you need: A Microsoft Entra user account. If you don't already have one, you can Create an account for free. One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal." https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal
upvoted 2 times
chema77
4 months, 3 weeks ago
Agree: for both enterprise applications and registered applications you need to be a Cloud Application Administrator, Application Administrator, or owner of the service principal. - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal#configure-registered-application-saml-token-encryption
upvoted 2 times
...
...
leo77
5 months, 4 weeks ago
Ans - D, checked on ChatGPT.
upvoted 2 times
...
Pavel019846457
6 months, 3 weeks ago
Selected Answer: D
Answer from Microsoft Copilot: "To enable token encryption for App1, Admin1 needs to have the appropriate role that allows managing application configurations. The Application developer role does not have the necessary permissions to enable token encryption. Therefore, you should: D. Assign Admin1 the Cloud application administrator role. This role provides the required permissions to configure application settings, including enabling token encryption." https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption
upvoted 4 times
...
pentium75
6 months, 4 weeks ago
Selected Answer: C
C because "the Token encryption option is only available for SAML applications that have been set up from the Enterprise applications blade in the Azure portal." Not A, uploading a certificate is also required but that is part of 'enabling token encryption'. The missing certificate is NOT the reason why that option is unavailable to the user.
upvoted 1 times
...
workhard
7 months, 1 week ago
Selected Answer: D
Prerequisites To configure SAML token encryption, you need: A Microsoft Entra user account. If you don't already have one, you can Create an account for free. One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal#prerequisites
upvoted 5 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other