Exam MS-600 topic 1 question 3 discussion

Actual exam question from Microsoft's MS-600
Question #: 3
Topic #: 1

You have a single-page application (SPA) named TodoListSPA and a server-based web app named TodoListService.
The permissions for the TodoListSPA API are configured as shown in the TodoListSPA exhibit. (Click the TodoListSPA tab.)

The permissions for the TodoListService API are configured as shown in the TodoListService exhibit. (Click the TodoListService tab.)

You need to ensure that TodoListService can access a Microsoft OneDrive file of the signed-in user. The solution must use the principle of least privilege.
Which permission should you grant?

  • A. the Sites.Read.All delegated permission for TodoListService
  • B. the Sites.Read.All delegated permission for TodoListSPA
  • C. the Sites.Read.All application permission for TodoListSPA
  • D. the Sites.Read.All application permission for TodoListService
Suggested Answer: A
A client application gains access to a resource server by declaring permission requests. Two types are available:
"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token.
"Application" permissions, which specify role-based access using the client application's credentials/identity, are presented to the resource at run-time as "roles" claims in the client's access token.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-glossary#permissions
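
The "scp" versus "roles" distinction described above, as an added example that is not part of the exam material or of any Microsoft code: a resource-side check that reads an access token's claims and accepts a call on behalf of the signed-in user only when the permission arrives as a delegated scope. The function names are hypothetical and the tokens are constructed and unsigned; a real resource must validate the signature, issuer and audience before trusting any claim.

```python
import base64
import json

def b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (builds the samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims):
    """Constructed, unsigned token for illustration only."""
    return ".".join([b64url({"alg": "none", "typ": "JWT"}), b64url(claims), ""])

def read_claims(token):
    """Decode the payload segment. No signature check: inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(claims):
    """Return (kind, permissions).

    'scp' is a space-separated string of delegated scopes; its presence means
    the token was issued on behalf of a signed-in user. 'roles' is a list of
    application permissions granted to the client's own identity.
    """
    scp = claims.get("scp")
    roles = claims.get("roles")
    if scp:
        return "delegated", set(scp.split())
    if roles:
        return "application", set(roles)
    return "none", set()

def allow_user_file_read(claims, required="Sites.Read.All"):
    """Accept only a delegated grant: the call must act for the signed-in user,
    so an app-only token carrying the same permission name is rejected."""
    kind, perms = granted_permissions(claims)
    return kind == "delegated" and required in perms

# Constructed sample tokens (all claim values are made up)
DELEGATED = make_sample_token({"sub": "user-1", "scp": "User.Read Sites.Read.All"})
APP_ONLY = make_sample_token({"sub": "app-1", "roles": ["Sites.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        claims = read_claims(tok)
        print(name, granted_permissions(claims), allow_user_file_read(claims))
```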

Comments

Vishal961
8 months ago
B is the right answer. Sites.Read.All delegated permission for TodoListSPA, which will enable the SPA to access OneDrive on behalf of the user, while still adhering to the principle of least privilege.
upvoted 1 times
...
xupiter
10 months ago
Correct answer should be (B). If you grant Files.Read.All to the TodoListService, it will be able to read *any* file in the tenant. For more details, see https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview
upvoted 1 times
...
svramon
1 year, 8 months ago
The question is bogus because it doesn't state whether you are trying to obtain an access token or an id token.
upvoted 1 times
...
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other