
Exam AZ-305 topic 1 question 43 discussion

Actual exam question from Microsoft's AZ-305
Question #: 43
Topic #: 1

HOTSPOT

You have an Azure subscription named Sub1 that is linked to an Azure AD tenant named contoso.com.

You plan to implement two ASP.NET Core apps named App1 and App2 that will be deployed to 100 virtual machines in Sub1. Users will sign in to App1 and App2 by using their contoso.com credentials.

App1 requires read permissions to access the calendar of the signed-in user. App2 requires write permissions to access the calendar of the signed-in user.

You need to recommend an authentication and authorization solution for the apps. The solution must meet the following requirements:

• Use the principle of least privilege.
• Minimize administrative effort.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

pkkalra
Highly Voted 1 year, 10 months ago
The important point here is that both apps are deployed to the same machines. So managed identities will violate the principle of least privilege, as a user/system managed identity will have to be assigned both read and write permission to the user's calendar. App registration will provide the ability to use a service principal per app to set the correct permission required for the app. Use delegated permissions to access the user's data, as the admin allows/forces users to delegate the permission to the app. Answer: App registration, Delegated permissions
upvoted 85 times
Mosti
1 year, 9 months ago
Very good point: "As a user/system managed identity will have to be assigned both read and write permission to user's calendar"
upvoted 12 times
darthfodio
Highly Voted 1 year, 10 months ago
I believe box 1 should be "A user-assigned managed identity" because the apps will be deployed to 100 VMs. Keeping "Minimize administrative effort" in mind, a user-assigned managed identity can be re-used.
upvoted 34 times
HaniG
1 year, 10 months ago
I agree
upvoted 2 times
dimsok
1 year, 10 months ago
Calendar might not be behind Azure AD. Delegated permissions is the correct one
upvoted 5 times
malcubierre
1 year, 10 months ago
All are the same app, same identity. No need for a user-assigned managed identity; they are identified by Application ID.
upvoted 5 times
SeMo0o0o0o
Most Recent 3 weeks, 2 days ago
CORRECT
upvoted 2 times
23169fd
5 months, 2 weeks ago
Given answers are correct.
Authentication: Application registration in Azure AD. This allows you to register the applications in Azure AD, enabling user authentication via their Azure AD credentials.
Authorization: Delegated permissions. These permissions allow the applications to act on behalf of the signed-in user, granting the necessary read and write access to the user's calendar while adhering to the principle of least privilege.
upvoted 1 times
23169fd
5 months, 2 weeks ago
Why not the other options?
Authentication:
• System-assigned managed identity: Suitable for accessing Azure resources without credentials, but not for user authentication to an app that requires user-specific permissions.
• User-assigned managed identity: Similar to system-assigned but managed separately. Not ideal for user-specific access, which requires handling user tokens.
Authorization:
• Application permissions: Grants the application itself broad access, which violates the principle of least privilege as it would give more permissions than needed.
• Azure role-based access control (Azure RBAC): Best for managing resource access within Azure, but not for specific application-level permissions for user data like calendar access.
upvoted 2 times
flafernan
6 months ago
You have two applications (App1 and App2) on 100 VMs. App1 needs to read and App2 needs to write to a resource for a "logged in user". Access must be to applications, not VMs, following the principle of least privilege.
Logged-in user identity: Using "user-assigned managed identity" is not appropriate as applications use the logged-in user's identity, requiring delegated permissions.
Using Azure RBAC: RBAC assigns permissions directly to applications, but because they need to act on the user's behalf, you must use delegated permissions.
Correct solution:
- Application registration in Azure AD
- Delegated permissions
upvoted 1 times
Lazylinux
7 months, 1 week ago
Given answer is correct. App registration to allow integration with Az AD, hence an App object and Service Principal; Delegated permissions to be assigned on behalf of the user.
upvoted 1 times
Hammer84
1 year ago
Authentication: Application registration in Azure AD Authorization: Azure role-based access control (Azure RBAC) for least privilege and minimal administrative effort.
upvoted 2 times
nick_lat12
1 year, 1 month ago
Answer: 1. App Registration 2. Delegated Permissions. Read more here: https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview
upvoted 5 times
DTyagi
10 months, 2 weeks ago
Can clear the exam with these questions?
upvoted 1 times
xRiot007
8 months, 3 weeks ago
Take it and find out...
upvoted 2 times
Kalzonee3611
3 days, 1 hour ago
Why so mean
upvoted 1 times
sivolko
1 year, 2 months ago
correct answer
upvoted 1 times
sieira
1 year, 4 months ago
Important point: Managed identities are used when working with Azure resources and you need an identity to authenticate communication between these services. But for user authentication and authorisation with ASP.NET Core, you're going to be using Azure AD and that involves application registration.
upvoted 9 times
techrat
1 year, 7 months ago
The given answer is correct. I passed the exam today with 979, and I gave the same answer to this question: App registration, Delegated permissions
upvoted 14 times
NotMeAnyWay
1 year, 8 months ago
Question 1. Authentication type? Option 1 - Application registration in Azure AD. For each app (App1 and App2), you should register a separate application in Azure AD. This will allow users to authenticate using their contoso.com credentials and will enable you to request access tokens for accessing protected resources like the calendar.
Question 2. Authorization type? Option 3 - Delegated permissions. Delegated permissions allow the apps to perform actions on behalf of the signed-in user, such as reading or writing to their calendar. By configuring delegated permissions for each app, you can ensure that App1 has read access to the calendar while App2 has write access. This approach follows the principle of least privilege and minimizes administrative effort.
upvoted 12 times
johnD16
1 year, 8 months ago
Showed in exam 18.03.2023. Correct, passed 940/1000
upvoted 3 times
jeffa_jaja
1 year, 2 months ago
Get yourself together and stop posting the same message all over the questions
upvoted 2 times
babakeyfgir
1 year ago
It helps us.
upvoted 4 times
memyself2
1 year, 9 months ago
This question was on my exam today (2/26/23) - scored 844. I agree with this answer.
upvoted 4 times
Jacky_exam
1 year, 9 months ago
App1 requires read permissions to access the calendar of the signed-in user. App2 requires write permissions to access the calendar of the signed-in user. If using App registration, how do we meet the requirement of the principle of least privilege?
upvoted 1 times
zellck
1 year, 9 months ago
1. Application registration in Azure AD
2. Delegated permissions
https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#application-registration
To delegate identity and access management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you're creating an identity configuration for your application that allows it to integrate with Azure AD.
https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#types-of-permissions
Delegated permissions are used in the delegated access scenario. They're permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed-in user themselves couldn't access.
upvoted 6 times
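As an added example (not from the question or any commenter), a small Python audit check that makes the thread's distinction concrete: a delegated token carries `scp` and is bound to the signed-in user, an application-permission token carries `roles`, and a single identity shared by both apps would carry both calendar scopes. The sample tokens are constructed and unsigned; the app names and their allowed scopes follow the question, and the check assumes the app's authentication middleware has already validated the token signature.

```python
import base64
import json

# Delegated Microsoft Graph scopes each app may hold under least privilege
# (App1 only reads the signed-in user's calendar, App2 writes it).
ALLOWED_SCOPES = {
    "App1": {"Calendars.Read"},
    "App2": {"Calendars.ReadWrite"},
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Parse the payload of a compact JWT (header.payload.signature).
    Assumes the signature was already validated upstream; this helper only
    parses claims and must never be used on its own to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def grant_kind(claims: dict) -> str:
    """Delegated tokens carry 'scp' (space-separated scopes) and name the
    signed-in user; application-permission tokens carry 'roles' instead."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def excess_permissions(app: str, claims: dict) -> set:
    """Permissions in the token beyond what `app` may hold. A non-delegated
    grant is excess in full: both apps must act as the signed-in user."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if grant_kind(claims) != "delegated":
        return granted
    return granted - ALLOWED_SCOPES[app]


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the checks above."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

Run `excess_permissions("App1", token_claims(t))` against a token App1 actually acquires: an empty set means the registration's consented scopes match the question's least-privilege requirement.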
OPT_001122
1 year, 9 months ago
App registration, Delegated permissions
upvoted 3 times