Exam AZ-500
Question 107

You have an Azure Active Directory (Azure AD) tenant that contains a user named Admin1. Admin1 is assigned the Application developer role.

You purchase a cloud app named App1 and register App1 in Azure AD.

Admin1 reports that the option to enable token encryption for App1 is unavailable.

You need to ensure that Admin1 can enable token encryption for App1 in the Azure portal.

What should you do?

Correct Answer: D

To enable token encryption for an application in Azure AD, the user must have sufficient permissions. Admin1 currently has the Application Developer role, which does not grant permissions to configure token encryption. The appropriate role to manage applications, including configuring token encryption, would be the Cloud Application Administrator role. Assigning Admin1 this role would provide the necessary permissions to enable token encryption for App1 in the Azure portal.

Discussion
asfgsertweg (Option: C)

Don't understand as, if the app has been registered. It is an enterprise app !!!

ConanBarb

Yes, but the option is only available in portal for Enterprise Apps created as such from start: "The Token encryption option is only available for SAML applications that have been set up from the Enterprise applications blade in the Azure portal, either from the Application Gallery or a Non-Gallery app. For other applications, this menu option is disabled." https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal For plain App Registrations you edit the application manifest under Manifest (see the same doc above). "Set the value for the tokenEncryptionKeyId attribute."

fonte (Option: A)

Created an app registration and it automatically appeared in the Enterprise Applications, so I would say the next thing is to configure the token encryption as per: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal

workhard (Option: D)

Prerequisites: To configure SAML token encryption, you need: A Microsoft Entra user account. If you don't already have one, you can Create an account for free. One of the following roles: Cloud Application Administrator, Application Administrator, or owner of the service principal. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal#prerequisites

datz (Option: D)

Can't be right - C. Add App1 as an enterprise application. When you register an app it is automatically added as an ent app. Seems to me the user has no perm to manage the enterprise app. Answer: D

mrt007 (Option: A)

To enable token encryption for App1 in the Azure portal, you should upload a certificate for App1. Token encryption in Azure AD requires a public key of a certificate to encrypt the tokens. Once the certificate is uploaded, Admin1, with the Application developer role, should be able to enable token encryption for App1. So, the correct answer is A. Upload a certificate for App1.

tecnicosoffshoretech (Option: D)

According to Microsoft only global admin, cloud app admin, app admin or owner can add the token encryption. The question doesn't state that admin1 was registering the app so it is not the owner, therefore I will go for D

tecnicosoffshoretech

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal

Jimmy500 (Option: D)

Guys, this question also made me dizzy. But just go to one application in your tenant and go to the Token Encryption part; here I saw this: "Token encryption is not available for this application. SP-dev-dt-wiz was created using the App registrations experience. Please go to mydev-test in the App registrations experience to configure token encryption. Your account should have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object). Learn more about admin roles in Microsoft Entra ID. To learn more about what properties you can modify in Enterprise applications and App registrations, see Application and service principal objects in Microsoft Entra ID."

Jimmy500

Exam topic does not allow more comments, that is why I add an additional part here: This point makes sense to choose C, but I was also thinking the same as you initially. There is also a reason for D, tell me why? The question does not say which role we have; since we can register an application it means we have at least the Application developer role. However, to be able to enable token encryption we need to have at least the Cloud Application Admin role; more roles can be the Cloud Application administrator role or Application Administrator role or Owner role. So we do not know which role we have; we only know, since we have registered an application to AZURE, WE ARE AT LEAST APPLICATION DEVELOPER. But we do not know whether we have these roles or not, but I think C makes more sense: if you read the question, it says the user reports the token option is not available, which I saw in the application in my tenant. So I will choose C

emartiy (Option: A)

Microsoft copilot answers "A" :) consider on it! To enable token encryption for App1 in the Azure portal, you should upload a certificate for App1. Here are the steps: Obtain a public key certificate that matches a private key configured in the application. In the Azure portal, navigate to Azure Active Directory > Enterprise applications. Select the application (App1) that you wish to configure token encryption. On the application page, choose Token encryption. Upload the X.509 certificate file containing the public key.

yonie (Option: C)

Answer is C. Here's why: The Token encryption option is only available for SAML applications that have been set up from the Enterprise applications blade in the Microsoft Entra admin center, either from the Application Gallery or a Non-Gallery app. For other applications, this menu option is disabled. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal#configure-token-encryption-in-the-microsoft-entra-admin-center Therefore, we need to add the app as an enterprise application.

hfk2020 (Option: C)

C is the correct answer. Reason: Token encryption is not available for this application. App was created using the App registrations experience.

Abid9 (Option: D)

User needs permission. See the prerequisites section.

flafernan (Option: D)

When you register App1, it automatically becomes an enterprise application in Azure AD. Therefore, Admin1 must have the appropriate permissions to configure token encryption for App1 in the Azure portal. There is no need to upload a certificate to meet this specific need. Therefore, no action would be necessary.

bob_sez (Option: C)

I registered an app and it showed up in Enterprise Application. The token Encryption option is only available when the app is accessed from the Enterprise Application blade and not from the registration blade. So I would go with C

Jinkx (Option: D)

To enable token encryption for an application in Azure AD, the user needs to have the necessary permissions. In this case, Admin1 has the application developer role, which might not provide the required permissions for managing encryption settings. The correct action would be: D. Assign Admin1 the cloud application administrator role. The Cloud Application Administrator role is typically assigned to users who need to manage applications in Azure AD, including configuring token encryption settings. By assigning the Cloud Application Administrator role to Admin1, they should gain the necessary permissions to enable token encryption for App1 in the Azure portal. So, the correct answer is option D.

wardy1983 (Option: C)

Created an app registration and it automatically appeared in the Enterprise Applications, so I would say the next thing is to configure the token encryption as per: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption?tabs=azure-portal

Feraso (Option: A)

Answer is A, from the portal I get the following when trying to enable the Token encryption option (the app already registered as enterprise app): "Please import and make active a certificate to enable token encryption."

JunetGoyal (Option: D)

Ans is D. Question says app is registered in AD. The user needs cloud app admin. Please check this link: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal#prerequisites