Exam AZ-500
Question 112

You have an Azure subscription that contains an app named App1. App1 has the app registration shown in the following table.

You need to ensure that App1 can read all user calendars and create appointments. The solution must use the principle of least privilege.

What should you do?

    Correct Answer: B

    To enable App1 to read all user calendars and create appointments adhering to the principle of least privilege, the correct choice is to add a new Application API permission for Microsoft.Graph Calendars.ReadWrite. Application permissions enable the app to access data on its own, without requiring a signed-in user, which allows it to operate on all users' calendars. This is necessary for accessing and managing all user calendars, not just one associated with a logged-in user, which is crucial for reading and writing data across multiple users' calendars.
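The difference between the two permission types is visible in the access token that Microsoft Graph receives: delegated permissions arrive in the `scp` claim (a space-separated string), application permissions in the `roles` claim (an array). The following is an added example, not part of the original question or its answer key; the helper names and the sample tokens are constructed for illustration, and the payload is decoded for inspection only, without signature validation.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for the demo (constructed, not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_kind(token: str, permission: str = "Calendars.ReadWrite") -> str:
    """Return how the token carries `permission`: application, delegated or absent."""
    claims = jwt_claims(token)
    roles = claims.get("roles") or []            # application permissions (app roles)
    scopes = (claims.get("scp") or "").split()   # delegated permissions (scopes)
    if permission in roles:
        return "application"  # app-only: no signed-in user, reaches all mailboxes
    if permission in scopes:
        return "delegated"    # bounded by what the signed-in user can access
    return "absent"


# Constructed sample claims for a user sign-in and for a daemon (client credentials).
DELEGATED = make_sample_token({"aud": "https://graph.microsoft.com",
                               "scp": "Calendars.ReadWrite User.Read",
                               "upn": "user@example.com"})
APP_ONLY = make_sample_token({"aud": "https://graph.microsoft.com",
                              "roles": ["Calendars.ReadWrite"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        print(name, "->", permission_kind(tok))
```
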

Discussion
BillBaits
Option: B

Answer: B. The question is about reading and writing ALL user calendars. Delegated permissions only work for the logged-in user. https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-8

LeDefatman

@BillBaits, I think you did not fully understand the documentation on this:

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Calendars.ReadWrite | Have full access to user calendars | Allows the app to create, read, update, and delete events in user calendars. | No | Yes |

Vikku30

Why B? Delegated permissions would be required on the user's behalf, so that on the basis of the scope of permissions App1 is allowed to schedule the meetings as per the user's calendar. Application permissions are used by the application's native processes, daemons etc. So I don't think that B is the correct option. Option A is correct here.

BayaliJihad

@BillBaits, it says "The solution must use the principle of least privilege". So Delegated permissions is the correct answer.

jore041
Option: A

A appears to be the correct answer here. Delegated Calendars.ReadWrite === Have full access to user calendars, and it allows the app to create, read, update, and delete events in user calendars. Application Calendars.ReadWrite === Read and write calendars in all mailboxes. Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

lili

Since it is asking for the principle of least privilege, then logically Delegated permission is the right one.

Ivan80

In exam 1/28/24

cris_exam
Option: A

Ahh, tricky one. Hmm, after some 20 min reading and some 15 min testing in a lab, I got to the below conclusion. So, "need to read and change/create events in calendar for ALL users" - the easy way out is to go with the App role (which would be choice B). Buut, the least privileged access would be to have Delegated role, which would still be able to read/create those calendar events for all users, but it's going to be on behalf of the user (having the access limitations of the user - if the user should have any) which is more secure - aka least privileged concept. These 2 articles are covering the topic well: https://learn.microsoft.com/en-us/graph/auth/auth-concepts#microsoft-graph-permissions https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http Soo, I would go with A here (Delegated role), based on the above reasoning, but take it with a grain of salt, I may be wrong, I hope I'm not cuz that's what I am gonna choose if this question pops up. :D

flafernan
Option: B

Option (A) "Add a new delegated API permission for Microsoft.Graph Calendars.ReadWrite" does not allow the application to read and write to all users' calendars, which is a requirement of the question, as the delegated permissions apply only to the context of an authenticated user. Therefore, the correct option to satisfy the read and write requirement for all users' calendars is option (B) "Add a new application API permission for Microsoft.Graph Calendars.ReadWrite".

TheProfessor
Option: B

Answer is B. The keyword here is "can read all user calendars and create appointments". If the question wouldn't have "can read all user calendars and create appointments", the answer would have been A, because of principle of least privilege keyword.

Strifelife
Option: B

Ima say b, since all calendars need to be seen. Usually when they are fishing for Delegated permission there's a line "On behalf of user".

workhard
Option: B

In order to comply with the principle of least privilege requirement: "Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Calendars.ReadWrite application permission." https://learn.microsoft.com/en-us/graph/permissions-reference#calendarsreadwrite

xRiot007
Option: A

A - delegated perm to ReadWrite is least privilege. We want only specific users using the app to be able to make appointments.

93b98ea
Option: B

Answer: B Delegated permission would require you granting a user that access as well which is not less priv. If our goal is to let app write/read cal and do it with least priv, we want to only grant the app permission to it and not give it to a user to then delegate.

Dimitrios
Option: A

Delegated permissions: Also called scopes, allow the application to act on behalf of the signed-in user. Application permissions: Also called app roles, allow the app to access data on its own, without a signed-in user.

da
Option: A

answer: A

hfk2020
Option: A

Calendars.ReadWrite Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

hfk2020

This was in application permissions

Obama_boy
Option: B

To ensure that App1 can read all user calendars and create appointments, while adhering to the principle of least privilege, you should: A. Add a new Delegated API permission for Microsoft.Graph Calendars.ReadWrite. This permission allows the application to read and write to user calendars as the signed-in user, without needing more privileged permissions than necessary. Application permissions would grant the app access without a user context and are typically used for background services or daemons, which is not adhering to the principle of least privilege in this context.

wardy1983
Option: B

Answer: B. Explanation: Answer: B. The question is about reading and writing ALL user calendars. Delegated permissions only work for the logged-in user. https://docs.microsoft.com/en-us/graph/permissions-reference#application-permissions-8 Here you'll find a very good explanation of these two types of permissions: https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http

ESAJRR
Option: B

B. Add a new Application API permission for Microsoft.Graph Calendars.ReadWrite.

Qadour
Option: A

Correct answer is A! Why? When we add a new Application permission R/W Calendars, it'll have access to all calendars in the tenant, and this scenario doesn't respect the principle of least privilege.