HOTSPOT -
You have an Azure Active Directory (Azure AD) tenant that contains two users named User1 and User2 and a registered app named App1.
You create an app-specific role named Role1.
You need to assign Role1 to User1 and enable User2 to request access to App1.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Box 1: Roles and administrators -
Here you will find Role1 and be able to assign User1 to the role.
Box 2: Self Service -
Under Self Service, there is an option to ג€Allow users to request access to this applicationג€.
Answer is wrong I tried it manually on a lab, Roles and Administrators is limited only to a few builtin AD roles I think the answer should be 1. Users and Groups for User1 2. Self-service for User2
You are right, I took the bother of creating a custom App Role and all I could do with it is assign it to a group (already added to the app) from Users and Groups
correct
This is the correct answer
Do you have the steps a link to support it? I found this. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-enterprise-apps#create-a-new-custom-role Assign the role to a user using the Microsoft Entra admin center Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator. Browse to Identity > Roles & admins > Roles & admins. Select the Manage user and group assignments role.
The selected answers are correct. You can create a custom App Role (if you have appropriate licensing) and add it via Roles and Administrators. https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps#create-a-new-custom-role
Agree. Tested in the lab. You can assign a role to the user via Roles and Administrators
If the custom role is created in Azure Entra, you can assign that role from Roles and Administrators blade. If the custom role is created in Azure, you cannot see that role in Roles and Admin and hence cannot assign it. The question doesnt explicitly mention where the role is created, but since the question is explicitly mentioning that we have Azure AD, its assumed that they are talking acount the role created in Azure AD and not Azure. With this understanding, I would think the given answers are correct.
It is neither an Entra role nor an Azure role, it is "an app-specific role" created in the app registration. Users are assigned their roles under "Users and Groups".
Agreed with Parab. User 1 - Users and Groups User 2 - Self-service
Roles and administrators-assign Role1 to User1 Self service-enable User2 to request access to App1
1. Roles and administrators 2. Self-service https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-self-service-access#enable-self-service-application-access-to-allow-users-to-find-their-own-applications Self-service application access is a great way to allow users to self-discover applications, and optionally allow the business group to approve access to those applications. For password single-sign on applications, you can also allow the business group to manage the credentials assigned to those users from their own My Apps portal.
The question is poorly worded. "App-specific role" means nothing. It is not clear if the custom role is an AD (Entra) role and an RBAC role.
It IS clear. It is "an app-specific role" created under "App roles" in the app registration. NOT an Azure AD role, NOT an RBAC role.
It IS clear. It is "an app-specific role" created under "App roles" in the app registration. NOT an Azure AD role, NOT an RBAC role.
Vote for users and groups for #1 since Roles and Administrators section still in preview [As shown in screenshot]
It is not in preview anymore.
The selected answers are correct.
1. Users and Groups for User1 2. Self-service for User2
Box 1:users and groups Box 2: Self Service - Under Self Service, there is an option to Allow users to request access to this application.
Given answer are correct since the question mentioned about custom role. However, in order to add custom role, P1 or P2 license is required. Below from the Azure dashboard - "To create custom roles, your organization needs Microsoft Entra ID Premium P1 or P2".
This is about about Azure AD roles, we have "an app-specific role" created in the app registration.
"An app-specific role" is created in under "App roles" the app registration. Users are assigned their app roles under "Users and Groups". Thus: Users and Groups, and Self-service.
To assign Role1 to User1 and enable User2 to request access to App1, you need to modify the following settings in the App1 enterprise application configuration: Roles and Administrators: This setting is where you can assign Role1 to User1. Navigate to the "Roles and Administrators" section and assign the specific app role (Role1) to User1. Self-service: This setting allows you to enable User2 to request access to the application. By configuring self-service settings, you can enable users to request access to App1 directly from the Azure AD portal.
I checked it in an app, what is under users and groups. I can select a user, but under "select a role" I can only see 'default access'. How can I add a custom role then? (Default access option cannot be mofified)
To grant Role1 to User 1, you assign them that role in the app’s Users and groups blade. To allow User 2 to request access, you enable and configure the app’s Self-service settings.
On exam 07.04.2025