Question 6 of 125

HOTSPOT -

You are developing an application that will run as an overnight background service on a server. The service will access web-hosted resources by using the application's identity and the OAuth 2.0 client credentials grant flow.

You register the application and grant permissions. The tenant administrator grants admin consent to the application.

You need to get the access token from Azure Active Directory (Azure AD).

Which URI should you use for the POST request? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Oauth2 client_id client_secret -

    The authorization code flow begins with the client directing the user to the /authorize endpoint.

    Box 1: token -

    Use the authorization code to request an access token.

    Now that you've acquired an authorization code and have been granted permission by the user, you can redeem the code for an access token to the desired resource, by sending a POST request to the /token endpoint:

    Box 2: authorization_code -

    Use the authorization code to request an access token.

    Example:

    // Line breaks for legibility only
    POST /{tenant}/oauth2/token HTTP/1.1
    Host: https://login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code
    ...etc.

    Note: At a high level, the entire authorization flow for an application looks a bit like this: [flow diagram not reproduced]

    Reference:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

Question 7 of 125

You develop a web API named WebApi1.

When validating a token received from a client application, WebApi1 receives an MsalUiRequiredException from Azure Active Directory (Azure AD).

You need to formulate the response that WebApi1 will return to the client application.

Which HTTP response should you send?

    Correct Answer: C

    When validating a token, an MsalUiRequiredException from Azure AD typically indicates that the token is missing required claims, has expired, or is otherwise invalid, which means the user needs to perform an interactive authentication flow. In this context, the most appropriate HTTP response to return would be 403 Forbidden, which informs the client that the request was understood but the server is refusing to fulfill it without proper authentication.

Question 8 of 125

You have a backend service that will access the Microsoft Graph API. The backend service is hosted on-premises.

You need to configure the service to authenticate by using the most secure authentication method.

What should you configure the service to use?

    Correct Answer: A

    To securely authenticate a backend service accessing the Microsoft Graph API, the service should use a certificate. Certificate-based authentication is more secure compared to other options such as a client secret, shared key, or hash because certificates can be managed more securely, involve asymmetric cryptography, and can be more easily rotated and enforced with expiry dates. Using a certificate ensures a higher level of security and helps prevent unauthorized access.

Question 9 of 125

You develop a web API named WebApi1.

When validating a token received from a client application, WebApi1 receives an MsalUiRequiredException from the Microsoft identity platform.

You need to ensure that the client application has the information required to complete the authentication.

Which header should you include in the HTTP response sent from WebApi1 to the client application?

    Correct Answer: C

    When a web API receives an MsalUiRequiredException from the Microsoft Identity Platform, it indicates that additional authentication steps are required. To inform the client application of the necessary actions, the API should include the WWW-Authenticate header in the HTTP response. This header is used to convey authentication challenges, providing the client with information on how to complete the authentication process.

Question 10 of 125

HOTSPOT -

You are developing a single-page application (SPA) named App1 that will be used by the public.

Many users of App1 restrict pop-up windows from opening in their browser.

You need to authenticate the users by using the Microsoft identity platform. The solution must meet the following requirements:

✑ Ensure that App1 can read the profile of a user.

✑ Minimize user interaction during authentication.

✑ Prevent App1 from requiring admin consent for any permissions.

How should you complete the code? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Reference:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-acquire-token?tabs=javascript1