Exam AZ-500 topic 5 question 13 discussion

Answer is correct - have validated

in the exam

Keywoard "On-Behalf of" mean admin need to consent for other users. Question asking about how to configure not how to use. Therefore the answer should be you need to configure C. a delegated permission that required admin conset . Once configured App1 can access the Key Vault secret on behalf of the users. Admin consent During admin consent, a Privileged Administrator might grant an application access on behalf of other users (usually, on behalf of the entire organization). Also during admin consent, applications or services provide direct access to an API, which is used by the application if there's no signed-in user. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview#admin-consent

C. a delegated permission that requires admin consent. This ensures App1 can access the Key Vault secrets on behalf of the users, with admin consent typically required for higher-level permissions like accessing secrets in a Key Vault.

To access the secrets the user needs user_impersonation which is a delegated permission that needs admin consent

in exam 13 Oct

use delegated permissions that require admin consent for better security and control.

B. a delegated permission without admin consent Outdated?

Correct answer. In exam Dec 21. 40 questions, 1 case study, no labs.

#exam ques # 29 Sep

In exam today

## Exam Question - 17 Sept 2021 ##

In order to achieve what is being asked, you need to assign API permission to the registered App. The API permission is Azure Key Vault user_impersonation and that is of type 'Delegated' and Admin Consent Required 'No' Hence B is correct.

Provided answer is correct. The term "on behalf of" always means "delegation" in OAuth2. Therefore it has to be the permission of the logged in user. However, since this is just a read of a keyvault (not high privileged), the app does not need the admin privilege.

"On-Behalf of" says that answer should be B. No admin consent needed. Let me explain Delegated permission with an Example, assume your app has been granted the User.ReadWrite.All delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app can update the profile of every user in the organization. However, if the signed-in user doesn't have an administrator role, your app can update only the profile of the signed-in user. It can't update the profiles of other users in the organization because the user that it has permission to act on behalf of doesn't have those privileges. This is "On-Behalf of" permission which ques mentioned.

NO YES NO

Answer:B. a delegated permission without admin consent Between Application and Deleted permissions, you have to choose Delegated permissions, becausethis can be done on behalf of the user.