
Exam AZ-204 topic 4 question 4 discussion

Actual exam question from Microsoft's AZ-204
Question #: 4
Topic #: 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level.
You need to configure authorization.
Solution:
✑ Create a new Azure AD application. In the application's manifest, define application roles that match the required permission levels for the application.
✑ Assign the appropriate Azure AD group to each role. In the website, use the value of the roles claim from the JWT for the user to determine permissions.
Does the solution meet the goal?

  • A. Yes
  • B. No
Suggested Answer: A
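Added example (not part of the question or of any commenter's post): the two authorization approaches the thread contrasts, side by side. The first reads the `roles` claim produced when app roles are defined in the app manifest and groups are assigned to those roles; the second reads the `groups` claim produced by `groupMembershipClaims`. The manifest fragment, the GUIDs and the claim sets are constructed placeholders, and token signature, issuer, audience and expiry validation is assumed to have been done already by the Web App's authentication layer before these claims are trusted.

```python
"""Resolve a website permission level from the claims of an Azure AD token."""
import json

# Constructed manifest fragment (not copied from the page or from any real tenant):
# the "appRoles" array an app registration carries for the three permission levels.
# The ids are placeholder GUIDs; Azure AD requires each app role id to be a unique GUID.
APP_ROLES_MANIFEST = json.loads("""
{
  "appRoles": [
    {"allowedMemberTypes": ["User"], "description": "Full administrative access",
     "displayName": "Admin",  "id": "00000000-0000-4000-8000-000000000001",
     "isEnabled": true, "value": "admin"},
    {"allowedMemberTypes": ["User"], "description": "Standard user access",
     "displayName": "Normal", "id": "00000000-0000-4000-8000-000000000002",
     "isEnabled": true, "value": "normal"},
    {"allowedMemberTypes": ["User"], "description": "Read-only access",
     "displayName": "Reader", "id": "00000000-0000-4000-8000-000000000003",
     "isEnabled": true, "value": "reader"}
  ]
}
""")

# Precedence used when a user holds several roles or groups: the highest level wins.
LEVEL_RANK = {"admin": 3, "normal": 2, "reader": 1}


def enabled_role_values(manifest=APP_ROLES_MANIFEST):
    """Set of role 'value' strings that may legitimately appear in the roles claim."""
    return {r["value"] for r in manifest["appRoles"] if r.get("isEnabled")}


def permission_from_roles(claims, manifest=APP_ROLES_MANIFEST):
    """App-roles approach (the one in the question): groups are assigned to app
    roles on the enterprise application, and the token's `roles` claim lists the
    role values. Returns None when no enabled role is present, so the caller
    denies by default instead of falling back to a guessed level."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):          # tolerate a single-value claim
        roles = [roles]
    held = [r for r in roles if r in enabled_role_values(manifest)]
    if not held:
        return None
    return max(held, key=LEVEL_RANK.__getitem__)


# groupMembershipClaims approach (the alternative the thread discusses): the token's
# `groups` claim carries group object IDs, so the app needs its own ID -> level map.
# These GUIDs are constructed placeholders.
GROUP_TO_LEVEL = {
    "aaaaaaaa-0000-4000-8000-000000000001": "admin",
    "aaaaaaaa-0000-4000-8000-000000000002": "normal",
    "aaaaaaaa-0000-4000-8000-000000000003": "reader",
}


def permission_from_groups(claims, group_map=GROUP_TO_LEVEL):
    """Resolve the level from the `groups` claim. Group IDs not in the map are
    ignored. When a user belongs to too many groups, Azure AD omits `groups` and
    emits an overage marker instead; that case is surfaced rather than silently
    treated as 'no access'."""
    if "groups" not in claims and (claims.get("hasgroups") or "_claim_names" in claims):
        raise LookupError("group overage: groups claim omitted, query Microsoft Graph")
    levels = [group_map[g] for g in claims.get("groups", []) if g in group_map]
    if not levels:
        return None
    return max(levels, key=LEVEL_RANK.__getitem__)


if __name__ == "__main__":
    # Constructed claim sets, as they would look after the platform has validated
    # the token's signature, issuer, audience and expiry.
    sample_roles_claims = {"sub": "user-1", "roles": ["reader", "normal"]}
    sample_group_claims = {"sub": "user-2",
                           "groups": ["aaaaaaaa-0000-4000-8000-000000000003"]}
    print(permission_from_roles(sample_roles_claims))   # normal
    print(permission_from_groups(sample_group_claims))  # reader
```

The design point the thread circles around is visible in the two functions: with app roles the token already carries the permission level as a role value, and the group-to-level mapping lives in Azure AD (group assignment to app roles on the enterprise application requires an Azure AD Premium license); with `groupMembershipClaims` the token carries raw group object IDs and the mapping has to live in application code or configuration, and the group-overage case has to be handled explicitly.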

Comments

[Removed]
Highly Voted 4 years, 3 months ago
I agree that this solution should work as well. The roles get assigned by AD groups, so the requirement "A user's Azure AD group membership must be used to determine the permission level" is met. This solution should be answered with "yes". This scenario has 2 solutions provided as the approach using the "groupMembershipClaims" is possible as well. That's OK as it says "Some question sets might have more than one correct solution, while others might not have a correct solution."
upvoted 63 times
Mal22002
3 years, 1 month ago
There are many solutions when you're writing the code, but the question is whether the provided solution works or not, and it will not work. The second part of the solution fails the requirement "A user's Azure AD group membership must be used to determine the permission level," as it says "use the value of the roles claim". The answer is No.
upvoted 9 times
Adiu
2 years, 2 months ago
But AD groups are used to assign correct roles to them. So the roles claim is based on user’s AD groups membership.
upvoted 3 times
Adrian1405
Highly Voted 4 years, 4 months ago
This should be the correct answer: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
upvoted 20 times
iiiihhhh
4 years, 4 months ago
I think that without the "groupMembershipClaims" setting you will not be able to obtain group membership information and so the proposal doesn't meet the goal.
upvoted 8 times
bugimachi
4 years, 4 months ago
I am not too sure about this. "groupMembershipClaims" will include AAD groups' IDs in the JWT "groups" array, which is one way to go. The other way would be to add an app role in the manifest (which is not necessary for the first approach!) and then add groups to this role. This will include the app roles (but not the group IDs) in the JWT's "roles" array (but not in the "groups" array!). I liked this blog post to understand the difference: https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps
upvoted 13 times
clarionprogrammer
4 years ago
Excellent post! A. Yes. Final answer.
upvoted 6 times
FatSeal
2 years, 8 months ago
A user's Azure AD group membership must be used to determine the permission level!!!!!!!!!!!
upvoted 2 times
warchoon
2 years, 2 months ago
You can use groups for roles https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#:~:text=In%20the%20Create%20app%20role%20pane%2C%20enter%20the%20settings%20for%20the%20role.
upvoted 1 times
ALittleBunny
4 years, 4 months ago
You're totally right. It's just managing permissions in two different ways, groupMembershipClaims and assigning the appropriate Azure AD group to each role, which are both correct.
upvoted 7 times
ahadjithoma
4 years, 4 months ago
Requirement: A user's Azure AD group membership must be used to determine the permission level. Does that solution meet the above requirement?
upvoted 3 times
bugimachi
4 years, 4 months ago
I think so; you can add groups to app roles defined in manifest.
upvoted 4 times
rdemontis
4 years, 1 month ago
I think you can't instead, because AppRoles are intended for RBAC access control and not AAD group membership as required in the question. See this for more info: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
upvoted 2 times
Vichu_1607
Most Recent 6 months, 4 weeks ago
Selected Answer: A
Yes, the solution meets the goal. Defining application roles in the Azure AD application's manifest that match the required permission levels (admin, normal, reader) is a correct step. These roles can then be assigned to users or groups in Azure AD. Assigning the appropriate Azure AD groups to these application roles will ensure that a user's group membership determines their permission level in the application. When a user signs in, their role memberships will be included in their token, and your application can use this information to authorize their actions. Using the value of the roles claim from the JWT to determine permissions in the website is the correct approach. This claim will contain all the roles that the user is a member of.
upvoted 1 times
Jass1nonly
1 year, 2 months ago
This seems a valid approach from the links shared in the discussions. My answer is Yes. The given solution meets the goal.
upvoted 1 times
FeriAZ
1 year, 2 months ago
Selected Answer: A
This approach is a standard practice for implementing role-based access control (RBAC) in applications that use Azure AD for authentication. It leverages Azure AD's built-in capabilities for managing users, groups, and roles, providing a scalable and manageable method for handling authorization based on group membership.
upvoted 2 times
AlbertoBT
1 year, 5 months ago
Selected Answer: B
"Azure AD group membership must be used" https://learn.microsoft.com/en-us/entra/identity-platform/howto-add-app-roles-in-apps#app-roles-vs-groups App roles -> Provided in the roles claim Groups -> Provided in groups claim. Simple as that
upvoted 2 times
Weam
1 year, 5 months ago
I will go for (NO) because, while adding app roles, we don't have to apply any changes in the manifest file. The answer would be correct if it didn't state that we will apply changes in the manifest file. So the correct answer for this case study is to use group claims and apply a change to the manifest file to set group claims to (ALL) or (Security Group) or whatever option.
upvoted 1 times
Dixavado
1 year, 7 months ago
Selected Answer: B
It was on my exam today (2023-09-26) I went with the examtopics answer - score 850
upvoted 1 times
ayush66203
1 year, 6 months ago
These examtopics questions were sufficient for you to score 850? or you prepared from other sources too?
upvoted 1 times
MysticalSam
1 year, 10 months ago
This question was in today's exam on 10-June-2023
upvoted 2 times
Zoriark
2 years ago
ChatGPT A. Yes, the solution meets the goal. The solution correctly suggests creating a new Azure AD application and defining application roles that match the required permission levels. By assigning the appropriate Azure AD groups to each role, the application can determine a user's permission level based on their group membership. The roles claim from the JWT token can then be used in the website to determine the user's permissions. This approach allows for granular access control and ensures that users are assigned the correct permission level based on their group membership.
upvoted 2 times
70PineApple
2 years, 2 months ago
Got this in the exam today, 20/02/23.
upvoted 1 times
Jeeaak
2 years, 2 months ago
does the answer is yes
upvoted 2 times
Neckbread
1 year, 3 months ago
yes answer is the does
upvoted 1 times
Esward
2 years, 3 months ago
yes is the correct answer https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
upvoted 1 times
andrvelich
3 years ago
Selected Answer: A
should work as well
upvoted 1 times
Azprep
3 years ago
Answer should be yes
upvoted 1 times
Mal22002
3 years, 1 month ago
Selected Answer: B
The answer is No, the explanation is useless though. Requirement: A user's Azure AD group membership must be used to determine the permission level. The solution that failed the requirement: Assign the appropriate Azure AD group to each role. In the website, use the value of the roles claim from the JWT for the user to determine permissions. Azure AD group membership can be accessed in groups claim not in roles claim. Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
upvoted 4 times
mmdex
2 years, 2 months ago
Read carefully: "A user's Azure AD group membership must be used to determine the permission level." You are not trying to determine user's group membership. You are trying to determine their permission level. You don't need groups claim, roles is enough.
upvoted 1 times
Freidrich
3 years, 2 months ago
Selected Answer: A
I think the correct answer is A: Yes.
upvoted 3 times
idroj
3 years, 2 months ago
Selected Answer: A
The correct answer is yes
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)