You need to authenticate the user to the corporate website as indicated by the architectural diagram. Which two values should you use? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
You need ID Token Claims for authorisation.
You need to validate ID Token signature as a part of authentication.
So the correct answer is A.
Having both D & E does not make sense; the URI has the tenant ID in it, so answer D.
Couldn't agree more.
The ID token signature should be validated to authenticate the user.
To get a token you need to make a request to the Microsoft Identity Platform endpoint, which also contains the tenant.
So most appropriate are A and D
https://learn.microsoft.com/en-us/entra/identity-platform/claims-validation
To validate the ID token we need to validate its signature (to ensure it has not been tampered with) and we need to validate the aud claim (the application ID is sent as the audience ('aud') claim in the access token).
So I believe it's A and B
For authentication it is DE: you need the endpoint and the tenant you are authenticating against.
Post-authentication it is AB: post-authentication we will use claims and can use the signature to verify the response,
so it depends what the guys are asking.
I think they are asking what you will use to authenticate, and in that case it has to be DE,
not AB, which you don't know prior to authenticating. The signature and claims are received after sending the authentication request when we perform an id_token request.
I was wrong for a few reasons.
It is not the URL but rather the URI, which means that D) already contains E).
That said, in order for the authentication to be completed the signature needs to be verified, and that is done by comparing the response with the id_token signature.
I think the correct answer is A and B based on the following: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#validate-the-id-token
"Receiving an ID token in your app might not always be sufficient to fully authenticate the user. You might also need to validate the ID token's signature and verify its claims per your app's requirements."
Since the app Id is mentioned in the requirements, I assume that you need to validate the signature and the aud claim
Guys, this is a standard sign-in flow. I think the correct answer is AE. First you need to know the tenant ID so you'll be able to send a sign-in request GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize? and in reply you'll get an id_token (JWT), which in turn can be used to get an access token for the UserInfo endpoint. I'm not 100% sure, but this way it makes sense to me.
Answer A+ B
"Each correct answer presents part of the solution"
From a JWT, the header and signature are used to verify the authenticity of the token. The signature is the raw information to verify, so A is correct.
You need the claims in the header to validate the signature of the token, especially the 'kid' claim. So you need header claims (these are token claims, answer B) as well.
https://learn.microsoft.com/en-us/azure/active-directory/develop/id-tokens
https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
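The validation steps the thread keeps circling around (look up the key by the header's 'kid', check the signature before trusting anything, then check iss against the tenant, aud against the app's client ID, and the lifetime) as an added example, not code from the thread or from Microsoft. The tenant ID, client ID and key set are constructed; HS256 with a local key stands in for the RS256/JWKS setup a real Entra ID token uses so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (not from the thread). Real Entra ID tokens are
# RS256-signed with keys fetched from the tenant's JWKS endpoint; a symmetric
# HS256 key set keyed by 'kid' is used here only so the example runs offline.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "6731de76-14a6-49ae-97bc-6eba6914391e"
KEYS = {"kid-2024": b"constructed-signing-key"}
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, kid: str) -> str:
    """Mint a test token the way an issuer would (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_id_token(token: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and lifetime all hold; raise otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_unb64url(h_b64))
    # 1. The header 'kid' selects the verification key; an unknown key or alg is a reject.
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown kid or unexpected alg")
    # 2. Verify the signature (constant-time compare) BEFORE trusting any claim.
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(c_b64))
    # 3. Issuer pins the tenant; audience must be this app's client ID.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer (tenant)")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this app")
    # 4. Lifetime: reject expired or not-yet-valid tokens.
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    return claims
```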
"Which two values should you use?" Where, Microsoft, where? While forwarding the request to an authorize endpoint to retrieve an ID token? Or while validating the ID token signature? The question creator had something in his mind when he suddenly stopped thinking. We have to guess where he stopped. This is a psychology question.
I want to go for ID token signature and the token-claims as the answer.
To check authentication, one needs to first validate the signature to be sure it is correct, check that the audience is the application, and then of course check the service principal (combination of oid and sub claims). But all of these are in the ID token (claims and the signature). So I just need the ID token.
Wait a minute, I'm overthinking. I do not think this certification department at Microsoft understands the difference between authentication and authorization. So the right answer, at the level of Microsoft intelligence, is DE. Look at the "steps to authenticate": they mention an access token there. That clearly shows they do not understand the authentication steps. Because it uses an access_token it cannot be A and B.
1. The user has to authenticate by clicking on a link in the web app. It means that the "tenant ID" of the AD is used here, not the URI.
2. You have to use the aud claim to ensure that the user intended to call the application. If the identifier of the resource isn't in the aud claim, reject it.
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#validating-tokens
In my opinion, the right answers are:
B: ID token claims
E: Azure AD tenant ID
Not sure at all, but these were the right options chosen by other exam websites.
Claims are for authorization. The signature is used for authentication, and the endpoint url includes the tenant id, so A&D are correct by process of elimination.
Authentication is not sign-in!
So for example API Management needs to check whether the user is as stated.
So it needs
* D to find the correct authentication "service".
* And to check if the user is as stated, "A" is needed, since this is the only option that contains information about the user.
B is not viable since the claims alone are not trustworthy.
I don't know why E would help and it can surely not replace A or D.
C is surely not needed since it contains neither information about the user nor the AD.
To authenticate, you need to know the URL of the auth service API and the tenant ID, i.e. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
After visiting that URL, you will be presented with the AD consent and login; then the auth code is appended to the redirect URL, which can be used to get the access token.
so answer is D and E.