Exam AZ-204 topic 4 question 19 discussion

Actual exam question from Microsoft's AZ-204
Question #: 19
Topic #: 4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a website that will run as an Azure Web App. Users will authenticate by using their Azure Active Directory (Azure AD) credentials.
You plan to assign users one of the following permission levels for the website: admin, normal, and reader. A user's Azure AD group membership must be used to determine the permission level.
You need to configure authorization.
Solution:
✑ Configure and use Integrated Windows Authentication in the website.
✑ In the website, query Microsoft Graph API to load the groups to which the user is a member.
Does the solution meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B 🗳️

Comments

mlantonis
Highly Voted 4 years ago
Correct Answer: B - No
Reference:
https://docs.microsoft.com/en-us/archive/blogs/waws/azure-app-service-authentication-aad-groups
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication
https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-overview?view=graph-rest-1.0
upvoted 36 times
lugospod
3 years, 4 months ago
I would say yes. Because if you have AD federation, then just by enabling WINDOWS authentication in your web app you gain access to Azure AD... so it is feasible
upvoted 1 times
mattvasc
3 years, 3 months ago
Authentication isn't the same as authorization, what about the roles? The answer is No.
upvoted 5 times
...
...
...
Tom87
Highly Voted 4 years, 2 months ago
I would say the solution meets the goal, according to this: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication
upvoted 10 times
coffecold
2 years, 7 months ago
No, that is only for desktop or mobile applications that run on Windows. This is a web app in Azure.
upvoted 4 times
warchoon
2 years, 3 months ago
The browser is such an application
upvoted 1 times
...
...
...
Vichu_1607
Most Recent 7 months, 3 weeks ago
Selected Answer: B
No, the solution does not meet the goal
upvoted 1 times
...
MysticalSam
1 year, 12 months ago
This question was in today's exam on 10-June-2023
upvoted 5 times
...
hubekpeter
2 years, 6 months ago
Selected Answer: A
It's perfectly doable. Voting for A.
upvoted 1 times
vizay
1 month ago
While querying Microsoft Graph API to check the user's group membership is a valid approach, the first step — using Integrated Windows Authentication (IWA) — is not suitable for most Azure Web Apps that are accessed over the internet.
🔍 Here's why:
  • IWA is mainly for internal networks (like inside a company) — not for internet-based apps like Azure Web Apps.
  • Azure Web Apps typically use OpenID Connect/OAuth 2.0 with Azure AD for authentication — not IWA.
  • Also, IWA doesn't work cross-platform or on non-Windows devices easily.
✔️ A better approach would be:
  • Register your web app in Azure AD.
  • Assign users to Azure AD groups (admin, normal, reader).
  • In your app, decode the JWT token and check the groups claim or call Microsoft Graph to get group membership.
  • Based on the group, set the user's permission.
upvoted 1 times
...
...
OPT_001122
2 years, 6 months ago
Selected Answer: B
Correct Answer: B. No
upvoted 1 times
...
Eltooth
2 years, 11 months ago
Selected Answer: B
B is the correct answer. No.
upvoted 2 times
...
vavra
3 years ago
I think it's B, because of this: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication Federated users only, i.e. those created in an Active Directory and backed by Azure Active Directory. Users created directly in AAD, without AD backing - managed users - cannot use this auth flow. This limitation does not affect the Username/Password flow.
upvoted 2 times
...
minaritochuck
3 years, 1 month ago
Integrated Windows authentication is for "Intranet Application" (Although AD manages it) so don't use it on a website
upvoted 2 times
...
minaritochuck
3 years, 2 months ago
It makes sense for app to use Integrated Windows Authentication (Implicit grant) for authentication and authorized by Microsoft Graph to access AD resources. https://docs.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0
upvoted 1 times
...
EwanoE
3 years, 2 months ago
Selected Answer: B
Question says "website that will run as an Azure Web App" and there's no Integrated Windows Authentication in Azure Web App (aka App Service)
upvoted 2 times
...
Freidrich
3 years, 3 months ago
Selected Answer: B
The correct answer is B: No.
upvoted 1 times
...
mattdober
3 years, 4 months ago
Selected Answer: B
I think it's B
upvoted 1 times
...
ScubaDiver123456
3 years, 4 months ago
Selected Answer: A
The answer is YES, assuming the application is hosted on a domain-joined VM. This document shows you how to set it up https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Integrated-Windows-Authentication
upvoted 1 times
ScubaDiver123456
3 years, 4 months ago
Sorry. It does say it is an Azure Web App which can only run on Azure App Service. You can't join the underlying VMs to Active Directory. Therefore, I'm changing my vote to NO
upvoted 9 times
...
...
ning
3 years, 9 months ago
No, windows integrated authentication is NOT azure AD, you need app registration to get Azure AD
upvoted 7 times
...
kondapaturi
3 years, 11 months ago
Answer – No, Here you need to create an application in Azure AD. Then set the groupMembershipClaims claims. Then inspect the token in the application to see if the user is part of that group.
upvoted 5 times
...
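The token-inspection approach described in the comments by kondapaturi and vizay (read the `groups` claim, fall back to Microsoft Graph when it is missing), as an added example that is not part of the original thread. It assumes the claims come from a token whose signature, issuer and audience were already validated; the group object IDs are constructed placeholders and `fetch_groups` is a hypothetical stand-in for a Graph lookup.

```python
# Added example: map Azure AD group membership to the site's permission levels.
# Assumes `claims` were taken from an already validated token (signature,
# issuer, audience), e.g. by App Service authentication or a JWT library.

# Constructed placeholder group object IDs; real ones come from your tenant.
GROUP_TO_LEVEL = {
    "00000000-0000-0000-0000-00000000000a": "admin",
    "00000000-0000-0000-0000-00000000000b": "normal",
    "00000000-0000-0000-0000-00000000000c": "reader",
}
PRECEDENCE = ["admin", "normal", "reader"]  # highest privilege first


def has_group_overage(claims):
    """True when Azure AD omitted the groups claim because the user is in too
    many groups: `hasgroups` (implicit flow) or `_claim_names.groups` is set."""
    if claims.get("hasgroups") in (True, "true"):
        return True
    return "groups" in claims.get("_claim_names", {})


def resolve_permission(claims, fetch_groups=None):
    """Return 'admin', 'normal', 'reader', or None (deny).

    fetch_groups is a hypothetical callable(user_object_id) -> iterable of
    group IDs, standing in for a Microsoft Graph call used only on overage.
    """
    if has_group_overage(claims):
        if fetch_groups is None:
            return None  # fail closed: membership cannot be determined
        group_ids = fetch_groups(claims["oid"])
    else:
        group_ids = claims.get("groups", [])
    normalized = {str(g).lower() for g in group_ids}
    levels = {GROUP_TO_LEVEL[g] for g in normalized if g in GROUP_TO_LEVEL}
    for level in PRECEDENCE:
        if level in levels:
            return level
    return None  # member of none of the three groups: no access
```

Treating a missing `groups` claim as "no groups" without checking for overage would silently downgrade or lock out users who belong to many groups, which is why the overage markers are checked first.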
Idkhow
3 years, 11 months ago
seriously what's the real answer?? in my opinion i think it's a yesn't Configure and use Integrated Windows Authentication in the website. (what does it have to do with the Integrated Windows Authentication) In the website, query Microsoft Graph API to load the group to which the user is a member. (like what the explanation said that it works)
upvoted 1 times
...