
Exam AZ-204 topic 4 question 43 discussion

Actual exam question from Microsoft's AZ-204
Question #: 43
Topic #: 4

HOTSPOT -
You have a single page application (SPA) web application that manages information based on data returned by Microsoft Graph from another company's Azure
Active Directory (Azure AD) instance.
Users must be able to authenticate and access Microsoft Graph by using their own company's Azure AD instance.
You need to configure the application manifest for the app registration.
How should you complete the manifest? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: true -
The oauth2AllowImplicitFlow attribute specifies whether this web app can request OAuth 2.0 implicit flow access tokens. The default is false. This flag is used for browser-based apps, like JavaScript single-page apps.
In implicit flow, the app receives tokens directly from the Azure Active Directory (Azure AD) authorize endpoint, without any server-to-server exchange. All authentication logic and session handling is done entirely in the JavaScript client with either a page redirect or a pop-up box.

Box 2: requiredResourceAccess -
With dynamic consent, requiredResourceAccess drives the admin consent experience and the user consent experience for users who are using static consent.
However, this parameter doesn't drive the user consent experience for the general case. resourceAppId is the unique identifier for the resource that the app requires access to. This value should be equal to the appId declared on the target resource app. resourceAccess is an array that lists the OAuth 2.0 permission scopes and app roles that the app requires from the specified resource; each entry contains the id and type values of the requested permission.
Example:
"requiredResourceAccess": [
  {
    "resourceAppId": "00000002-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
        "type": "Scope"
      }
    ]
  }
],
Incorrect Answers:
✑ The legacy attribute availableToOtherTenants is no longer supported.
✑ The addIns attribute defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for their "FileHandler" functionality. This parameter lets services like Microsoft 365 call the application in the context of a document the user is working on.
Example:
"addIns": [
  {
    "id": "968A844F-7A47-430C-9163-07AE7C31D407",
    "type": "FileHandler",
    "properties": [
      {
        "key": "version",
        "value": "2"
      }
    ]
  }
],

Box 3: AzureADMyOrg -
The signInAudience attribute specifies what Microsoft accounts are supported for the current application. Supported values are:
✑ AzureADMyOrg - Users with a Microsoft work or school account in my organization's Azure AD tenant (for example, single tenant)
✑ AzureADMultipleOrgs - Users with a Microsoft work or school account in any organization's Azure AD tenant (for example, multi-tenant)
✑ AzureADandPersonalMicrosoftAccount - Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
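As an added example, not code from the exam page or from Microsoft, the script below reads an app manifest and reports on the three settings discussed above (implicit flow, requiredResourceAccess, signInAudience) the way a reviewer of a SPA registration would. The KNOWN_RESOURCES map, the severity labels and the sample manifest are my own constructions; the page's example resourceAppId 00000002-... is the legacy Azure AD Graph, while Microsoft Graph itself is 00000003-0000-0000-c000-000000000000.

```javascript
// Added example (not from the exam page or Microsoft): audit the manifest fields the question covers.
const KNOWN_RESOURCES = {
  "00000002-0000-0000-c000-000000000000": "Azure AD Graph (legacy)",
  "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
};
const VALID_AUDIENCES = new Set(["AzureADMyOrg", "AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"]);

function auditManifest(manifestText) {
  const m = JSON.parse(manifestText);
  const findings = [];
  const flag = (field, severity, message) => findings.push({ field, severity, message });

  // Box 1: implicit flow works for a SPA, but tokens come back in the URL fragment;
  // MSAL.js 2.x SPAs use the authorization code flow with PKCE instead.
  if (m.oauth2AllowImplicitFlow === true) {
    flag("oauth2AllowImplicitFlow", "medium", "implicit flow enabled; prefer auth code + PKCE");
  }
  // Box 2: every resource should be a known appId and every entry a delegated Scope;
  // a browser SPA holds no credential, so an application permission (type Role) is unusable.
  const resources = Array.isArray(m.requiredResourceAccess) ? m.requiredResourceAccess : [];
  let scopeCount = 0;
  for (const r of resources) {
    if (!KNOWN_RESOURCES[r.resourceAppId]) {
      flag("requiredResourceAccess", "low", `unrecognised resourceAppId ${r.resourceAppId}`);
    }
    for (const a of r.resourceAccess || []) {
      if (a.type === "Scope") scopeCount++;
      else flag("requiredResourceAccess", "high", `non-delegated permission ${a.id} (${a.type})`);
    }
  }
  if (scopeCount === 0) flag("requiredResourceAccess", "low", "no delegated scopes declared");
  // Box 3: signInAudience must be one of the documented values; the legacy
  // availableToOtherTenants attribute should not appear alongside it.
  if (!VALID_AUDIENCES.has(m.signInAudience)) {
    flag("signInAudience", "high", `invalid or missing value ${m.signInAudience}`);
  } else if (m.signInAudience === "AzureADandPersonalMicrosoftAccount") {
    flag("signInAudience", "medium", "personal Microsoft accounts admitted; confirm this is intended");
  }
  if ("availableToOtherTenants" in m) flag("availableToOtherTenants", "low", "legacy attribute, superseded by signInAudience");

  return { audience: m.signInAudience, implicitFlow: m.oauth2AllowImplicitFlow === true, scopeCount, findings };
}

// Constructed sample mirroring the suggested answer (scope id copied from the page's example).
const SAMPLE_MANIFEST = JSON.stringify({
  oauth2AllowImplicitFlow: true,
  requiredResourceAccess: [{ resourceAppId: "00000002-0000-0000-c000-000000000000",
    resourceAccess: [{ id: "311a71cc-e848-46a1-bdf8-97ff7156d8e6", type: "Scope" }] }],
  signInAudience: "AzureADMyOrg",
});
```

Run it with `console.log(auditManifest(SAMPLE_MANIFEST))`; the sample yields exactly one finding, the implicit-flow warning.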

Comments

vvlads
Highly Voted 3 years ago
I think the last one should be AzureADMultipleOrgs
upvoted 32 times
Jay456
6 months, 4 weeks ago
That is correct: https://learn.microsoft.com/en-us/entra/identity-platform/supported-accounts-validation
upvoted 3 times
OPT_001122
2 years, 6 months ago
I think Gmishra88 is correct. Question states that - "Users must be able to authenticate and access Microsoft Graph by using their own company's Azure AD instance." So it should be AzureADMyOrg
upvoted 6 times
SaintBahamut
3 years ago
same, question states that AD data is from external organisation
upvoted 4 times
plusJoyed
Highly Voted 1 year, 10 months ago
got on my exam 6/22/2023
upvoted 5 times
overhill
Most Recent 6 months ago
Why is implicit flow used?
upvoted 1 times
FeriAZ
1 year, 3 months ago
AzureADMultipleOrgs is correct "signInAudience" Explanation: This property defines the audience that can sign in to the application. Values: "AzureADMyOrg": Only users from your organization can sign in. "AzureADMultipleOrgs": Users from any Azure AD tenant can sign in. "AzureADandPersonalMicrosoftAccount": Allows sign-in from Azure AD (any tenant) and personal Microsoft accounts.
upvoted 1 times
isabelisabelisabel
1 year, 5 months ago
The sign-in audience for the application manifest should be AzureADMultipleOrgs. This is because the application needs to support accounts in any organizational directory, which is one of the options for the supported account types in the app registration. The signInAudience property in the manifest corresponds to the supported account types, and the value AzureADMultipleOrgs indicates that the application can be used by any Microsoft Entra organization.
upvoted 2 times
the_odd_one
1 year, 6 months ago
Would it be an option to use Azure AD B2B collaboration to invite guest users from tenant B (Microsoft Graph tenant) to access the application in tenant A (application tenant). Would then set signInAudience to "AzureADMyOrg" to restrict sign-ins to users from the specific Azure AD tenant associated with the application (tenant A).
upvoted 2 times
apparaog99
2 years, 4 months ago
On my exam 12/31
upvoted 2 times
AWAPass
2 years, 4 months ago
On exam 29/12/2022
upvoted 1 times
gmishra88
2 years, 7 months ago
Given answers are correct. signInAudience: Specifies what Microsoft accounts are supported for the current application. The users log in with the current organization's AD accounts. This does not talk about the external access. And that is probably the red herring Microsoft added to the mix so that you will make a mistake and they win. Microsoft always wins.
upvoted 5 times
TonyMel
2 years, 1 month ago
correct, in 2023Mar24, score: 904/1000.
upvoted 3 times
Knightie
2 years, 8 months ago
✑ AzureADMyOrg - Users with a Microsoft work or school account in my organization's Azure AD tenant (for example, single tenant) ✑ AzureADMultipleOrgs - Users with a Microsoft work or school account in any organization's Azure AD tenant (for example, multi-tenant) ✑ AzureADandPersonalMicrosoftAccount - Users with a personal Microsoft account, or a work or school account in any organization's Azure AD tenant [Answer]
upvoted 3 times
Knightie
2 years, 8 months ago
first one is the current Tenant, second one is any Tenant under your Org, third one is any Tenant under Any Org... so only the 3rd make sense.
upvoted 1 times
finnishr
2 years, 8 months ago
That makes no sense. The difference between AzureADMultipleOrgs and AzureADandPersonalMicrosoftAccount is that AzureADandPersonalMicrosoftAccount also includes personal Microsoft accounts, which we don't want to include.
upvoted 2 times
sghaha
3 years ago
in Korean https://docs.microsoft.com/ko-kr/azure/active-directory/develop/reference-app-manifest
upvoted 1 times