Exam MS-600 topic 1 question 25 discussion

Actual exam question from Microsoft's MS-600

Question #: 25
Topic #: 1

You are building an app that will use the Microsoft Graph API and the Microsoft identity platform to enable users to perform the following tasks:
✑ Sign in to Azure Active Directory (Azure AD).
✑ View all the Microsoft 365 groups that they own.
Each week, the app will also email the users a list of the Microsoft 365 groups to which they belong.
You need to identify which permissions to assign to the app. The solution must use the principle of least privilege.
What should you identify?

A. User.Read delegated, Group.Read delegated, Group.Read application, and Mail.Send application permissions
B. User.Read delegated, Group.Read application, and Mail.Send delegated permissions
C. User.Read delegated, User.Read application, Group.Read application, and Mail.Send application permissions
D. User.Read delegated, Group.Read delegated, and Mail.Send delegated permissions

Show Suggested Answer

Suggested Answer: D 🗳️
Microsoft Graph API mail.send delegated permission is less privileged than mail.send application permission.
The same is true for Group.Read delegated compared to Group Read application.
Reference:
https://docs.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http https://docs.microsoft.com/en-us/graph/permissions-reference

by zodraz at Dec. 7, 2022, 7:35 p.m.