- (Exam Topic 2)
You have a line-of-business API that is secured by using Azure Active Directory (Azure AD). You deploy a solution to the app catalog. The solution requests permission to the API.
What should you do in the SharePoint admin center to ensure that the solution can access the API?

1. A. Create a SharePoint security group and add the solution
2. B. Create an access policy
3. C. Enable sandbox solutions
4. D. Approve a pending permission request

Correct Answer: D
Developers building a SharePoint Framework solution that requires access to specific resources secured with Azure AD list these resources along with the required permission scopes in the solution manifest. When deploying the solution package to the app catalog, SharePoint creates permission requests and prompts the administrator to manage the requested permissions. For each requested permission, tenant administrators can decide whether they want to grant or deny the specific permission.
All permissions are granted to the whole tenant and not to a specific application that has requested them. When the tenant administrator grants a specific permission, it is added to the SharePoint Online Client Extensibility Azure AD application, which is provisioned by Microsoft in every Azure AD and which is used
by the SharePoint Framework in the OAuth flow to provide solutions with valid access tokens.

- (Exam Topic 2)
You have a single-page application (SPA) named TodoListSPA and a server-based web app named TodoListService.
The permissions for the TodoList SPA API are configured as shown in the TodoList SPA exhibit. (Click the TodoListSPA tab.)

The permissions for the TodoListService API are configured as shown in the TodoListService exhibit. (Click the TodoListService tab.)

You need to ensure that TodoListService can access a Microsoft OneDrive file of the signed-in user. The solution must use the principle of least privilege.
Which permission should to grant?

1. A. the Sites.Read.All delegated permission for TodoListService
2. B. the Sites.Read.All delegated permission for TodoListSpa
3. C. the Sites.Read.All application permission for TodoListSPA
4. D. the Sites.Read.All application permission for TodoListService

Correct Answer: A
A client application gains access to a resource server by declaring permission requests. Two types are available:
"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client's access token.
"Application" permissions, which specify role-based access using the client application's credentials/identity, are presented to the resource at run-time as "roles" claims in the client's access token.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-glossary#permissions

- (Exam Topic 2)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a new application named App1 that uses the Microsoft identity platform to authenticate to Azure Active Directory (Azure AD).
Currently, App1 can read user profile information. You need to allow App1 to read the user’s calendar.
Solution: Add https://graph.windows.net/user.read to the list of scopes during the initial login request. Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: B
Microsoft Graph Calendars.Read allows the app to read events in user calendars.
For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process.
Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
References: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent https://docs.microsoft.com/en-us/graph/permissions-reference

- (Exam Topic 2)
You are building a server-based web app that will use OAuth2 and will be registered with the Microsoft identity platform.
Which two values does the app require to obtain tokens from the Azure Active Directory (Azure AD) authorization endpoint? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

1. A. the tenant ID
2. B. the context token
3. C. the application ID
4. D. the application secret
5. E. the authorization code

Correct Answer: CE
C: The required client_id is the Application (client) ID that the Azure portal – App registrations experience assigned to your app.
E: The authorization code flow begins with the client directing the user to the /authorize endpoint.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

- (Exam Topic 2)
This question requires that you evaluate the underlined BOLD text to determine if it is correct.
You develop a Microsoft Teams application that uses a messaging extension. Users can invoke the messaging extension from the Teams sidebar menu.
Instructions: Review the underlined text. If it makes the statement correct, select “No change is needed”. If the statement is incorrect, select the answer choice that makes the statement correct.

1. A. No change is needed
2. B. from the compose box of a Teams chat
3. C. by using the Manage teams option for a team
4. D. by using the Add a tab option in the Teams channel

Correct Answer: B
In the app manifest for your Microsoft Teams app you'll define a single messaging extension with up to ten different commands. Each command defines a type (action or search), and the locations in the client it can be invoked from (compose message area, command bar, and/or message).
Reference:
https://docs.microsoft.com/en-us/microsoftteams/platform/messaging-extensions/what-are-messaging-extension