Microsoft Azure Developer Associate AZ-204 Practice Question
You are developing an ASP.NET Core Web API protected with the Microsoft Identity platform (v2 endpoint). Client apps will call the API either on behalf of a signed-in user (delegated flow) or as a daemon service (client-credentials flow). The API must programmatically verify the permission conveyed in the token. Which claim should the API evaluate in each scenario?
Delegated flow - check the scp (scope) claim; client-credentials flow - check the roles claim.
Delegated flow - check the aud claim; client-credentials flow - check the appid claim.
Delegated flow - check the groups claim; client-credentials flow - check the scope claim.
Delegated flow - check the roles claim; client-credentials flow - check the scp (scope) claim.
Access tokens obtained through delegated flows include the scp (scope) claim, which lists the delegated permissions that the user and client app have for the target API. Tokens obtained through the client-credentials flow never carry scp; instead they include the roles claim that lists the application roles (app-only permissions) granted to the calling service principal. Therefore, the API should inspect the scp claim when the call is on behalf of a user and the roles claim when the call is made by a daemon or background service. Inspecting roles for delegated tokens or scp for app-only tokens will always fail, because those claims are not issued in those contexts. Other claims such as aud, appid, or groups do not directly convey the permission being requested.
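The check described in the explanation, as an added C# example (not code from the original page or from Microsoft). It assumes the JWT bearer middleware has already validated the token's signature, issuer and audience; the permission names `Orders.Read` and `Orders.Read.All` are hypothetical. Both the short claim names and the long names that ASP.NET Core's inbound claim mapping can produce are looked up.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

// Added example: permission names below are hypothetical, not from the page.
public static class TokenPermission
{
    // Depending on inbound claim mapping, the handler keeps the short JWT
    // names or rewrites them to long URIs, so both forms are accepted.
    static readonly string[] ScopeTypes = { "scp", "http://schemas.microsoft.com/identity/claims/scope" };
    static readonly string[] RoleTypes = { "roles", ClaimTypes.Role };

    public static bool IsAllowed(ClaimsPrincipal user, string delegatedScope, string appRole)
    {
        // scp is a single space-separated string of delegated permissions.
        var scopes = user.Claims
            .Where(c => ScopeTypes.Contains(c.Type))
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToArray();

        // Delegated call: decide on scp alone, never fall through to roles.
        if (scopes.Length > 0)
            return scopes.Contains(delegatedScope, StringComparer.Ordinal);

        // No scp: app-only call. Each entry of the roles array is its own claim.
        return user.Claims.Any(c => RoleTypes.Contains(c.Type)
                                    && string.Equals(c.Value, appRole, StringComparison.Ordinal));
    }

    static ClaimsPrincipal Principal(params (string Type, string Value)[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(
            claims.Select(c => new Claim(c.Type, c.Value)), "Bearer"));

    public static void Main()
    {
        // Constructed claim sets standing in for already-validated access tokens.
        var delegated = Principal(("scp", "Orders.Read User.Read"));
        var daemon = Principal(("roles", "Orders.Read.All"));
        var mappedDaemon = Principal((ClaimTypes.Role, "Orders.Read.All"));
        var wrongScope = Principal(("scp", "User.Read"));

        foreach (var (name, p) in new[] { ("delegated", delegated), ("daemon", daemon),
                                          ("mappedDaemon", mappedDaemon), ("wrongScope", wrongScope) })
            Console.WriteLine($"{name}: {IsAllowed(p, "Orders.Read", "Orders.Read.All")}");
    }
}
```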
Implement Azure security