Your company has an Azure subscription named Sub1 that is associated with an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?
A. B. C. D.
Answer: B
Delegated permissions - Your client application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission requires administrator consent.
Incorrect Answers:
A, D: Application permissions - Your client application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for public (desktop and mobile) client applications.
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
To ensure that App1 can access secrets in Azure Key Vault on behalf of the application users, you need to configure delegated permissions that require admin consent.
Delegated permissions allow an application to perform actions on behalf of a signed-in user, and admin consent is required when an application requests permissions that could affect other users in the organization.
Here are the details of each answer option:
A. An application permission without admin consent: Application permissions allow an application to perform actions on behalf of itself, rather than on behalf of a user. This option is not appropriate for the scenario because you need App1 to access secrets on behalf of the application users, not on its own behalf.
B. A delegated permission without admin consent: Delegated permissions allow an application to perform actions on behalf of a user, but without admin consent, the application would only be able to access secrets for the signed-in user. This option is not appropriate because App1 needs to access secrets for all application users, not just the signed-in user.
C. A delegated permission that requires admin consent: This option is the correct answer. Delegated permissions require the user's consent and, in some cases, the admin's consent. In this scenario, you want App1 to access secrets in Azure Key Vault on behalf of all application users, so you need to configure a delegated permission that requires admin consent.
D. An application permission that requires admin consent: As mentioned earlier, application permissions allow an application to perform actions on behalf of itself, rather than on behalf of a user. This option is not appropriate for the scenario because you need App1 to access secrets on behalf of the application users, not on its own behalf.
Therefore, the correct answer is C: a delegated permission that requires admin consent.