Tutorial / Cram Notes
Managing user permissions for application registrations is a critical aspect of security and governance in Microsoft 365 environments. In the context of the MS-100: Microsoft 365 Identity and Services exam, understanding how to properly set up and control these permissions is essential for any IT professional.
Application registrations in Azure Active Directory (Azure AD) are used when you want to integrate applications with Microsoft 365 services. These registrations determine how an application interacts with Azure AD to access resources, such as user profile data, group membership, or other directory information.
Key Concepts
- Application Registration: Registering an application in Azure AD so that it can authenticate and request permissions.
- Permissions: Defined as scopes or roles, they determine the level of access an application has to resources.
- Consent: The process of granting permissions to an application by a user or an administrator.
Types of Permissions
There are two primary types of permissions:
- Delegated permissions are used by apps that have a user signed in. These permissions delegate user rights, allowing the app to act as the signed-in user when accessing resources.
- Application permissions are used by apps that run without a signed-in user present; this is typical for background services or daemons.
Managing User Permissions
Via Azure Portal
For Azure AD application registrations, you can manage permissions through the Azure portal by following these steps:
- Navigate to the Azure portal and sign in with an account that has the necessary permissions.
- Go to Azure Active Directory > App registrations and select the application you wish to configure.
- Click on “API permissions” to view the permissions that the application requires.
- To add permissions, click “Add a permission” and select the appropriate API.
- For delegated permissions:
  - Choose a specific API (e.g., Microsoft Graph)
  - Select “Delegated permissions” and choose the permissions the app needs
- For application permissions:
  - Choose a specific API (e.g., Microsoft Graph)
  - Select “Application permissions” and choose the permissions the app needs
- After adding permissions, an admin may need to grant admin consent if the permissions require it.
- Review the permissions and ensure they follow the principle of least privilege.
Via PowerShell
Administrators can also manage Azure AD app permissions via PowerShell using the AzureAD or MSGraph modules. Here’s a simplified example of assigning an application permission to an app registration:
Connect-AzureAD -Credential $yourCreds
# Assign an application permission (app role) to the app registration's service principal
$app = Get-AzureADApplication -SearchString "YourAppName"
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $app.AppId }
# Office 365 Exchange Online is the resource API that defines the application permission
$exchangeAppId = "00000002-0000-0ff1-ce00-000000000000"
$exchangePermissionName = "full_access_as_app"
$exchangeSp = Get-AzureADServicePrincipal -Filter "appId eq '$exchangeAppId'"
# Look the role up on the resource (Exchange Online), not on the app's own service principal
$appRole = $exchangeSp.AppRoles | Where-Object { $_.Value -eq $exchangePermissionName -and $_.AllowedMemberTypes -contains "Application" }
# PrincipalId = the app receiving the role, ResourceId = the API that exposes it, Id = the app role
New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $exchangeSp.ObjectId -Id $appRole.Id
Best Practices for Managing Permissions
- Least Privilege: Only grant permissions that are necessary for the application to function.
- Regular Reviews: Periodically review and audit permissions to ensure they are still necessary and revoke any that are unnecessary.
- Document Changes: Keep a log of changes made to permissions for future reference and audit purposes.
- Secure Application Secrets: Protect application secrets like client IDs and passwords or certificates and ensure they are not hardcoded.
Consent Framework
The consent framework plays a crucial role in managing permissions:
- User Consent: For delegated permissions, a user can consent to allow the application to access resources on their behalf.
- Admin Consent: For application permissions or delegated permissions that require it, an administrator grants consent for the entire tenant.
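As an added audit example that is not part of these notes, the following AzureAD-module script inventories what has actually been granted in a tenant: application permissions (app role assignments, which exist only through admin consent) and delegated permissions (OAuth2 permission grants, split into tenant-wide admin consent versus individual user consent). It supports both the “Regular Reviews” practice above and the consent framework just described. The Graph and Exchange Online app IDs are Microsoft’s well-known values; the list of “sensitive” roles is an assumption to tune per tenant.

```powershell
# Added example (not from the original notes): inventory the application and
# delegated permissions granted in a tenant with the AzureAD module.
# Assumes an account that can read the directory; the "sensitive" list and
# the two resource APIs below are chosen for illustration only.
Connect-AzureAD | Out-Null

$resourceAppIds = @{
    'Microsoft Graph'            = '00000003-0000-0000-c000-000000000000'
    'Office 365 Exchange Online' = '00000002-0000-0ff1-ce00-000000000000'
}
$sensitiveAppRoles = @('full_access_as_app', 'Directory.ReadWrite.All',
                       'Mail.ReadWrite', 'RoleManagement.ReadWrite.Directory')
$report = @()
foreach ($entry in $resourceAppIds.GetEnumerator()) {
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$($entry.Value)'"
    if (-not $resourceSp) { continue }
    # Map role GUID -> role value (e.g. 'Mail.ReadWrite') for readable output.
    $roleNames = @{}
    foreach ($role in $resourceSp.AppRoles) { $roleNames[$role.Id] = $role.Value }
    # Application permissions are app role assignments where this API is the
    # resource. They exist only through admin consent, never user consent.
    Get-AzureADServiceAppRoleAssignment -ObjectId $resourceSp.ObjectId -All $true |
        ForEach-Object {
            $value = $roleNames[$_.Id]
            $report += [pscustomobject]@{
                Client     = $_.PrincipalDisplayName
                Resource   = $entry.Key
                Type       = 'Application'
                Permission = $value
                Consent    = 'Admin (tenant-wide)'
                Sensitive  = [bool]($sensitiveAppRoles -contains $value)
            }
        }
}
# Delegated permissions are OAuth2 permission grants. ConsentType 'AllPrincipals'
# means an admin consented for the whole tenant; 'Principal' means one user
# consented for themselves only.
Get-AzureADOAuth2PermissionGrant -All $true | ForEach-Object {
    $consent = if ($_.ConsentType -eq 'AllPrincipals') { 'Admin (tenant-wide)' } else { 'User' }
    $report += [pscustomobject]@{
        Client     = (Get-AzureADServicePrincipal -ObjectId $_.ClientId).DisplayName
        Resource   = (Get-AzureADServicePrincipal -ObjectId $_.ResourceId).DisplayName
        Type       = 'Delegated'
        Permission = $_.Scope
        Consent    = $consent
        Sensitive  = $false
    }
}
$report | Sort-Object Sensitive, Client -Descending | Format-Table -AutoSize
```

Rows marked Sensitive are the first candidates for the least-privilege review; a delegated grant with Consent = User shows a permission an end user accepted on their own, which the consent settings described above can restrict.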
Considerations for MS-100 Exam
In preparation for the MS-100 exam, it is important to understand:
- How to register an application in Azure AD
- Differences between delegated and application permissions
- How to assign permissions and consent to an application
- How to monitor and audit app registration permissions
- How to secure application secrets
Being proficient in these areas ensures that you are well-equipped to manage user permissions for application registrations within a Microsoft 365 environment.
Practice Test with Explanation
True or False: User permissions for application registrations can be managed in the Azure Active Directory portal.
- True
Correct Answer: True
Explanation: Azure Active Directory portal is where administrators can manage user permissions for application registrations.
True or False: Everyone, including non-administrators, can register applications in Azure AD by default.
- True
Correct Answer: True
Explanation: By default, any user in the Azure AD tenant can register an application, though this setting can be changed by an administrator.
True or False: Application permissions always require a user’s consent to be granted.
- False
Correct Answer: False
Explanation: Application permissions do not require user consent; these are granted by administrators at the application level and allow the application to run without a user being signed in.
In which section of the Azure AD application registration can you set who can consent to the app’s permissions?
- A. Authentication
- B. API permissions
- C. Owners
- D. Branding
Correct Answer: B. API permissions
Explanation: Under the API permissions section, you can set who can consent to the application permissions, including admin consent configurations.
Which of the following can grant consent for application permissions for all users in an Azure AD tenant? (Select all that apply)
- A. Global Administrator
- B. Application Administrator
- C. Regular User
- D. Cloud Application Administrator
Correct Answer: A. Global Administrator, B. Application Administrator, D. Cloud Application Administrator
Explanation: Global Administrators, Application Administrators, and Cloud Application Administrators have the rights to grant consent for application permissions for all users in the Azure AD tenant.
True or False: The “Grant admin consent for {Tenant}” option is available to any user within the Azure AD organization.
- False
Correct Answer: False
Explanation: The “Grant admin consent for {Tenant}” option is only available to users with the necessary administrative privileges such as Global Administrators or certain custom roles with consent rights.
Which PowerShell cmdlet is used to assign an application role to a user or group?
- A. New-AzureADUserAppRoleAssignment
- B. Add-AzureADApplicationPolicy
- C. Set-AzureADUser
- D. Set-AzureADApplication
Correct Answer: A. New-AzureADUserAppRoleAssignment
Explanation: The New-AzureADUserAppRoleAssignment cmdlet is used to assign a user or a group to an application role, which is a part of managing user permissions for application registrations.
True or False: Admin consent is required when the application needs to access resources on behalf of a user.
- False
Correct Answer: False
Explanation: Admin consent is required for application permissions, which allow access to resources without a user being present. User consent is typically required when the application needs to access resources on behalf of a user (delegated permissions).
What role should a user have to manage all aspects of app registrations in Azure AD?
- A. Global Administrator
- B. Application Developer
- C. Directory Readers
- D. User Administrator
Correct Answer: A. Global Administrator
Explanation: The Global Administrator role has the permissions to manage all aspects of Azure AD, including app registrations.
True or False: You can set application permissions to be ‘read-only’ for certain users in Azure AD.
- True
Correct Answer: True
Explanation: It is possible to configure permissions such that certain users may have read-only access to application registrations, typically through custom role assignments or limiting their roles like Directory Reader.
What feature allows you to restrict application registration permissions to specific user groups within Azure AD?
- A. Conditional Access Policies
- B. Application Access Control
- C. Application registration policies
- D. Group-based licensing
Correct Answer: C. Application registration policies
Explanation: Application registration policies in Azure AD can be used to restrict who can register applications. You can set these policies to limit registration to certain groups of users.
After an Azure AD application registration, where can you manage the scopes and claims that the application exposes to consuming apps?
- A. Enterprise applications
- B. Expose an API
- C. App registrations overview
- D. Authentication
Correct Answer: B. Expose an API
Explanation: Within the “Expose an API” section of the app registration, you can define the scopes and claims that your application exposes to other applications.
Great insights on managing user permissions for app registrations in MS-100!
Could anyone explain the difference between App roles and API permissions in Microsoft 365?
Remember to use Azure AD Conditional Access policies to better secure your applications.
How do you handle consent requests for API permissions in a large organization?
Can someone clarify the difference between delegated permissions and application permissions?
Don’t forget to periodically review app permissions to ensure they are still required.
Have you experienced any issues with granting API permissions via the Azure portal?
Thanks for the valuable information!