You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/implement-app-registration/10-knowledge-check.yml
+4-4Lines changed: 4 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -18,11 +18,11 @@ content: |
18
18
quiz:
19
19
title: "Check your knowledge"
20
20
questions:
21
-
- content: "Which of the following directories is maintained by Microsoft and used to publish applications?"
21
+
- content: "Microsoft maintains which of the following directories and uses them to publish applications?"
22
22
choices:
23
23
- content: "SaaS directory"
24
24
isCorrect: false
25
-
explanation: "Incorrect. Application publishers/vendors who integrate with Microsoft Entra ID are required to have a SaaS directory."
25
+
explanation: "Incorrect. Application publishers/vendors who integrate with Microsoft Entra ID are required to have an SaaS directory."
26
26
- content: "App gallery directory"
27
27
isCorrect: true
28
28
explanation: "Correct. The two directories that Microsoft maintains are the App gallery directory and the Microsoft services directory."
@@ -33,13 +33,13 @@ quiz:
33
33
choices:
34
34
- content: "Follow the principle of least user access to ensure that your app only requests permissions it actually needs."
35
35
isCorrect: true
36
-
explanation: "Correct. Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they're agreeing to when they attempt to use your app's APIs."
36
+
explanation: "Correct. Provide appropriate names and descriptions for any permissions you expose as part of your app. The description helps users and admins know what they're agreeing to when they attempt to use your app's APIs."
37
37
- content: "Test your app in each tenant to ensure functionality."
38
38
isCorrect: false
39
39
explanation: "Incorrect. You should test your app in a tenant that has configured Conditional Access policies. Testing in every tenant isn't a best practice."
40
40
- content: "Use names and descriptions that are only meaningful to your team."
41
41
isCorrect: false
42
-
explanation: "Incorrect. Provide appropriate names and descriptions for any permissions you expose as part of your app. This helps users and admins know what they're agreeing to when they attempt to use your app's APIs."
42
+
explanation: "Incorrect. Provide appropriate names and descriptions for any permissions you expose as part of your app. The description helps users and admins know what they're agreeing to when they attempt to use your app's APIs."
43
43
- content: "Which two ways do you declare app roles by using the Azure portal?"
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/implement-app-registration/includes/1-introduction.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,4 @@
1
-
In this module, you will plan your line-of-business application registration strategy, implement application registrations, and configure application permissions.
1
+
In this module, you plan your line-of-business application registration strategy, implement application registrations, and configure application permissions.
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/implement-app-registration/includes/5-configure-application-permission.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -36,7 +36,7 @@ Microsoft identity platform supports two types of permissions: **delegated permi
36
36
*Effective permissions* are those that your app will have when making requests to the target resource. It's important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to the target resource.
37
37
38
38
- For delegated permissions, the *effective permissions* of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user are determined by policy or by membership in one or more administrator roles. To learn which administrator roles can consent to delegated permissions, see Administrator role permissions in Microsoft Entra ID.
39
-
- For example, assume your app has been granted the *User.ReadWrite.All* delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a application administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user isn't in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization, because the user whom it has permission to act on behalf of doesn't have those privileges.
39
+
- For example, assume your app has been granted the *User.ReadWrite.All* delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is an application administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user isn't in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization, because the user whom it has permission to act on behalf of doesn't have those privileges.
40
40
- For application permissions, the *effective permissions* of your app will be the full level of privileges implied by the permission. For example, an app that has the *User.ReadWrite.All* application permission can update the profile of every user in the organization.
41
41
42
42
## OpenID Connect Scopes
@@ -55,11 +55,11 @@ The email scope can be used with the openid scope and any others. It gives the a
55
55
56
56
### profile
57
57
58
-
The profile scope can be used with the openid scope and any others. It gives the app access to a substantial amount of information about the user. The information it can access includes, but isn't limited to, the user's given name, surname, preferred username, and object ID. For a complete list of the profile claims available in the id\_tokens parameter for a specific user, see the id\_tokens reference.
58
+
The profile scope can be used with the openid scope and any others. It gives the app access to a substantial amount of information about the user. The information it can access includes, but isn't limited to, the user's given name, surname, preferred username, and object ID. For a complete list of the profile claims available in the `id_tokens` parameter for a specific user, see the `id_tokens` reference.
59
59
60
60
### offline\_access
61
61
62
-
The offline\_access scope gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the "Maintain access to data you have given it access to" permission. When a user approves the offline\_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
62
+
The offline\_access scope gives your app access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the "Maintain access to data you have given it access to" permission. When a user approves the `offline_access` scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
63
63
64
64
On the Microsoft identity platform (requests made to the v2.0 endpoint), your app must explicitly request the offline\_access scope to receive refresh tokens. This means that when you redeem an authorization code in the OAuth 2.0 authorization code flow, you'll receive only an access token from the /token endpoint. The access token is valid for a short time, usually expiring in one hour. At that point, your app needs to redirect the user back to the /authorize endpoint to get a new authorization code. During this redirect, depending on the type of app, the user might need to enter their credentials again or consent again to permissions.
Copy file name to clipboardExpand all lines: learn-pr/wwl-sci/implement-app-registration/includes/6-grant-tenant-wide-admin-consent-application.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ Granting tenant-wide admin consent requires you to sign in as a user that is aut
18
18
5. Review the dialogue box, and then select **Yes.**
19
19
20
20
> [!WARNING]
21
-
> Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf will not be affected.
21
+
> Granting tenant-wide admin consent through App registrations will revoke any permissions that had previously been granted tenant-wide. Permissions previously granted by users on their own behalf won't be affected.
22
22
23
23
## Grant admin consent in Enterprise apps
24
24
@@ -63,7 +63,7 @@ If the application is requesting application permissions and an administrator gr
63
63
## Using the admin consent endpoint
64
64
65
65
> [!NOTE]
66
-
> After granting admin consent using the admin consent endpoint, you've finished granting admin consent and users don't need to perform any further additional actions. After granting admin consent, users can get an access token via a typical auth flow, and the resulting access token will have the consented permissions.
66
+
> After the admin grants admin consent using the admin consent endpoint, you've finished granting admin consent and users don't need to perform any further additional actions. After granting admin consent, users can get an access token via a typical auth flow, and the resulting access token will have the consented permissions.
67
67
68
68
When a Company Administrator uses your application and is directed to the authorized endpoint, Microsoft identity platform will detect the user's role and ask them if they would like to consent on behalf of the entire tenant for the permissions you've requested. However, there's also a dedicated admin consent endpoint you can use if you would like to proactively request that an administrator grants permission on behalf of the entire tenant. Using this endpoint is also necessary for requesting application permissions (which can't be requested using the authorized endpoint).
0 commit comments