Microsoft Identity Platform - AZ-204 Practice Questions

Implement authentication and authorization using Microsoft Identity Platform, MSAL, and managed identities.

14 Questions Available
1 Exam Domain

AZ-204 Identity Question Bank (14 Questions)

Browse all 14 practice questions covering Microsoft Identity Platform for the AZ-204 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 - Implement Azure security

    An app registration in Azure AD needs to call the Microsoft Graph API on behalf of a signed-in user. Which OAuth 2.0 grant type should be used?

    A. Client Credentials
    B. Authorization Code with PKCE
    C. Resource Owner Password
    D. Implicit

  2. Question 2 - Implement Azure security

    A developer needs to ensure that an application only gets access tokens with the minimum required permissions. Which OAuth concept enforces this in MSAL?

    A. Requesting specific scopes when calling AcquireToken
    B. Setting the authority to /common
    C. Using the client credentials flow
    D. Enabling incremental consent

  3. Question 3 - Implement Azure security

    How does an Azure AD Managed Identity differ from a Service Principal with a secret for application authentication?

    A. Managed Identity has more permissions
    B. Managed Identity credentials are managed and rotated by Azure automatically with no stored secrets; Service Principal with secret requires manual secret rotation and secure storage of the secret value
    C. Service Principal is more secure than Managed Identity
    D. Managed Identity can only be used by Azure Functions

  4. Question 4 - Implement Azure security

    An app registration in Azure AD needs to call the Microsoft Graph API as itself (no user involved). Which permission type must be granted?

    A. Delegated permissions
    B. Application permissions
    C. Owner permissions
    D. Reader permissions

  5. Question 5 - Implement Azure security

    A developer needs to call Microsoft Graph API from a daemon service running on a VM. The service has a system-assigned Managed Identity. What must be configured in Azure AD to grant the Graph permission?

    A. Add a delegated permission in the app registration and have a user consent
    B. Grant an application permission (e.g., User.Read.All) to the Managed Identity's service principal via PowerShell or Microsoft Graph API
    C. Create a client secret for the Managed Identity
    D. Assign a user account to the Managed Identity

  6. Question 6 - Implement Azure security

    An application must access Microsoft Graph API on behalf of a signed-in user. Which OAuth 2.0 flow should be used?

    A. Client credentials flow
    B. Authorization code flow with PKCE
    C. Resource owner password flow
    D. Device authorization flow

  7. Question 7 - Implement Azure security

    Which Microsoft Identity platform scope must be requested to get a token that allows calling Microsoft Graph API to read user profiles?

    A. openid
    B. User.Read
    C. profile
    D. offline_access

  8. Question 8 - Implement Azure security

    An Azure App Service app has a system-assigned Managed Identity. Which SDK class should be used to obtain a token for calling Azure services?

    A. ClientSecretCredential
    B. DefaultAzureCredential
    C. UsernamePasswordCredential
    D. InteractiveBrowserCredential

  9. Question 9 - Implement Azure security

    A developer needs to obtain an access token for Azure Key Vault from inside an Azure VM with a system-assigned Managed Identity. Which endpoint should they call?

    A. https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    B. http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net
    C. https://vault.azure.net/.well-known/openid-configuration
    D. http://localhost:50342/oauth2/token

  10. Question 10 - Implement Azure security

    You need to implement OAuth 2.0 token validation in an Azure API Management policy. Which inbound policy expression validates a bearer token against Azure AD?

    A. <check-header>
    B. <validate-jwt>
    C. <authenticate-basic>
    D. <set-backend-service>

  11. Question 11 - Implement Azure security

    What is the Azure Active Directory 'token cache' in MSAL and how does it affect developer implementation?

    A. A database cache for user profile data
    B. An in-memory or persistent store for acquired access and refresh tokens, enabling token reuse and silent renewal to minimize authentication round trips
    C. A CDN cache for authentication requests
    D. A rate limit cache for MSAL requests

  12. Question 12 - Implement Azure security

    What is the OAuth 2.0 token introspection endpoint, and when would a developer use it?

    A. An endpoint for inspecting JWT token structure
    B. An endpoint called by a resource server to validate an opaque token issued by an authorization server, determining if the token is active and retrieving its associated claims
    C. A debugging tool for viewing JWT payload
    D. An endpoint for refreshing expired tokens

  13. Question 13 - Implement Azure security

    A developer builds a confidential client application that calls an API without user interaction. Which MSAL method should be used to acquire a token?

    A. AcquireTokenInteractive()
    B. AcquireTokenSilent()
    C. AcquireTokenForClient(scopes)
    D. AcquireTokenByAuthorizationCode()

  14. Question 14 - Implement Azure security

    A developer is building a single-page application that uses the MSAL.js library to authenticate users. To avoid storing tokens in localStorage (XSS risk), which token storage option should be used?

    A. localStorage
    B. sessionStorage
    C. In-memory storage (no persistence)
    D. HttpOnly cookie

Key Identity Concepts for AZ-204

MSAL, OAuth, OpenID Connect, managed identity, service principal, app registration, token, Microsoft Graph, Entra ID

AZ-204 Identity Exam Tips

Microsoft Identity Platform questions in AZ-204 are typically scenario-based. Focus on Azure application development, integration services, authentication, and runtime reliability. Priority concepts: MSAL, OAuth, OpenID Connect, managed identity, service principal, app registration.

What AZ-204 Expects

  • Anchor your answer in this principle: choose managed developer services that simplify secure integration and deployment.
  • Identity scenarios for AZ-204 are frequently mapped to Domain 3 (20-25%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where Identity interacts with networking, governance, or monitoring patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value Identity Concepts

  • Know the core Identity building blocks cold: MSAL, OAuth, OpenID Connect, managed identity.
  • Review the edge-case features and limits for service principals and app registrations; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Identity pairs with Key Vault and API Management in real deployment patterns.
  • For AZ-204, explain why the chosen Identity design meets reliability, security, and cost expectations better than the alternatives.

Common AZ-204 Traps

  • Watch for infrastructure-heavy answers offered for app-level requirements.
  • Questions in Implement Azure Security often include distractors that look correct for Identity but violate least-privilege, compliance, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Identity implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Implement Azure Security (20-25%) outcomes for AZ-204?
  • Can you explain security and access boundaries for Identity without relying on default-open assumptions?
  • Can you describe how Identity integrates with Key Vault and API Management during failure, scaling, and monitoring events?
