PrepAway - Latest Free Exam Questions & Answers

Which type of application should you add?

You manage an Azure Active Directory (AD) tenant. You plan to allow users to log in to a third-party application by using their Azure AD credentials. To access the application, users will be prompted for their existing third-party user names and passwords. You need to add the application to Azure AD. Which type of application should you add?


A. Existing Single Sign-On with identity provisioning

B. Password Single Sign-On with identity provisioning

C. Existing Single Sign-On without identity provisioning

D. Password Single Sign-On without identity provisioning

Explanation:
http://msdn.microsoft.com/en-us/library/azure/dn308588.aspx

26 Comments on “Which type of application should you add?”

  1. CastorTray says:

    not “A”

    * Azure AD supports two different modes for single sign-on:
    / Federation using standard protocols
    Configuring Federation-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from Azure AD.
    / Password-based single sign-on

    * Support for user provisioning

    User provisioning enables automated user provisioning and deprovisioning of accounts in third-party SaaS applications from within the Azure Management Portal, using your Windows Server Active Directory or Azure AD identity information. When a user is given permissions in Azure AD for one of these applications, an account can be automatically created (provisioned) in the target SaaS application.

    Reference: Application access enhancements for Azure AD URL: http://msdn.microsoft.com/en-us/library/azure/dn308588.aspx




  2. AzureGuest says:

    Think is D

    Single sign on:
    For example, if there is an application that is configured to authenticate users using Active Directory Federation Services 2.0, an administrator can use the “Existing Single Sign-On”
    Not, because of “By using their Azure AD credentials”.

    So is password Single Sign on.

    Identity:
    User provisioning enables automated user provisioning and deprovisioning of accounts in third-party SaaS applications from within the Azure Management Portal, using your Windows Server Active Directory or Azure AD identity information.

    They will use third-party user-names, so, no Provisioning.




  3. Tester says:

    https://msdn.microsoft.com/en-us/library/azure/dn308588.aspx
    User provisioning enables automated user provisioning and deprovisioning of accounts in third-party SaaS applications from within the Azure Management Portal, using your Windows Server Active Directory or Azure AD identity information. When a user is given permissions in Azure AD for one of these applications, an account can be automatically created (provisioned) in the target SaaS application.

    From the scenario – Users will be prompted for the EXISTING 3rd party credentials. No need to provision them then.

    Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from the third-party SaaS application. When you enable this feature, Azure AD collects and securely stores the user account information and the related password.

    Correct is D




  4. Prady says:

    No one is right yet. Answer is B- Password SSO with identity provisioning.
    https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/
    “Configuring password-based single sign-on enables the users in your organization to be automatically signed in to a third-party SaaS application by Azure AD using the user account information from the third-party SaaS application.”
    Since users are prompted with their existing user names and passwords (for the first time only… this should’ve been mentioned), users manage their credentials themselves.
    Link uses the words “User manages credentials” instead of “identity provisioning”
    Identity provisioning can be from the admin or by the user. Both are explained in the link.

    The difference between Password SSO and Existing SSO is that PSSO would have an app with its own identity store. ESSO- if using a link to another store where auth happens such as Google ID that a 3rd party app uses for auth. ESSO is also explained in the link… though not the clearest of explanations, we’d have to get this right.

    I know this is confusing as hell, but you need a mental model of the diffs to recall them in the exam.
    Anyway, answer is B.




  5. RobV says:

    Believe it is (D) ‘Without Identity Provisioning’.

    First off, it falls right into definition of Password Single Sign-On, either (B) or (D).

    The trick is “with” or “without” identity provisioning?

    Question says, user will be PROMPTED FOR CREDENTIALS. If so, it has to be “without,” as this configuration asks users for credentials.

    If users were NOT prompted for credentials, then it would be “with” as user is “automatically” logged in.

    Check out this link ==> http://weshackett.com/tag/azure-active-directory/

    • Password based SSO without identity provisioning – These are applications the Azure admin has added with the single sign-on mode set to ‘Password based Single Sign-on’. It is important to realise that all users authenticated to the Azure AD will see these applications. The first time a user clicks one of these apps they will be asked to install a lightweight browser plugin for IE or Chrome. Once they restart the browser the next time they navigate to that app they will be asked to enter the username and password combination for that app. This is then securely stored in Azure AD and linked to their organisation account. The next time the user clicks that app they will be automatically signed in with the credentials they provided. Updating credentials in the third party app needs the user to update their Azure AD stored credentials from the context menu on the app tile.

    • Password based SSO with identity provisioning – These are applications the Azure admin has added with the single sign-on mode set to ‘Password based Single Sign-on’ as well as identity provisioning. The first time a user clicks one of these apps they will be asked to install a lightweight browser plugin for IE or Chrome. Once they restart the browser the next time they will be automatically signed in to the application




    1. Prady says:

      So the “Without” means users will be prompted even on 2nd time login according to weshackett.com? (whoever THAT is)… but will not be prompted from the 3rd time?

      Without: Once they restart the browser the next time they navigate to that app they will be asked to enter the username and password combination for that app. The next time the user clicks that app they will be automatically signed in with the credentials they provided.

      With: Once they restart the browser the next time they will be automatically signed in to the application.

      This is still unclear to me. Microsoft hasn’t explained “identity provisioning” anywhere. Is it the same as “User Provisioning” explained here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/

      If not, then what is the difference between the two explained in http://weshackett.com/tag/azure-active-directory/ ‘cos I don’t see a difference. Both options state “Once they restart the browser the next time they will be automatically signed in to the application.”




      1. Prady says:

        Without says, restart will still prompt for the credentials and the 3rd time (as I read it) will automatically sign them in.
        With says, restart will automatically sign them in.
        So essentially, the “Without” option does ONE additional prompt in the 2nd login, huh?!!!




        1. Byronis says:

          Hi Prady,
          researched this from other forums and found this explanation which made it clearer for me, hope it helps :
          I believe it’s D.

          Identity provisioning is not needed because the question mentions “their existing third-party user names and passwords” — in other words, accounts do not need to be created. Furthermore, the question doesn’t suggest that some kind of third-party account–AD account synchronisation is needed. That makes it C or D.

          Next, the question says that users will “log in to [the] application by using their Azure AD credentials”. Here I assume that “log in” is talking about every time you use the application, like logging in to Windows. So AAD authentication is needed when they want to use the app.

          But the question also says “to access the application, users will be prompted for their existing third-party user names and passwords”.
          For the nuance of the word “access”, see this text (taken from https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/):
          “Administrators can assign applications to end users or groups, and allow the end users to enter their own credentials directly upon accessing the application for the first time in their access panel.”

          So when users want to use the application for the first time, they have to tell AAD what their application username and password are. From then on, users will log in by using their AAD credentials.

          So that makes the answer D, because you’ll enter your username and password once, and AAD will store it for you. After that, you can log in by using your AAD credentials.



