Which permission should to grant?

You have a single-page application (SPA) named TodoListSPA and a server-based web app named TodoListService.

The permissions for the TodoList SPA API are configured as shown in the TodoList SPA exhibit. (Click the TodoListSPA tab.)

The permissions for the TodoListService API are configured as shown in the TodoListService exhibit. (Click the TodoListService tab.)

You need to ensure that TodoListService can access a Microsoft OneDrive file of the signed-in user. The solution must use the principle of least privilege.

Which permission should to grant?
A . the Sites.Read.All delegated permission for TodoListService
B . the Sites.Read.All delegated permission for TodoListSpa
C . the Sites.Read.All application permission for TodoListSPA
D . the Sites.Read.All application permission for TodoListService

View Answer

Answer: A

Explanation:

A client application gains access to a resource server by declaring permission requests. Two types are available:

"Delegated" permissions, which specify scope-based access using delegated authorization from the signed-in resource owner, are presented to the resource at run-time as "scp" claims in the client’s access token. "Application" permissions, which specify role-based access using the client application’s credentials/ identity, are presented to the resource at run-time as "roles" claims in the client’s access token.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/developer­glossary#permissions