AZ-500 Question #141: Real Exam Question with Answer & Explanation
The correct answer is C: Create database users and generate resource tokens.
Question
A company has an Azure subscription and an Azure tenant. The company is planning on deploying a web application which will work with a CosmosDB account. The CosmosDB account will consist of a database that will be the back-end tier for the application. The Web application will be deployed using the Azure Web App service. Users will need to authenticate using their Azure AD account and access the CosmosDB account by using resource tokens. Which of the following tasks would you implement for the CosmosDB account for authentication purposes?
Options
- A. Authenticate Azure AD users and generate resource tokens
- B. Authenticate Azure AD users and relay resource tokens
- C. Create database users and generate resource tokens
- D. Create database users and relay resource tokens
Explanation
Option C is correct because in Azure Cosmos DB's resource token authentication model, the CosmosDB account itself is responsible for creating database users and generating resource tokens - it does not interact directly with Azure AD. The Web App (middle tier) handles Azure AD authentication, then calls the CosmosDB account to generate resource tokens, which are scoped permissions passed back to the authenticated user.
Why the distractors are wrong:
- A & B are incorrect because the CosmosDB account does not authenticate Azure AD users - that is the responsibility of the Web App tier using Azure AD. CosmosDB has no native Azure AD authentication capability for this pattern.
- D is incorrect because the CosmosDB account generates resource tokens (creates them), it does not relay them. Relaying (passing tokens along) is the role of the Web App, which receives the tokens from CosmosDB and forwards them to the client.
Memory Tip: Think of the architecture in two distinct layers: the Web App is the "security guard" (authenticates users via Azure AD and relays tokens), while CosmosDB is the "key maker" (creates database users and generates tokens). Match each responsibility to the correct layer - CosmosDB = Create + Generate, Web App = Authenticate + Relay.