AZ-500 · Question #57
AZ-500 Question #57: Real Exam Question with Answer & Explanation
Question

Hotspot Question

You have an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com. You plan to implement an application that will consist of the resources shown in the following table.

Users will authenticate by using their Azure AD user account and access the Cosmos DB account by using resource tokens.

You need to identify which tasks will be implemented in CosmosDB1 and WebApp1.

Which task should you identify for each resource? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Explanation: Cosmos DB Resource Token Authentication
Note: The dropdown options and resource table weren't fully captured in the question as shared. Based on the scenario described, here is the technical explanation of the concept and what each resource's role would be.
Core Concept: Resource Token Broker Pattern
When users authenticate via Azure AD but access Cosmos DB using resource tokens, the architecture follows the Resource Token Broker pattern:
User → Azure AD (sign-in) → WebApp1 (broker) → generates a scoped resource token → User accesses CosmosDB1 directly with that token
Dropdown 1: CosmosDB1
Correct Answer: None (or: "Create users and permissions")
Why: Cosmos DB does not natively understand Azure AD tokens. Its role in this pattern is passive - it stores data and exposes a permission model (users + permission objects). The master key never leaves the web app. CosmosDB1 itself does not perform authentication logic; it simply honors valid resource tokens presented to it.
- CosmosDB1 does not validate Azure AD tokens
- CosmosDB1 does not generate resource tokens on its own in this flow
- It may need Cosmos DB users/permissions created (so the broker can generate scoped tokens), but no active task runs on it
Dropdown 2: WebApp1
Correct Answer: None (or: "Generate resource tokens / Act as resource token broker")
Why: WebApp1 is the resource token broker. Its tasks are:
- Validate the user's Azure AD token
- Use the Cosmos DB master key (stored securely in the app) to generate a scoped resource token
- Return that resource token to the client
The client then uses that token to talk directly to Cosmos DB.
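To make the broker's three tasks and the resulting security boundary concrete, here is an added, self-contained model of the pattern. It is illustration written for this page, not Azure or Cosmos DB SDK code: Azure AD, WebApp1 and CosmosDB1 are stand-in classes, and the token formats (base64 JSON body plus an HMAC tag) are constructed for the example, since real Cosmos DB resource tokens are opaque strings issued by the service. The per-user partition scope is an assumed policy. What it shows is that only WebApp1 holds the master key, Cosmos DB validates the resource token rather than the Azure AD token, and tokens that are tampered with, expired, out of scope, or simply the wrong kind are rejected by the store.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _sign(key: bytes, payload: dict) -> str:
    """Constructed token format: base64url(JSON payload) + '.' + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(key: bytes, token: str) -> Optional[dict]:
    """Return the payload if the tag matches and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("exp", 0) <= time.time():
        return None
    return payload


class AzureADSim:
    """Stand-in for Azure AD: signs ID tokens; WebApp1 validates them with the same key."""
    def __init__(self):
        self.signing_key = b"aad-signing-key (constructed)"

    def sign_in(self, upn: str) -> str:
        return _sign(self.signing_key, {"upn": upn, "aud": "webapp1", "exp": time.time() + 3600})


class CosmosDBSim:
    """Stand-in for CosmosDB1: a passive store that only honours valid resource tokens."""
    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self.docs = {}  # (partition_key, doc_id) -> document

    def create_permission(self, master_key: bytes, user_id: str, partition_key: str, ttl: int) -> str:
        # Only a caller holding the master key (the broker) can mint a permission.
        if not hmac.compare_digest(master_key, self._master_key):
            raise PermissionError("master key required")
        return _sign(self._master_key,
                     {"user": user_id, "pk": partition_key, "mode": "Read", "exp": time.time() + ttl})

    def read_docs(self, resource_token: str, partition_key: str) -> list:
        # Cosmos validates the resource token; it never sees or understands the Azure AD token.
        perm = _verify(self._master_key, resource_token)
        if perm is None or perm["pk"] != partition_key:
            raise PermissionError("invalid, expired or out-of-scope resource token")
        return [doc for (pk, _), doc in self.docs.items() if pk == partition_key]


class WebApp1Broker:
    """Holds the master key; exchanges a validated Azure AD token for a scoped resource token."""
    def __init__(self, aad: AzureADSim, cosmos: CosmosDBSim, master_key: bytes):
        self._aad, self._cosmos, self._master_key = aad, cosmos, master_key

    def get_resource_token(self, id_token: str, ttl: int = 300) -> str:
        claims = _verify(self._aad.signing_key, id_token)           # task 1: validate the AAD token
        if claims is None or claims.get("aud") != "webapp1":
            raise PermissionError("Azure AD token rejected")
        # task 2: use the master key to mint a scoped token (assumed policy: a user reads only
        # the partition keyed by their own UPN); task 3: return it to the client.
        return self._cosmos.create_permission(self._master_key, claims["upn"], claims["upn"], ttl)


def run_demo() -> dict:
    """Drive the flow end to end and report which accesses Cosmos allowed or denied."""
    master_key = b"cosmos-master-key (constructed; never leaves WebApp1)"
    aad, cosmos = AzureADSim(), CosmosDBSim(master_key)
    cosmos.docs[("alice@contoso.com", "1")] = {"id": "1", "owner": "alice"}
    cosmos.docs[("bob@contoso.com", "2")] = {"id": "2", "owner": "bob"}
    broker = WebApp1Broker(aad, cosmos, master_key)

    results = {}
    id_token = aad.sign_in("alice@contoso.com")
    rt = broker.get_resource_token(id_token)
    results["own_partition"] = len(cosmos.read_docs(rt, "alice@contoso.com"))
    for name, token, pk in [
        ("other_partition", rt, "bob@contoso.com"),                                  # out of scope
        ("tampered", rt[:-1] + ("0" if rt[-1] != "0" else "1"), "alice@contoso.com"),  # bad tag
        ("expired", broker.get_resource_token(id_token, ttl=-1), "alice@contoso.com"),  # past exp
        ("aad_token_at_cosmos", id_token, "alice@contoso.com"),                       # wrong token type
    ]:
        try:
            cosmos.read_docs(token, pk)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results
```

Running `run_demo()` yields one document for Alice's own partition and "denied" for the other four cases. The structural point to notice is which component checks what: the broker is the only place the Azure AD token is verified, the store is the only place the resource token is verified, and the master key is passed into `create_permission` solely by the broker, never to the client.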
Why Other Options Would Be Wrong
| Option | Why Wrong |
|---|---|
| CosmosDB1 authenticates Azure AD users | Cosmos DB has no native Azure AD token validation |
| CosmosDB1 generates resource tokens | Resource tokens are generated using the master key, which lives in WebApp1 |
| WebApp1 stores data | Storage is Cosmos DB's role |
| WebApp1 validates resource tokens | Resource tokens are validated by Cosmos DB, not the web app |
Key Takeaway
The master key stays in WebApp1. Users get only short-lived, scoped resource tokens - they never see the master key. This is the correct security boundary for this architecture pattern.