
SC-300 Question #371: Real Exam Question with Answer & Explanation


Submitted by andres_qro · Mar 6, 2026 · Implement access management for apps

Question

You have an Azure subscription that is linked to a Microsoft Entra tenant. The tenant contains a registered app named App1. You have a partner organization that has a Microsoft Entra tenant. The tenant contains a registered app named App2. You need to ensure that App1 can access App2.

Which two types of credentials can App1 use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Options

  • A. certificate
  • B. managed identity
  • C. secret
  • D. user account
  • E. one-time password

Explanation

App-to-App Authentication in Microsoft Entra

When one registered application needs to authenticate to another registered application (service-to-service or app-to-app communication), it must use application credentials - specifically, a certificate (A) or a client secret (C). These are the two credential types an app registration can hold for the OAuth 2.0 client credentials flow, which is the standard mechanism for an app to authenticate as itself, with no user involved. With a client secret, the app sends the secret string itself to the token endpoint; with a certificate, the app signs a short-lived JWT (a client assertion) with the certificate's private key and sends only that assertion, so the private key never leaves the app. That is why certificates are the preferred option: they are more secure, while client secrets are simpler to set up but still widely used.

Why the distractors are wrong:

  • B (Managed identity): A managed identity is an identity that Azure attaches to an Azure resource so that the resource can authenticate to Azure services. It cannot be assigned to a registered app in a partner/external tenant - the key constraint in this question is cross-tenant access.
  • D (User account): App1 is acting autonomously (no user present), so using a user account would require delegated permissions and an interactive sign-in, which breaks the service-to-service model.
  • E (One-time password): A one-time password is a human authentication mechanism and is not a supported credential type for registered applications.

💡 Memory Tip: Think "Apps use C's" - Certificates and Client secrets are the only two credential types for app registrations. If a human isn't logging in, it must be one of these two.

Topics

#Application authentication · #Service principals · #Client credentials · #Cross-tenant access
