Question 1hardmultiple choice
Full question →Question 35 of 324
hardmultiple choiceObjective-mapped
AZ-204 Practice Question: Daemon service calling Microsoft Graph with…
This AZ-204 practice question tests your understanding of daemon service calling microsoft graph with…. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: application permissions. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A background data pipeline runs on a schedule and must read user profile data from Microsoft Graph. No user is present during execution. The service authenticates to Microsoft Entra ID and calls the Graph API. Which permission type and OAuth 2.0 flow are correct for this scenario?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Distractor review
Application permissions with the on-behalf-of flow, passing the calling user's token to the Graph API
The on-behalf-of (OBO) flow is used when a middle-tier API receives a user token and needs to call a downstream API on the user's behalf. It requires an incoming user access token. A background daemon has no incoming user token to exchange, so OBO cannot be used.
B
Best answer
Application permissions with the client credentials flow, authenticating with the app's client ID and secret (or certificate)
Application permissions are granted by an admin via the app registration manifest. The client credentials flow does not require user interaction — the service presents its own credentials to the token endpoint and receives a token scoped to the application. This is the standard pattern for background services, daemons, and scheduled jobs that call Microsoft Graph.
C
Distractor review
Delegated permissions with the authorization code flow, initiating a browser redirect to collect user consent
The authorization code flow requires an interactive browser session where a user signs in and grants consent. A background pipeline running on a schedule cannot open a browser — there is no user present to authenticate. Delegated permissions require a user token.
D
Distractor review
Delegated permissions with the device code flow, prompting a user to authenticate on a separate device
The device code flow still requires a human to open a browser and enter a code. It is designed for devices with limited input capabilities (TVs, IoT devices), not for fully automated background jobs. A scheduled job cannot wait for a human to complete authentication.
Common exam trap
Common exam trap: answer the scenario, not the keyword
Many certification questions include familiar terms but test a specific constraint. Read the exact wording before choosing an answer that is generally true but wrong for this case.
Technical deep dive
How to think about this question
Treat this as a scenario question. Identify the problem, the constraint, and the best action. Then compare each option against those facts.
KKey Concepts to Remember
- application permissions
- client credentials flow
- daemon service
- Microsoft Entra ID
- delegated vs application permissions
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
application permissions
Related practice questions
Related AZ-204 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
An application stores customer invoices in Azure Blob Storage. Deleted blobs must be recoverable for 14 days. What should be enabled?
Question 2
You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS termination. You need to configure these features. Which resource should you create alongside the container group?
Question 3
A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run? The architecture review board prefers a managed AWS-native control.
Question 4
You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?
Question 5
You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function uses a Service Bus queue trigger and runs on a Consumption Plan. The queue receives a high volume of messages in bursts. You need to ensure that the function scales out to handle the load but does not exceed 10 concurrent instances. Which configuration should you apply?
Question 6
You are monitoring an Azure App Service using Application Insights. You notice that the server response time is high for certain requests. You need to drill down to see which external dependencies (like databases or APIs) are causing the delay. Which Application Insights feature should you use?
Practice this exam
Start a free AZ-204 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-204 question test?
application permissions
What is the correct answer to this question?
The correct answer is: Application permissions with the client credentials flow, authenticating with the app's client ID and secret (or certificate) — When no user is present at runtime, delegated permissions cannot be used because they require a signed-in user to grant consent and provide a user token. Application permissions are granted by an Azure AD administrator at registration time and allow the app to act as itself (not on behalf of a user). The client credentials flow (OAuth 2.0 RFC 6749 §4.4) is the correct flow for daemon/service scenarios: the app authenticates using its own credentials (client ID + secret, or certificate) and receives an access token that represents the application, not a user.
What should I do if I get this AZ-204 question wrong?
Review application permissions, then practise related AZ-204 questions on the same topic to reinforce the concept.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Discussion
Loading comments…
Sign in to join the discussion.
This AZ-204 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-204 exam.