Study Azure AZ-204 Auth and Graph: key concepts, common traps, and exam decision cues.
This lesson covers the identity decisions Microsoft expects developers to make cleanly: how users and apps authenticate, when SAS is the better storage-access path, and how Graph interactions fit into an application design.
Shared access signature (SAS): Time-limited signed token that grants constrained access to storage resources without exposing the primary account key directly.
Microsoft Graph: API surface for Microsoft 365 and Entra-connected identity and organizational data.
AZ-204 is not asking whether you know identity buzzwords. It is testing whether you can separate the following needs and pick the right first lane for each:
| Need | Strongest first lane | Why it fits |
|---|---|---|
| Users sign in to the application | Microsoft identity platform or Microsoft Entra ID | This is application authentication |
| App needs temporary, scoped access to a storage resource | SAS | This is delegated storage access, not general login |
| App must read directory or Microsoft 365 organizational data | Microsoft Graph | This is Graph-integrated data access |
| App needs to call Azure resources as a workload | Managed identity or service principal path | This is workload authentication, not user sign-in |
| If the question says | Think first about |
|---|---|
| sign in, tokens for users, app authentication, protected web API | Microsoft identity platform / Entra ID |
| limited-time blob or container access without handing out the account key | SAS |
| directory users, groups, organization profile, Microsoft 365 data | Microsoft Graph |
| app calling another Azure service on its own | managed identity or app registration path |
The most common AZ-204 trap here is treating SAS like a general-purpose authentication model. It is narrower than that.
| Question shape | Strongest first interpretation |
|---|---|
| “Give a client temporary access to upload or download one storage resource.” | SAS |
| “Let users sign in and call the app securely.” | Microsoft identity platform / Entra ID |
| “Read tenant or organizational data after consent.” | Microsoft Graph |
```mermaid
flowchart LR
A["Need secure access"] --> B{"Access to what?"}
B -->|App sign-in or API auth| C["Microsoft identity platform / Entra ID"]
B -->|Blob or container with limited scope and time| D["SAS"]
B -->|Directory or Microsoft 365 data| E["Microsoft Graph"]
```
| Trap | Better reading |
|---|---|
| “SAS replaces user authentication.” | SAS delegates storage access. It does not replace full identity flows. |
| “Microsoft Graph is for any Azure service API.” | Graph is for Microsoft 365 and Entra-connected organizational data. |
| “If Graph is involved, SAS is irrelevant.” | The app may still use SAS for storage even if Graph is also in the design. |
| “Authorization and authentication are the same question.” | AZ-204 often separates sign-in, permission grant, and resource delegation. |
A web app lets signed-in employees view internal reports. Some reports are stored as blobs, and the app should allow a short-lived direct download link without exposing the storage account key. The app also needs to read each employee’s manager and group membership from the organization directory.
The strongest design reading is:
Correct answer: 1. The problem splits into identity, storage delegation, and directory-data access.
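As an added example (not code from the original lesson), here is a defender-side check for the storage-delegation part of the scenario above: given a SAS URL that is supposed to be a short-lived, read-only link to one blob, parse its query parameters and flag anything broader than that intent. The one-hour lifetime limit, the `contoso` account name and the placeholder signature are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Longest lifetime we accept for a "short-lived download link" (assumed policy value).
MAX_LIFETIME = timedelta(hours=1)


def _parse_sas_time(value: str) -> datetime:
    """SAS start/expiry values are ISO 8601 UTC; a date-only form is also allowed."""
    if len(value) == 10:
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_download_sas(url: str, now: datetime) -> list[str]:
    """Return findings for a SAS URL meant to be a read-only, short-lived blob download link.
    An empty list means the token matches that intent."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not {"sig", "se", "sp"} <= q.keys():
        return ["not a complete SAS token (missing sig, se or sp)"]
    findings = []
    # sr=b scopes the token to one blob; sr=c would cover the whole container.
    if q.get("sr") != "b":
        findings.append(f"resource scope is {q.get('sr')!r}, expected a single blob ('b')")
    # sp lists permissions; anything beyond 'r' is more than a download link needs.
    extra = set(q["sp"]) - {"r"}
    if extra:
        findings.append(f"permissions {q['sp']!r} exceed read-only (extra: {''.join(sorted(extra))})")
    expiry = _parse_sas_time(q["se"])
    start = _parse_sas_time(q["st"]) if "st" in q else now  # no st means valid from now
    if expiry <= now:
        findings.append("token already expired")
    elif expiry - start > MAX_LIFETIME:
        findings.append(f"lifetime {expiry - start} exceeds {MAX_LIFETIME}")
    # When spr is omitted, the token is accepted over both HTTPS and HTTP.
    if q.get("spr", "https,http") != "https":
        findings.append("token not restricted to HTTPS (spr should be 'https')")
    return findings


# Constructed sample links; the sig values are placeholders, not real signatures.
GOOD_LINK = ("https://contoso.blob.core.windows.net/reports/q1.pdf?sv=2022-11-02&sr=b&sp=r"
             "&st=2024-05-01T10:00:00Z&se=2024-05-01T10:15:00Z&spr=https&sig=PLACEHOLDER")
BROAD_LINK = ("https://contoso.blob.core.windows.net/reports?sv=2022-11-02&sr=c&sp=rwdl"
              "&se=2025-01-01T00:00:00Z&sig=PLACEHOLDER")
NOW = datetime(2024, 5, 1, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for link in (GOOD_LINK, BROAD_LINK):
        print(link.split("?")[0], check_download_sas(link, NOW) or ["ok"])
```

Run against the two constructed links, the first passes cleanly and the second is flagged on scope, permissions, lifetime and protocol, which is exactly the difference between "delegated access to one resource" and "a general-purpose credential".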