Question 15 - Microsoft GH-100 Real Exam Questions [Jan 2026 Update]

Q: 15

Why is a GitHub App preferred over a PAT for machine authentication?

Options

Correct Answer:

Explanation

GitHub Apps are preferred for machine authentication due to their superior security model. Unlike a Personal Access Token (PAT) which acts on behalf of a user, a GitHub App has its own distinct identity. It is granted fine-grained, specific permissions, adhering to the principle of least privilege. Most importantly, it authenticates using short-lived installation access tokens that expire after one hour, significantly reducing the risk associated with a compromised credential. This contrasts with PATs, which are often long-lived and have broad permissions tied directly to a user's account.

Why Incorrect

A. GitHub Apps are required to pass SAML assertions

SAML assertions are used for user authentication via an identity provider (IdP) for Single Sign-On (SSO), not for machine-to-machine authentication by a GitHub App.

C. PATs cannot be used in GitHub Actions

This is incorrect. PATs are frequently stored as encrypted secrets and used within GitHub Actions workflows to perform tasks that require permissions beyond those granted to the default GITHUBTOKEN.

D. PATs support fewer GitHub APIs than Apps

This is generally false. The key difference is not the number of APIs but the granularity of permissions and the identity. A PAT with broad scopes (e.g., repo, admin:org) can access a vast range of APIs, often more than a narrowly-scoped App.

References

1. GitHub Docs

"Deciding which integration to use." This document directly compares PATs and GitHub Apps

stating: "GitHub recommends using GitHub Apps for integrations... GitHub Apps have fine-grained permissions... They use short-lived tokens to authenticate." It highlights that PATs are simpler but less secure and flexible.

2. GitHub Docs

"Authenticating with GitHub Apps." Section: "Authenticating as an installation." This page details the authentication flow and explicitly notes: "To keep your integration secure

installation access tokens expire after 1 hour." This confirms the time-limited nature of the tokens mentioned in the correct answer.

3. GitHub Docs

"Using secrets in GitHub Actions." This page provides guidance on using secrets in workflows and includes an example of creating a secret for a PAT: "For example

you can create a secret to store a personal access token (PAT) that you use with a third-party service." This directly refutes option C.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE