Azure AD App Application Permissions vs Delegated Permissions

I am creating an Azure AD app and noticed there are two permissions types, Application Permissions and Delegated Permissions. What is the difference between the two and under what scenario should I use them?

Arjuna Avatar asked Jul 14 '15 10:07




2 Answers

You typically use delegated permissions when you want to call the Web API as the logged-on user. Say, for example, that the Web API needs to filter the data it returns based on who the user is, or execute some action as the logged-in user. Or even just to log which user initiated the call.

Application permissions are used when the application calls the API as itself. For example, to get the weather forecast for a certain zip code (it does not matter which user is logged on). The client can even call the API when there's no user present (some background service calling the API to update some status).

MvdD Avatar answered Oct 11 '22 08:10



From the documentation here: Configure a client application to access web APIs:

  • Application Permissions: Your application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for native client applications.
  • Delegation Permissions: Your application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission is configured as requiring administrator consent.

Based on this, if your application requires user impersonation, you would need to use Delegation permissions.

Gaurav Mantri Avatar answered Oct 11 '22 07:10

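Both answers describe the distinction from the caller's side; on the Web API side the difference shows up in the access token. A token issued under delegated permissions carries the granted scopes in the space-separated `scp` claim together with the signed-in user's identity, while a token issued under application permissions carries the granted app roles in the `roles` claim and has no `scp` claim and no user. The example below is added here and is not code from either answer or from Microsoft: it builds two constructed, unsigned token payloads with placeholder values (the `api://constructed-api` audience, the scope and role names, and the object ids are all made up) and shows how an API can tell which mode the caller is in before deciding what it may do. Signature, issuer, audience and expiry validation is assumed to have already happened; the classifier only reads claims from a token that has passed those checks.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned header.payload. token for the demo only.
    Real tokens are signed; this helper exists so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."


# Constructed sample tokens. Values are placeholders, not real tenant data.
DELEGATED_TOKEN = make_token({
    "aud": "api://constructed-api",
    "scp": "Weather.Read Forecast.Read",          # delegated permissions granted
    "oid": "00000000-0000-0000-0000-000000000001",
    "preferred_username": "user@example.com",     # a signed-in user is present
})

APP_TOKEN = make_token({
    "aud": "api://constructed-api",
    "roles": ["Weather.Read.All"],                # application permissions granted
    "oid": "00000000-0000-0000-0000-000000000002",  # the service principal itself
})


def classify_token(token: str) -> dict:
    """Report how the caller is acting, based on which permission claim is present.

    Assumes signature, issuer, audience and expiry were already validated.
    A 'scp' claim means delegated permissions (user context); a 'roles' claim
    without 'scp' means application permissions (the app acting as itself).
    """
    claims = json.loads(b64url_decode(token.split(".")[1]))
    scopes = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    if "scp" in claims:
        mode = "delegated"
        user = claims.get("preferred_username")
    elif roles:
        mode = "application"
        user = None
    else:
        mode = "no-permissions"
        user = None
    return {"mode": mode, "scopes": scopes, "roles": roles, "user": user}


def authorize(token: str, required_scope: str, required_role: str) -> bool:
    """Allow the operation if the delegated scope or the application role is present.

    The two grants are checked separately so a delegated caller cannot satisfy
    the check with a role, and an app-only caller cannot satisfy it with a scope.
    """
    info = classify_token(token)
    if info["mode"] == "delegated":
        return required_scope in info["scopes"]
    if info["mode"] == "application":
        return required_role in info["roles"]
    return False


if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("application", APP_TOKEN)):
        info = classify_token(tok)
        print(name, info["mode"], "user:", info["user"],
              "allowed:", authorize(tok, "Weather.Read", "Weather.Read.All"))
```

Keeping the two checks separate matters because an application-permission token typically grants tenant-wide access (hence the admin-consent requirement quoted above), so an API that accepts a role wherever it would accept a scope silently widens what a delegated user can reach. Logging `info["user"]` alongside the decision gives the per-user audit trail the first answer mentions, and for app-only calls it records that no user was involved.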