I am creating an Azure AD app and noticed there are two permissions types, Application Permissions and Delegated Permissions. What is the difference between the two and under what scenario should I use them?
Delegated and application permissionsSome delegated permissions can be consented by non-administrative users, but some higher-privileged permissions require administrator consent. Application permissions are used by apps that run without a signed-in user present.
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.
Grant admin consent in App registrationsSelect Azure Active Directory, and then select App registrations. Select the application to which you want to grant tenant-wide admin consent. Select API permissions. Carefully review the permissions that the application requires.
If you're calling the Microsoft Graph Security API from a custom or your own application: The Azure AD tenant admin must explicitly grant consent to your application. This is required both for application-level authorization and user delegated authorization.
You typically use delegated permissions when you want to call the Web API as the logged on user. Say for example that the Web API needs to filter the data it returns based on who the user is, or execute some action as the logged in user. Or even just to log which user was initiating the call.
Application permissions are used when the application calls the API as itself. For example to get the weather forecast for a certain zipcode (it does not matter which user is logged on). The client can even call the API when there's no user present (some background service calling the API to update some status).
From the documentation here: Configure a client application to access web APIs:
- Application Permissions: Your application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for native client applications.
- Delegation Permissions: Your application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission is configured as requiring administrator consent.
Based on this if your application requires user impersonation, then you would need to use Delegation permissions.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With