What are "delegated permissions" in the context of an Azure Active Directory Application?

From the text below, what I infer is that when the application is configured with Delegated Permissions, it makes all requests on behalf of the signed-in user.

So, under Delegated Permissions, again we have "Access the directory as the signed-in user" option listed. What does this actually do?

Application Permissions: Your client application needs to access the Web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for Native client applications.

Delegated Permissions: Your client application needs to access the Web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission is configured as requiring administrator consent.

Sunny asked Sep 14 '16 07:09


1 Answer

So, under Delegated Permissions, we have "Access the directory as the signed-in user" option listed. What does this actually do?

In very simple words, the application essentially impersonates you (or the logged-in user) in the case of delegated permissions.

To give you an example, let's say you created a web application in your Azure AD with delegated permissions to access the Azure Service Management API. Now, when you log in to this application and try to access your Azure resources (storage accounts, VMs, etc.), the application will only be able to do the things you're granted permission to do in that Azure subscription. For example, if you're in the Reader role in your Azure subscription (i.e. you can't create/update/delete resources) and you try to create a resource through your application, you will get an error back because the application is impersonating you.

Gaurav Mantri answered Sep 25 '22 16:09
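An added example (not from the answer above or from any Microsoft code) of how a Web API could apply this distinction: Azure AD access tokens carry delegated permissions in the `scp` claim and application permissions in the `roles` claim, and in the delegated case the API must still check what the signed-in user is allowed to do, which is exactly why the Reader in the answer gets an error. The RBAC table, the permission-to-action mapping and the claim values are constructed for illustration, and the token is assumed to have been signature- and audience-validated already.

```python
from dataclasses import dataclass

# Constructed RBAC table for the subscription: role -> allowed actions
# (the answer's read-only Reader role next to a read/write role).
ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "create", "update", "delete"},
}
# Constructed mapping of permission names to the actions they cover.
# "user_impersonation" stands in for "Access the directory as the signed-in
# user" (delegated); "Resources.ReadWrite.All" for an application permission.
PERMISSION_ACTIONS = {
    "user_impersonation": {"read", "create", "update", "delete"},
    "Resources.Read.All": {"read"},
    "Resources.ReadWrite.All": {"read", "create", "update", "delete"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    context: str  # "delegated", "application" or "none"
    reason: str

def _actions_for(names, table):
    """Union of the actions granted by the known names in `table`."""
    return set().union(*(table.get(n, set()) for n in names))

def authorize(claims: dict, user_roles: dict, action: str) -> Decision:
    """Decide whether an already-validated token may perform `action`.
    user_roles maps a user's object id (oid) to the RBAC roles it holds."""
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    app_roles = set(claims.get("roles", []))     # application permissions
    if scopes:
        # Delegated: the app acts as the signed-in user, so a user must be
        # present and BOTH the scope and the user's own role must allow it.
        user = claims.get("oid")
        if not user:
            return Decision(False, "delegated", "scp claim without a user identity")
        if action not in _actions_for(scopes, PERMISSION_ACTIONS):
            return Decision(False, "delegated", f"scope does not cover '{action}'")
        if action not in _actions_for(user_roles.get(user, ()), ROLE_ACTIONS):
            return Decision(False, "delegated", f"user {user} may not '{action}'")
        return Decision(True, "delegated", f"user {user} may '{action}'")
    if app_roles:
        # Application: no user context; only the app's own roles are checked.
        allowed = action in _actions_for(app_roles, PERMISSION_ACTIONS)
        return Decision(allowed, "application", f"app role covers '{action}': {allowed}")
    return Decision(False, "none", "token carries neither scp nor roles")
```

The Reader scenario from the answer is the delegated `create` call: the scope alone would permit it, but the user's role does not, so the call is refused.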