Why is "Application permissions" disabled in Azure AD's "Request API permissions"?

Question

I'm trying to give a console app permission to call an API in Azure AD.

When I go to "Add permissions," "application permissions" is grayed out and I can only select "delegated permissions."

My understanding is that application permissions is right for the console app because it runs on the back-end and users don't sign into it.

From the help text for "application permissions":

Your application runs as a background service or daemon without a signed-in user.

The help text for "delegated permissions":

Your application needs to access the API as the signed-in user.

Why is "application permissions" disabled?

Answer 1

Per my understanding, you are exposing your custom api protected by Azure AD. If so, you need to define the application permission by editing the manifest of your api app.

manifest:

"appRoles": [         {             "allowedMemberTypes": [                 "Application"             ],             "description": "Apps that have this role have the ability to invoke my API",             "displayName": "Can invoke my API",             "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",             "isEnabled": true,             "lang": null,             "origin": "Application",             "value": "myTestRole"         }     ] 

Then the application permission will show up.

Answer 2

you actually don't give it permissions that way. It's really confusing. Instead you add your registered app to your subscription and apply a reader role, sort of through IAM. See here:

https://medium.com/@crlmas07/programmatic-access-to-azure-portal-d925ea90831e