CloudMe-0421 asked ·

Effects of 'Delegated Type' permissions under 'API Permissions' on registered application?

Hello,

I have noticed that even if I do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the user's scope consent.
What is the point then of configuring the 'Delegated Type' permissions?

Thank You.

azure-active-directory
soumi-MSFT answered ·

@CloudMe-0421, when you register an application from the portal, by default the following "Delegated Permission" (in the screenshot below) gets added.

This delegated permission allows the application to pull the details about the user who is currently logged into the app, as usually you log in to the Graph Explorer and try to test the Graph API to check your own profile details, like the /me endpoint.

By default it can only connect to the Graph API resource and only read the user's own profile details; no other Azure AD resource can be accessed.

Hope this helps.


Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CloudMe-0421 avatar image
CloudMe-0421 answered ·

As I noted in my question:
"I have noticed that even if I do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the user's scope consent."

Even after removing all default permissions and not adding any new ones, my registered app is still able to access resources granted by the user's consent.

I understand the "Application permissions" are there to enable the application access to resources on its own, without any user interaction. But what is the point of the "Delegated permissions" if the user's consent is the one that counts?

Thanks.


2 comments Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@CloudMe-0421, Thank you for taking me through this once again. I get the issue. Can you please share me the request what you are sending to the token endpoint, so that we can check that once and share updates based on that.


I'm using the 'OAuth Authorization Grant Flow' to make my application connect to users' OneDrive (https://graph.microsoft.com/v1.0/drives...).
Everything works fine with no permissions under the 'App registrations -> API permissions', which brings me to the question: what are the delegated permissions good for in the first place?
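One way to check which delegated permissions a token actually carries, compared with what is listed under 'API permissions' (an added example, not part of the original thread). It assumes the access token is a JWT whose `scp` claim holds delegated scopes and whose `roles` claim holds application permissions; the function names and the sample token are constructed for illustration, and the signature is not verified.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_permissions(token: str) -> dict:
    """Split what the token carries into delegated scopes and application roles."""
    claims = decode_claims(token)
    return {
        "delegated": set(claims.get("scp", "").split()),  # space-separated string
        "application": set(claims.get("roles", [])),      # JSON array
    }

def unlisted_scopes(token: str, configured: set) -> set:
    """Delegated scopes in the token that are absent from the app registration's
    configured 'API permissions' list (compared case-insensitively)."""
    granted = {s.lower() for s in granted_permissions(token)["delegated"]}
    return granted - {s.lower() for s in configured}

# Constructed sample: an unsigned token shaped like a delegated Graph token.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"aud": "https://graph.microsoft.com",
                        "scp": "Files.Read User.Read"}).encode()),
    "constructed-signature",
])

if __name__ == "__main__":
    print(granted_permissions(SAMPLE_TOKEN))
    # An app registration with an empty 'API permissions' list (assumed input):
    print(unlisted_scopes(SAMPLE_TOKEN, configured=set()))
```

Running the same comparison on a real token, with the scopes copied from the app registration as `configured`, shows which scopes came only from the consent prompt.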