
Will Entra ID app registration "delegated" API permissions allow unauthorized user queries?

Neville, Eric 0 Reputation points
2025-04-08T17:05:12.02+00:00

Hey all! Looking for insights from folks who've worked with:

  • A tenant for business/work
  • Microsoft Entra ID "app registrations"
  • Graph API permissions, particularly for "delegated" permissions and API endpoints requiring "admin consent" on behalf of all tenant users

Case:

We have an Entra ID app registration that was created solely to act as an interface for authenticated users to query the Graph API.

Via the "API permissions" view for the app registration, we add an API permission:

The "delegated" type API permission requires additional admin consent, because its objects are considered sensitive, security-wise.

A user authenticates against the app registration via a device code flow and receives a token they can use for API queries (e.g., like in the tutorial app for delegated authentication).

However, they do not have the individual role or permissions to read/write to the objects covered by the delegated API permission.

For example: they cannot access the Intune dashboard in the browser, and cannot update Intune device identity settings through the dashboard.

Question:

What happens if they try to query the endpoints for that API permission?

Do they...

  • Get an unauthorized error, because the "delegated" type API permission determines that the authenticated user's individual permissions are insufficient to access the endpoints/objects?
  • Or does the app ignore the "delegated" part of the API permission and go ahead with the query?
    • Which should theoretically fail, because in this case the app registration itself hasn't been granted direct access to Intune as a service principal (I think?)

Why we're asking:

We've reached out to Microsoft Support via ticket, and they claimed it'd be the latter result. But based on documentation and similar forum chatter here, it seems like it should be the former?

I really want to test and confirm, but am having trouble getting our global administrator to agree.

So I'm hoping to find folks who have something like this already in place and can help clarify the actual expected behavior. Any insights would be greatly appreciated, thank you!


1 answer

  1. Anonymous
    2025-04-10T10:29:38.2+00:00

    Hello @Neville, Eric,

    I understand the confusion you have about delegated API permissions in a Microsoft Entra ID application.

    Note: Even though the app has the delegated permission to access certain resources (e.g., DeviceManagementServiceConfig.ReadWrite.All for Intune), the app can only access those resources if the signed-in user has the correct permissions.

    • If the user doesn't have the necessary role or permissions (e.g., Intune admin role), they cannot access those Intune objects, and the API will return an unauthorized error (403 Forbidden).

    To test the same, I granted DeviceManagementServiceConfig.ReadWrite.All API permission to the Microsoft Entra ID application:


    Generated an access token for a user with no admin role (the token endpoint takes a POST with a form-encoded body):

        POST https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
        Content-Type: application/x-www-form-urlencoded

        client_id=ClientID
        &grant_type=authorization_code
        &scope=DeviceManagementServiceConfig.ReadWrite.All
        &redirect_uri=RedirectURL
        &code=Code
        &client_secret=Secret


    When I tried to call the List windowsAutopilotDeviceIdentities API, I got a 401 Unauthorized error:

        GET https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities



    Now, when I generated the access token with a user having the Admin role, the API call was successful:

    I got an empty response, as there are no identities in my environment.


    Hence, if the authenticated user does not have sufficient individual privileges, even though the app has been granted admin consent for the delegated permission, the request will fail with a 403 Unauthorized.

    • Delegated Permissions means the app is acting on behalf of a user, and can do only what that user can do, unless explicitly elevated by roles (like being an Intune Admin).
    • Even after a global admin consents to the permission in Entra ID, this only means “This app is allowed to ask for this scope when a user logs in.”
    • It does not grant the app or the user any additional backend access beyond what the user already has. It just means the scope is available for the access token.

    Hope this helps!


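The effective-permission model the answer describes (delegated scope in the token AND the signed-in user's own role; app-only tokens judged on the app's permissions alone) as an added example that is not part of the question or answer above. It decodes JWT claims without signature verification, purely to inspect a token you already hold; the sample tokens and the Intune Administrator role template ID are constructed placeholders, and it assumes the `wids` claim is present in the Graph access token.

```python
import base64
import json

# Constructed placeholder for the Intune Administrator role template ID that
# would appear in the token's "wids" claim; look up the real value in your
# tenant's directory roles before using this against real tokens.
INTUNE_ADMIN_ROLE_ID = "11111111-1111-1111-1111-111111111111"
REQUIRED_SCOPE = "DeviceManagementServiceConfig.ReadWrite.All"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    # Constructed test token: header + payload + empty signature. Real Entra ID
    # access tokens are RS256-signed; this stand-in only supports offline inspection.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    Fine for inspecting a token you obtained yourself; never use it to make
    an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_outcome(token: str, scope: str, role_ids: set) -> str:
    """Model the check Graph applies: app permission AND user privilege."""
    claims = token_claims(token)
    scopes = set(claims.get("scp", "").split())  # delegated permissions (space-separated)
    app_roles = set(claims.get("roles", []))      # application (app-only) permissions
    user_roles = set(claims.get("wids", []))      # signed-in user's directory role templates
    if not scopes and app_roles:
        # App-only token: there is no user, so only the app's own permissions count.
        return "allowed" if scope in app_roles else "denied: app lacks permission"
    if scope not in scopes:
        return "denied: scope not in token"
    if not user_roles & role_ids:
        return "denied: user lacks required role"
    return "allowed"


# Constructed sample tokens mirroring the answer's two test runs.
STANDARD_USER_TOKEN = make_unsigned_token({"scp": REQUIRED_SCOPE, "wids": []})
ADMIN_USER_TOKEN = make_unsigned_token({"scp": REQUIRED_SCOPE, "wids": [INTUNE_ADMIN_ROLE_ID]})
```

Decoding your own token's `scp` and `wids` claims this way shows whether admin consent actually put the scope in the token and whether the user carries a qualifying role, which is the first thing to check before reopening a support ticket.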

