How to use Admin restricted permissions/scope in non-interactive applications

Question

How to use Admin restricted permissions/scope in non-interactive applications

Stucki Cédric, BKW 0

I need some help interpreting parts of the Microsoft Identity Platform documentation,

Next, add another example scope named Employees.Write.All that only admins can consent to. Scopes that require admin consent are typically used for providing access to higher-privileged operations, and often by client applications that run as backend services or daemons that don't sign in a user interactively.

i am wondering how one is supposed to acquire a Access Token that contains said higher-priviledged scope in the context of a daemon like client application that runs in the background without user interaction? As far as i understood, that kind of client applications can only use the client credentials grant flow which does not allow to define a specific scope (like "Employees.Write.All") when requesting a token. Does anyone have an idea what setup the authors had in mind writing the section mentioned?

Bonus question:

Citing this page

When you assign app roles to an application, you create application permissions. Application permissions are typically used by daemon apps or back-end services that need to authenticate and make authorized API call as themselves, without the interaction of a user.

it seems like App Roles are suggested instead of Scopes for deamon-apps, this is in conflict with the setup proposed in the main questions citation. Which one is correct?

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-08-17T02:58:08.5366667+00:00

@Stucki Cédric, BKW

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

2 answers

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2024-08-17T02:58:08.5366667+00:00

@Stucki Cédric, BKW

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Hi @Stucki Cédric, BKW , you can still use admin-restricted scopes in non-interactive applications by using the "on-behalf-of" flow.

The OBO flow allows a daemon or backend service to obtain an access token for a downstream API on behalf of a user. In this case, the user is an administrator who has consented to the admin-restricted scope. The daemon or backend service can then use the access token to call the downstream API with the higher-privileged operation.

Both app roles and scopes can be used for daemon apps or back-end services that need to authenticate and make authorized API calls as themselves, without the interaction of a user. The choice between app roles and scopes depends on the specific requirements of your application.

Scopes are typically used to control access to specific resources or operations within an API while app roles are typically used to define roles or permissions that are assigned to users or applications.

The admin-restricted scope is used to provide access to higher-privileged operations that can only be consented to by an administrator. This is a scenario where scopes are more appropriate than app roles, as the scope is used to control access to a specific operation within the API.

In other scenarios where you want to define a set of roles or permissions that can be assigned to users or applications, app roles may be more appropriate. For example, if you have an API that provides access to different resources based on the role of the user or application, you may want to define app roles that correspond to each resource.

I hope this helps!

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Stucki Cédric, BKW 0 Reputation points

2024-08-12T08:14:11.7033333+00:00

Hi JamesThank you for your response.

There might be a confusion on my side regarding what exactly non-interactive means, i parsed it in a way that there is no human interaction involved, machine to machine setups so to speak. That is not the case in the OBO flow if i understood that one correctly as it requires a user to authenticate first?

Circling back to the original question, what i am trying to verify is if Scopes are not suitable for setups where the client accesses without a user involved like a scheduled job.

Answer 2

Hi @Stucki Cédric, BKW ,

Thanks for reaching out.

Your understanding and observation are correct here.

As mentioned in portal as well, that scopes create only delegated permissions which allow the application to act on behalf of a signed-in user.

User's image

To get the token using client credential flow, application only scopes or app roles need to define in the application.

It should be "Admin consent are typically used for providing access to higher-privileged delegated permissions and often by client applications that run as backend services or daemons that don't sign in a user interactively".

Let me check with author once if they have other thoughts on this, else will update the document.

Thanks for pointing this.

Hope this will help.

Thanks,

Shweta

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Share via

How to use Admin restricted permissions/scope in non-interactive applications

2 answers

Your answer