Why are there delegated rights on an application

Martin Bilda 166 Reputation points

Hi, sorry if this isn't the right place to ask this question. I'm new.

I want to use the Microsoft Graph API to control various things in Microsoft teams. For example, I want to use the API to create a new team, or write a message in a channel.

For this I have created an application in the Azure Portal. For this I have defined a Client ID(standard), Tenant ID(standard) and a Client Secret(manual). If I now get a Bearer Token via Client ID and Client Secret, I have authenticated myself via my application and can therefore use permissions that fall under the category Application Permissions. (Correct?)
This means that if I grant my application the right to read my emails and I have a token that is allowed for my application, my application can read my emails without needing a username or password.
If I get a token using a username and password, then I am authenticated with a user, but I can still use application permissions.
Wouldn't it make much more sense to grant certain rights to a user instead of an application?
Also I don't understand the connection. The user has nothing to do with my application, but if I authenticate with this user, I can use all permissions I gave to my application.
Why do I have to give my application permissions when I authenticate with a user and want to read my emails for example?
When I request a token with username and password, Azure does not know which application to use for it, or why it uses an application for it at all.
I give my application a delegated permission to write messages in channels. Now I get a token for my application (with client ID and client secret) to write a message. Does not work, because it is a delegated permission, which needs a logged in user for that.
So I get a token with username and password. Works. But why? Why do I have to give my application the right and not the user? What's the connection?
Please help me, I do not understand.


Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,892 questions
0 comments No comments
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 55,556 Reputation points

    @Martin Bilda If you have acquired a token via client credentials flow (using client ID and client secret), the token is issued to the application. Now, if you want to perform any task in application context, you need to configure Application Permissions.

    However, if the application has to perform some action under User's context, you can still use the token issued to the application but you would need to configure Delegated permissions. For example, you can give Directory.AccessAsUser.All (Access directory as the signed in user) so that the application can access the directory under signed-in user's context.

    A simpler example is, if you want to post same picture to your Instagram and Facebook timeline but don't want to upload the picture twice, you can grant delegated permission to Instagram API on Facebook App so that Instagram API can post the picture on your behalf (using application token) to your Facebook timeline. If you use user token (acquired by using username password), you would need to upload the same picture on Instagram and Facebook timeline individually.

    Hope I covered all your quesitons.


    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful