Hi, sorry if this isn't the right place to ask this question. I'm new.
I want to use the Microsoft Graph API to control various things in Microsoft teams. For example, I want to use the API to create a new team, or write a message in a channel.
For this I have created an application in the Azure Portal. For this I have defined a Client ID (standard), a Tenant ID (standard) and a Client Secret (manual). If I now get a Bearer Token via Client ID and Client Secret, I have authenticated myself via my application and can therefore use permissions that fall under the category Application Permissions. (Correct?)
This means that if I grant my application the right to read my emails and I have a token that is allowed for my application, my application can read my emails without needing a username or password.
If I get a token using a username and password, then I am authenticated with a user, but I can still use application permissions.
Wouldn't it make much more sense to grant certain rights to a user instead of an application?
Also, I don't understand the connection. The user has nothing to do with my application, but if I authenticate with this user, I can use all permissions I gave to my application.
Why do I have to give my application permissions when I authenticate with a user and want to read my emails for example?
When I request a token with username and password, Azure does not know which application to use for it, or why it uses an application for it at all.
I give my application a delegated permission to write messages in channels. Now I get a token for my application (with client ID and client secret) to write a message. Does not work, because it is a delegated permission, which needs a logged in user for that.
So I get a token with username and password. Works. But why? Why do I have to give my application the right and not the user? What's the connection?
Please help me, I do not understand.
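As an added example (not code from the poster or from Microsoft), a small Python check that makes the app-versus-user distinction visible from the token itself: application permissions obtained with client ID and client secret are carried in the `roles` claim, delegated permissions obtained with a signed-in user in the `scp` claim, and both are granted on the app registration, which is why the application must hold them either way. The two sample tokens and the app id are constructed placeholders, and the tokens are unsigned purely for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token. A real Graph token is signed by Azure AD and is
    # validated by the resource (Graph); this helper only exists to build input.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def token_permissions(token: str) -> dict:
    """Classify a Graph access token by how it was obtained, using its claims.

    Client-credentials tokens (app only) carry application permissions in
    `roles`; tokens obtained with a signed-in user carry delegated
    permissions in `scp` and name the user in `upn`. `appid` identifies the
    app registration in both cases, which is where the grant was made.
    """
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    scopes = claims.get("scp", "")
    return {
        "app_id": claims.get("appid"),
        "user": claims.get("upn"),
        "flow": "delegated" if "scp" in claims else "application",
        "application_permissions": list(claims.get("roles", [])),
        "delegated_permissions": scopes.split() if scopes else [],
    }


# Constructed placeholder app id (not a real registration).
APP_ID = "00000000-0000-0000-0000-000000000001"

# Token as returned to the app alone (client ID + client secret).
APP_TOKEN = make_unsigned_jwt(
    {"appid": APP_ID, "roles": ["Mail.Read", "Team.Create"]}
)

# Token as returned when a user signed in through the same app registration.
USER_TOKEN = make_unsigned_jwt(
    {"appid": APP_ID, "upn": "alice@contoso.example", "scp": "ChannelMessage.Send Mail.Read"}
)
```

Running `token_permissions` over a real token you obtained (never one you did not) shows the same split, and is a quick way to tell why a delegated-only permission such as sending a channel message fails with an app-only token.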