MartinBilda-7257 avatar image
0 Votes"
MartinBilda-7257 asked brtrach-MSFT edited

Why are there delegated rights on an application

Hi, sorry if this isn't the right place to ask this question. I'm new.

I want to use the Microsoft Graph API to control various things in Microsoft teams. For example, I want to use the API to create a new team, or write a message in a channel.

For this I have created an application in the Azure Portal. For this I have defined a Client ID(standard), Tenant ID(standard) and a Client Secret(manual). If I now get a Bearer Token via Client ID and Client Secret, I have authenticated myself via my application and can therefore use permissions that fall under the category Application Permissions. (Correct?)
This means that if I grant my application the right to read my emails and I have a token that is allowed for my application, my application can read my emails without needing a username or password.
If I get a token using a username and password, then I am authenticated with a user, but I can still use application permissions.
Wouldn't it make much more sense to grant certain rights to a user instead of an application?
Also I don't understand the connection. The user has nothing to do with my application, but if I authenticate with this user, I can use all permissions I gave to my application.
Why do I have to give my application permissions when I authenticate with a user and want to read my emails for example?
When I request a token with username and password, Azure does not know which application to use for it, or why it uses an application for it at all.
I give my application a delegated permission to write messages in channels. Now I get a token for my application (with client ID and client secret) to write a message. Does not work, because it is a delegated permission, which needs a logged in user for that.
So I get a token with username and password. Works. But why? Why do I have to give my application the right and not the user? What's the connection?
Please help me, I do not understand.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

amanpreetsingh-msft avatar image
1 Vote"
amanpreetsingh-msft answered amanpreetsingh-msft edited

@MartinBilda-7257 If you have acquired a token via client credentials flow (using client ID and client secret), the token is issued to the application. Now, if you want to perform any task in application context, you need to configure Application Permissions.

However, if the application has to perform some action under User's context, you can still use the token issued to the application but you would need to configure Delegated permissions. For example, you can give Directory.AccessAsUser.All (Access directory as the signed in user) so that the application can access the directory under signed-in user's context.

A simpler example is, if you want to post same picture to your Instagram and Facebook timeline but don't want to upload the picture twice, you can grant delegated permission to Instagram API on Facebook App so that Instagram API can post the picture on your behalf (using application token) to your Facebook timeline. If you use user token (acquired by using username password), you would need to upload the same picture on Instagram and Facebook timeline individually.

Hope I covered all your quesitons.

Please "Accept as answer" wherever the information provided helps you to help others in the community.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.