Effects of 'Delegated Type' permissions under 'API Permissions' on registered application?

asked 2019-12-09T15:39:21.233+00:00
CloudMe 21 Reputation points

Hello,

I have noticed that even if I do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the user's scope consent.
What is the point then of configuring the 'Delegated Type' permissions?

Thank You.

Azure Active Directory

2 answers

  1. answered 2019-12-09T15:55:01.297+00:00
    soumi-MSFT 11,591 Reputation points Microsoft Employee

    @CloudMe, when you register an application from the portal, by default the following "Delegated Permission" (in the screenshot below) gets added.

    This delegated permission allows the application to pull the details about the user who is currently logged into the app, as usually you log in to the Graph Explorer and try to test the Graph API to check your own profile details, like the /me endpoint.

    By default it can only connect to the Graph API resource and only read the user's own profile details; no other Azure AD resource can be accessed.

    Hope this helps.

  2. answered 2019-12-09T22:23:45.57+00:00
    CloudMe 21 Reputation points

    As I noted in my question:
    "I have noticed that even if I do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the user's scope consent."

    Even after removing all default permissions and not adding any new ones, my registered app is still able to access resources granted by the user's consent.

    I understand the "Application permissions" are there to enable the application access to resources on its own, without any user interaction. But what is the point of the "Delegated permissions" if the user's consent is the one that counts?

    Thanks.
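
An added example, not part of the thread and not Microsoft's code: one way to audit the gap the question describes, by comparing the delegated permissions declared on an app registration with the scopes that have actually been consented to. It assumes the Microsoft Graph object shapes `requiredResourceAccess` (application), `oauth2PermissionScopes` (service principal) and `oauth2PermissionGrants`; the object ids, scope ids and grants are constructed sample data.

```python
# Constructed sample data shaped like Microsoft Graph objects (assumed shapes).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph appId
GRAPH_SP = "sp-graph-0001"  # object id of the resource service principal (made up)

APP = {  # application: what the 'API permissions' blade declares
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": "scope-id-user-read", "type": "Scope"}],
    }]
}
RESOURCE_SPS = {GRAPH_SP: {  # resource service principals, keyed by object id
    "appId": GRAPH_APP_ID,
    "oauth2PermissionScopes": [
        {"id": "scope-id-user-read", "value": "User.Read"},
        {"id": "scope-id-mail-read", "value": "Mail.Read"}],
}}
GRANTS = [  # oauth2PermissionGrants: what was actually consented
    {"consentType": "Principal", "principalId": "user-1",
     "resourceId": GRAPH_SP, "scope": "User.Read Mail.Read"},
    {"consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP, "scope": "User.Read"},
]

def declared_scopes(app, resource_sps):
    """Map resource object id -> delegated scope names declared on the app."""
    declared = {}
    for sp_id, sp in resource_sps.items():
        names = {s["id"]: s["value"] for s in sp["oauth2PermissionScopes"]}
        ids = {ra["id"]
               for rra in app["requiredResourceAccess"]
               if rra["resourceAppId"] == sp["appId"]
               for ra in rra["resourceAccess"] if ra["type"] == "Scope"}
        declared[sp_id] = {names[i] for i in ids if i in names}
    return declared

def undeclared_grants(app, resource_sps, grants):
    """Return (who, resource id, scopes) for consented scopes not declared on the app."""
    declared = declared_scopes(app, resource_sps)
    findings = []
    for g in grants:
        extra = set(g["scope"].split()) - declared.get(g["resourceId"], set())
        if extra:
            who = g["principalId"] or "all users (admin consent)"
            findings.append((who, g["resourceId"], sorted(extra)))
    return findings

if __name__ == "__main__":
    for who, resource, scopes in undeclared_grants(APP, RESOURCE_SPS, GRANTS):
        print(f"{who}: consented to {scopes} on {resource}, not declared on the app")
```
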