Effects of 'Delegated Type' permissions under 'API Permissions' on registered application?

CloudMe 21 Reputation points
2019-12-09T15:39:21.233+00:00

Hello,

I have noticed that even if i do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the users scope consent.
What is the point then of configuring the 'Delegated Type' permissions?

Thank You.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,198 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2019-12-09T15:55:01.297+00:00

    @CloudMe , When you register an application from the portal, by default the following (in the screenshot below) "Delegated Permission" gets added

    alt text

    This delegated permission allows the application to pull the details about the user who is currently logged into the app, as usually you login to the Graph Explorer and try to test the graph api to check your own profile details like the /me endpoint.

    By default it can only connect to the Graph API Resource and perform only the read user's own profile details and no other Azure AD resource can be accessed.

    Hope this helps.

    0 comments No comments

  2. CloudMe 21 Reputation points
    2019-12-09T22:23:45.57+00:00

    As i noted in my question:
    "I have noticed that even if i do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the users scope consent."

    Even after Removing all default permissions and not adding any new ones, my registered app is still able to access resources granted by the user's consent.

    I understand the "Application permissions" are there to enable the application access to resources on its own, without any user interaction. But what is the point of the "Delegated permissions" if the users consent is the one that counts?

    Thanks.