Delegated permissions are not necessary to get user consent

Question

I am confused abut the Delegated Permissions and I would like to explain why.

• I have created a app registration for a Backend API with 2 Scopes - Portfolio.Read and Portfolio.Write
• I have registered a client application for my Angular App. From that Angular App javascript code I am asking for the user to consent to api://BackendAppId/Portfolio.Read and api://BackendAppId/Portfolio.Write via the MSIL library...and it works - the user is shown the popup to consent and I get a JWT token containing in the scope the two consented permissions. I can use this token to call the BackendApi and the check on the scope is successfull

It is confusing because I was expecting the Portfolio.Read and Portfolio.Write to be added as Delegated Permission to the client App in order for this to work, but it is not necessary. So why then do I have to do this? What is the use case?
All the documentation and examples from Microsoft are requiring that the Delegated Permission to be configured...but if you skip this step, it still works.
Has anyone any idea regarding what am I doing wrong and where is the gap in my understanding?

Answer 1

Hi @Rusu, Stelian ,

You will add those permision as Delegated Permision when you need that the permisions to be consented by an admin of the final user.
The admin of the client user can consent those permisions ahead of time and the final user can have a better user experience. Also there are some permisions that can only consented by an admin.

More details at:

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#permission-types

Hope this helps!