Delegated permissions are not necessary to get user consent

Rusu, Stelian 1 Reputation point

I am confused about the Delegated Permissions and I would like to explain why.

  • I have created an app registration for a Backend API with 2 Scopes - Portfolio.Read and Portfolio.Write
  • I have registered a client application for my Angular App. From that Angular App's JavaScript code I am asking the user to consent to api://BackendAppId/Portfolio.Read and api://BackendAppId/Portfolio.Write via the MSIL library...and it works - the user is shown the popup to consent and I get a JWT token containing the two consented permissions in the scope. I can use this token to call the BackendApi and the check on the scope is successful

It is confusing because I was expecting the Portfolio.Read and Portfolio.Write to be added as Delegated Permission to the client App in order for this to work, but it is not necessary. So why then do I have to do this? What is the use case?
All the documentation and examples from Microsoft require the Delegated Permission to be configured...but if you skip this step, it still works.
Does anyone have any idea what I am doing wrong and where the gap in my understanding is?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Cristian SPIRIDON 4,471 Reputation points

    Hi @Rusu, Stelian ,

    You will add those permissions as Delegated Permissions when you need the permissions to be consented by an admin of the final user.
    The admin of the client user can consent to those permissions ahead of time and the final user can have a better user experience. Also, there are some permissions that can only be consented by an admin.

    More details at:

    Hope this helps!
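
The scope check the question mentions is made by the Backend API against the token's `scp` claim, whatever is configured on the client registration. The sketch below is an added example, not code from the thread or from Microsoft: `authorize` and `grantedScopes` are hypothetical names, `api://BackendAppId` is the placeholder used in the question, and the claims are assumed to come from a token whose signature, issuer and lifetime a JWT library has already verified.

```javascript
// Added example: enforcing delegated scopes in the backend API.
// Assumption: `claims` is the payload of an already verified access token.
const ACCEPTED_AUDIENCES = new Set(["api://BackendAppId"]); // placeholder from the question

function grantedScopes(claims) {
  // Delegated (user) tokens carry scopes in `scp` as one space-separated string.
  // App-only tokens have no `scp`; they carry `roles` instead.
  if (!claims || typeof claims.scp !== "string") return new Set();
  return new Set(claims.scp.split(" ").filter(Boolean));
}

function authorize(claims, requiredScope) {
  // Reject tokens issued for a different API before looking at scopes.
  if (!claims || !ACCEPTED_AUDIENCES.has(claims.aud)) {
    return { allowed: false, reason: "wrong audience" };
  }
  const scopes = grantedScopes(claims);
  if (scopes.size === 0) {
    return { allowed: false, reason: "no delegated scopes" };
  }
  // Exact match on whole scope names: a substring test would let
  // "Portfolio.ReadAll" satisfy a check for "Portfolio.Read".
  if (!scopes.has(requiredScope)) {
    return { allowed: false, reason: "missing scope " + requiredScope };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample claims (not real tokens).
const samples = {
  bothScopes: { aud: "api://BackendAppId", scp: "Portfolio.Read Portfolio.Write" },
  lookalike: { aud: "api://BackendAppId", scp: "Portfolio.ReadAll" },
  appOnly: { aud: "api://BackendAppId", roles: ["Portfolio.Read"] },
  otherApi: { aud: "api://OtherApp", scp: "Portfolio.Read" },
};

for (const [name, claims] of Object.entries(samples)) {
  console.log(name, authorize(claims, "Portfolio.Read"));
}
```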