A delegated permission grant authorizes a client service principal (representing a client application) to access a resource service principal (representing an API), on behalf of a signed-in user, for the level of access limited by the delegated permissions which were granted.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
If successful, this method returns a 200-series response code and a new oAuth2PermissionGrant object in the response body. The following table shows the properties that are required when you create the oAuth2PermissionGrant.
The id of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API. Required.
Indicates whether authorization is granted for the client application to impersonate all users or only a specific user. AllPrincipals indicates authorization to impersonate all users. Principal indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. Required.
The id of the user on behalf of whom the client is authorized to access the resource, when consentType is Principal. If consentType is AllPrincipals this value is null. Required when consentType is Principal.
The id of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user.
A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the oauth2PermissionScopes property of the resource service principal. Must not exceed 3850 characters in length.
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new OAuth2PermissionGrant
ClientId = "ef969797-201d-4f6b-960c-e9ed5f31dab5",
ConsentType = "AllPrincipals",
ResourceId = "943603e4-e787-4fe9-93d1-e30f749aae39",
Scope = "DelegatedPermissionGrant.ReadWrite.All",
var result = await graphClient.Oauth2PermissionGrants.PostAsync(requestBody);
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new OAuth2PermissionGrant();
$requestResult = $graphServiceClient->oauth2PermissionGrants()->post($requestBody);