Building apps that secure identity through permissions and consent

This article continues from the Zero Trust identity and access management development best practices article to help you, as a developer, use a Zero Trust approach to identity in your software development lifecycle (SDLC). Below, you'll find an overview of the Permissions and access articles in this Developer Guide so that you can dive into identity components that include authentication, authorization, and identity management.

  • Supported identity and account types for single- and multi-tenant apps explains how to choose whether your app allows only users from your own Azure Active Directory (Azure AD) tenant, users from any Azure AD tenant, or users with personal Microsoft accounts, by configuring the app as either single-tenant or multitenant during app registration in Azure. It also shows how to honor the Zero Trust principle of least privilege access by having your app request only the permissions it needs.
  • Acquiring authorization to access resources helps you to understand how to best ensure Zero Trust when acquiring resource access permissions for your application. To access protected resources like email or calendar data, your application needs the resource owner's authorization. The resource owner can consent to or deny your app's request. Your app will receive an access token when the resource owner grants consent; your app won't receive an access token when the resource owner denies access.
  • Developing delegated permissions strategy helps you implement the best approach for managing permissions in your application and develop it using Zero Trust principles. As described in Acquiring authorization to access resources, delegated permissions are used with delegated access to allow an application to act on behalf of a signed-in user, accessing only what that user can access. Application permissions are used with direct access to allow an application to access any data with which the permission is associated, without a user present. Only administrators and owners of service principals can consent to application permissions.
  • Developing application permissions strategy helps you to decide upon your application permissions approach to credential management when you use the Microsoft identity platform to authenticate and authorize your applications and manage permissions and consent.
  • Requesting permissions that require administrative consent describes the permission and consent experience for a scenario where you're writing your application code to request application permissions that will require administrative consent. Example screenshots of permission and consent dialogs and the Microsoft Entra admin center give you an idea of what your users and tenant admins experience so that you can better collaborate with admins and implement the Zero Trust principle of least privilege in your applications.
  • When you're building non-user applications, you don't have a user whom you can prompt for a username and password or Multifactor Authentication (MFA). You need to provide the application's identity on its own. Providing application identity credentials when there's no user explains why the best Zero Trust client credentials practice for services (non-user applications) on Azure is Managed Identities for Azure resources.
  • Authorization best practices helps you to implement the best authorization, permission, and consent models for your applications.
  • The demonstrations in Example of API protected by Microsoft identity consent framework help you to design your application permissions strategy to provide the best experience for your users and tenant admins when you implement the Zero Trust principle of least privilege.

Next steps