
I am creating an Azure AD app and noticed there are two permissions types, Application Permissions and Delegated Permissions. What is the difference between the two and under what scenario should I use them?

spottedmahn
Arjuna

2 Answers


You typically use delegated permissions when you want to call the Web API as the logged-on user. Say, for example, that the Web API needs to filter the data it returns based on who the user is, or execute some action as the logged-in user. Or even just to log which user initiated the call.

Application permissions are used when the application calls the API as itself. For example, to get the weather forecast for a certain zip code (it does not matter which user is logged on). The client can even call the API when there's no user present (some background service calling the API to update some status).

MvdD
  • Thanks for the response. I have a background service calling the above-mentioned Web API. However, for background services (Native applications) app permissions are not available; is there any reason for this? The app will be using its own set of credentials to log into the above-mentioned Web API. – Arjuna Jul 16 '15 at 02:22
  • That is because native apps, like mobile clients, are considered insecure (they cannot keep secrets), as you'll need to store client credentials inside the code or configuration of the application itself. If you have a background service running on a server, you should be able to store the key used to access the API. – MvdD Jul 16 '15 at 03:35
  • Yes I have a background service, and I can use it to securely store the key. The problem is that as soon as I register the app as a Native app the application permissions section does not show up, should I register the background service as a web app? – Arjuna Jul 16 '15 at 04:25
  • Yes, that is not a problem. – MvdD Jul 16 '15 at 05:30
  • What decides whether a permission is delegated or application? If I am using `oauth2Permissions`, `appRoles` or the `groupMembershipClaims` section of the manifest? – Muhammad Rehan Saeed Dec 22 '15 at 14:26
  • @MuhammadRehanSaeed, in the appRoles section of your manifest, you define roles with allowedMemberTypes == User or Application. See also: http://bit.ly/1QWHpzE – MvdD Dec 23 '15 at 06:04
  • You can read more in the doc: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference – matteo Jun 14 '17 at 11:00
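The distinction the answer and the appRoles comment draw (call as the signed-in user via a delegated permission, or as the app itself via an application permission) shows up in the token the Web API receives: delegated tokens carry granted scopes in the `scp` claim plus the user's `oid`, while app-only tokens carry application permissions in `roles` and have no `scp`. The following is an added example, not code from the original answers, of how a Web API can tell the two apart and record who initiated the call; the permission names `Status.ReadWrite` and `Status.ReadWrite.All` and the sample claims are assumptions constructed for the example.

```python
# Added example (not from the original answers): distinguishing an app-only
# (application-permission) token from a delegated-permission token issued by
# Azure AD inside a Web API. The claim dicts are constructed samples; a real
# token is a signed JWT whose signature, issuer, audience and expiry must be
# validated before any of these claims are trusted.
from dataclasses import dataclass
from typing import Optional

# Hypothetical permission names for a "status" API (assumed, not from the page).
APP_ROLE_REQUIRED = "Status.ReadWrite.All"   # appRoles entry, allowedMemberTypes: Application
SCOPE_REQUIRED = "Status.ReadWrite"          # oauth2Permissions entry, granted to users


@dataclass
class CallerContext:
    kind: str                 # "application" or "delegated"
    user_oid: Optional[str]   # object id of the signed-in user; None for app-only calls
    app_id: str               # the calling client application


def classify_caller(claims: dict) -> CallerContext:
    """Decide whether the call runs as the app itself or as a signed-in user.

    Delegated tokens list the granted scopes in 'scp' (space separated) and
    identify the user with 'oid'. App-only tokens list application permissions
    in 'roles' and carry no 'scp'. A token with any 'scp' is treated as
    delegated even if it also has 'roles' (those are the user's app roles),
    so a user-context call is never silently promoted to an app-only one.
    """
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    app_id = claims.get("azp") or claims.get("appid", "")   # v2 'azp' / v1 'appid'
    if scopes:
        if SCOPE_REQUIRED not in scopes:
            raise PermissionError("missing delegated scope")
        return CallerContext("delegated", claims.get("oid"), app_id)
    if APP_ROLE_REQUIRED in roles:
        return CallerContext("application", None, app_id)
    raise PermissionError("token carries neither the required scope nor app role")


def update_status(claims: dict, new_status: str) -> dict:
    """Apply the update and record who initiated it (the user, or the app itself)."""
    ctx = classify_caller(claims)
    actor = ctx.user_oid if ctx.kind == "delegated" else f"app:{ctx.app_id}"
    return {"status": new_status, "initiated_by": actor, "caller_kind": ctx.kind}


# Constructed sample claims, as they would look after signature validation and decoding.
DELEGATED_CLAIMS = {"scp": "Status.ReadWrite User.Read", "oid": "user-guid-1", "azp": "client-guid-a"}
APP_ONLY_CLAIMS = {"roles": ["Status.ReadWrite.All"], "azp": "client-guid-b"}
```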

From the documentation here: Configure a client application to access web APIs:

  • Application Permissions: Your application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for native client applications.
  • Delegation Permissions: Your application needs to access the web API as the signed-in user, but with access limited by the selected permission. This type of permission can be granted by a user unless the permission is configured as requiring administrator consent.

Based on this if your application requires user impersonation, then you would need to use Delegation permissions.

BenV
Gaurav Mantri