
I am trying to set up an automated way of creating applications at my company (in Azure AD). I got it mostly working, but I realized that to make it so that my users do not need to consent the first time they use our applications (something that will just confuse them), I need to have my automation have the DelegatedPermissionGrant.ReadWrite.All permission.

Before I just ask my System Admin to grant that permission to my automation, I would like to understand what I am asking for. Googling has led me to believe that this is a powerful permission, but I can't get any specifics.

What kind of things can DelegatedPermissionGrant.ReadWrite.All actually do?

Vaccano

1 Answer

An app registration portal provides really important automation that many large orgs have written to let developers create apps without overwhelming IT with hundreds of manual operations.

DelegatedPermissionGrant.ReadWrite.All application permissions can do these things (from the docs):

  • Allows the app to grant or revoke any delegated permission for any API (including Microsoft Graph), without a signed-in user.

Addition of delegated permissions could enable an app to perform unexpected actions on behalf of a user without requesting consent. If the user is an admin user this could be damaging. Removal of delegated permissions could cause some unexpected consent prompts. Probably not as bad.

To mitigate risk, I have seen large, security-conscious orgs create a low-permissions portal for gathering all the requirements of an app request. If the app has low permission requirements, the portal just creates the app (using App Permissions, not delegated permissions). If the app has high requirements, the portal creates a ticket for someone in IT to click a link triggering a different highly-permissioned (like Global Admin) and highly protected app to provision (and log the creation of) the highly permissioned app.

App Permissions allow the app to operate on its own, not in the context of the user. This could be useful if the user doesn't have permissions to perform the required operation.

From StackOverflow: Azure AD App Application Permissions vs Delegated Permissions.

From LinkedIn: https://www.linkedin.com/pulse/azure-app-registration-delegated-vs-application-permission-daniel-kim/.

From Microsoft docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#permission-types

Just my .02.

  • The question is about `DelegatedPermissionGrant.ReadWrite.All` and you answered about `Directory.ReadWrite.All`. – Gaurav Mantri Aug 17 '23 at 02:48
  • Thank you Gaurav - corrected the answer. – Arvind Suthar Aug 17 '23 at 05:16
  • Thank you for your answer. I am wondering about the part where you indicated that it could be done "using App Permissions". What app permissions can provide user consent besides delegated permissions? (Assuming that the application wants simple things like `User.Read` and `profile`.) – Vaccano Aug 17 '23 at 17:22
  • App Permissions allow the app to operate on its own, not in the context of the user. This could be useful if the user doesn't have permissions to perform the required operation. From SO: https://stackoverflow.com/questions/31404128/azure-ad-app-application-permissions-vs-delegated-permissions. From LI: https://www.linkedin.com/pulse/azure-app-registration-delegated-vs-application-permission-daniel-kim/. From official docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/permissions-consent-overview#permission-types – Arvind Suthar Aug 17 '23 at 18:41
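The answer above says what DelegatedPermissionGrant.ReadWrite.All lets an automation do (create or delete any delegated permission grant, including tenant-wide admin consent) and describes the low-permissions-portal pattern for containing that power. The following Python is an added example, not code from the question, the answer, or Microsoft: it models the Microsoft Graph `oAuth2PermissionGrant` object that this permission controls, shows what a tenant-wide grant body looks like, and audits a constructed list of grants for the risk the answer describes (tenant-wide consent to high-impact scopes). The field names (`clientId`, `consentType`, `principalId`, `resourceId`, `scope`) are the real Graph resource fields; the GUIDs, the sample grants, and the high/low-impact scope lists are constructed assumptions for the example, not an official classification.

```python
"""Model and audit Azure AD oAuth2PermissionGrant objects.

DelegatedPermissionGrant.ReadWrite.All lets an app create or delete these
objects for any client and any API, without a signed-in user. This example
(added here, not the project's own code) shows what such a grant looks like
and how a defender would flag the dangerous ones.

Real endpoint the data would come from (not called here; sample data is
constructed inline):  GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption for the example: scopes an auditor treats as high impact when
# granted to every user in the tenant. Not an official Microsoft list.
HIGH_IMPACT_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All",
}
# Scopes a plain sign-in app typically needs (the question's User.Read / profile case).
LOW_IMPACT_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Constructed sample: placeholder service-principal and user object ids.
CLIENT_SP = "00000000-0000-0000-0000-0000000000c1"
GRAPH_SP = "00000000-0000-0000-0000-0000000000a1"
USER_ID = "00000000-0000-0000-0000-0000000000e1"


def build_grant_body(client_sp_id: str, resource_sp_id: str, scopes: List[str],
                     principal_id: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Request body for POST /oauth2PermissionGrants.

    consentType "AllPrincipals" (principalId null) is tenant-wide admin consent:
    every user is consented without ever seeing a prompt. "Principal" consents
    only the one user in principal_id. This is exactly the write that
    DelegatedPermissionGrant.ReadWrite.All authorises.
    """
    return {
        "clientId": client_sp_id,
        "resourceId": resource_sp_id,
        "scope": " ".join(scopes),
        "consentType": "Principal" if principal_id else "AllPrincipals",
        "principalId": principal_id,
    }


def self_service_allowed(requested_scopes: List[str]) -> bool:
    """The answer's 'low-permissions portal' rule, as an assumed policy:
    the portal may grant consent itself only if every scope is low impact;
    anything else goes to an IT ticket handled by the protected app."""
    return all(s in LOW_IMPACT_SCOPES for s in requested_scopes)


@dataclass
class GrantFinding:
    grant_id: str
    client_id: str
    tenant_wide: bool
    risk: str
    risky_scopes: List[str] = field(default_factory=list)
    unknown_scopes: List[str] = field(default_factory=list)


def classify_grant(grant: Dict[str, Optional[str]]) -> GrantFinding:
    """Rate one existing grant. The Graph 'scope' field is space-separated."""
    scopes = (grant.get("scope") or "").split()
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    risky = sorted(s for s in scopes if s in HIGH_IMPACT_SCOPES)
    unknown = sorted(s for s in scopes
                     if s not in HIGH_IMPACT_SCOPES and s not in LOW_IMPACT_SCOPES)
    if risky and tenant_wide:
        risk = "high"        # everyone consented to a powerful scope
    elif risky or (tenant_wide and unknown):
        risk = "medium"      # powerful but single-user, or tenant-wide but unreviewed
    else:
        risk = "low"
    return GrantFinding(grant.get("id") or "", grant.get("clientId") or "",
                        tenant_wide, risk, risky, unknown)


# Constructed sample of what GET /oauth2PermissionGrants might return.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": CLIENT_SP, "resourceId": GRAPH_SP,
     "consentType": "AllPrincipals", "principalId": None, "scope": "openid profile User.Read"},
    {"id": "g2", "clientId": CLIENT_SP, "resourceId": GRAPH_SP,
     "consentType": "AllPrincipals", "principalId": None, "scope": "Mail.ReadWrite Files.ReadWrite.All"},
    {"id": "g3", "clientId": CLIENT_SP, "resourceId": GRAPH_SP,
     "consentType": "Principal", "principalId": USER_ID, "scope": "Mail.Send"},
    {"id": "g4", "clientId": CLIENT_SP, "resourceId": GRAPH_SP,
     "consentType": "AllPrincipals", "principalId": None, "scope": "Sites.Read.All"},
]


def audit(grants: List[Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Map grant id -> risk tier for a list of grants."""
    return {f.grant_id: f.risk for f in (classify_grant(g) for g in grants)}


if __name__ == "__main__":
    for gid, risk in audit(SAMPLE_GRANTS).items():
        print(f"{gid}: {risk}")
    print(build_grant_body(CLIENT_SP, GRAPH_SP, ["openid", "User.Read"]))
```

The point for the question: the body that `build_grant_body` produces with no `principal_id` is the one-shot "no consent prompt for anyone" write, so the automation holding DelegatedPermissionGrant.ReadWrite.All can issue it for any scope on any API. Gating that write with a check like `self_service_allowed` (or the ticket-to-a-protected-app flow the answer describes) and periodically running an `audit` over the tenant's existing grants is how the answer's risk is kept in view.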