azure application permissions vs delegated permission

Published 2023-03-28 10:09:23 Author: ChuckLu

azure application permissions vs delegated permission

In Azure Active Directory (Azure AD), there are two types of permissions that can be granted to an application: application permissions and delegated permissions.

Application permissions are also known as "app-only" permissions. These are permissions that are granted to the application itself, rather than to a user or group. They allow the application to act on its own behalf, without requiring a user to be signed in. Examples of application permissions might include "read all users' full profiles" or "write all groups".

Delegated permissions, on the other hand, are also known as "user-delegated" permissions. These are permissions that are granted to an application on behalf of a signed-in user. They allow the application to act as that user, and perform actions on their behalf. Examples of delegated permissions might include "read the signed-in user's profile" or "send mail on behalf of the user".

In general, application permissions should be used when an application needs to access resources or perform actions that don't require user context or are related to administration of the tenant. Delegated permissions should be used when an application needs to access resources or perform actions on behalf of a user, with that user's consent.

It's important to note that not all permissions can be granted as both application and delegated permissions. Some permissions are only available as one or the other, depending on the API being accessed. Additionally, the permissions that an application can request depend on the configuration of the API and the permissions that the requesting application is authorized to use.


So do application permissions and delegated permissions both use the ClientId and ClientSecret?

Yes, both application permissions and delegated permissions require a registered Azure AD application, which has a unique client ID and client secret (or a certificate, in the case of app-only authentication). The difference is in how the authentication and authorization process works.

For application permissions, the Azure AD app authenticates and authorizes itself to access a resource, such as a Microsoft Graph API, using its own client credentials. This means that the app is acting on its own behalf, rather than on behalf of a user.

For delegated permissions, the Azure AD app is granted permission to access a resource, such as a Microsoft Graph API, on behalf of a user. In this case, the user must grant consent for the app to access their resources, and the app uses an access token obtained through the OAuth 2.0 authorization code flow or another flow that involves user interaction to access the resource.


Could you give a sample of how to use delegated permissions to get all users under the same TenantId in C#?

Here's an example of how to use delegated permissions to get a list of all users in the same tenant as the signed-in user:

using System;
using System.Net.Http.Headers;
using Microsoft.Graph; // Microsoft Graph SDK v4 API surface (Request().GetAsync())

// Delegated scope needed to list other users' profiles. User.Read alone only
// covers the signed-in user's own profile, so GET /users would be refused with 403.
string[] scopes = new[] { "User.ReadBasic.All" };

// Create a Microsoft Graph client that attaches the signed-in user's access token
// to every request. GetAccessTokenForSignedInUserAsync is the app's own helper
// (typically a wrapper around MSAL's AcquireTokenSilent) and is not shown here.
var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
{
    // Get the current access token for the signed-in user.
    string accessToken = await GetAccessTokenForSignedInUserAsync(scopes);

    // Add the access token to the HTTP Authorization header.
    requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
}));

// Get the first page of users in the tenant; Graph returns results in pages.
var users = await graphClient.Users.Request().GetAsync();

// Walk every page rather than only the first one.
while (users != null)
{
    foreach (var user in users)
    {
        Console.WriteLine(user.DisplayName);
    }
    users = users.NextPageRequest == null ? null : await users.NextPageRequest.GetAsync();
}

In this example, the DelegateAuthenticationProvider is used to get an access token for the signed-in user with the necessary User.Read delegated permission scope. The GraphServiceClient is then initialized with this access token, allowing it to make requests on behalf of the signed-in user.

The Users.Request().GetAsync() method call is used to retrieve a list of all users in the tenant. Finally, a foreach loop is used to iterate through the users and print out their display names.

Note that in order for delegated permissions to work, the signed-in user must have appropriate permissions to access the resources requested by the application. In this case, the signed-in user must have permission to read user profiles in order to retrieve a list of all users in the tenant.
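As an added example, not part of the conversation above and not Microsoft's code: a small Python check that tells an app-only token from a delegated token by its claims and shows why a delegated token carrying only User.Read cannot list users, while User.ReadBasic.All (delegated) or User.Read.All (application) can. It assumes the claim conventions Azure AD uses for Microsoft Graph access tokens (scp for delegated scopes, roles for application permissions); the sample tokens, names and GUID are constructed, and the check reads claims only, without validating the signature.

```python
import base64
import json

# Graph permissions that authorise listing /users, by permission type
# (assumption: based on the permission names discussed on this page).
LIST_USERS_DELEGATED = {"User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All"}
LIST_USERS_APPLICATION = {"User.Read.All", "User.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string from constructed claims (no real signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def classify_token(token: str) -> dict:
    """Classify by claims only; a real resource API must also validate the signature."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if "scp" in claims:
        # Delegated: 'scp' holds the consented scopes and the token carries a user.
        return {"kind": "delegated", "permissions": set(claims["scp"].split()),
                "actor": claims.get("upn") or claims.get("oid")}
    if "roles" in claims:
        # Application (app-only): 'roles' holds the granted application permissions.
        return {"kind": "application", "permissions": set(claims["roles"]),
                "actor": claims.get("azp") or claims.get("appid")}
    return {"kind": "unknown", "permissions": set(), "actor": None}


def can_list_users(token: str) -> bool:
    """True when the token's permissions (of its own kind) cover GET /users."""
    info = classify_token(token)
    needed = {"delegated": LIST_USERS_DELEGATED,
              "application": LIST_USERS_APPLICATION}.get(info["kind"], set())
    return bool(info["permissions"] & needed)


# Constructed sample tokens (not real Azure AD tokens).
DELEGATED_USER_READ = make_unsigned_token({"scp": "User.Read", "upn": "alice@contoso.example"})
DELEGATED_LIST = make_unsigned_token({"scp": "User.Read User.ReadBasic.All", "upn": "alice@contoso.example"})
APP_ONLY = make_unsigned_token({"roles": ["User.Read.All"], "idtyp": "app",
                                "azp": "00000000-0000-0000-0000-000000000000"})
```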