I've created a sample web application calling a Web API and using oAuth code grant flow against Azure AD.Application is registered in Azure AD and I have given required permission as well through Azure portal. Everything seems working as expected.
There are two option for permission
Delegate Permission
Application Permission
Is it recommended to use mix kind of permission set (App + delegate) for your application?
If I give similar kind of permission to my API on both Delegate and Application,which permission set will take precedence? Will it depend on oAuth flow e.g. Code grant or Implicit ?
In my code how can I differentiate these permission sets while accessing the same resource.I want to call on user context only even same type of application permission is already there?
Application Permissions and Delegated Permissions are completely independent of one another.
Application Permissions apply when you follow the Client Credential Flow (also known as App Only Flow). When you follow this flow, AAD will try to grant permissions to the client application based on the Application Permissions it has predefined in the app registration. These permissions will appear in an App Only Token in the role claim.
In nearly every other flow, where a user is involved (On-Behalf-Of, Authorization Code Grant Flow, Implicit Grant Flow, etc...) AAD will try to grant permissions to the client based on the Delegated Permissions it has predefined. These permissions will appear in App+User tokens in the scp (scope) claim.
You can control the kinds of permissions your app is granted by adjusting the authentication method when getting an access token to a resource.
Related
I have an app registered in Azure AD with the following approved permissions:
Microsoft Graph: Files.ReadWrite.All, Sites.ReadWrite.All, Sites.Selected, User.Read
and
SharePoint: Sites.ReadWrite.All, Sites.Selected
Yet a request to load a folder at / fails with 403 Forbidden (the same C# application that uses a different, registered earlier, Azure AD application works fine - I just can't figure out what the differences are, and how to get second app's permissions to work like the first app does).
Which permissions do I need to read a folder?
Are there logs that can give me more information?
This depends on which authentication flow you use, because you are only granting application permissions, which are only supported in the client credentials flow. So if you're using the client credentials flow, your permissions are sufficient. However, if you are using auth code flow or ROPC flow, you also need to grant Files.ReadWrite.All and Sites.ReadWrite.All delegated permissions.
It turned out, I needed Sites.Selected permission (which I did). However, I had to use the PowerShell PnP module to explicitly grant write permission to my app for each site I need to access. From what I figured out as of today there is no GUI way to do that configuration (I suspect sites could have been configured when the application's permission request was initially granted, but I am not the one who approved those requests).
My multi-tenant Azure application requires only the app-level EWS legacy permission full_access_as_app to run. This app-level permission can only be consented to by an administrator---it's extremely powerful because it gives the app read and write permissions over every EWS mailbox in a tenancy.
If I, as an admin for my Azure tenancy, grant my application only this single permission behind the scenes in AAD configuration, everything works fine when I run the application for my tenancy.
However when you create a new app in Azure, Azure always assumes you will want the user-level Graph API User.Read permission automatically. When you try to remove the permission you get this ominous warning:
And in the case when I leave it out, interactive OAuth consent forms don't work. The error message looks like this.
The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant.
In other words, it appears that the application won't be able to run for anyone else's tenancy because their admins can't consent to it.
My hypothesis is that this is because Azure is using the User.Read permission to check whether the person signing in through the OAuth form is an administrator. In other words this permission is needed just this one time, before the application is ever run for the admin's tenancy.
Looking at the actual OAuth consent form, this does appear to be the case.The app wants to sign in and read my profile, to check if I am admin... or so it seems to me.
Am I right about this? Documentation I have been able to find is rather scanty.
I am trying to setup an API to be protected using Oauth 2.0 in Azure AD. I follow the steps in here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow.
The API has one scope - one application permission defined. I am able to add the API permission successfully to the client app, and have selected the right scope, as shown in the screenshot.
However, when I test the web app, after authentication the below error is thrown:
The application OAuthClientApp asked for scope approle that doesn
t exist on the resource 2700000003-0000-0000-c000-000000000000.
Contact the app vendor.
App permissions only apply when a client app uses client credentials only for authentication.
So when there is no user involved, app permissions apply.
A client can acquire an access token using their client id + secret/certificate with the scope your-api-client-id/.default or your-api-id-uri/.default.
Documentation for client credentials grant: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.
.default basically means "the permissions required statically by my app in the registration".
Since app permissions must be required statically, it makes sense to use it.
Authorization code grant, implicit grant and a few others involve a user in the authentication and only delegated permissions apply.
Remember to also grant admin consent for the app permission.
In the screenshot it says consent has not been granted.
From below, what I infer is when the application is configured with Delegated Permissions it makes all requests on behalf of the signed-in user.
So, under Delegated Permissions, again we have "Access the directory as the signed-in user" option listed. What does this actually do?
Application Permissions: Your client application needs to access the
Web API directly as itself (no user context). This type of permission
requires administrator consent and is also not available for Native
client applications.
Delegated Permissions: Your client application needs to access the Web
API as the signed-in user, but with access limited by the selected
permission. This type of permission can be granted by a user unless
the permission is configured as requiring administrator consent.
So, under Delegated Permissions, we have "Access the directory as the
signed-in user" option listed. What does this actually do?
In very simple words, the application essentially impersonates you (or the logged in user) in case of delegated permissions.
To give you an example, let's say you created a web application in your Azure AD with delegated permissions to access Azure Service Management API. Now when you login into this application and try to access your Azure resources (storage accounts, VMs etc.), the application will only be able to do things you're granted permission to do in that Azure subscription. For example, if you're in Reader role in your Azure subscription (i.e. you can't create/update/delete resources). If you try to create a resource through your application you will get an error back because the application is impersonating you.
Delegated permissions require a user to login to Azure AD and present the resulting authentication token to your application. Your application can make calls by passing your client id, secret (if applicable) and the user's authentication token. Your application's effective permissions will be the lowest combination of the user and your application. For example, if your application has been granted read/write to a resource but the user only has read, your effective permissions are read. The same is true if the user has read/write but the application only has read.
Application permissions do not require a user to login. Just your client id and secret are enough. If you do not have application permissions and attempt to access the api without also presenting an authenticated user's token you will receive 401 errors.
I am creating an Azure AD app and noticed there are two permissions types, Application Permissions and Delegated Permissions. What is the difference between the two and under what scenario should I use them?
You typically use delegated permissions when you want to call the Web API as the logged on user. Say for example that the Web API needs to filter the data it returns based on who the user is, or execute some action as the logged in user. Or even just to log which user was initiating the call.
Application permissions are used when the application calls the API as itself. For example to get the weather forecast for a certain zipcode (it does not matter which user is logged on). The client can even call the API when there's no user present (some background service calling the API to update some status).
From the documentation here: Configure a client application to access web APIs:
Application Permissions: Your application needs to access the web API directly as itself (no user context). This type of permission
requires administrator consent and is also not available for native
client applications.
Delegation Permissions: Your application needs to access the web API as the signed-in user, but with access limited by the selected
permission. This type of permission can be granted by a user unless
the permission is configured as requiring administrator consent.
Based on this if your application requires user impersonation, then you would need to use Delegation permissions.