Tutorial / Cram Notes
Understanding App Registration Permission Scopes
When managing applications in Azure AD, it’s important to configure app permissions correctly to ensure the security and compliance of your cloud environment. There are two types of permissions that can be configured for Azure AD app registrations:
- Delegated permissions: Are used by apps that have a signed-in user present. They allow the app to act as the signed-in user when making calls to the targeted resource.
- Application permissions: Are used by apps that run without a signed-in user present, such as background services or daemons. These permissions allow the app to act on its own behalf when making calls to the targeted resource.
Permission Type | When to Use | Consent
---|---|---
Delegated | A user is signed in | Varies with the permission: the signed-in user can consent to low-privilege permissions, high-privilege ones need admin consent
Application | No user is signed in (background tasks, daemons) | Always requires admin consent
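The distinction between the two permission types is visible at runtime in the access token the app receives: a delegated token carries the consented scopes in the `scp` claim (a space-separated string), while an app-only token carries the granted app roles in the `roles` claim (a list). The following added example, not code from the original notes, builds two constructed, unsigned sample tokens and classifies them by those claims. It deliberately skips signature validation, so it is an inspection aid for checking what was granted, not a substitute for token validation; the app ids and the custom API audience are placeholders.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline.
    Real Azure AD access tokens are signed; this helper exists only for the demo."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     ""])


def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature.
    Use for inspection only; authorization must rely on a validated token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Delegated tokens carry scopes in 'scp'; app-only tokens carry app roles in 'roles'."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()
    roles = list(claims.get("roles", []))
    if scopes and not roles:
        kind = "delegated"
    elif roles and not scopes:
        kind = "application"
    elif scopes and roles:
        kind = "mixed"
    else:
        kind = "none"
    return {"kind": kind, "audience": claims.get("aud"),
            "scopes": scopes, "roles": roles}


def missing_permissions(token: str, required: set) -> set:
    """Names in `required` that the token does not grant in either claim.
    An empty set means the registration and consent cover what the app needs."""
    info = classify_token(token)
    return set(required) - set(info["scopes"]) - set(info["roles"])


# Constructed sample tokens matching a calendar-reading app and an audit-log daemon.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",  # placeholder app id
    "upn": "alice@contoso.example",                    # constructed user
    "scp": "Calendars.Read User.Read",
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": "api://audit-log-api",                      # placeholder custom API URI
    "appid": "00000000-0000-0000-0000-000000000002",  # placeholder app id
    "roles": ["AuditLog.Read"],
})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)]:
        print(name, classify_token(tok))
    print("missing:", missing_permissions(DELEGATED_TOKEN,
                                          {"Calendars.Read", "Calendars.ReadWrite"}))
```

`missing_permissions` is the quick check for "did consent actually cover what I configured": request a token for the app, decode it, and compare against the permission names the app needs before debugging 403 responses from the API.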
Configuring Permission Scopes in Azure AD
To configure permission scopes, follow these general steps:
- Navigate to the Azure portal and sign in.
- Search for and select ‘Azure Active Directory’ from the portal services.
- Select ‘App registrations’ and then choose the application for which you want to configure permissions.
- Click ‘API permissions’ to view the current permissions and to add new ones.
- Add a permission by clicking ‘Add a permission’, where you can choose from Microsoft APIs, your own APIs or other services.
- Choose the required API (for example, Microsoft Graph) and select either ‘Delegated permissions’ or ‘Application permissions’ based on your requirement.
- Select the specific permissions you need for your application. Permissions will typically be listed by resource and then by the action that the app can perform.
- Request admin consent if necessary. Application permissions and some high-privileged delegated permissions require an administrator to consent.
Examples of Configuring Permission Scopes
Example 1: Configuring Delegated Permissions for Microsoft Graph
Suppose you have an application that reads the user’s calendar. The steps to add the required permission would be:
- Under the ‘API permissions’ section of your app registration, select ‘Add a permission’.
- Choose ‘Microsoft APIs’ and then ‘Microsoft Graph’.
- Choose ‘Delegated permissions’ and search for “Calendars.Read”.
- Select the permission and click ‘Add permissions’.
Example 2: Configuring Application Permissions for a Custom API
If you have a daemon application that accesses a custom API to read audit logs, you could configure it as follows:
- Under ‘API permissions’, select ‘Add a permission’.
- Click ‘APIs my organization uses’ and select the custom API.
- Choose ‘Application permissions’.
- Find the permission that allows for reading audit logs, such as “AuditLog.Read”.
- Select it and click ‘Add permissions’.
- Administrative consent will likely be required.
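Every permission added through the portal in the steps above ends up in the app registration's manifest under `requiredResourceAccess`, where each entry names a resource API by its `resourceAppId` and lists permission ids with a `type` of `Scope` (delegated) or `Role` (application). The added example below, which is not part of the original notes, audits a constructed manifest fragment in that shape for a registration that combines both examples. The Microsoft Graph `resourceAppId` is the well-known value; the custom API id, the app id and all permission GUIDs are placeholders, and the name lookup table is constructed for the example (in a real tenant the names come from the resource's service principal).

```python
import json

# Well-known resource appId of Microsoft Graph (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Placeholder appId for the custom audit-log API from Example 2.
CUSTOM_API_APP_ID = "11111111-1111-1111-1111-111111111111"

# Constructed lookup: (resource appId, permission id) -> (resource name, permission name).
# The GUIDs are placeholders, not real Graph permission ids.
PERMISSION_NAMES = {
    (GRAPH_APP_ID, "aaaaaaaa-0000-0000-0000-000000000001"): ("Microsoft Graph", "Calendars.Read"),
    (GRAPH_APP_ID, "aaaaaaaa-0000-0000-0000-000000000002"): ("Microsoft Graph", "User.Read"),
    (GRAPH_APP_ID, "aaaaaaaa-0000-0000-0000-000000000003"): ("Microsoft Graph", "Directory.Read.All"),
    (CUSTOM_API_APP_ID, "bbbbbbbb-0000-0000-0000-000000000001"): ("Audit Log API", "AuditLog.Read"),
}

# Constructed manifest fragment in the real requiredResourceAccess layout.
MANIFEST = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "calendar-and-audit-sample",
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Scope"},
        {"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Role"}
      ]
    },
    {
      "resourceAppId": "11111111-1111-1111-1111-111111111111",
      "resourceAccess": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Role"}
      ]
    }
  ]
}
""")

KIND = {"Scope": "delegated", "Role": "application"}


def audit_manifest(manifest: dict, names: dict, approved: set) -> list:
    """One finding per requested permission. 'Role' entries always need admin
    consent; for 'Scope' entries the manifest alone cannot say (some delegated
    permissions are admin-only), so that field is None meaning 'check the API'."""
    findings = []
    for resource in manifest.get("requiredResourceAccess", []):
        rid = resource["resourceAppId"]
        for access in resource.get("resourceAccess", []):
            ptype = access["type"]
            if ptype not in KIND:
                raise ValueError(f"unexpected permission type {ptype!r}")
            resource_name, perm_name = names.get((rid, access["id"]), (rid, access["id"]))
            findings.append({
                "resource": resource_name,
                "permission": perm_name,
                "kind": KIND[ptype],
                "admin_consent_required": True if ptype == "Role" else None,
                "approved": perm_name in approved,
            })
    return findings


def unapproved(findings: list) -> list:
    """Permissions in the manifest that are not on the approved list:
    the least-privilege violations to raise in a review."""
    return [f["permission"] for f in findings if not f["approved"]]


# What this app is supposed to need: the calendar reader plus the audit-log daemon.
APPROVED = {"Calendars.Read", "User.Read", "AuditLog.Read"}

if __name__ == "__main__":
    results = audit_manifest(MANIFEST, PERMISSION_NAMES, APPROVED)
    for f in results:
        print(f"{f['resource']:15} {f['permission']:20} {f['kind']:12} "
              f"admin_consent={f['admin_consent_required']} approved={f['approved']}")
    print("unapproved:", unapproved(results))
```

Running the audit against a manifest exported from the portal (or retrieved with the Graph API) is a practical way to apply the least-privilege and regular-review practices: the `Directory.Read.All` application permission in the sample is exactly the kind of broad, admin-consented grant that should not be sitting in a calendar app's registration.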
Best Practices for Managing Permission Scopes
- Principle of least privilege: Only request permissions that are absolutely necessary for the application to function.
- Regular review and auditing: Regularly review your app registrations and the permissions they have been granted.
- Use group claims and app roles: Enforce authorization inside the application with group claims and app roles, so the app itself needs fewer API permissions.
- Secure application secrets: Ensure that any application secrets or certificates are stored securely and rotated regularly to avoid unauthorized access through compromised credentials.
When you properly configure permission scopes, you help secure your Azure environment by limiting applications to only the access they require to perform their functions. This is a crucial step in managing application security within Azure and is a key aspect of the skills measured in the AZ-500 Microsoft Azure Security Technologies exam.
Practice Test with Explanation
True or False: When configuring app registration in Azure, permission scopes are set at the API level.
- True
- False
Answer: True
Explanation: Permission scopes are indeed set at the API level. This defines what type of access an application has to the API it is interfacing with.
True or False: Admin consent is always required for delegated permissions in app registrations.
- True
- False
Answer: False
Explanation: Admin consent is required for delegated permissions that grant access to data the signed-in user cannot consent to on their own. For less privileged permissions, admin consent might not be necessary.
Which Azure role is required to grant consent for permissions requested by an app registration?
- Azure Global Administrator
- Subscription Owner
- Application Administrator
- User Access Administrator
Answer: Azure Global Administrator or Application Administrator
Explanation: An Azure Global Administrator or an Application Administrator has the appropriate permissions to grant consent for application permissions.
True or False: Only one redirect URI can be set up in the authentication section of an app registration.
- True
- False
Answer: False
Explanation: An application can have multiple redirect URIs configured in its authentication settings.
True or False: Microsoft Graph API requires explicit permission scopes to be defined in app registration in Azure AD.
- True
- False
Answer: True
Explanation: Any API, including the Microsoft Graph API, requires explicit permission scopes to be defined for app registration to ensure the application has the correct level of access to resources.
What type of permission should be granted if an application needs to access resources on behalf of the user?
- Application permissions
- Delegated permissions
- User permissions
- Shared permissions
Answer: Delegated permissions
Explanation: Delegated permissions are used when an application accesses resources on behalf of a user.
True or False: Application permissions are used when the application operates without a signed-in user present.
- True
- False
Answer: True
Explanation: Application permissions are appropriate for scenarios where the application needs to operate as a background service or daemon without a signed-in user.
API permissions in app registration are categorized into which of the following sets?
- Managed and Unmanaged
- Standardized and Customized
- Microsoft APIs and Third-party APIs
- Delegated and Application
Answer: Delegated and Application
Explanation: API permissions in Azure AD app registration can be categorized into Delegated permissions and Application permissions.
Which one of the following manifests to edit if manual modifications are required for app registration in Azure AD?
- Application manifest
- Service manifest
- User manifest
- Subscription manifest
Answer: Application manifest
Explanation: The application manifest can be edited manually to modify the app registration settings, including setting up required permission scopes.
True or False: Any user in the Azure AD tenant can grant consent to API permissions for an application if the API permits user consent.
- True
- False
Answer: True
Explanation: As long as the API allows for user consent and the user has the right permissions, any user can grant consent for application permissions.
When you add a permission to an app registration in Azure AD, what step must be performed for it to take effect if it requires administrative consent?
- Generate a new secret
- Run the application once
- Admin must grant the consent
- Restart the Azure AD tenant
Answer: Admin must grant the consent
Explanation: If the permission requires administrative consent, an admin must grant consent to the permissions for them to take effect. This is often done in the Azure portal.
True or False: API permissions requested by app registrations can be incremental, which means consent can be granted to additional permissions without affecting previously granted consent.
- True
- False
Answer: True
Explanation: API permissions support incremental consent, allowing applications to ask users or admins for consent to additional permissions incrementally, without requiring consent for the permissions that have already been granted.
Interview Questions
What are app registration permission scopes?
App registration permission scopes control what access an application has to an API, either on behalf of a signed-in user (delegated) or as itself (application).
Why is it important to configure permission scopes in app registration?
Configuring permission scopes in app registration can improve security, simplify development, and provide a better user experience for your application users.
How do you add a new permission scope to an app registration in Azure Active Directory (AAD)?
You can add a new permission scope by selecting “API permissions” in the left-hand menu of your app registration and then clicking “Add a permission.”
What is the purpose of consent in AAD?
Consent is the process by which users are asked to grant permission to an application to access their AAD resources.
How does AAD manage user consent?
AAD allows users to review and approve or deny consent requests for their data by applications.
What are delegated permissions in AAD?
Delegated permissions are permissions that an application is granted to access resources on behalf of a signed-in user.
What are application permissions in AAD?
Application permissions are permissions that an application is granted to access resources independent of any signed-in user.
What is the difference between delegated permissions and application permissions in AAD?
Delegated permissions are granted to an application to access resources on behalf of a signed-in user, while application permissions are granted to an application to access resources independent of any signed-in user.
How do you request permission to access AAD resources from users?
You can request permission to access AAD resources from users by including the appropriate permission scopes in your app registration and then prompting users to grant consent.
Can permission scopes be changed after an app is deployed?
Yes, permission scopes can be changed after an app is deployed, but changes may require additional consent from users.
Great article on configuring app registration permission scopes! It really helped me understand the process.
Could someone explain the difference between delegated and application permissions in Azure AD?
Thanks for the step-by-step guide!
I’m having trouble setting up the API permissions correctly, any tips?
Why do I need to configure permissions for app registrations? Isn’t having access to the app enough?
Can these permission scopes be restricted based on the user roles in the organization?
How do we test if the permissions are set up correctly after configuring them?
Make sure to carefully review the permissions you grant to minimize security risks.