Tutorial / Cram Notes
Application permissions in Microsoft 365 are configured in Azure Active Directory (Azure AD, now branded Microsoft Entra ID), which handles authentication and authorization for both users and applications. An application can be granted two types of permissions:
- Delegated permissions: Used by apps that have a signed-in user present. The app acts on behalf of that user, and its effective access is the intersection of what the user can do and what the permission allows: a delegated Mail.Read grant reaches the signed-in user's mailbox and nobody else's. Consent comes from the user, or from an admin on behalf of all users.
- Application permissions: Used by apps that run without a signed-in user, such as background services or daemons. The app authenticates with its own credential (a client secret or certificate) and the permission applies tenant-wide: Mail.Read as an application permission reaches every mailbox in the organization. Because no user is present to consent, only an administrator can grant these permissions.
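The two permission types show up differently in the access token a resource API receives, and an API must check the right claim for the token type. The following is an added example, not code from the original page: a hypothetical resource API (`api://contoso-mail-gateway`) classifies a token as delegated or app-only and authorizes accordingly. The claim sets are constructed by hand and the permission names mirror the Microsoft Graph names used on this page; signature, issuer, audience and expiry validation, which must happen before any claim is trusted, is deliberately left out.

```python
import base64
import json
from typing import Dict, Optional

# Constructed claim sets for a hypothetical resource API. In production these claims are
# only meaningful after the JWT signature, issuer, audience and expiry have been validated.
DELEGATED_CLAIMS = {
    "aud": "api://contoso-mail-gateway",
    "oid": "1f4a1b4e-0000-0000-0000-000000000001",   # signed-in user's object id (placeholder)
    "upn": "alice@contoso.example",
    "scp": "Mail.Read User.Read",                      # delegated permissions the user consented to
}

APP_ONLY_CLAIMS = {
    "aud": "api://contoso-mail-gateway",
    "oid": "9c2d7e10-0000-0000-0000-000000000002",   # the client's service principal (placeholder)
    "idtyp": "app",                                    # optional claim; present when enabled on the API
    "roles": ["Mail.Read", "User.Read.All"],           # application permissions an admin consented to
}

# A delegated token for a user who holds an app role whose value equals an application
# permission name. It is still a user token: note the scp claim.
DELEGATED_WITH_USER_ROLE = {
    "aud": "api://contoso-mail-gateway",
    "oid": "1f4a1b4e-0000-0000-0000-000000000003",
    "upn": "bob@contoso.example",
    "scp": "access_as_user",
    "roles": ["Mail.Read"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: Dict) -> str:
    """Build a JWT-shaped string with an empty signature. Test fixture only; never accept alg=none."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> Dict:
    """Decode the payload segment without verifying anything (inspection, not authorization)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(claims: Dict) -> str:
    """Return 'application' for an app-only token, 'delegated' for a user token.

    idtyp=app identifies app-only tokens when that optional claim is enabled; otherwise an
    app-only token carries roles and no scp. A roles claim next to scp is a delegated token
    carrying the user's app roles, not application permissions.
    """
    if claims.get("idtyp") == "app":
        return "application"
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    raise ValueError("token carries neither scp nor roles")


def is_authorized(claims: Dict, delegated_scope: str, app_role: Optional[str]) -> bool:
    """Check the claim that matches the token type. app_role=None: operation not offered app-only."""
    if classify_token(claims) == "delegated":
        return delegated_scope in claims.get("scp", "").split()
    return app_role is not None and app_role in claims.get("roles", [])


def naive_is_authorized(claims: Dict, permission: str) -> bool:
    """The common mistake: accept the permission from either claim without checking token type."""
    return permission in claims.get("scp", "").split() or permission in claims.get("roles", [])


if __name__ == "__main__":
    for name, claims in [("delegated", DELEGATED_CLAIMS), ("app-only", APP_ONLY_CLAIMS),
                         ("delegated+user role", DELEGATED_WITH_USER_ROLE)]:
        token = make_unsigned_jwt(claims)
        print(name, classify_token(decode_claims(token)),
              "Mail.Read:", is_authorized(claims, "Mail.Read", "Mail.Read"))
```

The third fixture is the case that bites: `naive_is_authorized` lets a user who merely holds an app role named `Mail.Read` through as if the client had the tenant-wide application permission, while `is_authorized` correctly confines a delegated token to its `scp` claim.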
Configuring Application Permissions
The process for configuring application permissions generally involves the following steps:
- Register the application in Azure AD.
- Add the permissions the application requires (delegated, application, or both) to its registration.
- Obtain consent: a user may consent to delegated permissions that the API and the tenant allow users to consent to; application permissions, and delegated permissions marked as admin-restricted, require tenant-wide admin consent.
Step by Step: Registering an Application
- Go to Azure Portal > Azure Active Directory > App registrations > New registration.
- Name the application, and specify the supported account types (e.g., accounts in this organizational directory only).
- After registering, note down the Application (client) ID and the Directory (tenant) ID; your application's code or configuration will need both. If the app is to use application permissions it must be a confidential client: add a client secret or, preferably, a certificate under Certificates & secrets, and keep it out of source control.
Granting Permissions to an Application
- In the App registrations settings, find your application and select API Permissions.
- Click on Add a permission, choose an API you want to grant access to (e.g., Microsoft Graph).
- Select the type of permissions (delegated or application permissions) and then the specific permissions within that category.
- After adding permissions, click Grant admin consent for [Your Organization]. Application permissions have no effect until this is done; delegated permissions shown as "Admin consent required" likewise.
Here's an example table outlining some common Microsoft Graph permissions in their delegated and application forms. Every application permission requires admin consent; for delegated permissions the table notes where admin consent is required.
Permission | Delegated (work or school account) | Application | Description |
---|---|---|---|
Read user profile(s) | User.Read | User.Read.All | Delegated: read the signed-in user's profile. Application: read every user's full profile. (User.Read.All also exists as a delegated permission, admin consent required.) |
Send mail | Mail.Send | Mail.Send | Delegated: send as the signed-in user. Application: send as any user in the tenant. |
Read user mail | Mail.Read | Mail.Read | Delegated: read the signed-in user's mailbox. Application: read every mailbox; restrict it to specific mailboxes with an Exchange Online application access policy. |
Read directory data | Directory.Read.All | Directory.Read.All | Read users, groups and other directory objects. Admin consent required in both forms. |
Manage user data | User.ReadWrite.All | User.ReadWrite.All | Read and write all users' full profiles. Admin consent required in both forms. |
Admin Consent
Admin consent is the gate for application permissions: they always require it, because no user is present to consent and the access they grant is tenant-wide. Delegated permissions require admin consent when the resource API marks them as admin-restricted, or when the tenant's user consent settings do not allow users to consent to them. In either case an administrator approves the permissions on behalf of the whole organization, so the check that the application is trusted has to happen before the button is clicked.
To grant admin consent:
- Navigate to API permissions for your app registration in the Azure portal.
- Select the permissions that require admin consent.
- Click the “Grant admin consent for [Your Organization]” button to apply the changes.
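The portal steps above (adding permissions, then granting admin consent) have direct equivalents in the OAuth 2.0 requests an application sends to Azure AD, and the two permission types are requested differently. The following is an added example, not code from the original page: it builds the v2.0 authorize request for delegated permissions, the tenant-wide admin consent URL that does what the portal button does, and the client credentials request used for application permissions. Tenant, client ID and redirect URI are placeholders.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders, not real identifiers.
TENANT_ID = "contoso.onmicrosoft.com"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.contoso.example/auth/callback"
GRAPH = "https://graph.microsoft.com"


def authority(tenant_id: str) -> str:
    return f"https://login.microsoftonline.com/{tenant_id}"


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        scopes: List[str], state: str) -> str:
    """Delegated permissions: the app lists the scopes it wants (dynamic consent).

    Azure AD prompts the signed-in user for anything not yet consented, or fails the request
    when a scope needs admin consent that has not been granted."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authority(tenant_id)}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str,
                            scopes: List[str], state: str) -> str:
    """Tenant-wide admin consent endpoint (v2.0): the programmatic form of the portal's
    'Grant admin consent' button, and how a multi-tenant app obtains consent in a customer
    tenant. <resource>/.default covers every permission listed in the app registration,
    application permissions included."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{authority(tenant_id)}/v2.0/adminconsent?{urlencode(params)}"


def build_client_credentials_request(tenant_id: str, client_id: str,
                                     client_secret: Optional[str],
                                     resource: str = GRAPH) -> Tuple[str, Dict[str, str]]:
    """Application permissions: the client credentials grant.

    1. The client proves its own identity, so it needs a secret (or a certificate, sent as a
       client_assertion instead); a public client (mobile/desktop app) cannot use this grant.
    2. scope must be <resource>/.default. The token carries exactly the application
       permissions an admin consented to; the app cannot pick individual ones at runtime.
    """
    if not client_secret:
        raise ValueError("application permissions need a client secret or certificate; "
                         "public clients cannot use the client credentials grant")
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{resource}/.default",
    }
    return f"{authority(tenant_id)}/oauth2/v2.0/token", body


def requested_scopes(url: str) -> List[str]:
    """Read the scope parameter back out of an authorize/adminconsent URL (tests, logging)."""
    return parse_qs(urlparse(url).query)["scope"][0].split()


if __name__ == "__main__":
    print(build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI,
                              ["User.Read", "Mail.Read", "offline_access"], "state123"))
    print(build_admin_consent_url(TENANT_ID, CLIENT_ID, REDIRECT_URI,
                                  [f"{GRAPH}/.default"], "state123"))
    print(build_client_credentials_request(TENANT_ID, CLIENT_ID, "placeholder-secret"))
```

Note the asymmetry: a delegated app can ask for one more scope in its next authorize request and let the user decide, whereas an app-only client always gets `/.default`, which is why application permissions are controlled entirely at consent time.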
Monitoring and Reviewing Permissions
- Use Enterprise applications > [application] > Permissions in Azure AD to see what has actually been consented; admin consent and user consent are listed separately there. Enterprise applications > Consent and permissions controls what users are allowed to consent to on their own, and the audit log records each consent event.
- Regularly review granted permissions: revoke ones an application no longer needs, and check whether an application whose functionality has grown now requires additional permissions through the normal request and consent process rather than an ad hoc grant.
Managing Consent and Permissions
Proper management of consent and permissions not only involves configuration but also monitoring and potentially adjustment of permissions over time. For example:
- When a new feature is implemented in an application, a review should determine if additional permissions are necessary.
- Regular auditing can help ensure that permissions that are no longer needed are revoked to reduce potential attack vectors.
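A review like the one described above is easiest to do from an export rather than by clicking through each enterprise application. The following is an added example, not code from the original page: it compares what each service principal actually holds (delegated consent grants and application permission assignments, in the shapes returned by the Microsoft Graph `oauth2PermissionGrants` and `appRoleAssignments` resources) against a per-app approved list and flags drift, marking high-privilege permissions. The tenant data is constructed, the approved list and the high-privilege pattern are assumptions to tune for your tenant.

```python
import re
from typing import Dict, List, Set

# Constructed sample data shaped like the Graph resources you would export:
#   GET /oauth2PermissionGrants                        (delegated consent grants)
#   GET /servicePrincipals/{id}/appRoleAssignments     (application permissions held)
#   GET /servicePrincipals/{id}  -> appRoles           (appRoleId -> permission value)
# IDs and names are placeholders, not real tenant objects.
SERVICE_PRINCIPALS = {
    "sp-graph": "Microsoft Graph",
    "sp-hr-sync": "HR Sync Daemon",
    "sp-expense-web": "Expense Web App",
    "sp-unknown-saas": "Unknown SaaS Tool",
}

GRAPH_APP_ROLES = {  # appRoleId -> value, from the Microsoft Graph service principal's appRoles
    "role-user-read-all": "User.Read.All",
    "role-mail-read": "Mail.Read",
    "role-app-rw-all": "Application.ReadWrite.All",
}

OAUTH2_PERMISSION_GRANTS = [
    {"clientId": "sp-expense-web", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Mail.Send"},
    {"clientId": "sp-unknown-saas", "consentType": "Principal", "principalId": "user-bob",
     "resourceId": "sp-graph", "scope": "User.Read Files.ReadWrite.All"},
    {"clientId": "sp-unknown-saas", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Directory.Read.All"},
]

APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-hr-sync", "resourceId": "sp-graph", "appRoleId": "role-user-read-all"},
    {"principalId": "sp-hr-sync", "resourceId": "sp-graph", "appRoleId": "role-app-rw-all"},
    {"principalId": "sp-unknown-saas", "resourceId": "sp-graph", "appRoleId": "role-mail-read"},
]

# Assumption: each app owner records what their app is approved to hold. Anything else is drift.
APPROVED: Dict[str, Set[str]] = {
    "sp-hr-sync": {"User.Read.All"},
    "sp-expense-web": {"User.Read", "Mail.Send"},
}

# Starting-point heuristic (assumption): tenant-wide data access (.All), directory and
# app-registration write, role management and mailbox access get a closer look.
HIGH_PRIVILEGE = re.compile(
    r"\.All$|^Directory\.|^Application\.|^AppRoleAssignment\.|^RoleManagement\.|^Mail\."
)


def review(grants: List[Dict], assignments: List[Dict], app_roles: Dict[str, str],
           approved: Dict[str, Set[str]], names: Dict[str, str]) -> List[Dict]:
    """One finding per permission an app holds that is not on its approved list."""
    findings = []
    for g in grants:
        for scope in g["scope"].split():
            if scope in approved.get(g["clientId"], set()):
                continue
            findings.append({
                "app": names.get(g["clientId"], g["clientId"]),
                "permission": scope,
                "type": "delegated",
                # AllPrincipals: admin consented for every user. Principal: one user consented.
                "consent": g["consentType"] + ("" if g["principalId"] is None else f":{g['principalId']}"),
                "high_privilege": bool(HIGH_PRIVILEGE.search(scope)),
            })
    for a in assignments:
        value = app_roles.get(a["appRoleId"], a["appRoleId"])
        if value in approved.get(a["principalId"], set()):
            continue
        findings.append({
            "app": names.get(a["principalId"], a["principalId"]),
            "permission": value,
            "type": "application",
            "consent": "admin",  # application permissions only exist with admin consent
            "high_privilege": bool(HIGH_PRIVILEGE.search(value)),
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Findings per app, most first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["app"]] = counts.get(f["app"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for f in review(OAUTH2_PERMISSION_GRANTS, APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES,
                    APPROVED, SERVICE_PRINCIPALS):
        flag = "HIGH" if f["high_privilege"] else "    "
        print(f"{flag} {f['app']:<20} {f['type']:<11} {f['permission']:<26} consent={f['consent']}")
```

On the constructed data this surfaces the two things a reviewer cares about: the HR daemon has acquired Application.ReadWrite.All beyond what it was approved for, and an unknown tool holds tenant-wide Directory.Read.All plus a user-consented Files.ReadWrite.All, the shape of a consent-phishing grant.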
Through this careful management of application permissions, you contribute significantly to the security and compliance posture of your organization, a key skill for anyone working with Microsoft Identity and Access, including those pursuing the SC-300 certification.
Practice Test with Explanation
True or False: Application permissions are always consented to by a user at runtime.
- Answer: False
Application permissions are granted to the application itself, not in the context of a user, and they always require an administrator's consent; a user is never prompted for them.
True or False: Delegated permissions are used by applications that run in the context of a signed-in user.
- Answer: True
Delegated permissions allow an application to act on behalf of a signed-in user and are granted by the user or administrator.
Which Azure AD role can consent to application permissions that require admin consent?
- A. Application Developer
- B. User
- C. Global Administrator
- D. Application Support Engineer
Answer: C. Global Administrator
Of the roles listed, only Global Administrator can grant tenant-wide admin consent. Other privileged roles not listed here (Privileged Role Administrator, Cloud Application Administrator, Application Administrator) can also do so, with limits noted in a later question.
True or False: After an application has been assigned permissions by an administrator, the application will not require further consent from the user.
- Answer: True
Once an admin has granted tenant-wide consent, users are not prompted for the permissions that consent covered. If the application later requests a scope outside that grant, the user is prompted again (or blocked, if the scope needs admin consent).
In Azure AD, which of the following is correct regarding consent grants?
- A. Consent can only be granted by Global Administrators.
- B. Users can grant consent to any application permissions.
- C. Admin consent is required for permissions classified as high-privilege.
- D. Application permissions do not require consent since they are not user-specific.
Answer: C. Admin consent is required for permissions classified as high-privilege.
High-privilege permissions normally require an administrator to grant consent in Azure AD.
True or False: Application permissions can be used by both public client (mobile/desktop) and confidential client (web/API) applications.
- Answer: False
Application permissions are exercised through the client credentials grant, in which the application authenticates with its own client secret or certificate. A public client cannot protect such a credential and cannot use that grant, so only confidential clients (web apps, APIs, daemons) can use application permissions.
True or False: An application that has been given delegated permissions can perform actions even when the user is not logged in.
- Answer: False
Delegated permissions require the user to be authenticated; the application acts on behalf of the user who must be signed in.
When configuring application permissions, what is the importance of the “scope” parameter?
- A. It indicates the maximum number of user tokens that can be issued.
- B. It defines the permissions that the application requires.
- C. It specifies the lifetime of the access token.
- D. It is used to define the network topology for the application.
Answer: B. It defines the permissions that the application requires.
The “scope” parameter in OAuth is used to specify the permissions that the application is requesting from the user or administrator.
Multiple Select: Which of the following entities can grant admin consent for application permissions in Azure AD?
- A. Users
- B. Cloud Application Administrator
- C. Global Administrator
- D. Application Administrator
Answer: B. Cloud Application Administrator, C. Global Administrator, D. Application Administrator
Besides Global Administrators, the Cloud Application Administrator and Application Administrator roles can grant admin consent, with one important exception: they cannot consent to application permissions for Microsoft Graph (or the legacy Azure AD Graph). Those still need a Global Administrator or Privileged Role Administrator.
True or False: The "Application.ReadWrite.All" permission allows an app to read and update application registration information in Azure AD.
- Answer: True
"Application.ReadWrite.All" allows an application to read and change every application registration and service principal in the tenant. That includes adding credentials to other, more privileged applications, which is why it should be treated as a tier-0 permission and granted only to tightly controlled automation.
Which type of permission should an application use to access Microsoft Graph in order to read data from a user’s Outlook calendar without the user being signed in?
- A. Delegated permissions
- B. Application permissions
- C. Role-based permissions
- D. Directory permissions
Answer: B. Application permissions
Application permissions are used for scenarios where the application needs to run without a user being signed in, such as for background services or daemons.
True or False: The OAuth 2.0 authorization code grant cannot be used with applications that require delegated permissions.
- Answer: False
The OAuth 2.0 authorization code grant is the standard flow for delegated permissions: the user signs in and consents, the application receives an authorization code, and it exchanges that code for an access token that acts on the user's behalf.
Interview Questions
What is an application permission in Azure AD?
An application permission in Azure AD is an app-only permission exposed by a resource API (for example Microsoft Graph) and granted to an application's service principal. It lets the application access the resource with its own identity, without a signed-in user, and it can only be granted by an administrator.
How is an application permission different from a delegated permission?
An application permission lets the application act under its own identity across the whole tenant (for example, read every mailbox), while a delegated permission lets the application act on behalf of the signed-in user and only within what that user can do.
How can you manage application permissions in Azure AD?
You can manage application permissions in Azure AD by going to the Azure portal, selecting the application, clicking on the “API permissions” tab, and then managing the permissions that are associated with the application.
What are the different types of permissions that can be granted to an application?
There are two types: delegated permissions (used with a signed-in user) and application permissions (used without one). Each API, Microsoft Graph included, exposes its own set of permissions in one or both of these types.
How can you view the permissions granted to an application in Azure AD?
You can view the permissions granted to an application in Azure AD by going to the Azure portal, selecting the application, clicking on the “API permissions” tab, and then reviewing the list of permissions that are associated with the application.
How can you add or remove permissions for an application in Azure AD?
You can add or remove permissions for an application in Azure AD by going to the Azure portal, selecting the application, clicking on the “API permissions” tab, and then adding or removing the necessary permissions.
How can you request permission for an application to access a user’s data?
You can request permission for an application to access a user's data in two ways: statically, by adding the permissions to the application's registration (the requiredResourceAccess section of the manifest, or API permissions in the portal), or dynamically, by listing the scopes in the scope parameter of the authorization request. Either way the user is prompted to consent when they sign in, unless an admin has already consented on behalf of the organization.
What are the best practices for managing application permissions in Azure AD?
The best practices for managing application permissions in Azure AD include using the principle of least privilege, limiting the number of permissions granted to an application, and regularly reviewing and auditing application permissions.
What is the difference between an application permission and a role permission?
Both are app roles defined by a resource application. An application permission is an app role whose allowed member type is "Application"; it is assigned to a client's service principal and lets that client call the resource without a user. A role for users (allowed member type "User") is assigned to users or groups and appears in the roles claim of their tokens, so the application can authorize what that signed-in person may do.
How can you control access to an application’s resources based on the user’s role?
You can control access to an application's resources based on the user's role by defining app roles in the application's registration (App roles, or appRoles in the manifest), assigning users or groups to those roles under Enterprise applications > Users and groups, and authorizing in code on the roles claim of the user's token. This is separate from Azure RBAC, which governs access to Azure resources rather than to your application.
Great post! The walkthrough on configuring application permissions was really helpful.
When setting up permissions, how do you handle scenarios with multiple applications needing different levels of access?
Thanks! This was exactly what I needed.
Can someone explain the difference between delegated and application permissions in Azure?
The blog didn’t cover the scenario where permissions need to be granted to a third-party app. Can someone shed some light on this?
App registrations and API permissions are still a bit confusing for me. Any tips on simplifying the process?
Super informative post!
How often should application permissions be reviewed and what best practices should be followed?