Hi, I’m confused about the demo part. You show that you have assigned two delegated permissions to the app registered in Entra, yet the code snippet within the JSON code block shows that you use a secret, I guess one created in the app registration blade for that app. My question is why. I mean, wouldn’t the use of the app ID plus secret indicate that I’m going to use the client credentials flow, where the app authenticates with its own creds to Entra? With the delegated app roles set, isn’t the app acting on behalf of the user, so wouldn’t the token contain claims for the subject, which in this case would be the user? Could you please explain? Thank you
@dodonohoe30
1 year ago
Great stuff, thanks. Can I ask what would be a typical use case for using admin consent vs user consent?
@TechMindFactory
1 year ago
Thank you! When it comes to your question: user consent is more typical for scenarios where an application is asking to access the user's basic profile details (using the User.Read scope), or a specific resource, like Microsoft Graph/API, on behalf of the authenticated user. Then the user has to consent and decide whether to grant access (to authorize an application to access some data at the protected resource, while acting as that user) or deny. A typical scenario is also when the user consents and grants the application a specific permission to update the signed-in user's profile information on the user's behalf (using the User.ReadWrite scope). Admin consent is required when we need higher permissions, beyond the scope of a specific user and his/her data. Example: we can grant admin consent to allow the application to read the full set of profile properties, reports, and managers of other users in the organization, on behalf of the signed-in user (using User.Read.All) with the Microsoft Graph API. In such a scenario, an administrator has to consent, as such an operation gives higher privilege to read information in the directory about other users. Admin consent is also required when granting permissions to applications (in the scenario where we do not have user context, like a daemon application running in the background). I hope this clarifies a bit!
Comments: 4
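Added example, not from the video or from any commenter: how a protected API can tell the two cases in this thread apart from the access token. It relies on Entra ID putting delegated permissions in the `scp` claim and application permissions in the `roles` claim; the function names and sample tokens are constructed for illustration, and signature validation is deliberately left out.

```python
import base64
import json

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; a real API must first validate
    signature, issuer, audience and expiry with a JWT library."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(claims: dict) -> str:
    """'delegated' when scp is present (user context), 'app-only' when only roles is."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "none"

def is_authorized(claims: dict, scope: str, app_role: str) -> bool:
    """Accept a delegated token holding `scope`, or an app-only token holding `app_role`."""
    kind = token_kind(claims)
    if kind == "delegated":
        return scope in claims["scp"].split()  # scp is a space-separated string
    if kind == "app-only":
        return app_role in claims["roles"]     # roles is a JSON array
    return False

# Constructed sample tokens (not real Entra output).
USER_TOKEN = make_unsigned_token({"sub": "user-1", "scp": "User.Read User.ReadWrite"})
ADMIN_CONSENTED = make_unsigned_token({"sub": "user-1", "scp": "User.Read User.Read.All"})
DAEMON_TOKEN = make_unsigned_token({"sub": "app-1", "roles": ["User.Read.All"]})

if __name__ == "__main__":
    samples = [("user", USER_TOKEN), ("admin-consented", ADMIN_CONSENTED), ("daemon", DAEMON_TOKEN)]
    for name, tok in samples:
        c = decode_claims(tok)
        print(name, token_kind(c), is_authorized(c, "User.Read.All", "User.Read.All"))
```

The first token models user-consented scopes only, the second a delegated token after admin consent to User.Read.All, and the third a daemon using the client credentials flow with no user context.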