|
| 1 | +--- |
| 2 | +title: Application and Delegated Permissions for Access Tokens |
| 3 | +description: Describes application and delegated permissions for access tokens in the Microsoft identity platform. |
| 4 | +ms.reviewer: bachoang, v-weizhu |
| 5 | +ms.service: entra-id |
| 6 | +ms.date: 01/15/2025 |
| 7 | +ms.custom: sap:App registrations |
| 8 | +--- |
| 9 | +# Application and delegated permissions for access tokens in the Microsoft identity platform |
| 10 | + |
| 11 | +This article introduces the differences between application and delegated permissions for access tokens in the Microsoft identity platform to help diagnose issues when applications call web APIs. |
| 12 | + |
| 13 | +## Overview |
| 14 | + |
| 15 | +As described in the [Overview of permissions and consent in the Microsoft identity platform](/entra/identity-platform/permissions-consent-overview) and [Glossary: Microsoft identity platform](/entra/identity-platform/developer-glossary), there are two types of permissions for an access token: delegated permissions and application permissions. Delegated permissions are granted to a signed-in user, whereas application permissions are granted directly to an application. The key difference is that delegated permissions require user sign-in, while application permissions don't; instead, the application authenticates to Microsoft Entra ID using its own application identity (client ID and secret/assertion). |
| 16 | + |
| 17 | +Regardless of permission types, you must [configure API permissions](/entra/identity-platform/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api) on the Microsoft Entra **App Registration** page: |
| 18 | + |
| 19 | +* Select **Application permissions** if your application doesn't need any user to sign in. |
| 20 | +* Select **Delegated permissions** if your application requires a user to sign in so that the access token can be issued for that sign-in. |
| 21 | + |
| 22 | +> [!NOTE] |
| 23 | +> When you select **Application permissions**, admin consent must be granted for the permission to function correctly. |
| 24 | +
|
| 25 | +## Permission type tokens issued from OAuth2 authentication flows |
| 26 | + |
| 27 | +Microsoft Entra ID supports various OAuth2 authentication flows. The kind of authentication flow that an application uses results in specific types of permissions in an access token. |
| 28 | + |
| 29 | +Application permission tokens can only be obtained from the [client credentials grant flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow). |
| 30 | + |
| 31 | +Delegated permission tokens can only be obtained from the following flows: |
| 32 | + |
| 33 | +* [Implicit grant flow](/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) |
| 34 | +* [Authorization code grant flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
| 35 | +* [On-Behalf-Of flow](/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) |
| 36 | +* [Device authorization grant flow](/azure/active-directory/develop/v2-oauth2-device-code) |
| 37 | +* [Resource Owner Password Credentials grant flow](/azure/active-directory/develop/v2-oauth2-device-code) |
| 38 | + |
| 39 | +## Identify the permission type for an access token |
| 40 | + |
| 41 | +To determine whether an access token is a delegated or application permission token, inspect the token claims using a tool like [jwt.ms](https://jwt.ms/). |
| 42 | + |
| 43 | +For application permission tokens, the permissions are in the `roles` claim: |
| 44 | + |
| 45 | +```json |
| 46 | +"oid": "<oid>" |
| 47 | +"roles": [ |
| 48 | + "User.Read.All" |
| 49 | +], |
| 50 | +"sub": "<sub>" |
| 51 | +``` |
| 52 | + |
| 53 | +> [!NOTE] |
| 54 | +> The `scp` claim is absent in application permission tokens. |
| 55 | +
|
| 56 | +For delegated permission tokens, the permissions are in the `scp` claim: |
| 57 | + |
| 58 | +```json |
| 59 | +"scp": "Directory.Read.All User.Read", |
| 60 | +"sub": "<sub>", |
| 61 | +``` |
| 62 | + |
| 63 | +> [!NOTE] |
| 64 | +> The `roles` claim might still appear in a delegated permission token, but it lists the roles assigned to the user in the API app. |
| 65 | +
|
| 66 | +## Identify the permission type an API supports |
| 67 | + |
| 68 | +Understanding what type of permissions an API supports is essential. Many errors such as 400, 401, 403, and 500 occur when applications call different APIs (for example, Microsoft Graph and Power BI) with incorrect permission type tokens. For an API, different REST endpoints might require different permission types. You can refer to the API endpoint documentation to check the supported permission type. You also need to evaluate whether the authentication flow used in the application generates the desired permission tokens. |
| 69 | + |
| 70 | +### Example scenario |
| 71 | + |
| 72 | +Power BI API: While Power BI supports both delegated and application permissions, some tasks, like viewing reports (requiring the **Report.Read.All** permission), can only be performed with a delegated token. On the **App Registration** page, **Application permissions** only support two permissions: **Tenant.Read.All** and **Tenant.ReadWrite.All.** |
| 73 | + |
| 74 | +:::image type="content" source="media/application-delegated-permission-access-tokens-identity-platform/application-permissions-power-bi-api.png" alt-text="Screenshot that shows application permissions for the Power BI API."::: |
| 75 | + |
| 76 | +In contrast, **Delegated permissions** offer a richer feature set: |
| 77 | + |
| 78 | +:::image type="content" source="media/application-delegated-permission-access-tokens-identity-platform/delegated-permissions-power-bi-api.png" alt-text="Screenshot that shows delegated permissions for the Power BI API."::: |
| 79 | + |
| 80 | +## Troubleshoot issues when calling Microsoft Graph REST endpoints |
| 81 | + |
| 82 | +Users often encounter issues when their applications call Microsoft Graph REST endpoints. The requests work successfully in Microsoft Graph Explorer but fail in their applications. To troubleshoot these issues, check the following things: |
| 83 | + |
| 84 | +* Check the permission type the access token has. Microsoft Graph Explorer always uses a delegated permission token. |
| 85 | +* Ensure the same user account is used to sign in to Microsoft Graph Explorer and the application. |
| 86 | +* Verify if the endpoint supports delegated permissions, application permissions, or both. |
| 87 | +* Verify that the access token has the correct permissions to call the endpoint. |
| 88 | + |
| 89 | +[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)] |
0 commit comments