Understanding App Registration Permission Scopes
When managing applications in Azure AD, it’s important to configure app permissions correctly to ensure the security and compliance of your cloud environment. There are two types of permissions that can be configured for Azure AD app registrations:
- Delegated permissions: used by apps that have a signed-in user present. They allow the app to act as the signed-in user when calling the targeted resource, so the effective access is bounded by what that user can do.
- Application permissions: used by apps that run without a signed-in user, such as background services or daemons. They allow the app to act on its own behalf when calling the targeted resource, with no user to constrain the scope of access.
| Permission Type | When to Use | Consent |
|---|---|---|
| Delegated | A user is signed in | Varies, based on the signed-in user and the permission |
| Application | No user is signed in (background tasks, daemons) | Requires admin consent |
Configuring Permission Scopes in Azure AD
To configure permission scopes, follow these general steps:
- Navigate to the Azure portal and sign in.
- Search for and select ‘Azure Active Directory’ from the portal services.
- Select ‘App registrations’ and then choose the application for which you want to configure permissions.
- Click ‘API permissions’ to view the current permissions and to add new ones.
- Add a permission by clicking ‘Add a permission’, where you can choose from Microsoft APIs, your own APIs or other services.
- Choose the required API (for example, Microsoft Graph) and select either ‘Delegated permissions’ or ‘Application permissions’ based on your requirement.
- Select the specific permissions you need for your application. Permissions will typically be listed by resource and then by the action that the app can perform.
- Request admin consent if necessary. Application permissions and some high-privileged delegated permissions require an administrator to consent.
Examples of Configuring Permission Scopes
Example 1: Configuring Delegated Permissions for Microsoft Graph
Suppose you have an application that reads the user’s calendar. The steps to add the required permission would be:
- Under the ‘API permissions’ section of your app registration, select ‘Add a permission’.
- Choose ‘Microsoft APIs’ and then ‘Microsoft Graph’.
- Choose ‘Delegated permissions’ and search for “Calendars.Read”.
- Select the permission and click ‘Add permissions’.
Example 2: Configuring Application Permissions for a Custom API
If you have a daemon application that accesses a custom API to read audit logs, you could configure it as follows:
- Under ‘API permissions’, select ‘Add a permission’.
- Click ‘APIs my organization uses’ and select the custom API.
- Choose ‘Application permissions’.
- Find the permission that allows for reading audit logs, such as “AuditLog.Read”.
- Select it and click ‘Add permissions’.
- Administrative consent will likely be required.
Best Practices for Managing Permission Scopes
- Principle of least privilege: Only request permissions that are absolutely necessary for the application to function.
- Regular review and auditing: Regularly review your app registrations and the permissions they have been granted.
- Use group claims and app roles: manage user authorization inside the app through group claims and app roles, so the app itself needs fewer permissions.
- Secure application secrets: Ensure that any application secrets or certificates are stored securely and rotated regularly to avoid unauthorized access through compromised credentials.
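The "regular review" practice above can be scripted against an app registration's exported manifest, where each entry in `requiredResourceAccess` is typed `Scope` (delegated) or `Role` (application). This added example is not code from the original page; the Microsoft Graph appId is the real well-known value, while the custom API appId, the permission GUIDs, the catalogue and the manifest excerpt are constructed samples.

```python
"""Offline audit of an Azure AD app registration's requiredResourceAccess."""

# Well-known appId of the Microsoft Graph resource. All other GUIDs and the
# permission catalogue below are constructed for this example.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
CUSTOM_API_APP_ID = "11111111-2222-3333-4444-555555555555"   # constructed

# In a real audit this catalogue is built from each resource service
# principal: oauth2PermissionScopes (delegated, manifest type "Scope")
# and appRoles (application, manifest type "Role").
CATALOGUE = {
    (GRAPH_APP_ID, "aaaaaaaa-0000-0000-0000-000000000001"):
        {"name": "Calendars.Read", "adminConsent": False},
    (GRAPH_APP_ID, "aaaaaaaa-0000-0000-0000-000000000002"):
        {"name": "Directory.ReadWrite.All", "adminConsent": True},
    (CUSTOM_API_APP_ID, "bbbbbbbb-0000-0000-0000-000000000001"):
        {"name": "AuditLog.Read", "adminConsent": True},
}

# Constructed manifest excerpt, shaped like the portal's "Manifest" export.
MANIFEST = {
    "displayName": "calendar-reader",
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"},
            {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"},
        ]},
        {"resourceAppId": CUSTOM_API_APP_ID, "resourceAccess": [
            {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Role"},
            {"id": "bbbbbbbb-0000-0000-0000-00000000dead", "type": "Role"},  # stale
        ]},
    ],
}


def audit_manifest(manifest, catalogue):
    """Return one finding per requested permission with consent and review flags."""
    findings = []
    for res in manifest.get("requiredResourceAccess", []):
        app_id = res["resourceAppId"]
        for access in res.get("resourceAccess", []):
            entry = catalogue.get((app_id, access["id"]))
            is_app = access["type"] == "Role"          # "Role" = application permission
            name = entry["name"] if entry else "<unknown>"
            findings.append({
                "resource": app_id,
                "permission": name,
                "kind": "Application" if is_app else "Delegated",
                # Application permissions always need admin consent; delegated
                # ones only when the resource marks the scope admin-only.
                "admin_consent": is_app or bool(entry and entry["adminConsent"]),
                # Least-privilege review triggers: tenant-wide or write scopes,
                # and ids the resource no longer publishes (stale entries).
                "review": entry is None or name.endswith(".All") or "ReadWrite" in name,
            })
    return findings
```

Entries flagged `review` are the ones to justify or remove; a `<unknown>` permission usually means the API dropped the scope after it was granted.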
When you properly configure permission scopes, you help secure your Azure environment by limiting applications to only the access they require to perform their functions. This is a crucial step in managing application security within Azure and is a key aspect of the skills measured in the AZ-500 Microsoft Azure Security Technologies exam.