To check what permissions are granted by our clients, we use application mode and get the servicePrincipal, this works fine for the permissions of type applications. The problem lies in the delegated permissions. Currently, oAuth2PermissionGrant exposes only resourceId (servicePrincipalId which is different from tenant to tenant) and no resourceAppId. So we need to get this servicePrincipal by this resourceId to get the appId. The problem here is that we are not allowed to do this unless we have an Application.Read.All which we cannot ask or justify to our clients because it is an elevated permission.
No CommentsBe the first to comment