Dec 07 2023 12:06 PM
While testing a few app integrations with Azure, I have noticed we have two ways of giving permissions to applications:
1) Using API permissions under the app registration, where we define which Microsoft Graph APIs the application has access to, and we grant admin consent after that.
2) The other way is by assigning a role to the app under a specific subscription, like Owner or Contributor.
Can someone guide me on what the difference is between the two ways?
And in the first way, which uses API permissions, does this mean it includes all subscriptions in the tenant?
Thanks.
Dec 23 2023 05:31 PM
Please refer to the below:
API Permissions: You should configure API permissions when you would like the permissions to be returned in the access token. When the application consumes the token, it makes the authorization decision on the basis of the permissions present in the token. Delegated permissions are used when authentication is done under a user's context and are returned in the scope claim of the token. Application permissions are used when authentication is done under the application (service principal) context and are returned in the roles claim. For example, if you have a web application, you can configure it to allow access to the user if the scope claim contains read and otherwise deny access, or to grant write access to the application only when the roles claim contains write.
Role Assignments: Role assignments are used to assign permissions to users/service principals on Azure resources. In this case, authorization is done by Azure and not by the end application, as happens in the case of API permissions.
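The authorization decision described in the answer, as an added example that is not part of the original thread: an API receiving a Microsoft Entra access token reads the `scp` claim (delegated) or the `roles` claim (application) and decides from those. The token payloads are constructed sample dicts (a real token would first be validated as a JWT); the `read`/`write` permission names follow the answer's example and are assumptions. An Azure RBAC role assignment such as Contributor on a subscription is evaluated by Azure Resource Manager and never appears in these claims, which the third sample token illustrates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_in_token(claims: dict) -> tuple[str, set[str]]:
    """Return (context, permissions) found in a decoded access token payload.

    Delegated permissions arrive space-separated in the 'scp' claim; application
    permissions arrive as a list in the 'roles' claim. A token carries one or the
    other depending on whether a user signed in or the app used its own credentials.
    """
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()


def authorize(claims: dict, action: str) -> Decision:
    """Rule from the answer: 'read' is enough for reads in either context;
    writes are granted only to application tokens whose roles claim has 'write'."""
    context, perms = permissions_in_token(claims)
    if action == "read":
        if "read" in perms:
            return Decision(True, f"{context} token carries read")
        return Decision(False, f"{context} token lacks read")
    if action == "write":
        if context == "application" and "write" in perms:
            return Decision(True, "application token carries write role")
        return Decision(False, f"write denied for {context} token")
    return Decision(False, f"unknown action {action!r}")


# Constructed sample payloads (a real token also carries iss, exp, tid, ...).
USER_TOKEN = {"aud": "api://example-api", "scp": "read profile", "name": "Alice"}
APP_TOKEN = {"aud": "api://example-api", "roles": ["read", "write"]}
# App that only holds an Azure RBAC role (e.g. Contributor on a subscription):
# that assignment is checked by Azure Resource Manager, not carried in the token,
# so the API sees no permissions at all.
RBAC_ONLY_TOKEN = {"aud": "api://example-api"}

if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("app", APP_TOKEN), ("rbac-only", RBAC_ONLY_TOKEN)]:
        for action in ("read", "write"):
            print(name, action, authorize(tok, action))
```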
Feb 13 2024 02:16 AM