Azure App Infra App permissions vs Role Assignment under subscription


While testing a few app integrations with Azure, I have noticed we have two ways of giving permissions to applications:


1) Using API permissions under the app registration, where we define which Microsoft Graph APIs the application has access to, and we grant admin consent after that.


2) The other way is by assigning a role to the app under a specific subscription, like Owner or Contributor.


Can someone guide me on what the difference is between the two ways?

And in the first way, which uses the API, does this mean it includes all subscriptions in the tenant?




2 Replies



Please refer to the below:


API Permissions: You should configure API permissions when you would like to return the permissions in the access token. When the application consumes the token, it makes an authorization decision on the basis of the permissions present in the token. Delegated permissions are used when authentication is done under a user's context and are returned in the scope claim of the token. Application permissions are used when authentication is done under the application (service principal) context and are returned in the roles claim. For example, if you have a web application, you can configure it to allow access to the user if the scope claim contains read and otherwise deny access, or to grant write access to an application only when the roles claim contains write.

Role Assignments: Role assignments are used to assign permissions to users/service principals on Azure resources. In this case authorization is done by Azure and not by the end application, which is what happens in the case of API permissions.

App Permissions:

These are configured under the App Registration in Azure.
App Permissions are concerned with the permissions that an application needs to operate within the Azure ecosystem, specifically for accessing various Microsoft APIs.
They are typically set to define the level of access the application has, such as read, write, etc., based on the roles present in the access token.
These permissions are applied when the application acts under its own context (service principal context) or under a user's context (delegated permissions).
Example: If a web application needs to read data from Azure AD, you can configure it with the appropriate API permissions, and access control is done based on these permissions.
Role Assignments:

Role Assignments are used to assign permissions to users or service principals directly on Azure Resources.
This form of authorization is managed by Azure itself, not by the end application.
Role Assignments are more about controlling access to Azure resources, not specifically tied to an application's functionality.
Example: Assigning a user or an application the role of 'Contributor' or 'Owner' on a specific Azure resource like a storage account or a virtual machine.
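As an added illustration of the claim-based decision both replies describe (not code from the thread), the following Python models how an API decides on the scope claim of a delegated token versus the roles claim of an application token. It assumes the JWT signature, issuer, audience and expiry were already validated by the token middleware; the permission names Data.Read and Data.Write and both token payloads are constructed for the example.

```python
# Added example: in-application authorization on the scp/roles claims of an
# Azure AD access token. Assumes signature, issuer, audience and expiry have
# already been validated upstream; only the decision step is modelled here.
# Permission names and payloads below are constructed, not real values.

READ_PERMISSIONS = {"Data.Read", "Data.Write"}   # a write grant implies read here
WRITE_PERMISSIONS = {"Data.Write"}


def token_context(claims: dict) -> str:
    """'delegated' for app+user tokens, 'application' for app-only tokens.

    Delegated tokens carry a space-separated 'scp' claim. App-only tokens carry
    a 'roles' array and no 'scp'; the optional 'idtyp' claim ("app") makes that
    explicit, since a delegated token may also carry 'roles' when app roles
    were assigned to the signed-in user.
    """
    if claims.get("idtyp") == "app" or ("roles" in claims and "scp" not in claims):
        return "application"
    if "scp" in claims:
        return "delegated"
    return "unknown"


def effective_permissions(claims: dict) -> set[str]:
    """Permissions this token grants: scp for delegated, roles for app-only."""
    context = token_context(claims)
    if context == "delegated":
        return set(claims.get("scp", "").split())
    if context == "application":
        return set(claims.get("roles", []))
    return set()


def authorize(claims: dict, action: str) -> bool:
    """Reads need a read permission; writes are granted only to an application
    (service-principal) token whose roles claim carries the write role.
    This is the application's decision, not Azure RBAC: accepting a token here
    says nothing about role assignments on any subscription."""
    perms = effective_permissions(claims)
    if action == "read":
        return bool(perms & READ_PERMISSIONS)
    if action == "write":
        return token_context(claims) == "application" and bool(perms & WRITE_PERMISSIONS)
    return False   # unknown actions are denied by default


# Constructed decoded payloads (not real tokens).
DELEGATED_TOKEN = {"aud": "api://contoso-app", "scp": "Data.Read profile", "upn": "alice@contoso.example"}
APP_ONLY_TOKEN = {"aud": "api://contoso-app", "roles": ["Data.Write"], "idtyp": "app"}

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        print(name, "read:", authorize(tok, "read"), "write:", authorize(tok, "write"))
```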