
azure application permissions vs delegated permission

Time: 2023-03-28 10:13:25  Views: 45
Tags: permission access application vs user delegated permissions


In Azure Active Directory (Azure AD), there are two types of permissions that can be granted to an application: application permissions and delegated permissions.

Application permissions are also known as "app-only" permissions. These are permissions that are granted to the application itself, rather than to a user or group. They allow the application to act on its own behalf, without requiring a user to be signed in. Examples of application permissions might include "read all users' full profiles" or "write all groups".

Delegated permissions, on the other hand, are also known as "user-delegated" permissions. These are permissions that are granted to an application on behalf of a signed-in user. They allow the application to act as that user, and perform actions on their behalf. Examples of delegated permissions might include "read the signed-in user's profile" or "send mail on behalf of the user".

In general, application permissions should be used when an application needs to access resources or perform actions that don't require user context or are related to administration of the tenant. Delegated permissions should be used when an application needs to access resources or perform actions on behalf of a user, with that user's consent.

It's important to note that not all permissions can be granted as both application and delegated permissions. Some permissions are only available as one or the other, depending on the API being accessed. Additionally, the permissions that an application can request depend on the configuration of the API and the permissions that the requesting application is authorized to use.


So the application permission and delegated permission both use the ClientId and ClientSecret?

Yes, both application permissions and delegated permissions require a registered Azure AD application, which has a unique client ID and client secret (or a certificate, in the case of app-only authentication). The difference is in how the authentication and authorization process works.

For application permissions, the Azure AD app authenticates and authorizes itself to access a resource, such as a Microsoft Graph API, using its own client credentials. This means that the app is acting on its own behalf, rather than on behalf of a user.

For delegated permissions, the Azure AD app is granted permission to access a resource, such as a Microsoft Graph API, on behalf of a user. In this case, the user must grant consent for the app to access their resources, and the app uses an access token obtained through the OAuth 2.0 authorization code flow or another flow that involves user interaction to access the resource.


Could you give a sample about how to use delegated permission to get all users under the same TenantId in c#?

Here's an example of how to use delegated permissions to get a list of all users in the same tenant as the signed-in user:

using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph; // Microsoft.Graph SDK v4.x: DelegateAuthenticationProvider and Request() were removed in v5

// Delegated permission scope required to list other users' profiles.
// "User.Read" alone only covers the signed-in user's own profile (/me);
// GET /users needs at least "User.ReadBasic.All" (or "User.Read.All").
string[] scopes = new[] { "User.ReadBasic.All" };

// Create a Microsoft Graph client that attaches the signed-in user's access token to every request.
var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) =>
{
    // Get the current access token for the signed-in user.
    // GetAccessTokenForSignedInUserAsync is a placeholder for the app's own token acquisition
    // (for example MSAL AcquireTokenSilent / AcquireTokenByAuthorizationCode for these scopes).
    string accessToken = await GetAccessTokenForSignedInUserAsync(scopes);

    // Add the access token to the HTTP Authorization header.
    requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
}));

// Get the first page of users in the tenant, then follow @odata.nextLink until every page has been read.
var page = await graphClient.Users.Request().GetAsync();
while (page != null)
{
    foreach (var user in page)
    {
        Console.WriteLine(user.DisplayName);
    }
    page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
}

In this example, the DelegateAuthenticationProvider is used to get an access token for the signed-in user with the necessary User.Read delegated permission scope. The GraphServiceClient is then initialized with this access token, allowing it to make requests on behalf of the signed-in user.

The Users.Request().GetAsync() method call is used to retrieve a list of all users in the tenant. Finally, a foreach loop is used to iterate through the users and print out their display names.

Note that in order for delegated permissions to work, the signed-in user must have appropriate permissions to access the resources requested by the application. In this case, the signed-in user must have permission to read user profiles in order to retrieve a list of all users in the tenant.


From: https://www.cnblogs.com/chucklu/p/17264006.html
