YSK

Reputation: 1614

What is the difference between "Consent to application" and "Add delegated permission grant"?

I've been exploring Azure Active Directory audit logs sent to my SIEM, and noticed there are events of type Consent to Application as well as Add delegated permission grant. I'm not sure what the difference is - I thought granting consent to an app was all about granting it delegated permissions?

As a concrete example, here are two such events that were fired for the same user at the same time (rounded to a second), with the same correlationId - so presumably they happened as part of the same "flow". I removed some irrelevant fields and also tokenized GUIDs and such.

Here's the Consent to Application event:

{
    "Actor": [
        {"ID": "[email protected]", "Type": 5},
        {"ID": "Actor_PUID", "Type": 3},
        {"ID": "User_guid_user", "Type": 2},
        {"ID": "guid_user", "Type": 2},
        {"ID": "User", "Type": 2}
    ],
    "ActorContextId": "guid_actor_context_id",
    "AzureActiveDirectoryEventType": 1,
    "CreationTime": "2020-04-28T11:51:30",
    "ExtendedProperties": [
        {"Name": "actorContextId", "Value": "guid_actor_context_id"},
        {"Name": "actorObjectId", "Value": "guid_user"},
        {"Name": "actorObjectClass", "Value": "User"},
        {"Name": "actorUPN", "Value": "[email protected]"},
        {"Name": "actorPUID", "Value": "Actor_PUID"},
        {"Name": "targetContextId", "Value": "guid_actor_context_id"},
        {"Name": "targetObjectId", "Value": "guid_target_object"},
        {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"},
        {"Name": "targetSPN", "Value": "guid_target_spn"},
        {"Name": "targetName", "Value": "App Name"},
        {
            "Name": "targetIncludedUpdatedProperties",
            "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"
        }
    ],
    "Id": "guid_id",
    "ModifiedProperties": [
        {
            "Name": "ConsentAction.Permissions",
            "NewValue": "[] => [[Id: XXX, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: guid_user, ResourceId: guid_resource_id, ConsentType: Principal, Scope:  openid offline_access Calendars.ReadWrite]]; ",
            "OldValue": ""
        },
        {"Name": "TargetId.ServicePrincipalNames", "NewValue": "guid_target_spn", "OldValue": ""}
    ],
    "ObjectId": "guid_target_spn",
    "Operation": "Consent to application.",
    "RecordType": 8,
    "ResultStatus": "Success",
    "Target": [
        {"ID": "ServicePrincipal_guid_target_object", "Type": 2},
        {"ID": "guid_target_object", "Type": 2},
        {"ID": "ServicePrincipal", "Type": 2},
        {"ID": "App Name", "Type": 1},
        {"ID": "guid_target_spn", "Type": 2},
        {"ID": "guid_target_spn", "Type": 4}
    ],
    "TargetContextId": "guid_actor_context_id"
}

This presumably means that the user with object ID guid_user (and an identical principal ID) grants App Name with service principal guid_target_spn permission to access resource guid_resource_id with the delegated permissions openid offline_access Calendars.ReadWrite.

Now, here's the Add delegated permission grant:

{
    "Actor": [
        {"ID": "[email protected]", "Type": 5},
        {"ID": "user_puid", "Type": 3},
        {"ID": "User_user_guid", "Type": 2},
        {"ID": "user_guid", "Type": 2},
        {"ID": "User", "Type": 2}
    ],
    "ActorContextId": "guid_actor_context_id",
    "CreationTime": "2020-04-28T11:51:30",
    "ExtendedProperties": [
        {"Name": "actorContextId", "Value": "guid_actor_context_id"},
        {"Name": "actorObjectId", "Value": "user_guid"},
        {"Name": "actorObjectClass", "Value": "User"},
        {"Name": "actorUPN", "Value": "[email protected]"},
        {"Name": "actorPUID", "Value": "user_puid"},
        {"Name": "targetContextId", "Value": "guid_actor_context_id"},
        {"Name": "targetObjectId", "Value": "guid_resource_id"},
        {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"},
        {
            "Name": "targetSPN",
            "Value": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService"
        },
        {"Name": "targetName", "Value": "Microsoft Graph"},
        {
            "Name": "targetIncludedUpdatedProperties",
            "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"
        },
        {
            "Name": "additionalTargets",
            "Value": "[{\"ObjectID\":\"guid_target_object\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"
        }
    ],
    "ModifiedProperties": [
        {"Name": "ServicePrincipal.ObjectID", "NewValue": "guid_target_object", "OldValue": ""},
        {"Name": "ServicePrincipal.DisplayName", "NewValue": "", "OldValue": ""},
        {"Name": "ServicePrincipal.AppId", "NewValue": "", "OldValue": ""},
        {"Name": "ServicePrincipal.Name", "NewValue": "", "OldValue": ""},
        {
            "Name": "TargetId.ServicePrincipalNames",
            "NewValue": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService",
            "OldValue": ""
        }
    ],
    "ObjectId": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService",
    "Operation": "Add delegated permission grant.",
    "OrganizationId": "guid_actor_context_id",
    "RecordType": 8,
    "ResultStatus": "Success",
    "SupportTicketId": "",
    "Target": [
        {"ID": "ServicePrincipal_guid_resource_id", "Type": 2},
        {"ID": "guid_resource_id", "Type": 2},
        {"ID": "ServicePrincipal", "Type": 2},
        {"ID": "Microsoft Graph", "Type": 1},
        {"ID": "00000003-0000-0000-c000-000000000000", "Type": 2},
        {
            "ID": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService",
            "Type": 4
        }
    ],
    "TargetContextId": "guid_actor_context_id",
    "UserId": "[email protected]",
    "UserKey": "[email protected]"
}

I'm trying to make sense of all of this. Specifically -

1) What does the second event mean? How come it says it's about delegating a permission, but there's no mention of what that permission is? Clearly this is related to the same resource ID as the first call, but in what way? Does it grant Microsoft Graph access to the same resource (and if so, under which permissions)?

2) In the first call, what is guid_target_object? Does it represent the app ID? If so, why does it appear as ServicePrincipal_guid_target_object?

Upvotes: 1

Views: 2278
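As an added example (not part of the question or the answer), the Python below does what a SIEM rule would do with the two records above: it parses the ConsentAction.Permissions string from the Consent to application event (it is a rendered list, not JSON), joins it to the Add delegated permission grant record fired by the same actor in the same second, and reports the client app, the resource service principal and the scopes together, with reasons the grant deserves review. The two embedded events are trimmed copies of the records in the question with the same placeholder GUIDs and a constructed UPN; the field names used for the join (actorObjectId, CreationTime, targetObjectId, additionalTargets, ResourceId) are the ones visible in the posted records, while the SENSITIVE_SCOPES set is an assumption to tune per tenant.

```python
import json
import re
from collections import defaultdict

# Constructed sample input: the two records from the question, trimmed to the fields
# this logic reads. GUIDs and the UPN are placeholders, as in the question.
CONSENT_EVENT = {
    "Operation": "Consent to application.",
    "CreationTime": "2020-04-28T11:51:30",
    "ExtendedProperties": [
        {"Name": "actorObjectId", "Value": "guid_user"},
        {"Name": "actorUPN", "Value": "user@example.com"},
        {"Name": "targetObjectId", "Value": "guid_target_object"},
        {"Name": "targetName", "Value": "App Name"},
    ],
    "ModifiedProperties": [{
        "Name": "ConsentAction.Permissions",
        "NewValue": "[] => [[Id: XXX, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: "
                    "guid_user, ResourceId: guid_resource_id, ConsentType: Principal, "
                    "Scope:  openid offline_access Calendars.ReadWrite]]; ",
    }],
}
GRANT_EVENT = {
    "Operation": "Add delegated permission grant.",
    "CreationTime": "2020-04-28T11:51:30",
    "ExtendedProperties": [
        {"Name": "actorObjectId", "Value": "guid_user"},
        {"Name": "targetObjectId", "Value": "guid_resource_id"},
        {"Name": "targetName", "Value": "Microsoft Graph"},
        {"Name": "additionalTargets", "Value": '[{"ObjectID":"guid_target_object",'
         '"DisplayName":null,"ObjectClass":"ServicePrincipal","AppId":null,"Name":null}]'},
    ],
}

# Delegated scopes that deserve review when granted to a third-party app (assumption; tune per tenant).
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "User.ReadWrite.All", "Calendars.ReadWrite"}

ENTRY_RE = re.compile(r"\[(Id:[^\]]*)\]")      # one "[Id: ..., Scope: ...]" entry
FIELD_RE = re.compile(r"(\w+):\s*([^,\]]*)")  # "Key: value" pairs inside an entry

def ext_props(event):
    return {p["Name"]: p["Value"] for p in event.get("ExtendedProperties", [])}

def parse_consent_permissions(new_value):
    """Parse the ConsentAction.Permissions NewValue string (a rendered list, not JSON)
    into one dict per grant entry, with the space-separated Scope split into a list."""
    grants = []
    for body in ENTRY_RE.findall(new_value):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(body)}
        fields["Scopes"] = fields.pop("Scope", "").split()
        grants.append(fields)
    return grants

def assess_risk(grant):
    """Return the reasons a grant deserves review; an empty list means none."""
    reasons = []
    if grant.get("ConsentType") == "AllPrincipals":
        reasons.append("tenant-wide consent (AllPrincipals)")
    if "offline_access" in grant["Scopes"]:
        reasons.append("long-lived access via refresh token (offline_access)")
    hits = sorted(s for s in grant["Scopes"] if s in SENSITIVE_SCOPES)
    if hits:
        reasons.append("sensitive scopes: " + ", ".join(hits))
    return reasons

def correlate(events):
    """Join each 'Consent to application' record (which carries the scopes) with the
    'Add delegated permission grant' record from the same actor in the same second."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(ext_props(e).get("actorObjectId"), e["CreationTime"])].append(e)
    findings = []
    for group in by_key.values():
        grants = [e for e in group if e["Operation"].startswith("Add delegated permission grant")]
        for c in (e for e in group if e["Operation"].startswith("Consent to application")):
            cp = ext_props(c)
            raw = next((m["NewValue"] for m in c.get("ModifiedProperties", [])
                        if m["Name"] == "ConsentAction.Permissions"), "")
            for g in parse_consent_permissions(raw):
                # The grant record's targetObjectId is the resource SP and equals the consent entry's ResourceId.
                match = next((x for x in grants
                              if ext_props(x).get("targetObjectId") == g.get("ResourceId")), None)
                mp = ext_props(match) if match else {}
                extra = json.loads(mp.get("additionalTargets", "[]"))
                findings.append({
                    "actor": cp.get("actorUPN"),
                    "client_app": cp.get("targetName"),
                    "resource": mp.get("targetName", g.get("ResourceId")),
                    "client_confirmed_in_grant": any(
                        t.get("ObjectID") == cp.get("targetObjectId") for t in extra),
                    "consent_type": g.get("ConsentType"),
                    "scopes": g["Scopes"],
                    "review_reasons": assess_risk(g),
                })
    return findings

if __name__ == "__main__":
    print(json.dumps(correlate([CONSENT_EVENT, GRANT_EVENT]), indent=2))
```

On the sample the join reports client App Name, resource Microsoft Graph, consent type Principal and the three scopes, and confirms that the grant record's additionalTargets names the same client service principal the consent record targets. Consent with ConsentType AllPrincipals (tenant-wide) or with mail or directory write scopes is what an alert on these events should key on.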

Answers (1)

unknown

Reputation: 7483

You can find the audit logs by navigating to Enterprise applications -> Audit logs in the portal.

When you add a delegated permission (e.g. Microsoft Graph -> delegated permission) and then click the button "Grant admin consent for xxx", these four audit logs will be sent:

[Screenshot: the four audit log entries]

The two calls that you mentioned happen at the same time. Add delegated permission grant's targets are Microsoft Graph and the application which adds the permission. Consent to application's target is just the application. They are two steps in a process.

Update:

From my test results, adding a delegated permission just sends Update application and Update service principal. The two logs you mentioned are sent when clicking the button (Grant admin consent for xxx), and they are sent at the same time. It is decided by Microsoft.

If you want to know the permissions, you can find them in Update application -> Modified Properties.

The id is the resource id of the permission in Microsoft Graph:

[Screenshot: the permission id]

You can get the value of the permission with PowerShell:

(Get-AzureADServicePrincipal -ObjectId <object-id of the MS Graph in your tenant>).Oauth2Permissions | Where-Object {$_.Id -eq '570282fd-fa5c-430d-a7fd-fc8dc98a9dca'}


Upvotes: 2
