Optional application permissions for Azure AD

Question

Right now I've only requested the permissions required for a user to successfully authenticate into the SaaS application. These are delegated permissions.

I'm now wondering how to handle permissions for a new daemon integration, which will request different data from Graph and require application permissions. So far I see these alternatives:

1. I create a new application, representing the integration, and if the customer wants to enable this feature they go through the admin consent flow and grant the required application permissions.
2. I encumber the main app with the 'optional permissions' and tell the customers that if they don't use this particular feature then they can revoke this and that permission.

Are there more alternatives? How are others handling this situation?

I foresee more daemons, requiring different permissions, in the future which makes alternative 1) seem quite unattractive. On the other hand, I can envision push back from AD admins everywhere if I go down route 2) and ask for all kinds of permissions that aren't applicable to that organizations feature set.

Answer 1

Best practices would dictate you have a separate app registration for each application/daemon. That being said, if you don't want to, you could do something between your two options, make a second app registration for all the daemons, and make a simple SPA just to log in to give consent to that app registration, which is separate from the saas app registration. I would definitely avoid option 2 on your list though, because then the saas application would technically be able to access all the same things your daemon permissions have which can be a big security risk.