Nils Bergendal

Reputation: 13

MSgraph - Application Rights vs Delegated rights

I'm stuck and need advice. I have an MS Graph functionality that uses Excel as a calculation engine. My desktop app accesses an Excel workbook on OneDrive, inputs some values and reads out results. I've managed to do this with the delegated right "Files.ReadWrite" while impersonating a user, to avoid the application asking for permission each time it executes/accesses the workbook. But when moving the functionality to a .NET web application I ran into trouble. .NET wouldn't allow this functionality: "Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. Available only on .net desktop and .net core." So, I've moved the code to a REST service written in .NET Core. Then I got this: "StatusCode": 500, "Message": "One or more errors occurred. (AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance." I think I could solve all this if my application had the application right "Files.ReadWrite.All"? Am I right? Our IT department thinks application rights are too dangerous. Is there any middle way, to have these rights on the app and limit the accessibility, i.e. which objects the app is allowed to access?

Upvotes: 1

Views: 1820

Answers (1)

Carl Zhao

Reputation: 9549

I think I could solve all this if my application had the application right "Files.ReadWrite.All"? Am I right?

According to your error message: "Non-interactive request to acquire a security token from the authority, via Username/Password Authentication. Available only on .net desktop and .net core." Obviously you cannot use delegated permissions on .NET web applications, because it is a request without user interaction (that is, no user login), so you cannot use username/password-based authentication to obtain an access token. You need to grant application permissions to the application and then use the client credential flow to obtain an access token.

But can an app with the application right "Files.ReadWrite.All" read all files on all OneDrives in the organization? Is there any middle way, to have these rights on the app and limit the accessibility, i.e. which objects the app is allowed to access?

You can grant appropriate access permissions to the application according to the MS Graph API you want to access. I think the Files.ReadWrite.All application permission can read all files on all OneDrives in the organization.

For delegated permissions and application permissions, the essential difference between them is whether there is a user login:

Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user.

Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user.

Therefore, I think you can use application permissions with confidence.

Upvotes: 1
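As an added illustration of the client credential flow the answer recommends (this is example code, not from the question, the answer or Microsoft's documentation), the following .NET Core console program uses MSAL.NET to obtain an app-only Graph token and then writes an input cell and reads a result cell of a workbook. Tenant id, client id, secret, user object id, workbook item id and the cell addresses are placeholders to replace; the app registration is assumed to hold the Files.ReadWrite.All application permission with admin consent.

```csharp
// Added example: app-only (client credential) access to an Excel workbook on
// OneDrive via Microsoft Graph. Requires the NuGet package Microsoft.Identity.Client.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class GraphWorkbookClient
{
    // Placeholder values (hypothetical): load them from configuration or a
    // secret store in a real service, never hard-code a client secret.
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-registration-client-id>";
    const string ClientSecret = "<client-secret>";
    const string UserId = "<object-id-of-user-whose-OneDrive-holds-the-workbook>";
    const string ItemId = "<drive-item-id-of-the-workbook>";

    static async Task Main()
    {
        // Confidential client: the app authenticates as itself, with no user sign-in,
        // which is why application (not delegated) permissions are required.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // ".default" requests every application permission already consented on the registration.
        AuthenticationResult token = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", token.AccessToken);

        // An app-only token has no "/me"; the owning user's drive must be addressed explicitly.
        string workbook = $"https://graph.microsoft.com/v1.0/users/{UserId}/drive/items/{ItemId}/workbook";

        // Write the input value into Sheet1!A1 (the workbook recalculates on the server).
        var patch = new HttpRequestMessage(HttpMethod.Patch, $"{workbook}/worksheets/Sheet1/range(address='A1')")
        {
            Content = new StringContent("{\"values\": [[42]]}", Encoding.UTF8, "application/json")
        };
        (await http.SendAsync(patch)).EnsureSuccessStatusCode();

        // Read the calculated result back from Sheet1!B1; the JSON carries a "values" array.
        string result = await http.GetStringAsync($"{workbook}/worksheets/Sheet1/range(address='B1')");
        Console.WriteLine(result);
    }
}
```

Because the token is issued to the application rather than to a user, the Conditional Access policy that blocked the username/password request with AADSTS53003 no longer applies to this sign-in; the trade-off is that the token is valid for every user's OneDrive in the tenant, which is the concern the IT department raised.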
