Ricky S

Reputation: 11

Deeply stuck at Delegated and Application Permissions

I have been banging into the walls for quite a few days now. I have a setup where I have a CSP/CPV/MSP tenant (let's call it Tenant A) that manages 3 tenants B, C and D via Partner Center. (GDAP setup done with all 3 tenants, with Global Admin rights provided to the AdminAgents security group.) I want to be able to automate the management of the resources of the 3 managed tenants.

I have registered an application with quite a few Graph API permissions and the user_impersonation permission for the Partner Center API in a developer tenant (let's call it Tenant X), along with a client secret for authentication. I consent using an admin user account from the CSP tenant (Tenant A), and a service principal for the registered application is created in the CSP tenant without any hassle (auth code flow).

Next, I create a service principal for the app in the managed Tenant B using the CSP consent URL (here). This is a success as well, but it only lets me provide the generated service principal with delegated permissions. I provide the following delegated permissions to my service principal in Tenant B:

"Directory.ReadWrite.All", // Read and write directory data (e.g., users, groups)
"AppRoleAssignment.ReadWrite.All", // Read and write app role assignments 

But, for my use case, I need to provide this service principal in the managed tenant (Tenant B) with quite a few application permissions as well. So my question is quite simple really: how do I use these delegated permissions that my app has to provide its service principal inside the managed Tenant B with application permissions (e.g. User.ReadWrite.All, Directory.ReadWrite.All, etc.)? I don't want to consent using the admin account from the managed tenant, as that really defeats the purpose of automation.

Also, a general question: the client credential flow is used for generating an access token scoped to use the application privileges that the app has. How should I generate an access token that is scoped to use the delegated permissions of the app (of course, without requiring user interaction)?

Any help in this direction will be appreciated.

Upvotes: 0

Views: 104

Answers (1)

Rukmini

Reputation: 16064

Note that you will need to obtain admin consent for application permissions in each managed tenant (B, C, D) if you want to use those permissions in your automation. Unfortunately, there is no way to bypass this requirement while maintaining the security model of Microsoft Entra ID.

  • Application permissions are used when the application is acting on its own without a user context. They require admin consent and can access all data in the tenant.
  • Delegated Permissions are used when an application is acting on behalf of a user. They require user consent and are limited to the permissions that the signed-in user has.

Application permissions cannot be granted without admin consent from the tenant where the service principal is created. This means that you cannot use the delegated permissions to grant application permissions to your service principal in Tenant B without an admin's consent.

Even if you're automating the process, you would still need admin consent to allow the application to use those permissions across tenants. This is done via the adminconsent URL:

https://login.microsoftonline.com/TenantBTenantID/adminconsent?client_id=ClientID


Otherwise, use a multi-tenant application and request permissions dynamically across all tenants you manage (Tenants B, C, D) via Partner Center.


Access Token for Delegated Permissions (Without User Interaction)

  • Delegated permissions need user consent to allow the app to act on behalf of a user.
  • For generating access tokens scoped to delegated permissions without user interaction, you would typically need to use the OAuth 2.0 On-Behalf-Of (OBO) flow.
  • This flow allows your application to obtain an access token for a downstream API on behalf of the user who has already signed in. However, this still requires user interaction at least once to obtain the initial token.

Upvotes: 0
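An added example (not code from the question or the answer): it builds the per-tenant adminconsent URL the answer points to, the two token requests the thread discusses (client credentials for application permissions, On-Behalf-Of for delegated ones), and a claim check that tells which kind of permission a returned token actually carries, since application permissions show up in the `roles` claim and delegated ones in `scp`. Tenant IDs, client IDs, the redirect URI and the token itself are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def admin_consent_url(tenant_id, client_id, redirect_uri, state):
    # Admin consent has to be granted in each managed tenant (B, C, D);
    # delegated permissions cannot be used to grant application permissions.
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORITY}/{tenant_id}/adminconsent?{query}"

def client_credentials_request(tenant_id, client_id, client_secret):
    # Request for a token scoped to application permissions (the 'roles' claim).
    return (f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", {
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"})

def obo_request(tenant_id, client_id, client_secret, user_assertion):
    # On-Behalf-Of: exchanges a token a user already obtained for a delegated
    # downstream token (the 'scp' claim); it cannot start without that user token.
    return (f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id, "client_secret": client_secret,
        "assertion": user_assertion, "requested_token_use": "on_behalf_of",
        "scope": "https://graph.microsoft.com/.default"})

def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_unsigned_token(claims):
    # Constructed, unsigned JWT (header.payload.) used only to exercise permission_kind.
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}."

def permission_kind(access_token):
    """Tell application permissions ('roles') from delegated ones ('scp').
    Decodes the payload for inspection only; this is not signature validation."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("roles") and "scp" not in claims:
        return "application", sorted(claims["roles"])
    if claims.get("scp"):
        return "delegated", sorted(claims["scp"].split())
    return "none", []
```

Running `permission_kind` on the token your automation actually receives in Tenant B is the quickest way to confirm whether consent produced application permissions or only the delegated scopes the question lists.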
