Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
| azure:az-500:alt:application_management [2023/02/02 23:43] – [Consent] mmuze | azure:az-500:alt:application_management [2023/02/03 23:58] (current) – [Consent] mmuze | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| * App Registration | * App Registration | ||
| - | The purpose of registering an app with Azure AD is to authorize a client/app to access some resource that AAD controls access to. For example, the MS Graph Powershell module (client) needs to be granted access to the MS Graph API (resource). The resource directs the client to Azure AD (the authorization server) where the user (resource owner) must authenticate themselves and consent to delegate the requested permissions (scope) to the client. | + | The purpose of registering an app with Azure AD is to authorize a client/app to access some resource that AAD controls access to (for which AAD is the authorization server). For example, the MS Graph Powershell module (client) needs to be granted access to the MS Graph API (resource). The resource directs the client to Azure AD (the authorization server) where the user (resource owner) must authenticate themselves and consent to delegate the requested permissions (scope) to the client. |
| Although the original use case for the OAuth2 flow was to support granting third-party apps access to resource, it is also used for first-party apps, as in the example with the MS Graph Powershell module access the MS Graph API. | Although the original use case for the OAuth2 flow was to support granting third-party apps access to resource, it is also used for first-party apps, as in the example with the MS Graph Powershell module access the MS Graph API. | ||
| Line 15: | Line 15: | ||
| * Delegated access, an app acting on behalf of a signed-in user. //delegated permissions// | * Delegated access, an app acting on behalf of a signed-in user. //delegated permissions// | ||
| * App-only access, an app acting with its own identity. This method of access is generally used by automation and daemons that run unattended and noninteractively. | * App-only access, an app acting with its own identity. This method of access is generally used by automation and daemons that run unattended and noninteractively. | ||
| + | * Application permissions allow an application in Azure Active Directory to act as its own entity, rather than on behalf of a specific user. Delegated permissions allow an application in Azure Active Directory to perform actions on behalf of a particular user. | ||
| ====== Consent ====== | ====== Consent ====== | ||
| * What is // | * What is // | ||
| Line 21: | Line 21: | ||
| * Either users can be allowed to consent to permissions granted to an app or the ability to consent can be reserved for admins only. | * Either users can be allowed to consent to permissions granted to an app or the ability to consent can be reserved for admins only. | ||
| * When the [[https:// | * When the [[https:// | ||
| + | * admin consent vs. user consent | ||
| * //Consent on behalf of your organization//, | * //Consent on behalf of your organization//, | ||