M365 Community @ YouTube: Demystifying permissions and app consent when accessing Microsoft Graph - Githubissues

LLMA-dot / Get-Clue

Collection of various links and other useful things that I am currently learning. Maybe helpful to others.

0 stars 0 forks source link

M365 Community @ YouTube: Demystifying permissions and app consent when accessing Microsoft Graph #12

Closed LLMA-dot closed 1 year ago

LLMA-dot commented 1 year ago

Demystifying permissions and app consent when accessing MS Graph

YouTube Link: https://www.youtube.com/watch?v=qRZQCdM9VtQ

Whenever data is accessed by an app or a service - there are two ways how it is accessed

Direct Access (Service Principal - Application Permissions (app roles) )
- Is the app authorized?
Access on behalf of the user (Delegated Permissions)
- Is the user authorized to do this?
- Is the app authorized to do this on behalf of the user?

Requesting permissions for MS Graph

During sign-in an app can request access

Dynamically requested permissions
- Format: .../authorize?client_id={App-id}&scope=openid User.Read
- If granted, granted IN ADDITION to previously geanted permissions
- Only works for requesting delegated permissions
Statically confiugured permissions
- Format: .../authorize?client_id={App-id}&scope=.default
- If granted, revokes previously granted permissions
- Works for requesting application permissions and delegated permissions

Most Graph permissions allow access to lots of data

Application permissions are almost always "tenant-wide"
- E. g. All files in the organization
Delegated permissions are restricted to what the user can access
- E. g. all files i nthe org that the signed-in user can access
Some permissions do limit the resources
- E. g. User.Read (the signed-in users profile), Mail.Read (the signed in users mailbox)