AAD: About Permissions, AppRoles and OptionalClaims

Delegated Permissions and Application Permissions

Delegated permissions are only relevant when a user signs in to the application. They are used when you want to call services in the context of that signed-in user (the app acts on the user's behalf, so the effective permissions are the intersection of what the user can do and what the app was granted).
Application permissions are used when the application calls the API in its own context, without a signed-in user to impersonate; they are granted by an administrator and show up in the token regardless of who, if anyone, is logged on.

AppRoles attribute in manifest

The AppRoles attribute in the app manifest (i.e. on the Application object) defines which application roles your application exposes, i.e. which roles other apps (or users/groups, depending on allowedMemberTypes) can be assigned to. A role's "value" string is what later appears in the "roles" claim of tokens issued to principals that hold an assignment for it.

Optional Claims

Optional claims will never give you anything in the "roles" (application permissions, or app roles assigned to the signed-in user) or "scp" (delegated permissions) claims, since these are reserved claims. The only way to affect the "roles" claim is with AppRoleAssignments. The only way to affect the "scp" claim (which, remember, is only relevant when a user signs in with your app) is with OAuth2PermissionGrants. Optional claims can still help you interpret those two: for example, the "idtyp" optional claim on access tokens tells an API whether it received an app-only token ("app") or an app+user token, which is the reliable way to decide whether to look at "roles" or at "scp".
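The following is an added example, not code from the original post, showing how an API that receives an Azure AD access token should pick the right claim to authorize against: "scp" when a user signed in (delegated), "roles" when the caller is the app itself. It also ties the "value" of an appRoles manifest entry to what appears in the "roles" claim. The manifest entry, GUIDs, claim sets, the API name `api://orders-api` and the permission names `Orders.Read` / `Orders.Read.All` are all constructed for illustration, and the claim dictionaries are assumed to have already passed signature, issuer, audience and expiry validation by a JWT library before reaching this code.

```python
"""
Added example (not from the original post): authorizing an API call against the
"scp" or "roles" claim of an already-validated Azure AD access token.
Every identifier, claim value and manifest entry below is constructed.
"""
import json

# Constructed appRoles entry as it would appear in the API's app manifest.
# The "value" is what later appears in the "roles" claim of tokens issued to
# principals that hold an AppRoleAssignment for this role.
APP_MANIFEST_APP_ROLES = json.loads("""
[
  {
    "allowedMemberTypes": ["Application"],
    "description": "Allows the app to read all orders without a signed-in user.",
    "displayName": "Read all orders",
    "id": "00000000-0000-0000-0000-000000000001",
    "isEnabled": true,
    "value": "Orders.Read.All"
  }
]
""")

# Constructed, already-validated claim sets for the two call types.
APP_ONLY_CLAIMS = {
    "aud": "api://orders-api",
    "appid": "11111111-1111-1111-1111-111111111111",
    "idtyp": "app",                  # optional claim, opted in by the API
    "roles": ["Orders.Read.All"],    # comes from an AppRoleAssignment
}
DELEGATED_CLAIMS = {
    "aud": "api://orders-api",
    "appid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "scp": "Orders.Read user_impersonation",  # comes from an OAuth2PermissionGrant
    "roles": ["Orders.Approver"],    # app role assigned to the *user*, not an application permission
}


def exposed_role_values(app_roles):
    """Return the 'value' strings of the enabled roles in an appRoles list."""
    return {r["value"] for r in app_roles if r.get("isEnabled")}


def call_context(claims):
    """Classify a validated token as 'application' (app-only) or 'delegated'.

    The optional 'idtyp' claim, when the API has opted in to it, is authoritative.
    Otherwise fall back to the presence of 'scp', which only appears when a user
    signed in. Never decide on 'roles' alone: delegated tokens also carry it when
    the signed-in user holds an app role assignment.
    """
    if claims.get("idtyp") == "app":
        return "application"
    return "delegated" if "scp" in claims else "application"


def is_authorized(claims, delegated_scope, app_role):
    """Check the permission that matches the call context.

    delegated_scope: scope name required of app+user callers (checked in 'scp').
    app_role: app role value required of app-only callers (checked in 'roles').
    """
    if call_context(claims) == "delegated":
        granted_scopes = set(claims.get("scp", "").split())  # space-separated string
        return delegated_scope in granted_scopes

    # App-only: the role must be one this API actually exposes in its manifest
    # (guards against a misconfigured check) and must be present in the token.
    if app_role not in exposed_role_values(APP_MANIFEST_APP_ROLES):
        return False
    return app_role in set(claims.get("roles", []))


if __name__ == "__main__":
    for name, claims in (("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS)):
        print(name, call_context(claims),
              is_authorized(claims, "Orders.Read", "Orders.Read.All"))
```

The important edge case is the delegated token: it carries a "roles" claim too, but that role belongs to the user, so checking "roles" without first deciding the call context would let a user token satisfy an application-permission check (or vice versa). Deciding on "idtyp", falling back to the presence of "scp", keeps the two models separate.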
