Effects of 'Delegated Type' permissions under 'API Permissions' on registered application?

Question

Hello,

I have noticed that even if i do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the users scope consent.
What is the point then of configuring the 'Delegated Type' permissions?

Thank You.

Answer 1

@CloudMe , When you register an application from the portal, by default the following (in the screenshot below) "Delegated Permission" gets added

This delegated permission allows the application to pull the details about the user who is currently logged into the app, as usually you login to the Graph Explorer and try to test the graph api to check your own profile details like the /me endpoint.

By default it can only connect to the Graph API Resource and perform only the read user's own profile details and no other Azure AD resource can be accessed.

Hope this helps.

Answer 2

As i noted in my question:
"I have noticed that even if i do not have any permission at all on the 'API Permissions' of a selected registered application, it can still connect to resources by using the users scope consent."

Even after Removing all default permissions and not adding any new ones, my registered app is still able to access resources granted by the user's consent.

I understand the "Application permissions" are there to enable the application access to resources on its own, without any user interaction. But what is the point of the "Delegated permissions" if the users consent is the one that counts?

Thanks.