What are Delegated Permissions in Microsoft 365?

Delegated Permissions in Microsoft 365 allow applications to act on behalf of a signed-in user when accessing the Microsoft Graph API or other services. These permissions ensure that apps can perform specific actions only within the scope of the user's permissions.

Key Characteristics of Delegated Permissions

  1. User-Consent Based
    • Requires the user to sign in and consent to allow the app to access their data.
  2. Limited to User Privileges
    • The app can only perform actions that the signed-in user has permission for.
  3. Commonly Used in Interactive Apps
    • Web and mobile apps often use delegated permissions when they need user-specific access.

How Delegated Permissions Work

  • User Logs In → The app requests access to specific resources.
  • User Grants Consent → Permissions are granted based on the scope defined.
  • App Acts on Behalf of User → The app performs actions with the user's authorization.

Example PowerShell command to list all delegated permissions assigned to an application:

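# Oauth2PermissionScopes only lists the scopes an app exposes; the delegated permissions
# granted to the app are stored as OAuth2 permission grants on its service principal.
$sp = Get-MgServicePrincipal -Filter "appId eq 'your-app-id'"
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" | Select-Object ConsentType, PrincipalId, ResourceId, Scope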

Common Use Cases

  • Email Access: An app reads a user’s mailbox to sync emails.
  • Calendar Management: Scheduling bots access user calendars to book meetings.
  • OneDrive File Access: Apps retrieve and upload files to a user's OneDrive.

Best Practices for Using Delegated Permissions

  1. Use Least Privilege: Request only the necessary permissions to limit security risks.
  2. Monitor API Permissions: Regularly audit app permissions in the Microsoft Entra admin center.
  3. Secure Access with Conditional Policies: Enforce MFA or IP-based access for apps using delegated permissions.
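
The first two practices can be turned into a recurring check. The script below is an added example, not part of the original article or any Microsoft tooling: it flags delegated grants that are consented for every user in the tenant or that include a scope on a watch list. The function name `Find-RiskyDelegatedGrant`, the watch list and the sample grants are assumptions made for illustration.

```powershell
# Assumed watch list: scopes this (hypothetical) tenant treats as high impact. Adjust to policy.
$WatchedScopes = 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Directory.ReadWrite.All'

function Find-RiskyDelegatedGrant {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Grant
    )
    process {
        # Scope is one space-separated string, e.g. "User.Read Mail.Read"
        $scopes = "$($Grant.Scope)" -split '\s+'
        $hits = @($scopes | Where-Object { $WatchedScopes -contains $_ })
        # AllPrincipals = admin consented for every user; Principal = one user consented
        $tenantWide = $Grant.ConsentType -eq 'AllPrincipals'

        $reasons = @()
        if ($tenantWide) { $reasons += 'tenant-wide admin consent' }
        if ($hits.Count -gt 0) { $reasons += 'watched scope' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ClientId      = $Grant.ClientId
                ConsentType   = $Grant.ConsentType
                PrincipalId   = $Grant.PrincipalId
                WatchedScopes = $hits -join ' '
                Reason        = $reasons -join ', '
            }
        }
    }
}

# Constructed sample grants in the shape returned by Get-MgOauth2PermissionGrant.
$sample = @(
    [pscustomobject]@{ ClientId = 'sp-object-id-1'; ConsentType = 'Principal'
                       PrincipalId = 'user-object-id-1'; Scope = 'User.Read Calendars.Read' }
    [pscustomobject]@{ ClientId = 'sp-object-id-2'; ConsentType = 'Principal'
                       PrincipalId = 'user-object-id-2'; Scope = 'User.Read Mail.ReadWrite' }
    [pscustomobject]@{ ClientId = 'sp-object-id-3'; ConsentType = 'AllPrincipals'
                       PrincipalId = $null; Scope = 'User.Read Files.ReadWrite.All' }
)

# Only the second and third sample grants are reported.
$sample | Find-RiskyDelegatedGrant | Format-Table -AutoSize

# Against a live tenant (requires a Graph session allowed to read permission grants):
# Get-MgOauth2PermissionGrant -All | Find-RiskyDelegatedGrant
```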

Delegated Permissions help securely integrate third-party apps with Microsoft 365 while ensuring users remain in control of their data.
