What's the difference between application and delegated OAuth permissions on Microsoft 365?

Background

OAuth apps are restricted in what they can do by the permissions they are granted.

During install, an app will ask for permissions such as Mail.Read, Calendar.Read or Files.ReadWrite. If the user consents, the app is then allowed to do actions within those permissions.

Application vs. delegated permissions

Microsoft 365 has two types of OAuth permissions: application permissions and delegated permissions. They often have similar or even identical names, but the difference is important because the scope of each permission type varies considerably.

Delegated permissions grant the app access as that user within the confines of the permissions requested.

For example, an app that has been granted the delegated permission Mail.Read can read the mail of the user who consented to the app.

Delegated access is still bound by the access that user has. For example, an app that has been granted the delegated permission Files.Read can only read the same files as the user who consented.

Application permissions grant tenant-wide access to the permission requested.

For example, an app that has been granted the application permissions Mail.Read and Files.Read.All can read all user mail and read all files. For obvious reasons, application permissions can only be granted by an admin.

For delegated permissions, admins can also consent on behalf of the organization, which means that users don’t need to go through a further consent screen when they want to use an app.

Learn more about Microsoft's OAuth permissions if you're not sure what one means. You can also find more information about application vs. delegated permissions on the Microsoft website.