
Application vs. delegated OAuth permissions on Microsoft 365

OAuth apps are restricted in what they can do by the permissions they are granted. An app asks for permissions on install (such as Mail.Read, Calendars.Read, or Files.ReadWrite) and, if the user consents, the app can then perform actions within those permissions.

Microsoft 365 has two types of OAuth permissions: application permissions and delegated permissions. They often have similar or even identical names, but the difference is very important.

Delegated permissions grant the app access as that user within the confines of the permissions requested. For example, an app that has been granted the delegated permission Mail.Read can read the mail of the user who consented to the app. Delegated access is still bound by the access that user has. For example, an app that has been granted the delegated permission Files.Read can only read the same files as the user who consented.

Application permissions grant tenant-wide access to the permission requested. For example, an app that has been granted the application permissions Mail.Read and Files.Read.All can read all user mail and read all files. For obvious reasons, application permissions can only be granted by an admin.

For delegated permissions, admins can also consent on behalf of the organisation, meaning users don’t need to go through a further consent screen when they want to use an app.
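As an added example (not code from the original post), the sketch below sorts grant records into the three cases described above: application permissions, delegated permissions consented by an admin for the whole organisation, and delegated permissions consented by one user. The records are constructed, shaped like Microsoft Graph's `oauth2PermissionGrants` and `appRoleAssignments` responses; every ID and the `classify_grants` helper are hypothetical.

```python
# Constructed sample records shaped like Microsoft Graph responses; every ID is made up.
# Delegated grants, as returned by GET /oauth2PermissionGrants
DELEGATED_GRANTS = [
    {"clientId": "sp-mailtool", "consentType": "Principal",
     "principalId": "user-alice", "scope": "Mail.Read Calendars.Read"},
    {"clientId": "sp-crm", "consentType": "AllPrincipals",
     "principalId": None, "scope": " Files.Read User.Read"},
]
# Application permissions, as returned by GET /servicePrincipals/{id}/appRoleAssignments
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-backup", "resourceId": "sp-graph", "appRoleId": "role-0001"},
    {"principalId": "sp-backup", "resourceId": "sp-graph", "appRoleId": "role-0002"},
    {"principalId": "sp-crm", "resourceId": "sp-graph", "appRoleId": "role-9999"},
]
# appRoles published by the resource service principal: appRoleId -> permission name
APP_ROLES = {"sp-graph": {"role-0001": "Mail.Read", "role-0002": "Files.Read.All"}}

# Ordered broadest first; this order drives the sort below.
REACH = {
    "application": "tenant-wide, not bounded by any user's access",
    "delegated-admin": "any user who signs in, bounded by that user's access",
    "delegated-user": "one consenting user, bounded by that user's access",
}


def classify_grants(delegated, assignments, app_roles):
    """Return one row per (app, grant type, user), broadest grants first."""
    rows = {}
    for g in delegated:
        # AllPrincipals means an admin consented on behalf of the organisation.
        kind = "delegated-admin" if g["consentType"] == "AllPrincipals" else "delegated-user"
        key = (g["clientId"], kind, g.get("principalId"))
        rows.setdefault(key, set()).update(g["scope"].split())
    for a in assignments:
        # An assignment carries only a role ID; resolve it and keep unknown IDs visible.
        roles = app_roles.get(a["resourceId"], {})
        name = roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        rows.setdefault((a["principalId"], "application", None), set()).add(name)
    order = list(REACH)
    out = [{"app": app, "type": kind, "user": user,
            "permissions": sorted(perms), "reach": REACH[kind]}
           for (app, kind, user), perms in rows.items()]
    return sorted(out, key=lambda r: (order.index(r["type"]), r["app"]))


if __name__ == "__main__":
    for row in classify_grants(DELEGATED_GRANTS, APP_ROLE_ASSIGNMENTS, APP_ROLES):
        print(row)
```

In the sample data, Mail.Read appears both as an application permission (all mailboxes) and as a delegated permission (one user's mailbox), which is why the grant type has to be reported alongside the name.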

Microsoft maintains a full reference of OAuth permissions, so check it out if you’re not sure what one means. More information on application and delegated permissions can be found on the Microsoft website.

© Push 2022. All rights reserved.