In the Microsoft identity platform, a permission is represented as a string value.
They're also often referred to as permissions. In OAuth 2.0, these types of permission sets are called scopes. Developers should always abide by the principle of least privilege, asking for only the permissions they need for their applications to function. And they can be more confident that the app isn't behaving with malicious intent. Users and administrators can know what data the app can access. When a resource's functionality is chunked into small permission sets, third-party apps can be built to request only the permissions that they need to perform their function. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf. As an example, Microsoft Graph has defined permissions to do the following tasks, among others:īecause of these types of permission definitions, the resource has fine-grained control over its data and how API functionality is exposed. Any of these resources also can define a set of permissions that can be used to divide the functionality of that resource into smaller chunks. The same is true for any third-party resources that have integrated with the Microsoft identity platform.
Here are some examples of Microsoft web-hosted resources: Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or application ID URI. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. The Microsoft identity platform implements the OAuth 2.0 authorization protocol. This article covers the basic concepts of this authorization model, including scopes, permissions, and consent. It changes how an app must interact with the Microsoft identity platform. The implementation of the authorization model has been updated on the Microsoft identity platform. Applications that integrate with the Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed.