Why is Delegated Permission Required When Creating an Azure Application User?

 

🎭 A Simple Real-Life Example

Imagine you work in a big office, and you need access to a locked room. There are two ways you can enter:

1️⃣ You walk in with your boss (delegated permission) – Your boss has access, and you are allowed in only while they are with you.
2️⃣ You get your own key (application permission) – You can enter anytime, even when your boss is not there.

This is exactly how permissions work in Azure!

🔹 Understanding Delegated Permission in Azure

When you create an Azure Application User, it needs permission to access resources like Dynamics 365 or APIs.

  • 🔑 Delegated Permission → The app acts on behalf of a real user (requires an active user session).
  • 🗝️ Application Permission → The app has full access to the resource, even if no user is logged in.

🔎 Key Differences

FeatureDelegated PermissionApplication Permission
Acts as a user?✅ Yes❌ No
Requires login?✅ Yes❌ No
Follows user’s access?✅ Yes (limited access)❌ No (full access)
Security risk?🔒 Low⚠️ High (if misconfigured)

🔹 Why is Delegated Permission Needed?

User Context – The app follows the permissions of the logged-in user.
Security – The app cannot access data when no user is logged in.
Controlled Access – The app gets only the permissions the user has, avoiding unnecessary access.

🔹 Real-World Example: Customer Support System

Imagine a customer support agent logs into an app that connects with Dynamics 365:

1️⃣ The app uses the agent’s credentials (delegated permission) to fetch customer details.
2️⃣ The agent only sees data they are allowed to access based on their role in CRM.

👉 What if the app had full (application) permissions?
🚨 The app could access everything, even if the agent wasn’t logged in! This is a security risk.

🔹 Conclusion

Delegated permissions ensure security and controlled access by allowing the app to work only when a real user is logged in.

It’s like entering a restricted area only when your boss is with you, instead of having a master key to everything! 🔐😊


Comments

Post a Comment

Popular posts from this blog

🔍 Dataverse + Azure Integration: Choosing Between Synapse Link and Microsoft Fabric

  Managing large-scale data in Microsoft Dataverse ? You're likely choosing between Azure Synapse Link and the newer Microsoft Fabric Link . Both unlock powerful analytics and reporting options—but with different trade-offs in performance, setup, and long-term cost. Let’s break it down 👇 📊 Power BI and Dataverse: Great, But With Limits Power BI uses TDS (Tabular Data Stream) to connect directly to Dataverse tables. Real-time querying works well for smaller datasets (tens of thousands of records). However, complex queries and relationships may cause timeouts after 5 minutes , making it unreliable for enterprise-scale analytics. 🔗 Azure Synapse Link: Power + Complexity ✅ Strengths: Designed for large datasets , converting Dataverse tables to CSV format for efficient querying and reporting. Highly customizable with Synapse Studio , Azure Data Lake , and Data Factory for deeper ETL/ELT capabilities. ⚠️ Watchouts: Requires technical setup : Azur...
Read more

⚡ Example: Rate Limiting in Azure API Management

  Scenario: You have a public API and want to limit each user to 5 calls per minute to prevent abuse or accidental overload. 🛡️ What is Rate Limiting? Rate limiting controls how many requests a client can make to your API within a specific time window . It helps: Prevent API abuse Protect backend systems Fairly distribute API usage 💡 Using the rate-limit-by-key Policy Azure APIM uses a policy called rate-limit-by-key . It limits requests based on a unique identifier — usually the caller's subscription key or IP address. 🔧 Example Policy (XML) Here’s how you can add this to your inbound policy : < inbound > < base /> < rate-limit-by-key calls = "5" renewal-period = "60" counter-key = "@(context.Subscription?.Key)" /> </ inbound > Explanation: Attribute Meaning calls="5" Maximum 5 calls allowed renewal-period="60" Time window of 60 seconds (1 minute...
Read more

👤 Anonymous Role in Power Pages – What It Is and When to Use It

  When building public-facing websites with Power Pages , not every visitor will be a logged-in user. Some might just be browsing, some might want to ask a question, and others might be using your portal for the very first time. So how do we allow unregistered users to interact with our portal safely ? That’s where the Anonymous Users role comes in. 🚪 Who Are Anonymous Users? Anonymous users are visitors who haven’t logged in to your Power Pages portal. They: Have not signed in May not have an account Might be visiting for the first time And here’s the best part — Power Pages automatically assigns them the “Anonymous Users” web role. You don’t have to do anything special to give it. 🔐 What Can They Do? By default, anonymous users can see pages marked as "anonymous access allowed" , but they can't create or edit data unless you let them . To let anonymous users interact with your data (e.g., submit a form), you need to: Create table permissi...
Read more