The Microsoft identity platform implements the OAuth 2.0 authorization protocol. OAuth 2.0 is a method through which a third-party app can access web-hosted resources on behalf of a user. Any web-hosted resource that integrates with the Microsoft identity platform has a resource identifier, or application ID URI.

In this article, you'll learn about scopes and permissions in the identity platform.

The following list shows some examples of Microsoft web-hosted resources:

The same is true for any third-party resources that have integrated with the Microsoft identity platform. Any of these resources can also define a set of permissions that can be used to divide the functionality of that resource into smaller chunks. As an example, Microsoft Graph has defined permissions to do the following tasks, among others:

Because of these types of permission definitions, the resource has fine-grained control over its data and how API functionality is exposed. A third-party app can request these permissions from users and administrators, who must approve the request before the app can access data or act on a user's behalf.

When a resource's functionality is chunked into small permission sets, third-party apps can be built to request only the permissions that they need to perform their function. Users and administrators can know what data the app can access, and they can be more confident that the app isn't behaving with malicious intent. Developers should always abide by the principle of least privilege, asking for only the permissions they need for their applications to function.

In OAuth 2.0, these types of permission sets are called scopes. They're also often referred to as permissions. In the Microsoft identity platform, a permission is represented as a string value. An app requests the permissions it needs by specifying the permission in the scope query parameter. The identity platform supports several well-defined OpenID Connect scopes and resource-based permissions (each permission is indicated by appending the permission value to the resource's identifier or application ID URI). For example, the permission string is used to request permission to read users' calendars in Microsoft Graph.

In requests to the authorization, token, or consent endpoints of the Microsoft identity platform, if the resource identifier is omitted in the scope parameter, the resource is assumed to be Microsoft Graph. For example, scope=User.Read is equivalent to.

Permissions in the Microsoft identity platform can be set to admin restricted. For example, many higher-privilege Microsoft Graph permissions require admin approval. If your app requires admin-restricted permissions, an organization's administrator must consent to those scopes on behalf of the organization's users. The following section gives examples of these kinds of permissions:

- Read all users' full profiles by using.
- Write data to an organization's directory by using.
- Read all groups in an organization's directory by using.

Although a consumer user might grant an application access to this kind of data, organizational users can't grant access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions.

If the application requests application permissions and an administrator grants these permissions, this grant isn't done on behalf of any specific user. Instead, the client application is granted permissions directly. These types of permissions should only be used by daemon services and other non-interactive applications that run in the background. For more information on the direct access scenario, see Access scenarios in the Microsoft identity platform.

For a step-by-step guide on how to expose scopes in a web API, see Configure an application to expose a web API.

The Microsoft identity platform implementation of OpenID Connect has a few well-defined scopes that are also hosted on Microsoft Graph: openid, email, profile, and offline_access. The address and phone OpenID Connect scopes aren't supported. If you request the OpenID Connect scopes and a token, you'll get a token to call the UserInfo endpoint. If an app signs in by using OpenID Connect, it must request the openid scope.
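The rules above (a scope without a resource prefix means Microsoft Graph, openid is mandatory for OpenID Connect sign-in, address and phone are unsupported, and some permissions need admin consent) are easy to get wrong when an app assembles its scope parameter by hand. The following Python, added here as an example and not code from the Microsoft documentation or any Microsoft library, normalizes a requested scope list, flags what a reviewer would want to see before consent is granted, and assembles the authorization request. The v2.0 authorize endpoint and parameter names are the standard authorization-code request, which the page itself does not spell out; the three Graph permission names in ADMIN_RESTRICTED are a constructed policy list for this example (the page gives no names), not the platform's own consent catalogue; Calendars.Read, the tenant value and the client id are sample inputs.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Resource assumed when a scope carries no resource prefix (rule stated on the page).
GRAPH_RESOURCE = "https://graph.microsoft.com"

# OpenID Connect scopes the platform supports, and the two it does not (from the page).
OIDC_SCOPES = {"openid", "email", "profile", "offline_access"}
UNSUPPORTED_OIDC_SCOPES = {"address", "phone"}

# Constructed policy list for this example: delegated Graph permissions the reviewing
# team treats as admin-restricted. Not the platform's own catalogue; confirm each
# permission's consent requirement against the Graph permissions reference.
ADMIN_RESTRICTED = {
    f"{GRAPH_RESOURCE}/User.Read.All",
    f"{GRAPH_RESOURCE}/Directory.ReadWrite.All",
    f"{GRAPH_RESOURCE}/Group.Read.All",
}


def normalize_scope(scope: str) -> str:
    """Return the fully qualified form of one scope string.

    OIDC scopes are returned as they are. A scope that already names a resource
    (it contains '/', e.g. an application ID URI such as api://<id>/access_as_user)
    is returned unchanged. Anything else is a bare permission value, which the
    platform resolves against Microsoft Graph, so the Graph prefix is added.
    """
    scope = scope.strip()
    if scope in OIDC_SCOPES or scope in UNSUPPORTED_OIDC_SCOPES:
        return scope
    if "/" in scope:
        return scope
    return f"{GRAPH_RESOURCE}/{scope}"


@dataclass
class ScopeReview:
    normalized: list = field(default_factory=list)     # de-duplicated, fully qualified
    admin_required: list = field(default_factory=list) # will need an admin's consent
    unsupported: list = field(default_factory=list)    # address / phone, dropped


def review_scopes(requested: list, sign_in: bool) -> ScopeReview:
    """Normalize a scope list and surface what a least-privilege review needs:
    unsupported OIDC scopes, permissions that require admin consent, and a
    missing openid scope when the app signs users in."""
    review = ScopeReview()
    for raw in requested:
        scope = normalize_scope(raw)
        if scope in UNSUPPORTED_OIDC_SCOPES:
            review.unsupported.append(scope)
            continue
        if scope not in review.normalized:
            review.normalized.append(scope)
        if scope in ADMIN_RESTRICTED and scope not in review.admin_required:
            review.admin_required.append(scope)
    if sign_in and "openid" not in review.normalized:
        # Sign-in via OpenID Connect requires openid; add it rather than ship a
        # request that cannot sign the user in.
        review.normalized.insert(0, "openid")
    return review


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        requested: list, sign_in: bool = True) -> str:
    """Assemble the v2.0 authorization-code request with a clean scope parameter.
    Refuses to send scopes the platform does not support instead of silently
    dropping them, so the misconfiguration is caught at build time."""
    review = review_scopes(requested, sign_in)
    if review.unsupported:
        raise ValueError(f"unsupported OpenID Connect scopes: {review.unsupported}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(review.normalized),  # space-separated per OAuth 2.0
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


if __name__ == "__main__":
    # Sample inputs (constructed): placeholder client id and a local redirect URI.
    url = build_authorize_url("common", "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback", ["User.Read", "Calendars.Read"])
    print(url)
    r = review_scopes(["User.Read", "Directory.ReadWrite.All",
                       "api://example-api/access_as_user"], sign_in=True)
    print("needs admin consent:", r.admin_required)
```

Running the module prints the assembled request (note that the bare User.Read ends up as the Graph-qualified permission, and openid is prepended because the app signs users in) and lists Directory.ReadWrite.All as the one scope that will need an administrator's consent, which is exactly the point at which an organizational user would otherwise be shown the "not authorized to consent" error described above.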