Glossary
Application Permissions
OAuth permissions where an app acts on its own without a user context, with access to the entire tenant scope.
Application permissions in Microsoft Entra ID are OAuth permission scopes where an application acts on its own, without a signed-in user. The app uses its own credentials (client secret, certificate, or federated identity) to obtain tokens. Permissions are evaluated against the app's identity alone, typically granting tenant-wide access: Mail.Read (application) reads every mailbox in the tenant, and User.Read.All reads every user. They are used for backend services, scheduled jobs, and system integrations without user interaction, and they require admin consent to grant. Contrast with delegated permissions, which act on behalf of a signed-in user with that user's scope.
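Added example, not part of the original glossary entry: a defender-side check that classifies the claims of an Entra ID access token as app-only or delegated and flags the tenant-wide application permissions named above. It assumes application permissions arrive in the `roles` claim, delegated scopes in the space-separated `scp` claim, and that the optional `idtyp` claim may be present; the function names and both sample tokens are constructed for illustration.

```python
import base64
import json

# Application permissions named in this entry; extend with your own watch list.
TENANT_WIDE = {"Mail.Read", "User.Read.All"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload. No signature check: use on already-validated tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(claims: dict) -> dict:
    scopes = claims.get("scp", "").split()   # delegated scopes
    roles = list(claims.get("roles", []))    # application permissions
    idtyp = claims.get("idtyp")              # optional claim: "app" or "user"
    if idtyp == "app" or (idtyp is None and roles and not scopes):
        kind, granted = "application", roles
    elif scopes:
        kind, granted = "delegated", scopes
    else:
        kind, granted = "unknown", []
    # Only app-only grants are tenant-wide; a delegated Mail.Read is limited
    # to what the signed-in user can reach.
    wide = set(granted) & TENANT_WIDE if kind == "application" else set()
    return {"kind": kind, "permissions": sorted(granted), "tenant_wide": sorted(wide)}

def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), b64url(b"constructed")])

# Constructed samples: a backend job's token and a signed-in user's token.
APP_TOKEN = make_sample({"appid": "00000000-0000-0000-0000-000000000001",
                         "roles": ["Mail.Read", "User.Read.All"], "idtyp": "app"})
USER_TOKEN = make_sample({"appid": "00000000-0000-0000-0000-000000000001",
                          "scp": "Mail.Read User.Read", "upn": "user@example.com"})

if __name__ == "__main__":
    for name, tok in (("app", APP_TOKEN), ("user", USER_TOKEN)):
        print(name, classify(jwt_claims(tok)))
```

The same Mail.Read name appears in both samples, but only the app-only token is reported as tenant-wide.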