Glossary
Delegated Permissions
OAuth permissions where an app acts on behalf of a signed-in user, inheriting that user's access rights.
Delegated permissions in Microsoft Entra ID are OAuth permission scopes where an application acts on behalf of a signed-in user. The access token reflects both the app's identity and the user's, and the app can only do what the user can do (further constrained by the granted scopes). Contrast with application permissions, where the app acts on its own with no user context. Delegated is the right model for user-facing apps (web apps, mobile apps, SPAs); application permissions are right for backend services. Many Graph permissions exist in both flavours — Mail.Read (delegated) reads the signed-in user's mail; Mail.Read (application) reads every mailbox in the tenant.
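The difference shows up in the access token itself: Entra ID issues delegated scopes in the space-separated `scp` claim and application permissions in the `roles` array. The following is an added example (not code from the page or from Microsoft) of how a resource API can classify a token and check whether a given Graph-style permission was actually granted; the tokens are constructed, unsigned samples, and the helper names (`classify`, `permits`) are assumptions.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    # Constructed, unsigned test token (alg "none"); real Entra ID tokens are RS256-signed.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."

def token_claims(token: str) -> dict:
    # Reads the payload only. This does NOT verify the signature: a resource server
    # must validate signature, issuer, audience and expiry first, then inspect claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def classify(claims: dict) -> str:
    # Entra ID carries delegated scopes in the space-separated 'scp' claim and
    # application permissions (app roles) in the 'roles' array.
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "none"  # neither claim present: nothing was granted, reject the call

def permits(claims: dict, permission: str) -> tuple[str, bool]:
    # Returns (model, granted). For delegated tokens, 'granted' only means the scope
    # was consented; the call is still limited to what the signed-in user can do.
    model = classify(claims)
    if model == "delegated":
        return model, permission in claims["scp"].split()
    if model == "application":
        return model, permission in claims["roles"]
    return model, False

# Constructed sample payloads (identifiers are placeholders, not real tenant data).
DELEGATED_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "scp": "Mail.Read User.Read",
    "oid": "00000000-0000-0000-0000-000000000001", "upn": "alice@contoso.example"})
APPLICATION_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "roles": ["Mail.Read"]})
```

A token with `Mail.Read` in `scp` reaches only the signed-in user's mailbox, while the same string in `roles` is the tenant-wide application permission, so an API must check the claim that matches the model it intends to allow rather than searching both.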