| Aspect | Unit 6 – API Permissions | Unit 7 – App Roles |
|---|---|---|
| Primary purpose | Control what data or API operations an app can access. | Control what actions a user or app can perform inside an application. |
| Authorization model | OAuth 2.0 scopes. | Role-based access control (RBAC). |
| Who defines them | The resource API owner, such as Microsoft Graph or a custom API. | The application developer during app registration. |
| Where they are configured | App registration → API permissions. | App registration → App roles. |
| Appears in token as | scp claim (delegated permissions) or roles claim (application permissions). | roles claim. |
| Applies to | Accessing external or internal APIs and data. | Authorizing business logic within the application itself. |
| Works with user context | Yes, when using delegated permissions. | Yes, when roles are assigned to users or groups. |
| Works without a user | Yes, when using application permissions. | Yes, when roles are assigned to applications (service principals). |
| Consent model | Requires user consent or admin consent, depending on permission type. | No consent prompt. Roles are assigned by administrators. |
| Admin consent required | Required for application permissions and high-privilege delegated permissions. | Not applicable. Role assignment is administrative, not consent-based. |
| Principle of least privilege | Achieved by requesting only required scopes. | Achieved by assigning least-privileged roles to users/groups. |
| Typical examples | User.Read, Mail.Send, Calendars.ReadWrite. | Admin, Editor, Reviewer, Approver. |
| Licensing impact | Some permissions require admin consent but not extra licenses. | Avoids group overage and does not require Entra ID P1. |
| Common use case | “Can this app read user mail or call Microsoft Graph?”. | “Is this user allowed to approve, edit, or view content?”. |
| SC-300 exam focus | Understand delegated vs application permissions and consent behavior. | Understand role assignment, tokens, and authorization flow. |
How to Decide: Permissions or Roles?
Your application needs to call an API.
The question is what data can the app access.
You need consent (user or admin) to access resources.
You are integrating with Microsoft Graph or another protected API.
Your application needs to control features or actions internally.
The question is what the user can do inside the app.
You want clear, token-based authorization without group lookups.
You want to avoid group overage and simplify authorization logic.