Managing user permissions for application registrations
All applications that interact with a user’s device or content require some sort of access to be granted. When working with Azure AD, applications will request access to perform certain functions, such as reading a user’s calendar, looking up a contact in the global address list, or sending mail on the user’s behalf.
In the context of OAuth 2.0 and the Microsoft identity platform, these permission definitions are called scopes. When a user or application requests access to a particular type of data, the requested scopes are passed in the scope parameter of the authorization request. For example, if an application includes the scope value https://graph.microsoft.com/Calendars.ReadWrite, it is asking for the ability to read and write calendar items for the signed-in user through Microsoft Graph. The part before the last slash identifies the resource (here, Microsoft Graph) and the part after it identifies the permission on that resource.
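To make the scope mechanics concrete, the following Python script builds a Microsoft identity platform v2.0 authorization request that carries scopes, reads the scopes back out of the resulting URL, and splits a fully qualified scope such as https://graph.microsoft.com/Calendars.ReadWrite into its resource and permission parts. It also includes a simple least-privilege check that flags any scope an application asks for beyond the set an administrator expects. This is an added example written for this page, not code from the book or from Microsoft; the tenant name, client ID and redirect URI are placeholders, and the excess_scopes check is an illustrative review step rather than a platform feature.

```python
import base64
import hashlib
import secrets
from typing import List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Real v2.0 authorization endpoint shape; the tenant segment is filled in per request.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
GRAPH_RESOURCE = "https://graph.microsoft.com"
# OpenID Connect scopes that carry no resource prefix and are not Graph permissions.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for PKCE S256 (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: List[str], state: str, code_challenge: str) -> str:
    """Build an authorization-code request; scopes are space-separated in one parameter."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                      # CSRF protection for the redirect
        "code_challenge": code_challenge,    # PKCE binds the code to this client
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def requested_scopes(url: str) -> List[str]:
    """Extract the list of scopes an authorization request URL asks for."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def split_scope(scope: str) -> Tuple[str, str]:
    """Split a scope into (resource, permission).

    'https://graph.microsoft.com/Calendars.ReadWrite' -> (Graph, 'Calendars.ReadWrite').
    An unprefixed name such as 'User.Read' is treated by the platform as a
    Microsoft Graph permission; OIDC scopes are returned with an empty resource.
    """
    if scope in OIDC_SCOPES:
        return "", scope
    if "://" in scope:
        resource, _, permission = scope.rpartition("/")
        return resource, permission
    return GRAPH_RESOURCE, scope


def excess_scopes(requested: List[str], allowed: List[str]) -> List[str]:
    """Illustrative review check (assumption, not a platform API): return requested
    scopes that are not in the administrator's expected list, comparing on
    normalized (resource, permission) pairs so short and long forms match."""
    allowed_pairs = {split_scope(s) for s in allowed}
    return [s for s in requested if split_scope(s) not in allowed_pairs]


if __name__ == "__main__":
    # Placeholder identifiers (constructed for this example).
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(
        tenant="contoso.onmicrosoft.com",
        client_id="00000000-0000-0000-0000-000000000000",
        redirect_uri="https://localhost/callback",
        scopes=["openid", "https://graph.microsoft.com/Calendars.ReadWrite", "User.Read"],
        state=secrets.token_urlsafe(16),
        code_challenge=challenge,
    )
    print(url)
    for s in requested_scopes(url):
        print(split_scope(s))
    print("excess:", excess_scopes(requested_scopes(url), ["openid", "User.Read"]))
```

The least-privilege check is the part an administrator reviewing a consent prompt or an app registration actually cares about: the app above would be flagged for Calendars.ReadWrite if the expected set was only sign-in plus basic profile.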
Many applications simply request the permissions they need when they need them, prompting the user to approve them. Frequently, in this...