Background services, daemons and scripts interacting with Microsoft Graph are commonly configured to acquire Application level permissions using a Service Principal.

Application permissions operate without a signed-in user and are not bound by role assignments.

Delegated permissions are acquired as the signed-in user and are commonly used by an application to perform actions on behalf of the user.

Service Principals themselves can acquire delegated permissions when they are assigned roles. This means that they can be bound to an access role that they have been assigned in Azure AD.

In the scenario below a background service needs to modify group memberships.

Option 1 (with Application Permissions) provides the broad ability to edit the membership of any group within the entire directory.

Option 2 (with Delegated Permissions) restricts access to just the groups owned by the Service Principal, a far more desirable configuration.

image-center

Microsoft Graph - Client Credentials grant with Invoke-RestMethod