Hello.
Our new group allows only delegated permissions on application registrations.
We need to migrate to the group's tenant.
Would it be doable for you to add authentication through Microsoft DELEGATED permissions?
In the meantime, we will see how we handle that. Maybe we keep our tenant longer and go with guest from the group tenant and keep the app registration in our current tenant.
Also, if the group search in the Microsoft authentication screen could be made to "search only" or load a subset of all the available groups that would be great. During our test, application permissions were added temporarily for testing, and the groups never loaded because after some minutes, it was still not completed.
Thank you and best regards.
Marcel
Hello Marcel,
Thank you for the detailed context, this is very helpful.
Authentication via Microsoft delegated permissions is definitely possible. However, it is not strictly required from a technical standpoint. The choice between delegated and application permissions mainly depends on tenant governance and security policies, rather than on a platform limitation. From a functional and architectural perspective, application permissions remain a valid and commonly used approach for non-interactive scenarios and integrations where user context is not required, which is why we initially prioritized this model.
Could you clarify what policy or constraint enforces the exclusive use of delegated permissions in your group tenant? Would this require the use of a dedicated service account for authentication? While this could work, application-based authentication is typically the recommended approach for such scenarios in Microsoft documentation.
Regarding your second point about group loading in the Microsoft authentication screen, this is a known issue on our side and we already have a ticket opened for it. We are planning to introduce paging and optimizations in group enumeration to prevent performance issues when tenants contain a large number of groups. We apologize for any inconvenience this may cause.
Please don’t hesitate to share additional details, and we’ll be happy to continue the discussion.
Best regards,
François
François Dubois
Hello François.
Thank you for your feedback.
It is not a technical limitation, but a security baseline. Our group does not provide any app registration, because it would give access to all and everything, as there is no way to limit such apps to specific objects.
For this we would need a service account for which we should be able to provide username and password.
What I currently need from your side are the following answers:
Once we have these answers, we can define our follow-up actions.
Thank you for the answer about the group loading issue.
Do you have any estimation about its release date and version?
Thank you very much.
Marcel
Hello Marcel,
Thank you for the additional information.
At this time, we do not have plans to implement this feature. This does not mean it will never be considered, but it is not part of our short- or mid-term roadmap. We will continue to monitor this thread to assess interest from other customers.
Regarding the group loading issue, I have discussed this with the development team, and we should be able to improve this behavior in the next major release, which is planned in March.
Best regards,
François Dubois