Unified.to

Handling Delegated vs. Application Scopes in Microsoft Integrations


December 11, 2025

Microsoft Graph offers two fundamentally different permission models — Delegated and Application scopes. Understanding how these scopes behave is important when connecting Microsoft integrations through Unified.

Some Microsoft APIs only support delegated permissions, while others require strictly application-level permissions. Mixing them in a single OAuth flow will cause failures.

In Unified, you can create separate Microsoft connections so you can cleanly target the scopes required for the endpoints you plan to use.

This guide explains the difference between the permission types, why certain Unified endpoints require one or the other, and how to configure your Unified connections correctly.

1. Delegated vs. Application Permissions

Delegated Permissions

Delegated permissions are used when a signed-in Microsoft user is present in the OAuth flow.

Use delegated permissions when:

  • The API needs to act on behalf of a user
  • You want to access data the user normally has permission to view
  • The Microsoft Graph endpoint explicitly supports delegated scopes

Application Permissions

Application permissions are used when no user is logged in, and the app accesses Microsoft Graph directly as itself.

Use application permissions when:

  • A Microsoft endpoint does not support delegated scopes
  • The API involves system-level or tenant-wide data
  • The OAuth token must come from the client_credentials flow

Examples of Unified endpoints that only support application scopes:

  • uc_call (MS Teams call records API)
    • Microsoft Graph requires CallRecords.Read.All as an application permission, not delegated.

2. Why You Cannot Mix Delegated and Application Scopes

Microsoft Graph enforces strict separation between permission types:

  • Delegated scopes must be requested during a user login OAuth flow
  • Application scopes must be requested using client credentials
  • A single OAuth authorization cannot request both delegated and application permissions

If both are selected together:

  • Microsoft returns AADSTS650053 or similar errors
  • The OAuth token cannot be issued
  • Your Unified connection will fail to authenticate

Because of this, selecting both scope types for the same Unified connection will not work.
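When debugging a connection, one way to confirm which permission type its token actually carries is to inspect the claims: Microsoft Entra access tokens list delegated permissions in a space-separated `scp` claim and application permissions in a `roles` array. The following is an added example, not code from Unified or Microsoft; `check_connection` and `make_sample` are hypothetical helper names, and the sample tokens are constructed and unsigned.

```python
import base64
import json

def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt):
    """Return the payload claims WITHOUT verifying the signature.
    Diagnostic use only: never base an authorization decision on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))

def classify(claims):
    """Return (kind, permissions). 'scp' is checked first because a user
    token may also carry 'roles' for app roles assigned to that user."""
    scp = set(claims.get("scp", "").split())
    if scp:
        return "delegated", scp
    roles = set(claims.get("roles", []))
    if roles:
        return "application", roles
    return "unknown", set()

def check_connection(jwt, required, required_kind):
    """Hypothetical helper: list reasons the token cannot serve an endpoint."""
    kind, granted = classify(token_claims(jwt))
    problems = []
    if kind != required_kind:
        problems.append(f"token is {kind}, endpoint needs {required_kind}")
    if required not in granted:
        problems.append(f"{required} not granted (has: {sorted(granted)})")
    return problems

def make_sample(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

# Constructed samples: one app-only token, one user (delegated) token.
APP_TOKEN = make_sample({"roles": ["CallRecords.Read.All"]})
USER_TOKEN = make_sample({"scp": "User.Read Calendars.Read"})

if __name__ == "__main__":
    print(check_connection(APP_TOKEN, "CallRecords.Read.All", "application"))
    print(check_connection(USER_TOKEN, "CallRecords.Read.All", "application"))
```

An empty list means the token matches what the endpoint needs; the delegated sample fails both checks for `CallRecords.Read.All`, which is the situation a separate application-scoped connection resolves.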
