I’ve often noticed that some app registrations include a mix of delegated and application permissions for the Graph API. This setup is sometimes configured by IT admins or recommended when implementing third-party solutions that require specific permissions.
From both a security and clarity perspective, I prefer to separate these permissions. I believe it’s better to have one app registration for user-consented delegated permissions and a separate app registration for application permissions for the Graph API.
Have you also encountered this in the wild? Do you always try to separate these permissions for each app registration?
From a management point of view, I would like to see one application registration per application. That way, I can manage all aspects of an app in one place… and delete it in one place when I no longer see the app as a fit for my organization. With multiple application registrations, an admin might miss one aspect of the application during deletion that (years down the line) could be abused in a (supply chain) attack.
From a security point of view, I’m also on the fence about this, because an app might have a toxic combination of permissions that does not show up in reports, as the reporting mechanism might not count all app registrations for the app, while in the meantime the app could use the combination of all permissions, as it only uses a different application ID for different types of permissions…
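Both the question (which registrations mix delegated and application Graph permissions?) and the reply (what can the product behind several registrations do in total?) come down to reading `requiredResourceAccess` from each app registration. The following is an added example, not code from either poster: it takes records in the shape returned by `GET /v1.0/applications?$select=appId,displayName,requiredResourceAccess`, classifies each registration as delegated-only, application-only or mixed for Microsoft Graph, and then unions the permissions of every registration that shares a tag. Microsoft Graph's resource appId `00000003-0000-0000-c000-000000000000` is real; the permission GUIDs, permission names, registrations and the `tag` field used to tie registrations to one product are constructed placeholders, since Entra has no built-in notion of a "logical application" spanning registrations.

```python
"""Classify Entra ID app registrations by the kind of Microsoft Graph permissions
they request, and compute the union of Graph permissions across registrations
that belong to the same logical application.

Added example, not from the original thread. Input mirrors the shape of
GET https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,requiredResourceAccess
but every record, permission GUID and name below is constructed for illustration.
"""
from collections import defaultdict

# Microsoft Graph's well-known resource appId (this value is real).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed id -> name tables (placeholders). A real script would build them from
# the Graph service principal's oauth2PermissionScopes (delegated) and appRoles (application).
GRAPH_SCOPES = {  # delegated permissions: type == "Scope"
    "11111111-0000-0000-0000-000000000001": "User.Read",
    "11111111-0000-0000-0000-000000000002": "Mail.Read",
}
GRAPH_ROLES = {  # application permissions: type == "Role"
    "22222222-0000-0000-0000-000000000001": "Mail.ReadWrite",
    "22222222-0000-0000-0000-000000000002": "Directory.Read.All",
}

# Constructed registrations. "tag" stands in for whatever the tenant uses to tie
# several registrations to one product (naming convention, notes field, owner);
# that grouping is an assumption of this example.
SAMPLE_APPS = [
    {"appId": "aaaa-1", "displayName": "Contoso Sync (delegated)", "tag": "contoso-sync",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
         {"id": "11111111-0000-0000-0000-000000000002", "type": "Scope"}]}]},
    {"appId": "aaaa-2", "displayName": "Contoso Sync (daemon)", "tag": "contoso-sync",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "22222222-0000-0000-0000-000000000001", "type": "Role"}]}]},
    {"appId": "bbbb-1", "displayName": "Fabrikam Helpdesk", "tag": "fabrikam-helpdesk",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "11111111-0000-0000-0000-000000000001", "type": "Scope"},
         {"id": "22222222-0000-0000-0000-000000000002", "type": "Role"}]}]},
    {"appId": "cccc-1", "displayName": "No Graph At All", "tag": "other",
     "requiredResourceAccess": [{"resourceAppId": "some-other-api", "resourceAccess": [
         {"id": "33333333-0000-0000-0000-000000000001", "type": "Scope"}]}]},
]


def graph_permissions(app):
    """Return (delegated_names, application_names) requested from Microsoft Graph.

    Other resource APIs are ignored. Unknown ids are kept as the raw GUID so a
    stale lookup table never silently hides a permission.
    """
    delegated, application = set(), set()
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for entry in rra.get("resourceAccess", []):
            pid = entry["id"]
            if entry["type"] == "Scope":
                delegated.add(GRAPH_SCOPES.get(pid, pid))
            elif entry["type"] == "Role":
                application.add(GRAPH_ROLES.get(pid, pid))
    return delegated, application


def classify(app):
    """'mixed', 'delegated', 'application' or 'none' for a single registration."""
    delegated, application = graph_permissions(app)
    if delegated and application:
        return "mixed"
    if delegated:
        return "delegated"
    if application:
        return "application"
    return "none"


def union_by_tag(apps):
    """Combine the Graph permissions of every registration that shares a tag.

    This is the view a per-registration report misses: the product behind the
    tag can use every permission listed even though no single registration
    requests all of them.
    """
    combined = defaultdict(lambda: {"registrations": [], "delegated": set(), "application": set()})
    for app in apps:
        d, a = graph_permissions(app)
        entry = combined[app["tag"]]
        entry["registrations"].append(app["appId"])
        entry["delegated"] |= d
        entry["application"] |= a
    return dict(combined)


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app['displayName']:30} {classify(app)}")
    for tag, info in union_by_tag(SAMPLE_APPS).items():
        print(f"{tag}: {len(info['registrations'])} registration(s), "
              f"delegated={sorted(info['delegated'])}, application={sorted(info['application'])}")
```

Against the constructed data, `Fabrikam Helpdesk` is the single registration with both permission types, while the two `contoso-sync` registrations each look clean on their own and only the tag-level union shows that the product holds `Mail.ReadWrite` as an application permission alongside its delegated `Mail.Read`. To use this against a tenant, replace `SAMPLE_APPS` with the paged results of the `/applications` call and resolve the lookup tables from the Graph service principal.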