With client credential flow, access token getting generated without delegate access from any app within same tenant
I am setting a background process which will communicate with API secured by Azure AD. Without giving delegate access to API, Client App is able to generate access token
Using client credential flow, Is it possible to generate access token for web api without giving delegate permission. I am able to generate it but according to it should not happen. Any app created in my tenant is able to generate the token for web api without delegate permission.
I have followed below sample on github. https://github.com/Azure-Samples/active-directory-dotnet-daemon
It should not be able to generate access token, if no delegate access is provided.
This is normal. If you are using client credential flow, even if your client app not have the application permission and delegated permission, it will be able to generate the access token. But you could not use this token to call the api, because the token does not have the permissions in its claim. You could decode the token in https://jwt.io/ , then you can see the permissions as below.
Update:
If you want to check the delegated permissions, you need to use ropc flow. Check the scope in the response, they are the delegated permissions.
