Handling Delegated vs. Application Scopes in Microsoft Integrations

Microsoft Graph offers two distinct permission models—Delegated and Application scopes—which are crucial to understand for successful integration with Microsoft services through Unified. Delegated permissions are used when a user is signed in and the API needs to act on behalf of the user to access data they can normally view, whereas Application permissions are used when no user is logged in, allowing the app to access system-level or tenant-wide data directly. It's important to configure Microsoft connections correctly in Unified, as mixing these permission types in a single OAuth flow will lead to failures due to the strict separation enforced by Microsoft Graph, which mandates that delegated scopes be requested during a user login OAuth flow and application scopes via client credentials. This separation is illustrated by the requirement for endpoints like the uc_call API, which necessitates application-level permissions.