---
title: "Handling Delegated vs. Application Scopes in Microsoft Integrations"
img: https://s3.us-east-2.amazonaws.com/unified-article-images/handling_delegated_vs_application_scopes_in_microsoft_integrations-icon.png
date: 2025-12-09T21:05:00.000Z
tag: Guides
description: "Microsoft Graph offers two fundamentally different permission models — Delegated and Application scopes. Understanding how these scopes behave is important..."
url: "https://docs.unified.to/guides/handling_delegated_vs_application_scopes_in_microsoft_integrations"
---

# Handling Delegated vs. Application Scopes in Microsoft Integrations
------
_December 9, 2025_

Microsoft Graph offers two fundamentally different permission models — **Delegated** and **Application** scopes. Understanding how these scopes behave is important when connecting Microsoft integrations through Unified.


Some Microsoft APIs support only delegated permissions, while others strictly require application-level permissions. Mixing the two types in a single OAuth flow will cause failures.


In Unified, you can create separate Microsoft connections so you can cleanly target the scopes required for the endpoints you plan to use.


This guide explains the difference between the permission types, why certain Unified endpoints require one or the other, and how to configure your Unified connections correctly.


## **1. Delegated vs. Application Permissions**


### **Delegated Permissions**


Delegated permissions are used when a **signed-in Microsoft user** is present in the OAuth flow.


Use delegated permissions when:

- The API needs to act **on behalf of a user**
- You want to access data the user normally has permission to view
- The Microsoft Graph endpoint explicitly supports delegated scopes

### **Application Permissions**


Application permissions are used when **no user is logged in** and the app accesses Microsoft Graph directly as itself.


Use application permissions when:

- A Microsoft endpoint **does not support delegated scopes**
- The API involves system-level or tenant-wide data
- The OAuth token must come from the **client_credentials** flow

Examples of Unified endpoints that only support application scopes:

- **`uc_call`** (MS Teams call records API)
    - Microsoft Graph requires `CallRecords.Read.All` as an **application permission**, not delegated.

---


## **2. Why You Cannot Mix Delegated and Application Scopes**


Microsoft Graph enforces strict separation between permission types:

- Delegated scopes must be requested during a **user login** OAuth flow
- Application scopes must be requested using **client credentials**
- A single OAuth authorization cannot request both delegated and application permissions

If both are selected together:

- Microsoft returns `AADSTS650053` or similar errors
- The OAuth token cannot be issued
- Your Unified connection will fail to authenticate

Because of this, selecting both scope types for the same Unified connection will not work.
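
The separation above can be checked before a connection is created. The following is an added example, not code from Unified or Microsoft: it refuses a mixed scope list and builds the request for the one flow the remaining scopes allow. The function names, the `PERMISSION_TYPE` lookup (only `CallRecords.Read.All` is taken from this guide) and the tenant, client and redirect values are assumptions for illustration.

```python
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"
# Constructed permission -> type lookup; only CallRecords.Read.All is from the guide.
PERMISSION_TYPE = {
    "CallRecords.Read.All": "application",
    "User.Read": "delegated",
    "Calendars.Read": "delegated",
}

class MixedScopeError(ValueError):
    """One connection asked for both permission types."""

def split_by_type(scopes):
    """Group scopes by permission type; refuse names that are not classified."""
    groups = {"delegated": [], "application": []}
    for scope in scopes:
        if scope not in PERMISSION_TYPE:
            raise KeyError(f"unclassified permission: {scope}")
        groups[PERMISSION_TYPE[scope]].append(scope)
    return {kind: names for kind, names in groups.items() if names}

def build_request(tenant, client_id, scopes, redirect_uri=None):
    """Return (method, url, params) for the one OAuth flow these scopes allow."""
    groups = split_by_type(scopes)
    if not groups:
        raise ValueError("no scopes requested")
    if len(groups) > 1:
        raise MixedScopeError(f"use one connection per type: {groups}")
    base = f"{AUTHORITY}/{tenant}/oauth2/v2.0"
    if "application" in groups:
        # Client credentials: no user present. The request names .default and the
        # permissions are consented on the app registration; the caller adds
        # the client secret or certificate assertion.
        params = {"grant_type": "client_credentials", "client_id": client_id}
        return ("POST", f"{base}/token", {**params, "scope": GRAPH_DEFAULT})
    if not redirect_uri:
        raise ValueError("delegated scopes need a redirect_uri for user sign-in")
    # Authorization code flow: a signed-in user consents to the listed scopes.
    # The caller appends state (and PKCE parameters) before redirecting.
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": " ".join(groups["delegated"])}
    return ("GET", f"{base}/authorize?{urlencode(query)}", {})
```

Calling `split_by_type` on the full list of permissions an integration needs yields one scope list per Unified connection, which keeps the tenant-wide application grant separate from the per-user one.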