Permissions required to get Azure Application using same application's client id and secret

Steps I have performed:

  1. Create Azure Application

    • Created an Azure Application
    • Created a secret
    • Created a service principal
    Note: I have not added any extra permissions or consent.
  2. Get Application Token using "Client Credential Flow" (ClientId and ClientSecret)

ObjectId used in below request is same application that I have created above.

  3. GET https://graph.microsoft.com/v1.0/applications/{{objectId}}
    • I am able to get the "Azure Application".

But, as per the documentation for GET Application, I need at least the "Application.Read.All" permission to get the application.

Similarly:

  4. GET https://graph.microsoft.com/v1.0/servicePrincipals/{{objectId}}
    • I am able to get the "Service Principal".

But, as per the documentation for GET ServicePrincipal, I need at least the "Application.Read.All" permission to get the service principal.

Question
Is this expected behavior, that I am able to fetch my own Azure Application without any additional permissions? Or is it some bug? I am not able to find any documentation backing this up.



Solution 1:[1]

If you generate the access token using the application that you created, and then search for the same application using its objectId and for the service principal associated with it using the service principal objectId, then you won't require any other kind of permission, i.e. Application.Read.All/Directory.Read.All, as you are using the same application's access token to find the details of the app. But when you use that access token to search for other applications present in your Active Directory, then you will definitely require one of the permissions mentioned in the documentation, as the token doesn't have permission to access the directory or other apps.

Example:

Created an App registration named Test without granting any permissions other than those present by default.


Using the Client Credentials flow, I tried to search for the same application object ID and service principal object ID for which I generated the token, and both requests succeeded.


But using the same access token, if I try to find another app, the request errors out.

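The check described in the question and the answer above, as an added example that is not part of either post: obtain a client-credentials token for the app registration, decode its claims to confirm that no application permissions (the `roles` claim) were granted, then GET the app's own application and service principal objects and, optionally, another app's object, printing the status each call returns. The environment variable names, the placeholder GUIDs, and the sample token built by `make_sample_token` are assumptions for illustration; the sample token is constructed locally and is not a real Microsoft Entra token.

```python
"""Reproduce the question's check: get an app-only Graph token for an app with no
permissions granted, inspect its claims, then read the app's own objects."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def token_request_params(client_id: str, client_secret: str) -> dict:
    """Form fields for the client credentials grant on the v2.0 token endpoint.
    The .default scope asks for whatever application permissions were granted,
    which for the app in the question is none."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode(token_request_params(client_id, client_secret)).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only. The signature is NOT verified,
    so never use this to make an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def app_roles(claims: dict) -> list:
    """Granted application permissions appear in 'roles'; an app with no grants has none."""
    return list(claims.get("roles", []))


def graph_get(token: str, path: str) -> tuple:
    """GET a Graph resource and return (status, body) instead of raising on 403,
    so the own-object case and the other-app case can be compared side by side."""
    req = urllib.request.Request(f"{GRAPH}{path}", headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample claims (placeholder GUIDs, not a real token): in an app-only
# token 'appid' is the client id and 'oid' is the service principal object id.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",
    "oid": "11111111-1111-1111-1111-111111111111",
}


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string for offline testing of decode_jwt_claims; unsigned."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.not-a-real-signature"


def main() -> int:
    # Hypothetical environment variable names; values come from the app registration blade.
    names = ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET", "AZ_APP_OBJECT_ID", "AZ_SP_OBJECT_ID")
    env = {k: os.environ.get(k) for k in names}
    if not all(env.values()):
        print("set " + ", ".join(names))
        return 2
    token = get_token(env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    claims = decode_jwt_claims(token)
    print("appid:", claims.get("appid"), "roles:", app_roles(claims))
    paths = [f"/applications/{env['AZ_APP_OBJECT_ID']}", f"/servicePrincipals/{env['AZ_SP_OBJECT_ID']}"]
    other = os.environ.get("AZ_OTHER_APP_OBJECT_ID")  # optional: some other app in the tenant
    if other:
        paths.append(f"/applications/{other}")
    for path in paths:
        status, body = graph_get(token, path)
        print(status, path, body.get("displayName") or body.get("error", {}).get("code"))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the five variables set; printing the `roles` claim first makes the point explicit: the token carries no application permission at all, so a 200 on the app's own `/applications/{id}` and `/servicePrincipals/{id}` is Graph recognising the caller's identity, not a permission grant, and the optional `AZ_OTHER_APP_OBJECT_ID` call shows what the answer reports for any other object.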

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
