This is the final post on our series of Azure Application objects and securing APIs secured with Azure AD.

As we have seen throughout this series, the central point for authentication and permissions is the Azure AD Application Object.

Microsoft has already provisioned and application object named SharePoint Online Client Extensibility in every Azure AD and which is used by the SharePoint Framework in the OAuth flow to provide solutions with valid access tokens.

Developers building a SharePoint Framework solution that requires access to specific resources secured with Azure AD list these resources along with the required permission scopes in the solution manifest. When deploying the solution package to the app catalog, SharePoint creates permission requests and prompts the administrator to manage the requested permissions. For each requested permission, a global or SharePoint administrator can decide whether they want to grant or deny the specific permission.

All permissions are granted to the whole tenant and not to a specific application that has requested them. When the administrator grants a specific permission, it is added to the SharePoint Online Client Extensibility Azure AD application.