I have created a new Azure App, but I didn’t add any permissions related to Azure DevOps.
Then, I added this app to the Project Collection Administrators group in the Azure DevOps organization. I tried creating a project with the REST API, and it was successful.
I’m confused as to why it was able to successfully make a REST API call without adding any Azure DevOps permissions.
2 Answers
Firstly, an app in Entra ID can acquire an access token using the client credentials flow for any API in that same tenant without being assigned permissions to it.
This enables scenarios such as this where the API itself does the authorization.
And secondly, when you assigned the app in Azure DevOps, its id/objectId was stored there. The access token also contains this ID so Azure DevOps knows it is this app that has been assigned the role and is thus allowed to do the operation.
Initially, I registered one application in Microsoft Entra ID without adding any DevOps-related permission like this:
Now, I added this application to the Project Collection Administrators group in the Azure DevOps organization as below:
If the access token is generated using the client credentials flow, access will be based on the application context and it will inherit the permissions associated with the Project Collection Administrators group of the DevOps organization.
Using the above token, you can make calls to the Azure DevOps API like this:
But if you are generating the access token using delegated flows like the authorization code flow that involves user interaction, adding Azure DevOps permissions of the Delegated type in the app registration is mandatory.
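The mechanism both answers describe, as an added example that is not code from either answer: build the client credentials token request for the Azure DevOps resource, decode the resulting token's `aud`/`appid`/`oid` claims (the identity Azure DevOps matches against its group membership), and call the projects API. The tenant, client id, secret and organization name are placeholders; the sample token is constructed locally and unsigned so the claim inspection runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Well-known application ID of the Azure DevOps resource. "/.default" asks for an
# app-only token; no Azure DevOps API permission has to be granted in Entra ID.
AZURE_DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"
AZURE_DEVOPS_SCOPE = f"{AZURE_DEVOPS_RESOURCE}/.default"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (token endpoint URL, form fields) for the client credentials flow."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    fields = {"grant_type": "client_credentials", "client_id": client_id,
              "client_secret": client_secret, "scope": AZURE_DEVOPS_SCOPE}
    return url, fields


def fetch_token(tenant_id, client_id, client_secret):
    """POST the request above and return the bearer token (network call)."""
    url, fields = client_credentials_request(tenant_id, client_id, client_secret)
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature: for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_identity(token):
    """(audience, app id, object id): Azure DevOps looks up the oid it stored
    when the app was added to Project Collection Administrators."""
    claims = decode_jwt_claims(token)
    return claims.get("aud"), claims.get("appid"), claims.get("oid")


def list_projects(organization, token):
    """Call the projects REST API with the app-only token (network call)."""
    req = urllib.request.Request(
        f"https://dev.azure.com/{organization}/_apis/projects?api-version=7.0",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_sample_token(claims):
    """Constructed, unsigned sample JWT (alg=none) for offline demonstration only."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```

With a real token from `fetch_token`, `token_identity` shows the `oid` that must match the service principal you added to the group; a token whose `aud` is not the Azure DevOps resource ID will be rejected regardless of group membership.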