I don’t know if you’ve ever played with Azure Active Directory application permissions to consume SharePoint Online, but you should know that their major advantage over Add-Ins is that you can grant Azure applications access to SharePoint transparently for end users, since you don’t need to install anything in SharePoint.
That’s particularly useful for web jobs and background processes in general that need no user interaction. From a permission perspective, however, it changes nothing: the Azure permissions suffer from the same limitations as the Add-In policy, as they:
- Cannot consume Search
- Cannot write in the user profile store
- Cannot write in the managed metadata
So this is aligned with the Add-In policy, although it is rather confusing when you look at the Azure Management Portal, which clearly states read/write on both User Profiles and Managed Metadata. Microsoft excluded Search from that list, which is correct, but they should also either remove the write permissions on those two services or implement them, because the current list is confusing and may lead to wrong decisions when designing new applications.
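Because the portal lists permissions that app-only tokens cannot actually exercise, the safe design habit is to verify the effective permissions against a test site before building on them. The script below is an added example in Python, not code from the original post: it issues two probes with an app-only bearer token (a search query and a write to the harmless `AboutMe` property of a designated scratch account) and reports whether each is allowed. The site URL, the token and the test account are assumptions you supply; the managed metadata write is left out because it needs CSOM rather than a plain REST call. The `fetch` parameter lets you run the report logic offline against constructed responses.

```python
"""
Probe which SharePoint Online capabilities an Azure AD app-only token can
actually use, instead of trusting the permission names shown in the portal.

Hypothetical helper (not from the original post). Assumes:
  * site_url     - a SharePoint Online site, e.g. https://contoso.sharepoint.com/sites/dev
  * token        - an app-only bearer token issued for the SharePoint resource
  * test_account - claims-encoded login of a scratch user whose profile may be
                   written to (the probe sets the harmless AboutMe property)
"""
import json
import urllib.error
import urllib.request

SEARCH_PATH = "/_api/search/query?querytext='*'&rowlimit=1"
PROFILE_WRITE_PATH = "/_api/SP.UserProfiles.PeopleManager/SetSingleValueProfileProperty"


def build_probes(site_url, test_account):
    """Return the (name, method, url, json_body) requests to try."""
    base = site_url.rstrip("/")
    return [
        ("search", "GET", base + SEARCH_PATH, None),
        ("user_profile_write", "POST", base + PROFILE_WRITE_PATH, {
            "accountName": test_account,
            "propertyName": "AboutMe",
            "propertyValue": "app-only permission probe",
        }),
    ]


def http_fetch(method, url, token, body):
    """Issue one request with the bearer token; return (status, response_text)."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Accept", "application/json;odata=verbose")
    if data is not None:
        req.add_header("Content-Type", "application/json;odata=verbose")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 are the interesting outcomes here, so keep them as data
        return err.code, err.read().decode("utf-8", "replace")


def classify(status):
    """Map an HTTP status to an effective-permission verdict."""
    if 200 <= status < 300:
        return "works"
    if status in (401, 403):
        return "denied"
    return "inconclusive"


def probe_capabilities(site_url, token, test_account, fetch=None):
    """
    Run every probe and return {probe_name: verdict}.
    fetch(method, url, body) -> (status, text) can be injected for offline
    testing; by default the real HTTP call with the given token is used.
    """
    if fetch is None:
        def fetch(method, url, body):
            return http_fetch(method, url, token, body)
    report = {}
    for name, method, url, body in build_probes(site_url, test_account):
        status, _text = fetch(method, url, body)
        report[name] = classify(status)
    return report


# Constructed responses mimicking the limitation described in the post: both
# capabilities the portal lists as granted come back 403 under app-only.
def fake_denied_fetch(method, url, body):
    return 403, '{"error": {"message": "Access denied."}}'


if __name__ == "__main__":
    print(probe_capabilities("https://contoso.sharepoint.com/sites/dev",
                             "<app-only-token>",
                             "i:0#.f|membership|test@contoso.onmicrosoft.com",
                             fetch=fake_denied_fetch))
```

Run it once with a real token against a non-production site and keep the report with the design notes: a `denied` verdict on a permission the portal shows as granted is exactly the mismatch the post warns about, and it is cheaper to learn that before the background job is written than after.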