Open
Labels: documentation (Improvements or additions to documentation)
Description
Following https://microsoft.github.io/app-camp/aad/A01-begin-app/, but to be honest, in some places there are not enough details, or the wording makes it a bit confusing.
Exercise 3 Register your application with Azure AD
Step 3: Verify permission to call the Microsoft Graph API
- it is outlined that under API Permissions we should notice the “User.Read” permission
- the permission is of type “delegated”, so the application is accessing the API as the signed-in user
Step 4: Consent to the permission
The screen shot outlines also the “User.Read.All” permission of type “application”
None of the steps instruct to assign that permission, what am I missing?

- When inspecting the sign-in logs I can see successful user login events to the application

- However, I don’t see any events for service principals, but the steps involved creating a secret for the registered app and adjusting the .env file. What am I missing? Why don’t I see authentication attempts from the service principal? This relates to the above point regarding the permission of type “application”.
EDIT: I've removed the User.Read.All permission, tested again, and it is still working. However, if I intentionally change the secret and restart npm, I'm getting an error: `Error returned in OBO: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app.` So why can't I see the service principal sign-in events (I can only see some two unrelated events from 1/11/2023, but I've only had the tenant since today)?

Thanks!