Authentication and authorization basics - Microsoft Graph (2024)

Microsoft Graph is a protected web API for accessing data in Microsoft cloud services like Microsoft Entra ID and Microsoft 365. It's protected by the Microsoft identity platform, which uses OAuth access tokens to verify that an app is authorized to call Microsoft Graph.

This article provides an overview of the Microsoft identity platform, access tokens, and how your app can get access tokens. For more information about the Microsoft identity platform, see What is the Microsoft identity platform?. If you know how to integrate an app with the Microsoft identity platform to get tokens, see information and samples specific to Microsoft Graph in the next steps section.

Register the application

Before your app can get an access token from the Microsoft identity platform, it must be registered in the Microsoft Entra admin center. Registration integrates your app with the Microsoft identity platform and establishes the information that it uses to get tokens, including:

  • Application ID: A unique identifier assigned by the Microsoft identity platform.
  • Redirect URI/URL: One or more endpoints at which your app receives responses from the Microsoft identity platform. (For native and mobile apps, the URI is assigned by the Microsoft identity platform.)
  • Client secret: A password that your app uses to authenticate with the Microsoft identity platform. You can optionally use a certificate or a federated identity credential instead. This property isn't required for public clients like native, mobile, and single-page applications.

For more information, see Register an application with the Microsoft identity platform.

Access scenarios

The method that an app uses to authenticate with the Microsoft identity platform depends on how you want the app to access the data. This access can be in one of two ways as illustrated in the following image.

  • Delegated access, an app acting on behalf of a signed-in user.
  • App-only access, an app acting with its own identity.

[Image: delegated access (an app acting on behalf of a signed-in user) versus app-only access (an app acting with its own identity)]

Delegated access (access on behalf of a user)

In this access scenario, a user has signed into a client application and the client application calls Microsoft Graph on behalf of the user. Both the client and the user must be authorized to make the request.

Delegated access requires delegated permissions, also referred to as scopes. Scopes are permissions that are exposed by a given resource and they represent the operations that an app can perform on behalf of a user.

Because both the app and the user must be authorized to make the request, the resource grants the client app the delegated permissions, for the client app to access data on behalf of the specified user. For the user, the actions that they can perform on the resource rely on the permissions that they have to access the resource. For example, the user might be the owner of the resource, or they might be assigned a particular role through a role-based access control system (RBAC) such as Microsoft Entra RBAC.

Note

Endpoints and APIs with the /me alias operate on the signed-in user only and are therefore called in delegated access scenarios.

App-only access (access without a user)

In this access scenario, the application can interact with data on its own, without a signed-in user. App-only access is used in scenarios such as automation and backup, and is mostly used by apps that run as background services or daemons. It's suitable when it's undesirable to have a user signed in, or when the data required can't be scoped to a single user.

Apps get privileges to call Microsoft Graph with their own identity through one of the following ways:

  • When the app is assigned application permissions, also called app roles
  • When the app is assigned ownership of the resource that it intends to manage

Note

An app can also get privileges through permissions granted by a role-based access control system such as Microsoft Entra RBAC.

Microsoft Graph permissions

Microsoft Graph exposes granular permissions that control the access that apps have to Microsoft Graph resources, like users, groups, and mail. As a developer, you decide which Microsoft Graph permissions to request for your app based on the access scenario and the operations you want to perform.

Microsoft Graph exposes two types of permissions for the supported access scenarios:

  • Delegated permissions: Also called scopes, allow the application to act on behalf of the signed-in user.
  • Application permissions: Also called app roles, allow the app to access data on its own, without a signed-in user.

When a user signs in to an app, the app must specify the permissions it needs to be included in the access token. These permissions:

  • May be preauthorized for the application by an administrator.
  • May be consented to by the user directly.
  • If not preauthorized, may require administrator privileges to grant consent. For example, for permissions with a greater potential security impact.

For more information about permissions and consent, see Introduction to permissions and consent.

Note

As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app's usage.

For more information about Microsoft Graph permissions and how to use them, see the Overview of Microsoft Graph permissions.

Access tokens

An application makes an authentication request to the Microsoft identity platform to get access tokens that it uses to call an API, such as Microsoft Graph. Access tokens that the Microsoft identity platform issues contain claims, which are details about the application and, in delegated access scenarios, the user. Web APIs that are secured by the Microsoft identity platform, such as Microsoft Graph, use the claims to validate the caller and to ensure that the caller has the proper privileges to perform the operation they're requesting. The caller should treat access tokens as opaque strings because the contents of the token are intended for the API only. When calling Microsoft Graph, always protect access tokens by transmitting them over a secure channel that uses transport layer security (TLS).

The following example shows a Microsoft identity platform access token:


Access tokens are a kind of security token that the Microsoft identity platform provides. They're short-lived but with variable default lifetimes.

To call Microsoft Graph, the app makes an authorization request by attaching the access token as a Bearer token to the Authorization header in an HTTP request. For example, the following call returns the profile information of the signed-in user (the access token has been shortened for readability):

GET https://graph.microsoft.com/v1.0/me/ HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
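The following is an added example, not code from the Microsoft documentation: it shows what a resource API secured by the Microsoft identity platform does with the claims described above (signature, audience, expiry, then scp for delegated access or roles for app-only access, then a least-privilege check against the operation being requested), and how a client puts the token into the Authorization header. The token, the HMAC key and the audience string are constructed for the demo; real tokens are RS256-signed and must be verified against the platform's published signing keys, which is one reason the article recommends a library.

```python
# Added example, not from the Microsoft docs: validate a Microsoft identity
# platform access token the way a resource API does, then build the Bearer
# header a client sends to Microsoft Graph. The token is CONSTRUCTED here and
# HS256-signed with a made-up key so it runs offline; real tokens are RS256
# signed and must be checked against the platform's published signing keys.
import base64, hashlib, hmac, json, time

GRAPH_AUDIENCE = "https://graph.microsoft.com"  # assumed audience for this demo
DEMO_KEY = b"constructed-demo-key"              # constructed, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a constructed HS256 JWT carrying the given claims."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, required_permission: str, now=None,
                   key: bytes = DEMO_KEY) -> dict:
    """Check signature, audience and expiry, then work out the access scenario.

    Delegated tokens carry 'scp' (space-separated delegated permissions);
    app-only tokens carry 'roles' (application permissions). The requested
    operation must be covered by one of the granted permissions.
    """
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(body))
    now = time.time() if now is None else now
    if claims.get("aud") != GRAPH_AUDIENCE:
        raise ValueError("token was issued for a different audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token has expired")
    if "scp" in claims:
        scenario, granted = "delegated", set(claims["scp"].split())
    elif "roles" in claims:
        scenario, granted = "app-only", set(claims["roles"])
    else:
        raise ValueError("token carries neither scp nor roles")
    if required_permission not in granted:
        raise PermissionError(f"{scenario} token lacks {required_permission}")
    return {"scenario": scenario, "tenant": claims.get("tid"),
            "permissions": sorted(granted)}


def graph_request(token: str, path: str = "/v1.0/me") -> dict:
    """URL and headers for a Graph call: the token rides in Authorization as Bearer."""
    return {"url": GRAPH_AUDIENCE + path,
            "headers": {"Authorization": f"Bearer {token}"}}
```

A client never needs validate_token; it treats the token as opaque and only does what graph_request does, while the resource side is where the claims are checked.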

Get an access token

We recommend that you use authentication libraries to manage your token interactions with the Microsoft identity platform. Authentication libraries abstract many protocol details like validation, cookie handling, token caching, and maintaining secure connections, which lets you focus your development on your app's functionality. Microsoft publishes open-source client libraries and server middleware.

For the Microsoft identity platform endpoint:

  • Microsoft Authentication Library (MSAL) client libraries are available for various frameworks including .NET, JavaScript, Android, and iOS. All platforms are in production-supported preview, and, in the event breaking changes are introduced, Microsoft guarantees a path to upgrade.
  • Server middleware from Microsoft is available for .NET core and ASP.NET (OWIN OpenID Connect and OAuth) and for Node.js (Microsoft identity platform Passport.js).
  • The Microsoft identity platform is also compatible with many third-party authentication libraries.

For a complete list of Microsoft client libraries, Microsoft server middleware, and compatible third-party libraries, see Microsoft identity platform documentation.

You don't need to use an authentication library to get an access token. To learn about directly using the Microsoft identity platform endpoints without the help of an authentication library, see the following articles:

  • Get access on behalf of a user
  • Get access without a user

See also

  • Microsoft identity platform documentation.
  • Choose a Microsoft Graph authentication provider based on scenario.
  • Overview of Microsoft Graph permissions.
  • Use the Get started page to find the libraries, samples, training content, and other resources for your favorite platform.
  • See our Microsoft Graph samples on GitHub.

The following summarizes the concepts discussed in the article above, dated 12/02/2023:

Microsoft Graph Overview:

Microsoft Graph: A protected web API facilitating access to data in Microsoft cloud services such as Microsoft Entra ID and Microsoft 365. It operates under the protection of the Microsoft identity platform, utilizing OAuth access tokens for app authorization.

Registering the Application:

Before obtaining an access token, the application needs to be registered in the Microsoft Entra admin center. Registration involves obtaining a unique Application ID, specifying Redirect URI/URLs, and, for confidential clients, a client secret (or certificate) for authentication.

Access Scenarios:

  1. Delegated Access (Access on Behalf of a User):

    • Requires a user to be signed in.
    • The client application calls Microsoft Graph on behalf of the user.
    • Involves delegated permissions or scopes, representing operations the app can perform on behalf of the user.
  2. App-Only Access (Access Without a User):

    • Used in scenarios like automation and backup.
    • App interacts with data independently, without a signed-in user.
    • Privileges granted through application permissions (app roles) or ownership of the resource.

Microsoft Graph Permissions:

  • Delegated Permissions (Scopes):

    • Allow the application to act on behalf of the signed-in user.
  • Application Permissions (App Roles):

    • Allow the app to access data independently, without a signed-in user.

Access Tokens:

  • Definition: Security tokens provided by the Microsoft identity platform.
  • Usage: Attached as Bearer tokens to the Authorization header in an HTTP request to call Microsoft Graph.
  • Validity: Short-lived with variable default lifetimes.
  • Protection: Must be transmitted over a secure channel using Transport Layer Security (TLS).

Getting an Access Token:

  • Recommendation: Utilize authentication libraries for token management with the Microsoft identity platform.
  • Microsoft Authentication Library (MSAL):
    • Client libraries available for .NET, JavaScript, Android, and iOS.
  • Server Middleware:
    • Available for .NET Core, ASP.NET, and Node.js.
  • Third-Party Libraries: Compatible with Microsoft identity platform.

Additional Resources:

  • Documentation: Microsoft identity platform documentation.
  • Authentication Providers: Choose based on the scenario.
  • Microsoft Graph Samples: Available on GitHub.

In conclusion, a comprehensive understanding of the Microsoft identity platform, access tokens, and their integration with Microsoft Graph is crucial for effective application development within the Microsoft ecosystem.

FAQs

What are the authentication methods in Microsoft Graph list?

The following authentication methods are available in Microsoft Entra ID today and are manageable through Microsoft Graph:
  1. Windows Hello for Business.
  2. Microsoft Authenticator.
  3. FIDO2 security key.
  4. Certificate-based authentication.
  5. OATH hardware tokens (preview)
  6. OATH software tokens.
  7. Temporary Access Pass (TAP)
  8. SMS.
Jan 24, 2024

How do I get an auth code for Microsoft Graph API?

Authentication and authorization steps
  1. Register the app with Microsoft Entra ID.
  2. Configure Microsoft Graph application permissions on the app.
  3. Request administrator consent.
  4. Request an access token.
  5. Call Microsoft Graph using the access token.
Feb 1, 2024

Is Microsoft Graph Auth deprecated?

As per the doc, Microsoft.Graph.Auth is deprecated and no longer maintained; either you can try the suggested alternative package Azure.Identity or try installing via the NuGet package manager console.

How do I authenticate to Microsoft?

Sign in to an application or service such as Microsoft 365 using your username and password. Microsoft sends a notification to the Microsoft Authenticator app on your device. Open the notification on your phone and select the Verify key.

What are the authentication methods for Microsoft Graph PowerShell?

Microsoft Graph PowerShell supports two types of authentication: delegated and app-only access. There are a number of cmdlets that can be used to manage the different parameters required during authentication, for example, environment, application ID, and certificate.

What are the three (3) main types of authentication techniques?

What Are The 3 Types Of Multi-Factor Authentication?
  • Something You Know. The first method of authentication is called knowledge-based authentication (KBA), and involves something the user knows. ...
  • Something You Have. The second method of authentication is via something that the user has. ...
  • Something You Are. ...
  • Summary.
Apr 23, 2024

What is the most common authentication method?

Password-based authentication

This is the most common authentication method; anyone who has logged in to a computer knows how to use a password. Password-based authentication is the easiest authentication type for adversaries to abuse.

What type of authentication does Microsoft use?

Microsoft Entra multifactor authentication adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to a text message or phone call.

Why do we use OAuth 2.0 authorization?

OAuth 2.0, which stands for "Open Authorization", is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

What is the OAuth Authorization Code?

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

Is Microsoft Graph a REST API?

Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API.

What is the difference between Microsoft Graph Data Connect and the Graph API?

Microsoft Graph Data Connect is designed to extract large datasets in bulk, scalable to your entire organization, while the Microsoft Graph APIs are suitable for accessing small amounts of data from selected users and groups in your organization.

Do you have to pay for Microsoft Graph API?

Microsoft Graph includes APIs that are available at no additional cost with user subscription licenses and APIs and services that are metered. Metered APIs and services in Microsoft Graph incur costs based on usage.

How do I get an authentication code for Microsoft?

Sign in to the Advanced security options page of your Microsoft Account. Select Add a new way to sign in or verify, then choose how you would like to receive security codes. Note: VOIP numbers cannot be added as a way to sign in or get verification codes. We'll send a security code to the new number or email to confirm.

How do I fix authentication for Microsoft services?

To troubleshoot login issues with Microsoft services, follow these steps:
  1. Double-check your username and password. It's easy to make a typo.
  2. Reset your password if you can't log in.
  3. Clear your browser cache and cookies.
  4. Disable browser extensions.
  5. Reach out to Microsoft support if needed.

How do I authenticate a document digitally?

Here's How To Verify That A Digital Document Is Authentic
  1. Start by checking a document's digital signature. ...
  2. File metadata can prove authenticity, too. ...
  3. You could use hash values directly. ...
  4. You can inspect a document's chain of custody.
Oct 31, 2023

How does Microsoft authentication work?

Microsoft Authenticator is a free app that helps you sign in to all your accounts without using a password: just use a fingerprint, face recognition, or a PIN. You can use Authenticator to sign in to your Microsoft personal, work, school or other accounts.

Article information

Author: Duncan Muller