Microsoft Graph API authorization and authentication for app
Want to develop an application that accesses resources through the Microsoft Graph API? Then please enroll in this course.
What you’ll learn
- Learn how to authenticate and work with permissions to securely access data through Microsoft Graph
- Learn how to add and register an application using the App registrations experience in the Azure portal
- How to get access on behalf of a user
- How to get access without a user
Requirements
- The basics of Azure AD are essential, along with knowledge of REST APIs and protocols
Description
Authentication and authorization basics:
To call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. The access token contains information about your app and the permissions it has to access the resources and APIs available through Microsoft Graph.
Register your app with the Microsoft identity platform
Before your app can get a token from the Microsoft identity platform, it must be registered in the Azure portal. Registration integrates your app with the Microsoft identity platform and establishes the information that it uses to get tokens, including:
- Application ID: A unique identifier assigned by the Microsoft identity platform.
- Redirect URI/URL: One or more endpoints at which your app will receive responses from the Microsoft identity platform. (For native and mobile apps, the URI is assigned by the Microsoft identity platform.)
- Client secret: A password or a public/private key pair that your app uses to authenticate with the Microsoft identity platform. (Not needed for native or mobile apps.)
Microsoft Graph permissions
Microsoft Graph exposes granular permissions that control the access that apps have to resources, like users, groups, and mail. As a developer, you decide which Microsoft Graph permissions to request for your app.
Delegated and application permissions
Microsoft Graph has two types of permissions:
- Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph.
- Application permissions are used by apps that run without a signed-in user present, for example apps that run as background services or daemons. Application permissions can only be consented to by an administrator.
Effective permissions
Effective permissions are the permissions that your app has when making requests to Microsoft Graph. Within organizations, the policy or membership in one or more roles determines the privileges of the signed-in user or an app. It’s important to understand the difference between the delegated and application permissions your app has and its effective permissions when making calls to Microsoft Graph.
Effective permissions in delegated versus application-only permission scenarios
- In the delegated scenario, your app can never have more privileges than the signed-in user. Take the User.ReadWrite.All delegated permission: it nominally grants your app permission to read and update the profile of every user in an organization. Because of effective permissions, however, the privileges of the signed-in user cap what the app can actually do:
  - If the signed-in user is a global administrator, your app can update the profile of every user in the organization.
  - If the signed-in user isn't in an administrator role, your app can update only the profile of the signed-in user. It can't update the profiles of other users in the organization because the signed-in user doesn't have those privileges.
- With application permissions, by contrast, the app's effective permissions are the full privileges the permission implies. For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization.
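The following Python is an added example, not code from the course or from Microsoft. It ties the sections above together: it builds the two token requests the text describes (authorization code flow for access on behalf of a user, client credentials for access without a user), decodes an access token to see whether it carries delegated permissions (the `scp` claim) or application permissions (the `roles` claim), and models the effective-permissions rule for User.ReadWrite.All. The tenant, client and redirect values are placeholders, the sample tokens are constructed and unsigned, nothing is sent over the network, and `can_update_profile` is a simplified model of the rule in the text, not the service's real authorization logic.

```python
"""Added example (not the course's or Microsoft's code).

Assumptions, labelled here and in comments: TENANT_ID, CLIENT_ID, CLIENT_SECRET
and REDIRECT_URI are placeholders; the tokens at the bottom are CONSTRUCTED and
unsigned; can_update_profile is a simplified model of effective permissions.
"""
import base64
import json
from urllib.parse import urlencode

TENANT_ID = "<tenant-id>"                    # placeholder
CLIENT_ID = "<application-client-id>"        # placeholder: Application ID from app registration
CLIENT_SECRET = "<client-secret>"            # placeholder: load from a secret store in real apps
REDIRECT_URI = "https://localhost/callback"  # placeholder: must match a registered redirect URI
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def authorization_request_url(scopes, state):
    """Access on behalf of a user: first leg of the authorization code flow.
    The user signs in at this URL and consents to the delegated scopes."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value the app must check when the code comes back
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def client_credentials_request(scope="https://graph.microsoft.com/.default"):
    """Access without a user: form body of a client credentials token request.
    '/.default' asks for every application permission an admin has consented to."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "client_credentials",
        "scope": scope,
    }


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature.
    Inspection only: Microsoft Graph validates the token; the app must not make
    its own authorization decisions from an unverified token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_kind(claims):
    """Delegated tokens carry permissions in 'scp'; app-only tokens in 'roles'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "none"


def granted_permissions(claims):
    """Return the permissions present in the token as a set of names."""
    kind = permission_kind(claims)
    if kind == "delegated":
        return set(claims["scp"].split())
    if kind == "application":
        return set(claims["roles"])
    return set()


def can_update_profile(claims, target_user_oid, signed_in_user_is_admin=False):
    """Simplified model of the effective-permissions rule (assumption, not the
    real service logic): User.ReadWrite.All as an application permission reaches
    every user; as a delegated permission it is capped by the signed-in user."""
    if "User.ReadWrite.All" not in granted_permissions(claims):
        return False
    if permission_kind(claims) == "application":
        return True
    # Delegated: never more than the signed-in user. 'oid' is that user's object id.
    return signed_in_user_is_admin or claims.get("oid") == target_user_oid


def make_unsigned_token(claims):
    """Build a CONSTRUCTED unsigned JWT for the example only ('alg': 'none' is
    never acceptable for a real token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample tokens: one delegated (signed-in user 'user-a'), one app-only.
DELEGATED_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "oid": "user-a", "scp": "User.Read User.ReadWrite.All"})
APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.ReadWrite.All"]})

if __name__ == "__main__":
    print(authorization_request_url(["User.Read"], "constructed-state"))
    print(client_credentials_request())
    for name, tok in (("delegated", DELEGATED_TOKEN), ("application", APP_TOKEN)):
        c = decode_jwt_claims(tok)
        print(name, permission_kind(c), sorted(granted_permissions(c)),
              "update user-b:", can_update_profile(c, "user-b"))
```

Running the module prints the authorization URL, the client credentials form body, and for each constructed token which kind of permission it carries and whether the model lets it update a user other than the signed-in one. In practice, `decode_jwt_claims` is useful for checking that a token actually carries the least-privilege permission set you expected before the app calls Graph.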
Who this course is for:
- Developers who want to use resources with the help of Microsoft Graph APIs and develop applications