
I am trying to consume the Microsoft Graph API to provision/de-provision users and groups to/from Azure Active Directory. I have registered my app in the Microsoft App Registration Portal (https://apps.dev.microsoft.com). I am planning to develop a web application using Java and REST. I am confused about the "GrantType" to use for authentication and to get the accessToken.

I have gone through the documentation provided by Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols). I am thinking of using either the ClientCredentials GrantType or the AuthorizationCode GrantType, but it looks like they require "User Intervention" for giving "Admin Consent".

My question is which grant type to use to get the AccessToken directly without any user intervention.

Could anyone please guide me on this? Thanks so much in advance.


2 Answers

2 votes

The Client Credential Flow can be used to get an access token without user intervention.

This is the 'daemon' application scenario, and we have a sample for this here:

https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2

Note that this flow requires that your application has an Application Secret, and that you set up Application Permissions (versus Delegated Permissions) to the APIs you want to access.

Generally, an Admin is still needed to authenticate and consent the first time the application is used, but afterward, the application should be able to act on its own.

1 vote

Extending Shawn Tabrizi's answer, you can also use a certificate with client credentials instead of a client secret if you want.

There is also the Resource Owner Password Grant flow, which also requires the client secret, but additionally requires a username and password. There are many reasons not to use this flow (MFA can't be enabled, etc.), but it is an option.

In general, go with client credentials and assign app permissions for the app. And as Shawn said, an admin will still have to consent; doing that without user intervention would require you to have high access to their AAD (to create OAuth2PermissionGrants and AppRoleAssignments manually). But to get that access you need consent :)
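The two answers above describe the client credentials flow (with a client secret, or with a certificate-signed client assertion instead) and the need for admin-consented application permissions. The following is an added example, not code from the question, either answer, or the linked Microsoft sample. It builds the token request for the v2.0 endpoint and then inspects the returned access token to confirm it is an app-only token carrying application permissions. The endpoint format, the `.default` scope convention, the `roles` (application) versus `scp` (delegated) claim distinction, and the Microsoft Graph audience values are assumptions drawn from the Microsoft identity platform rather than stated on the page; the tenant, client ID, secret and tokens are constructed sample values.

```python
"""Added example: client credentials token request for the Microsoft identity
platform v2.0 endpoint, plus an offline check of the access token it returns.

Assumptions (not on the original page): the endpoint format below, the
'.default' scope, and that an app-only Graph token carries application
permissions in a 'roles' claim while a delegated token carries 'scp'.
"""
import base64
import json
import time
from urllib.parse import urlencode

# Assumed v2.0 endpoint layout; {tenant} is a tenant ID or verified domain.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# '.default' requests every application permission already consented for Graph.
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Assumed Graph audience values: the resource URI or Graph's application ID.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def build_client_credentials_request(tenant, client_id, client_secret=None, client_assertion=None):
    """Return (url, form_body) for a client_credentials grant.

    Exactly one credential is used: a client secret, or a client assertion
    (a JWT signed with the app's certificate private key, produced elsewhere).
    No user is involved, which is why this flow fits a daemon/provisioning job.
    """
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("supply exactly one of client_secret or client_assertion")
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:
        body["client_assertion_type"] = CLIENT_ASSERTION_TYPE
        body["client_assertion"] = client_assertion
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_access_token(token, now=None):
    """Decode the JWT payload WITHOUT verifying the signature and report whether
    it looks like an app-only Graph token.

    This is a diagnostic for a permission/consent setup (e.g. 'why does Graph
    return 403?'), not a trust decision: Graph itself validates the signature.
    A missing 'roles' claim means no application permissions were consented,
    or the token is a delegated one (it would carry 'scp' instead).
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    now = time.time() if now is None else now
    return {
        "is_app_only": "roles" in payload and "scp" not in payload,
        "roles": payload.get("roles", []),
        "audience_is_graph": payload.get("aud") in GRAPH_AUDIENCES,
        "expired": payload.get("exp", 0) <= now,
    }


def _make_unsigned_sample_token(claims):
    """Constructed sample token for offline use: real base64url header and
    payload, dummy signature segment. Never use 'alg: none' tokens for real."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed tokens: one app-only (application permissions consented), one delegated.
SAMPLE_APP_TOKEN = _make_unsigned_sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.ReadWrite.All", "Group.ReadWrite.All"],
    "exp": 4102444800,
})
SAMPLE_DELEGATED_TOKEN = _make_unsigned_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read",
    "exp": 4102444800,
})


if __name__ == "__main__":
    url, body = build_client_credentials_request(
        "contoso.onmicrosoft.com", "11111111-2222-3333-4444-555555555555", client_secret="s3cret")
    print("POST", url)
    print(body)
    print(inspect_access_token(SAMPLE_APP_TOKEN))
    print(inspect_access_token(SAMPLE_DELEGATED_TOKEN))
```

The `is_app_only` check is the quick way to tell whether the admin consent step the answers mention has actually happened for the application permissions: a token from the client credentials flow with no `roles` claim will be rejected by Graph for provisioning calls even though the token request itself succeeded.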