OAuth 2.0 that Microsoft Graph API provided, provides user-interaction authentication flow and user-less authentication flow.
If an app uses user-less authentication flow to access the resource as RPA or other autorun functions, an app should have minimum permission for they need. The permission is not the whole of there lifecycle. Permission is requested only time when the app access the target resource. And permission is limited access to only target resources.
In this case, short-time access and one-time use is best. Microsoft Graph API provides client_credential grant flow and password grant flow as user-less authentication flow, the impersonated user uses the Application ID as account and the Client secret as the password in these flows.
The Application ID and the Client secret are kept at attributes of the Azure Active Directory application.

・Set the Client secret

Create an Azure Active Directory application, if needs please read the article ‘Create Azure Active Directory application‘. And select [Certificates & secrets] on the target Azure Active Directory application of Azure portal, and press [New Client secret] button.

Put description into [Description] section and stay [Expires] section as [in 1 year] radio button, then press [Add] button.

Copy the Client secret and keep anywhere the correct place such as the Microsoft OneDrive Vault.


The Postman is easy way to test Microsoft Graph API.

Put ‘https://login.microsoftonline.com/__YOUR TENNANT ID copy from Directory (tennant) ID of Azure Portal__/oauth2/token’ into the address box next to the method select list (the select list is selected as [POST] in the capture below). And put post body items key and value pair as below.

key : client_id and value : copy from Application (client) ID of Azure portal.

key : client _secretand and value : copy from where kept place at when client secret issued.

key : grant_type and value : put ‘client_credentials’.

Then press [send] button.

This access_token has minimum permission, its scope is ‘User.Read’ which is delegated to this Azure Active Directory application as impersonated user. And its expire is one hour.


No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *