Authentication and Authorization Basics - Microsoft Graph (2023)

  • Article
  • 6 minutes to read

To obtain an access token, your app must be registered with the Microsoft identity platform and given Microsoft Graph permissions by a user or administrator.

This article provides an overview of the Microsoft identity platform, access tokens, and how your app can obtain access tokens. For more information about the Microsoft identity platform, seeWhat is the Microsoft Identity Platform?. If you know how to integrate an application with the Microsoft identity platform to obtain tokens, see Microsoft Graph specific information and examples atnext stepssection.

Register your app with the Microsoft identity platform

Before your application can obtain a Microsoft identity platform token, it must be registered withblue portal. Registration integrates your app with the Microsoft identity platform and defines the information you use to obtain tokens, including:

  • Application ID– A unique identifier assigned by the Microsoft identity platform.
  • Redirect URI/URL– One or more endpoints where your application will receive responses from the Microsoft identity platform. (For mobile and native apps, the Microsoft identity platform assigns the URI.)
  • client secret– A password or public/private key pair that your application uses to authenticate with the Microsoft identity platform. (Not required for native or mobile apps.)

The properties configured during registration are used in the request. For example, in the following token request:Client IDit's theApplication ID,uri_redirectis one of the registered applicationsredirect url, yousecret_clientit's theclient secret.

(Video) Understanding authentication and authorization in Microsoft Graph Explorer

// Saltos de linha solo para legibilidade POST /common/oauth2/v2.0/token HTTP/1.1Host: https://login.microsoftonline.comContent-Type: application/x-www-form-urlencodedclient_id=6731de76-14a6- 49ae- 97bc-6eba6914391e& // NOTE: Only required for web apps

access scenarios

The method an app uses to authenticate with the Microsoft identity platform will depend on how you want the app to access data. This access can be done in two ways, as illustrated in the following image.

  • delegated access, an application that acts on behalf of a logged-in user.
  • App-only access, an application that acts with its own identity.

Authentication and Authorization Basics - Microsoft Graph (1)

Delegated access (access on behalf of a user)

In this access scenario, a user is signed in to a client application and the client application calls Microsoft Graph on behalf of the user.Both the client and the user must be authorized to make the request.

Delegated access requiresdelegate permissions, also known asscopes. Scopes are permissions exposed by a given resource and represent the operations an application can perform on behalf of a user.

Since both the application and the user must be authorized to make the request, the feature grants the client application the delegated permissions for the client application to access data on behalf of the specified user. For the user, the actions he can perform on the resource depend on the permissions he has to access the resource. For example, the user may be the owner of the resource, or may be assigned a specific role through a role-based access control (RBAC) system, such asAzure AD RBAC.

App-only access (userless access)

In this access scenario, the app can interact with the data on its own, without a signed-in user.just appAccess is used in scenarios such as automation and backup and is primarily used by applications running as background services or daemons. It's suitable when you don't want a user to log in or when the required data cannot be limited to a single user.

(Video) Module 2: Authentication Flow | Microsoft Graph Fundamentals for Beginners

Applications obtain privileges to call the Microsoft Graph under their own identity in one of the following ways:

  • When the app is assignedapp permissions, also callingapp features.
  • When the application takes ownership of the resource it intends to manage.


An app can also obtain permissions throughAzure AD built-in roles. These permissions do not limit the app to calling Microsoft Graph APIs.

Microsoft Graph Permissions

Microsoft Graph exposes granular permissions that control applications access to Microsoft Graph resources such as users, groups, and email. As a developer, you decide which Microsoft Graph permissions to request for your app based on your access scenario and the operations you want to perform.

Microsoft Graph exposes two types of permissions for admittedaccess scenarios:

(Video) How to authenticate as an application with Microsoft Graph API

  • delegated permissions
  • app permissions

Delegated permissions, also calledscopes, allow the application to act on behalf of the signed-in user. App permissions, also calledapp features, allows the app to access the data on its own, without a logged in user.

When a user logs in to your app, they or, in some cases, an administrator, are given the opportunity to consent to the delegated permissions. If they consent, your app will have access to the resources and APIs you've requested. For apps that access resources and APIs without a signed-in user, an admin can pre-consent to app permissions when the app is installed.


As a best practice, request the least privileged permissions your app needs to access data and function properly. Asking for permissions with more privileges than necessary is a bad security practice that can cause users to withhold consent and affect your app usage.

For more information about Microsoft Graph permissions and how to use them, see theMicrosoft Graph Permissions Overview.

(Video) Microsoft Graph API authorization and authentication for application development | Full Course

access tokens

An application makes an authentication request to obtain access tokens that it uses to call an API. Access tokens issued by the Microsoft identity platform contain information (claims). Web APIs secured by the Microsoft identity platform, such as Microsoft Graph, use claims to validate the caller and ensure that the caller has the appropriate permissions to perform the requested operation. The caller must treat access tokens as opaque strings because the content of the token is for the API only. When calling Microsoft Graph, always protect access tokens by transmitting them over a secure channel that uses Transport Layer Security (TLS).

The following example shows a Microsoft identity platform access token:


To invoke Microsoft Graph, the app makes an authorization request by appending the access token as aCarrierguide to theAuthorizationheader in an HTTP request. For example, the following call that returns the logged-in user's profile information (the access token has been shortened for readability):

GET HTTP/1.1Host:ção: Portador EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==

Access tokens are a type ofsecurity tokenprovided by the Microsoft identity platform. They are short-lived, but with variable predetermined lifetimes.

Get an access token

Like most developers, you will likely use authentication libraries to manage your token interactions with Microsoft's identity platform. Authentication libraries extract many protocol details, such as validation, cookie handling, token caching, and maintaining secure connections, from the developer and allow you to focus your development on your application's functionality. Microsoft publishes open source client libraries and server middleware.

For the Microsoft identity platform endpoint:

(Video) Authenticate and connect with Microsoft Graph - June 2019

  • Microsoft Authentication Library (MSAL) client libraries are available for several frameworks, including .NET, JavaScript, Android, and iOS. All platforms are in production-compatible preview, and for major changes, Microsoft guarantees an upgrade path.
  • Microsoft server middleware is available for .NET core and ASP.NET (OWIN OpenID Connect and OAuth) and for Node.js (Microsoft Passport.js identity platform).
  • Microsoft's identity platform is also compatible with many third-party authentication libraries.

For a complete list of supported Microsoft client libraries, Microsoft server middleware, and third-party libraries, seeMicrosoft identity platform documentation.

You don't need to use an authentication library to get an access token. For information on how to use Microsoft identity platform endpoints directly without the help of an authentication library, seeMicrosoft identity platform documentation libraries.

See too

  • Microsoft identity platform documentation.
  • Choose a Microsoft Graph Authentication Provider Based on Your Scenario.
  • Microsoft Graph Permissions Overview.
  • Use oTo startpage to find libraries, samples, training content, and other resources for your favorite platform.
  • see ourMicrosoft graphics samplesa GitHub.


What is the authentication method for Microsoft Graph API? ›

Authentication methods in Azure AD include password and phone (for example, SMS and voice calls), which are manageable in Microsoft Graph today, among many others such as FIDO2 security keys and the Microsoft Authenticator app.

How do you authenticate Microsoft Graph on behalf of user? ›

Authentication and authorization steps
  1. Register your app with Azure AD.
  2. Get authorization.
  3. Get an access token.
  4. Call Microsoft Graph with the access token.
  5. Use a refresh token to get a new access token.
Jan 26, 2023

What are the different authentication methods in Microsoft Graph PowerShell? ›

Microsoft Graph PowerShell supports two types of authentication: delegated and app-only access. There are a number of cmdlets that can be used to manage the different parameters required during authentication, for example, environment, application ID, and certificate.

What is the authentication for Azure AD Graph API? ›

Azure AD configuration

On every application, the User. Read permission is required in order to login the current user and retrieve its information. You can also add other permissions based on your application needs. Then, during the authentication process to MS Graph in the back, we need to provide a ClientSecret key.

How does REST API handle authentication and authorization? ›

There are various authentication methods for REST APIs, ranging from basic credentials and token encryption to complex, multilayered access control and permissions validation.
  1. Basic authentication. ...
  2. API keys. ...
  3. HMAC encryption. ...
  4. OAuth 2.0. ...
  5. OpenID Connect. ...
  6. Choosing a REST API authentication approach.
May 23, 2022

Which three methods can be used to authenticate to an API? ›

Here are the three most common methods:
  • HTTP Basic Authentication. The simplest way to handle authentication is through the use of HTTP, where the username and password are sent alongside every API call. ...
  • API Key Authentication. ...
  • OAuth Authentication. ...
  • No Authentication.
Jun 17, 2021

How do you authenticate and authorize? ›

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to. Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity.

How do I assign permissions to Microsoft Graph? ›

To grant admin consent for Microsoft Graph API permissions:
  1. Log in to the Azure Portal.
  2. In the left-pane menu, click Azure Active Directory.
  3. Select App registrations, then select the ZCSPM application which you want to onboard.
  4. In the left-pane menu, click API permissions.

What are those 4 commonly authentication methods *? ›

The most common authentication methods are Password Authentication Protocol (PAP), Authentication Token, Symmetric-Key Authentication, and Biometric Authentication.

What are the 6 methods available for user authentication? ›

6 Common network authentication methods
  • Password-based authentication. Passwords are the most common network authentication method. ...
  • Two-factor authentication. ...
  • Multi-factor authentication. ...
  • CAPTCHAs. ...
  • Biometrics authentication. ...
  • Certificate-based authentication.
Dec 13, 2021

What is the difference between Basic Authentication and Windows authentication? ›

Difference between Basic Authentication and Windows authentication. Windows authentication authenticates the user by validating the credentials against the user account in a Windows domain. Basic authentication verifies the credentials that are provided in a form against the user account that is stored in a database.

What is the difference between authentication and authorization in Azure? ›

Authentication verifies who the user is. Authorization determines what resources a user can access. Authentication works through passwords, one-time pins, biometric information, and other information provided or entered by the user.

What are the two types of authentication Microsoft Azure Active Directory uses? ›

Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods: Something you know, typically a password. Something you have, such as a trusted device that's not easily duplicated, like a phone or hardware key.

How does authentication and authorization work in Azure? ›

Azure App Service provides built-in authentication and authorization capabilities (sometimes referred to as "Easy Auth"), so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also Azure Functions.

How do I pass basic auth in REST API? ›

Users of the REST API can authenticate by providing their user ID and password within an HTTP header.
  1. Concatenate the user name with a colon, and the password. ...
  2. Encode this user name and password string in base64 encoding.
  3. Include this encoded user name and password in an HTTP Authorization: Basic header.

What are the 6 constraints of rest? ›

The six architectural constraints of REST APIs
  • Client-server architecture. An API's job is to connect two pieces of software without limiting their own functionalities. ...
  • Statelessness. ...
  • Uniform Interface. ...
  • Layered system. ...
  • Cacheability. ...
  • Code on Demand.

What are the different types of authorization in API? ›

There are four types of Authorization – API keys, Basic Auth, HMAC, and OAuth.

Is API key authentication or authorization? ›

API keys provide project authorization

To decide which scheme is most appropriate, it's important to understand what API keys and authentication can provide. API keys aren't as secure as authentication tokens (see Security of API keys), but they identify the application or project that's calling an API.

Is API basic authentication? ›

With Basic Authentication, you pass your credentials (your Apigee account's email address and password) in each request to the Edge API. Basic Authentication is the least secure of the supported authentication mechanisms. Your credentials are not encrypted or hashed; they are Base64-encoded only.

What is the most common API authentication? ›

OAuth 2.0. OAuth 2.0 is a widely used standard for API authentication, since it provides a secure and convenient way for users to grant third-party applications access to their resources without sharing their passwords.

What are the three types of authentication? ›

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as bank card; something you are: biometrics, such as fingerprints and voice recognition.

What is difference between authorization and authentication? ›

Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.

Is login authentication or authorization? ›

In terms of web apps, very crudely speaking, authentication is when you check login credentials to see if you recognize a user as logged in, and authorization is when you look up in your access control whether you allow the user to view, edit, delete or create content.

What are the 5 factor authentication? ›

The five main authentication factor categories are knowledge factors, possession factors, inherence factors, location factors, and behavior factors.

What is the most basic form of authentication? ›

Passwords are the most common form of authentication.

What permissions are required for Graph API? ›

If you're calling the Microsoft Graph Security API from a custom or your own application:
  • The Azure AD tenant admin must explicitly grant consent to your application. ...
  • If you're using user delegated authorization, the user must be a member of the Security Reader or Security Administrator Limited Admin role in Azure AD.
Jun 27, 2022

What is Microsoft Graph permissions? ›

Permission types. Microsoft Graph supports two access scenarios, delegated access and app-only access. In delegated access, the app calls Microsoft Graph on behalf of a signed-in user. In app-only access, the app calls Microsoft Graph with its own identity, without a signed in user.

What is the difference between delegated and application permissions Microsoft Graph? ›

Delegated permissions, also called scopes, allow the application to act on behalf of the signed-in user. Application permissions, also called app roles, allow the app to access data on its own, without a signed-in user.

Which authentication method is most secure? ›

The most common authentication method that goes 'beyond passwords' is to implement multi-factor authentication (MFA), which is also known as 2-step verification (2SV) or two-factor authentication (2FA).

What are the two most commonly used authentication factors? ›

Three Most Common Types Of MFA Factors

The most commonly used MFA factors fall into one of three categories: Knowledge, aka something you know, such as a password or security question. Possession, aka something you have, such as an SMS code or physical key.

What are basic authentication methods? ›

Basic Authentication is a method for an HTTP user agent (e.g., a web browser) to provide a username and password when making a request. When employing Basic Authentication, users include an encoded string in the Authorization header of each request they make.

What are the steps of user authentication? ›

A straightforward process, user authentication consists of three tasks:
  1. Identification. Users have to prove who they are.
  2. Authentication. Users have to prove they are who they say they are.
  3. Authorization. Users have to prove they're allowed to do what they are trying to do.

Why is OAuth better than basic authentication? ›

When you compare both methods of authentication, OAuth 2.0 provides better security than basic authentication because its initial requests for credentials are made under the SSL protocol and its access object is a transitory token.

Did Microsoft disable basic authentication? ›

In Office 365 Operated by 21Vianet, we'll begin disabling Basic authentication on March 31, 2023. All other cloud environments are subject to the October 1, 2022 date.

What replaced basic authentication? ›

If you're still on Basic Auth, the company recommends switching to Modern Authentication (OAuth 2), which uses token-based authorization. Its access tokens have a limited functioning lifespan and are restricted to the applications and resources for which they are given, so they cannot be reused.

Is Azure Active Directory used for authentication and authorization? ›

Azure Active Directory (Azure AD) is a centralized identity provider in the cloud. Delegating authentication and authorization to it enables scenarios such as: Conditional Access policies that require a user to be in a specific location. Multi-Factor Authentication which requires a user to have a specific device.

What is OAuth authentication and authorization? ›

OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

What is the difference between basic auth and oauth2? ›

Unlike Basic Auth, where you have to share your password with people who need to access your user account, OAuth doesn't share password data. Instead, OAuth uses authorization tokens to verify an identity between consumers and service providers.

What are the 3 main identity types used in Azure AD? ›

- [Instructor] The exam may test your knowledge of the identity types available in Azure Active Directory. And for the exam, there are four different identity types that you'll want to be familiar with: the user, service principle, managed identity, and device.

How does Microsoft authentication work? ›

The first time you sign in on a device or app you enter your username and password as usual, then you get prompted to enter your second factor to verify your identity. Perhaps you're using the free Microsoft Authenticator app as your second factor.

What are the two authentication methods? ›

Three Main Types of MFA Authentication Methods

Things you know (knowledge), such as a password or PIN. Things you have (possession), such as a badge or smartphone. Things you are (inherence), such as a biometric like fingerprints or voice recognition.

How authentication and authorization is implemented? ›

A user requests access to an application. The application determines that the user is not authenticated yet and redirects the user to the identity server. The user authenticates with the identity server. The identity server sends on successful authentication an access token/ID token to the user.

What are the different types of authorization in Azure? ›

There are two main approaches to authorization: role-based and resource-based. Both can be configured with Azure AD.

What type of authentication does Microsoft use? ›

How each authentication method works
MethodPrimary authenticationSecondary authentication
Microsoft Authenticator appYesMFA and SSPR
FIDO2 security keyYesMFA
Certificate-based authentication (preview)YesNo
OATH hardware tokens (preview)NoMFA and SSPR
5 more rows
Sep 7, 2022

What authentication protocol does Microsoft use? ›

The Windows operating system implements a default set of authentication protocols, including Kerberos, NTLM, Transport Layer Security/Secure Sockets Layer (TLS/SSL), and Digest, as part of an extensible architecture.

How do I access Microsoft Graph API? ›

You can access Graph Explorer at:
Graph Explorer
  1. Select the HTTP method.
  2. Select the version of API that you want to use.
  3. Type the query in the request text box.
  4. Select Run Query.
Jan 26, 2023

What authentication app does Microsoft use? ›

The Microsoft Authenticator app helps you sign in to your accounts when you're using two-step verification.

What is authorization vs authentication? ›

Authentication verifies the identity of a user or service, and authorization determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system.

What is the difference between basic authentication and Windows authentication? ›

Difference between Basic Authentication and Windows authentication. Windows authentication authenticates the user by validating the credentials against the user account in a Windows domain. Basic authentication verifies the credentials that are provided in a form against the user account that is stored in a database.

What is difference between Windows authentication and authentication? ›

Forms authentication is where the user is required to login with credentials just for the web site. Windows authentication is for when the web site will accept the user's Windows credentials for login purposes.

What is Microsoft modern authentication? ›

Modern Authentication is a method of identity management that offers more secure user authentication and authorization. It's available for Office 365 hybrid deployments of Skype for Business server on-premises and Exchange server on-premises, and split-domain Skype for Business hybrids.

What is the most commonly used authentication protocol? ›

Single-Factor/Primary Authentication

Historically the most common form of authentication, Single-Factor Authentication, is also the least secure, as it only requires one factor to gain full system access. It could be a username and password, pin-number or another simple code.

What is the difference between REST API and Graph API? ›

Here is the important difference between GraphQL and REST API. GraphQL is an application layer server-side technology which is developed by Facebook for executing queries with existing data. REST is a software architectural style that defines a set of constraints for creating Web services.

What data can Microsoft Authenticator access? ›

These logs can contain personal data such as email addresses, server addresses, or IP addresses. They also can contain device data such as device name and operating system version. Any personal data collected is limited to information needed to help troubleshoot app issues.

Who uses Microsoft Authenticator? ›

Microsoft Authenticator can be used with Microsoft products or any sites or apps that utilize two-factor authentication that has a time-based, one-time passcode (TOTP or OTP).

Is Microsoft authentication secure? ›

Microsoft authenticator allows you to log in to all your accounts very easy and fast. It is a good 2FA security tool from Microsoft and has strong security levels for applications. Sasa S. Works great to secure your Microsoft account or accounts if you have multiple.


1. Authenticate and connect with Microsoft Graph
(Microsoft 365 Developer)
2. Oauth 2.0 Authorization Code Flow | Microsoft Graph
(Concepts Work)
3. Deep dive into Microsoft Graph - 3 Authentication & Authorization
4. Episode 021 - Microsoft Graph Authentication
5. Simplify authentication and authorization with the Microsoft identity platform | OD274
(Microsoft Ignite)
6. The basics of modern authentication - Microsoft identity platform
(Microsoft Security)
Top Articles
Latest Posts
Article information

Author: Carlyn Walter

Last Updated: 02/06/2023

Views: 5989

Rating: 5 / 5 (70 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Carlyn Walter

Birthday: 1996-01-03

Address: Suite 452 40815 Denyse Extensions, Sengermouth, OR 42374

Phone: +8501809515404

Job: Manufacturing Technician

Hobby: Table tennis, Archery, Vacation, Metal detecting, Yo-yoing, Crocheting, Creative writing

Introduction: My name is Carlyn Walter, I am a lively, glamorous, healthy, clean, powerful, calm, combative person who loves writing and wants to share my knowledge and understanding with you.