Yusufu

Reputation: 115

MS Graph API Permissions and public call

What is "delegated" in the MS Graph API? Does it mean we can't use it by creating an app on Azure Active Directory? https://learn.microsoft.com/en-us/graph/api/application-post-calls?view=graph-rest-1.0&tabs=http#permissions I want to use the online meeting and call APIs without my customers having to register for Teams or Microsoft.

Upvotes: 0

Views: 56

Answers (2)

Hilton Giesenow

Reputation: 10804

There are two primary mechanisms that an application can use to access the Graph. One is an "Application" approach, where it needs to be given access rights by an administrator, and can then access certain services / endpoints. There's often an "app secret" that is used in conjunction with the application "Id". This is kind of similar to how, in the past, we would have created a specific 'service' account + password. ROPC is even more similar, and actually -does- require a username + password, but it's not generally recommended.

The other is "delegated", which means that the application can access certain resources that are specific to that user (like their own mailbox for example). In this case, the user themselves might be required to 'approve' the application's right to access the graph on his/her behalf.

Note that BOTH of these options involve the use of an Azure AD Application, but which permission option you can use depends on the specific operation in the Graph that you're interested in calling. As an example, let's say you wanted to access the list of members in a Teams team. This is explained here, where the "permissions" section indicates that either Application or Delegated permissions can be used to do this. In contrast, here is another operation that can ONLY be done with Delegated permissions, and not by a standalone application without a user granting access.

Upvotes: 1

juunas

Reputation: 58733

Delegated permissions are used to call APIs on behalf of a signed-in user. If an API only supports them, a user will have to sign in to your application so that you can call the API on their behalf. Refresh tokens allow you to do this for a long time without requiring the user to interact with the app, but those can and do expire. Another choice might be to use the ROPC flow, but that requires you to use a username and password to get tokens, and that user cannot have MFA enabled for example (one of many cases where ROPC does not work).

Upvotes: 1
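Both answers turn on the difference between an application (app-only) token and a delegated token. As an added example, not code from either answerer, the following Python snippet classifies a Graph access token by its claims ("roles" for application permissions, "scp" for delegated scopes) and checks it against a small permission table; the table entries, the token claims and the helper names are constructed for illustration, and the authoritative requirements for any operation are in its "Permissions" section in the docs.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build a header.payload.signature string with a fake signature (test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT validating the signature; diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def permission_type(claims: dict) -> str:
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles' (and idtyp=app)."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "application"
    return "unknown"

# Constructed, illustrative table in the shape of the docs' "Permissions" sections:
# for each operation, which permission types it accepts and which permission satisfies it.
GRAPH_OPS = {
    "POST /communications/calls": {"application": {"Calls.Initiate.All"}, "delegated": set()},
    "POST /me/onlineMeetings": {"application": set(), "delegated": {"OnlineMeetings.ReadWrite"}},
}

def can_call(token: str, operation: str) -> tuple:
    """Return (allowed, reason) for calling `operation` with this token."""
    claims = decode_claims(token)
    kind = permission_type(claims)
    if kind == "unknown":
        return (False, "token carries neither scp nor roles")
    accepted = GRAPH_OPS[operation][kind]
    if not accepted:
        return (False, f"{operation} does not accept {kind} permissions")
    # 'scp' is a space-separated string, 'roles' is a JSON list
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    missing = accepted - granted
    if missing:
        return (False, f"missing {kind} permission(s): {sorted(missing)}")
    return (True, f"ok: {kind} token satisfies {operation}")

# Constructed sample tokens: one app-only (client credentials), one delegated (user signed in)
APP_TOKEN = make_unsigned_jwt({"idtyp": "app", "roles": ["Calls.Initiate.All"]})
USER_TOKEN = make_unsigned_jwt({"scp": "OnlineMeetings.ReadWrite User.Read"})
```

The delegated-only row shows the situation juunas describes: no matter which application permissions the app holds, that operation only succeeds with a token obtained on behalf of a signed-in user.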
