Reputation: 1089
I'm creating a daemon app, i.e. a 'non-user-interactive' app; authentication will be performed on behalf of end users using a 'service account', so no sign-in prompt is required.
The 'service account' has the relevant Delegated Permissions and Admin Approval has been consented for the app; the app permissions are set as 'Application Permissions'.
Company policy forbids the Client Credentials flow, so there is no access to the 'client_secret'. If I try using the ROPC flow with the service account's username/password, the POST request returns the 'Invalid Grant' error.
I'm confused as to which flow I can use to obtain a bearer token that will enable the app to call the MS Graph API.
The question is similar to this one, though I cannot use the Client Credentials flow: Can a MS Graph background/daemon app impersonate a user account without user interaction
Upvotes: 0
Views: 481
Reputation: 14326
To impersonate a user (i.e. delegated access, using delegated permissions) and access Microsoft Graph on behalf of the user, the user must have signed in to the application at some point (or to an upstream application).
The alternative is for the service to authenticate as itself (i.e. using the Client Credentials flow) and access Microsoft Graph directly.
The Microsoft Identity platform does not support impersonation of arbitrary users who have not actually signed in to the app.
In general, using the Resource Owner Password Credential (ROPC) flow to impersonate a user account using that account's username and password is strongly discouraged.
Upvotes: 1
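The answer's "signed in at some point" can be satisfied once, without a client_secret, by the OAuth 2.0 device code flow, after which the daemon renews tokens non-interactively from the persisted refresh token. The following is an added example, not code from the question, the answer or Microsoft; it uses only the Python standard library, TENANT_ID and CLIENT_ID are placeholders, and it assumes the app registration allows public client flows.

```python
# Added example: one-time device-code sign-in for the service account, then
# refresh-token renewal on every later daemon run (no client_secret, no ROPC).
import json, time, urllib.error, urllib.parse, urllib.request

TENANT_ID, CLIENT_ID = "<tenant-id>", "<public-client-app-id>"   # placeholders
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"
SCOPE = "https://graph.microsoft.com/.default offline_access"    # offline_access => refresh token

def post_form(url, fields):
    try:
        with urllib.request.urlopen(url, urllib.parse.urlencode(fields).encode()) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:   # 400 replies (e.g. authorization_pending) are JSON too
        return json.load(e)

def poll_request_body(device_code):
    return {"grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": CLIENT_ID, "device_code": device_code}

def refresh_request_body(refresh_token):
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token, "scope": SCOPE}

def classify(resp, interval):
    """Map a token-endpoint reply to (state, next poll interval in seconds)."""
    if "access_token" in resp:
        return "done", interval
    err = resp.get("error")
    if err == "authorization_pending":
        return "wait", interval
    if err == "slow_down":          # server asks the client to back off
        return "wait", interval + 5
    return "fail", interval         # expired_token, authorization_declined, ...

def sign_in_once():
    # Interactive bootstrap: an operator signs the service account in exactly once.
    dc = post_form(f"{AUTHORITY}/devicecode", {"client_id": CLIENT_ID, "scope": SCOPE})
    print(dc["message"])            # tells the operator where to enter user_code
    interval, deadline = dc.get("interval", 5), time.time() + dc["expires_in"]
    while time.time() < deadline:
        time.sleep(interval)
        tok = post_form(f"{AUTHORITY}/token", poll_request_body(dc["device_code"]))
        state, interval = classify(tok, interval)
        if state != "wait":
            return tok if state == "done" else None
    return None

def renew(refresh_token):
    # Daemon path for every later run: no prompt, no client_secret.
    tok = post_form(f"{AUTHORITY}/token", refresh_request_body(refresh_token))
    return tok if "access_token" in tok else None   # persist tok["refresh_token"]: it rotates
```

Run sign_in_once() from an operator session, keep the returned refresh_token in a protected secret store, and have the daemon call renew() on each run, re-saving the rotated refresh token it gets back. If the refresh token expires or is revoked (password change, Conditional Access, admin revocation), the one-time sign-in has to be repeated.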