Using Client Credentials for Microsoft Azure Spokes

The OAuth 2.0 client credentials grant flow is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts. In some cases, apps may also need functionality that requires more elevated privileges in an organization than those carried by the signed-in user. The client credentials grant flow covers these scenarios: it permits a web service (a confidential client) to authenticate with its own credentials, instead of impersonating a user, when calling another web service.

Authentication and authorization steps

1. Register your app with Azure AD
2. Assign appropriate API permissions
3. Assign roles to the application (optional: only needed to perform duties that would otherwise require a user with delegated permission)
4. Set up the respective Azure service as the OAuth provider
5. Generate an access token (optional)

1. Register your app

To use the Microsoft identity platform endpoint, you must register your app using the Azure app registration portal. You can use either a Microsoft account or a work or school account to register an app. To configure an app to use the OAuth 2.0 authorization code grant flow, you'll need to save the following values when registering the app:

- Application (client) ID assigned by the app registration portal.
- Client (application) secret, either a password or a public/private key pair (certificate). This is not required for native apps.
- Redirect URI (or reply URL) for your app to receive responses from Azure AD.

For steps on how to configure an app in the Azure portal, see Register an application with the Microsoft identity platform.

2. Assign required API permissions

To access Graph APIs, we must declare the required API permissions for our app.
Follow the steps below to assign API permissions to the application:

1. Sign in to the Azure portal using either a work or school account or a personal Microsoft account.
2. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the Azure AD tenant that you want.
3. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations > Open your application.
4. Select API Permissions from the left-hand navigation pane.
5. Click the Add a permission button.
6. Select Microsoft Graph > Application permissions.
7. Select the required permissions from the list of available permissions and then grant admin consent by clicking the Grant admin consent button.

NOTE: Refer to the spoke's documentation to see the delegated or application permissions required for each action.

3. Assign roles to application (optional)

There are scenarios where a user with delegated permissions is required to perform some operations. In this case, just assigning the API permissions to our app is not enough. One such scenario is the "Reset User Password" action. When updating the passwordProfile property, the "Directory.AccessAsUser.All" permission is required, which is available only as a delegated permission; that is why the update of the password profile will fail regardless of what permissions are assigned to the app. Of course, one can create multiple child aliases and use the "Authorization Code" grant flow to perform such operations. But the better solution is to add the necessary and sufficient roles to our application so that it can perform duties that would otherwise require a user with delegated permission. This can be achieved with PowerShell modules and is a one-time effort on the server side only.
There are two versions of the PowerShell module that you can use to connect to Office 365 and administer user accounts, groups, and licenses:

- Azure Active Directory PowerShell for Graph
- Microsoft Azure Active Directory Module for Windows PowerShell

NOTE: Here we will be using the "Password Administrator" role since this is the minimum role for password management. You may need to assign higher privileged roles like "Helpdesk Administrator" to perform other necessary user management functions. For more information about the roles provided by Azure, see Azure AD built-in roles.

A. Azure Active Directory PowerShell for Graph

§ Install the AAD PowerShell V2.0 module and log in

    Install-Module AzureAD
    Connect-AzureAD

§ Get the ObjectId of our application

    $myAppName = "<your_app_name>"
    $myApp = Get-AzureADServicePrincipal -SearchString $myAppName
    $objectID = $myApp.ObjectId

§ Add the role member

    $myAADRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Password Administrator' }
    Add-AzureADDirectoryRoleMember -ObjectId $myAADRole.ObjectId -RefObjectId $objectID

B. Microsoft Azure Active Directory Module for Windows PowerShell

§ Install the MSOnline module and log in

    Install-Module -Name MSOnline

If you are using macOS with .NET Core, you need to import the module explicitly:

    Import-Module MSOnline
    Connect-MsolService

§ Get the ObjectId of our application

    $tenantID = "<Tenant ID>"
    $appID = "<Application ID>"
    $myApp = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantID
    $objectID = $myApp.ObjectId

§ Add the role member

    Add-MsolRoleMember -RoleName "Password Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectID

§ If it is by chance not the role you need, you can remove it too

    Remove-MsolRoleMember -RoleName "Password Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectID
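The role assignment above silently does nothing if the "Password Administrator" role has never been activated in the tenant, because Get-AzureADDirectoryRole only returns activated roles. The following added example (not from the original article) performs the same AzureAD-module assignment but activates the role from its template when needed, skips the assignment if the service principal already holds the role, and verifies the membership afterwards; <your_app_name> is a placeholder you must replace.

```powershell
# Added example: assign Password Administrator to the app's service principal
# with the AzureAD module, activating the role if necessary, then verify it.
Install-Module AzureAD -Scope CurrentUser
Connect-AzureAD

$myAppName = "<your_app_name>"          # placeholder: display name of your app registration
$roleName  = "Password Administrator"   # minimum role for password management

# Resolve the service principal that the app registration created.
$myApp = @(Get-AzureADServicePrincipal -SearchString $myAppName)
if ($myApp.Count -eq 0) { throw "No service principal found for '$myAppName'" }
if ($myApp.Count -gt 1) { throw "'$myAppName' matched several service principals; look the app up by -ObjectId instead" }
$myApp = $myApp[0]

# Get-AzureADDirectoryRole lists only roles already activated in the tenant.
# If the role is absent, activate it from its built-in template first.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Assign only if the service principal is not already a member (safe to re-run).
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $myApp.ObjectId) {
    Write-Host "$myAppName already holds the $roleName role"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $myApp.ObjectId
    Write-Host "Added $myAppName to the $roleName role"
}

# Verify: the service principal should now appear among the role members.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $myApp.ObjectId } |
    Select-Object DisplayName, ObjectId, ObjectType
```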
4. Set up the respective Azure service as the OAuth provider

The setup procedure for each Azure service can be followed from its respective spoke documentation. The only thing you need to keep in mind is to select Default Grant Type as Client Credentials in Application Registry and the Grant Type as Client Credentials in OAuth Entity Profiles.

5. Generate an access token (optional)

An access token is needed to perform API operations. In the case of client credentials, though, there is no need to generate the token manually: it is generated automatically once you execute any action. However, there might be scenarios where an access token for Azure is already present and the new token is not able to override the existing one. In this case, it is recommended to first delete the existing token from the "Manage tokens" table. If you still need to generate the access token manually, follow these steps:

1. Search for "Credentials" in the filter navigator.
2. Select your credential.
3. Click Get OAuth Token.

Since client credentials do not require user sign-in, this will fetch the token without any sign-in prompt, and an access token will be available for performing API operations and actions.
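To see what the platform does on your behalf when it fetches the token, and to confirm that the application permissions consented in step 2 actually appear in it, here is an added example (not part of the original article) that requests a client credentials token from the Microsoft identity platform v2.0 token endpoint and decodes the token's "roles" claim. The tenant ID, client ID and client secret are placeholders; the Microsoft Graph ".default" scope is used because the page's permissions are Graph application permissions.

```powershell
# Added example: client credentials token request to Azure AD, followed by a
# check of the "roles" claim that carries the granted application permissions.
$tenantId     = "<Tenant ID>"                # placeholder
$clientId     = "<Application (client) ID>"  # placeholder
$clientSecret = "<Client Secret>"            # placeholder; keep it in a credential store, not in scripts

$tokenUri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"   # all Graph app permissions consented in step 2
    grant_type    = "client_credentials"
}

# No user sign-in: the confidential client authenticates with its own secret.
$response    = Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body -ContentType "application/x-www-form-urlencoded"
$accessToken = $response.access_token

# Decode the JWT payload (base64url without padding) into its claims.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$claims = ConvertFrom-JwtPayload -Jwt $accessToken

# App-only tokens list granted application permissions in "roles". An empty or
# missing claim means the API permissions or the admin consent from step 2 did
# not take effect, and Graph calls will fail with 403 regardless of any role.
if (-not $claims.roles) {
    Write-Warning "Token carries no 'roles' claim: check API permissions and admin consent."
} else {
    Write-Host "Granted application permissions:" ($claims.roles -join ', ')
}
Write-Host "Audience:" $claims.aud
Write-Host "Expires (UTC):" ([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime)
```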