Microsoft Graph Permissions - Get Access on Behalf of a User

This article provides guidance on how an app can access Microsoft Graph on behalf of a user, also called delegated access.

In this article, you complete the following steps in using the OAuth 2.0 authorization code grant flow.

1. Request authorization.
2. Request an access token.
3. Use the access token to call Microsoft Graph.
4. [Optional] Use the refresh token to renew an expired access token.

Prerequisites

Before proceeding with the steps in this article.

1. Understand the authentication and authorization concepts in the Microsoft identity platform.
2. Register the app with Microsoft Entra ID. Register an application with the Microsoft identity platform. Save the following values from the app registration.
   • The application ID (referred to as Object ID on the Microsoft Entra admin center).
   • A client secret (application password), a certificate, or a federated identity credential. This property isn't needed for public clients like native, mobile, and single-page applications.
   • A redirect URI for the app to receive token responses from Microsoft Entra ID.

Step 1. Request Authorization.

In the request URL, you call the /authorize endpoint and specify the required and recommended properties as query parameters.

In the following example, the app requests the User. Read and Mail. Read Microsoft Graph permissions, which allow the app to read the profile and mail of the signed-in user, respectively. The offline_access permission is a standard OIDC scope that's requested so that the app can get a refresh token. The app can use the refresh token to get a new access token when the current one expires.

• Base URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/authorize?client_id=<clientId>&response_type=code&redirect_uri=<redirectUri>&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
• Method: GET
• Replace Parameters ClientID as per the app you created.
• Replace {tenantID}: The {tenantID} value in the path of the request can be used to control who can sign into the application. In our case, we can get it from the Azure app.

The allowed values are.

• Common for both Microsoft accounts and work or school accounts
• organizations for work or school accounts only
• consumers for Microsoft accounts only
• tenant identifiers such as the tenant ID or domain name.

Step 2. After the app sends the authorization request, the user is asked to enter their credentials to authenticate with Microsoft.

The Microsoft identity platform v2.0 endpoint ensures that the user has consented to the permissions indicated in the scope query parameter. If there's any permission that the user or administrator hasn't consented to, they're asked to consent to the required permissions.

You will get the response below.

https://localhost/myapp/?code=<SomeCode>&state=12345&session_state=fe1540c3-a69a-469a-9fa3-8a2470936421#

Step 3. Request an access token.

The app uses the authorization code received in the previous step to request an access token by sending a POST request to the /token endpoint. Replace Parameters ClientID, ClientSecret, and AuthorizationCode as per the app you created.

• Base URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token?client_id=<ClientID>&scope=user.read%20mail.read&code=<CodeWeGotInLastStep>&redirect_uri=<redirectUri>&grant_type=authorization_code&client_secret=<ClientSecretGeneratedwithAppCreation>
• Method: POST
• Headers: Content-Type: application/x-www-form-URL-encoded.

Token Response

{
    "token_type": "Bearer",
    "scope": "Mail.Read User.Read",
    "expires_in": 3736,
    "ext_expires_in": 3736,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4..."
}

Step 4. Use the above access token to call Microsoft Graph

After you have an access token, the app uses it to call Microsoft Graph by attaching the access token as a Bearer token to the Authorization header in an HTTP request. The following request gets the profile of the signed-in user.

• Base URL: https://graph.microsoft.com/v1.0/me
• Method: GET

You will get a Response.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [
        "425-555-0100"
    ],
    "displayName": "MOD Administrator",
    "givenName": "MOD",
    "jobTitle": null,
    "mail": "[email protected]",
    "mobilePhone": "425-555-0101",
    "officeLocation": null,
    "preferredLanguage": "en-US",
    "surname": "Administrator",
    "userPrincipalName": "[email protected]",
    "id": "10a08e2e-3ea2-4ce0-80cb-d5fdd4b05ea6"
}

Note. Access tokens are short-lived, and the app must refresh them after they expire to continue accessing resources. The app does so by submitting another POST request to the /token endpoint, this time.

Providing the refresh_token instead of the code in the request body.

Specifying refresh_token as the grant_type instead of authorization_code.

• Base URL: https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token?client_id=<ClientID>&scope=user.read%20mail.read&refresh_token=<RefreshToken>&grant_type=refresh_token&client_secret=<ClientSecret>
• Headers: Content-Type: application/x-www-form-urlencoded.

A successful token response looks similar to the following.

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1Q...",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "Mail.Read User.Read",
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMxZGUTdM0t4B4..."
}

Conclusion

Microsoft Graph permissions allow applications to securely access data and perform actions on behalf of a user within Microsoft’s cloud services. To enable access, applications use delegated permissions through the OAuth 2.0 authorization code flow, where a user explicitly consents to specific permissions. This approach provides controlled, secure access to Microsoft Graph, ensuring compliance with user roles and permissions.