Using a certificate to impersonate a user

David 41 Reputation points
2022-09-22T18:38:31.853+00:00

I have a web application that requires a signed-in AzureAD user. It has REST APIs available that use JWT/Bearer Token authentication.

I want to write an integration with Flow that uses the APIs.

I can get a token for a user by POST'ing to 'https://login.microsoftonline.com/158a3db1-MY_AAD_TENANT_ID-9879cd33a132/oauth2/token' with body:
grant_type=password&client_id=49cb6c22-MY_APP_REG-3803b2b5656f&username=workflow@mydomain.onmicrosoft.com&password=Pass@word1&resource=https://thewebapp.com

Obviously having a plain text password there is bad, and the user must have MFA disabled.
I would like to use a certificate (or secret?) to get an auth token for my 'workflow@mydomain.onmicrosoft.com' user for this application.

Is that even possible? How?


Accepted answer
  1. 2022-09-23T00:47:27.133+00:00

    Hello @David and thanks for reaching out. Azure AD applications do not impersonate users but can act on their behalf. To get a user access token securely it's recommended to use an interactive approach such as the authorization flow. This can also provide a refresh token which can be exchanged for a new access and refresh token set, thus reducing the credential prompting.

    If you cannot authenticate interactively then the other option is to authenticate like an app using the client credentials flow. Keep in mind app permissions are high level permissions and must be carefully configured.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    1 person found this answer helpful.
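The accepted answer points to the client credentials flow as the non-interactive option. The following is an added example (not code from the thread or from Microsoft) showing what that request looks like when the app authenticates with a certificate instead of the plaintext password in the question: the client signs a short-lived RS256 JWT (the "client assertion") with its private key, the `x5t` header carries the SHA-1 thumbprint of the uploaded certificate, and the assertion replaces `username`/`password` in the POST body to the same v1 `/oauth2/token` endpoint. The tenant ID, client ID and certificate are placeholders or generated on the fly so the block runs offline; `verifyAssertion` mirrors the checks the token service performs (signature, `aud`, `iss`, validity window) so you can see why a leaked assertion is far less useful than a leaked password. Note that, as the answer says, the resulting token is an app-only token, not a token for the `workflow@` user.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed placeholders; real values come from the Azure AD app registration.
const (
	tenantID = "00000000-TENANT-ID-PLACEHOLDER"
	clientID = "00000000-CLIENT-ID-PLACEHOLDER"
	resource = "https://thewebapp.com" // resource from the question (v1 endpoint)
)

func tokenEndpoint(tenant string) string {
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/token"
}

// newSelfSignedCert generates a throwaway key pair so the example runs offline.
// In production the private key stays in a key vault/HSM and only the public
// certificate is uploaded to the app registration.
func newSelfSignedCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "workflow-client (placeholder)"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildClientAssertion creates the RS256 JWT used as a certificate credential:
// x5t = base64url(SHA-1 of DER cert) lets the token service find the matching
// uploaded certificate; aud is the token endpoint; iss/sub are the client ID;
// the lifetime is a few minutes so a captured assertion is useless quickly.
func buildClientAssertion(key *rsa.PrivateKey, cert *x509.Certificate, client, aud string, now time.Time) (string, error) {
	thumb := sha1.Sum(cert.Raw)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])})
	jti := make([]byte, 16) // unique ID so the service can reject replays
	if _, err := rand.Read(jti); err != nil { return "", err }
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": aud, "iss": client, "sub": client, "jti": b64url(jti),
		"nbf": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64url(sig), nil
}

// clientCredentialsBody is the form body for the v1 endpoint from the question,
// with grant_type=password and the plaintext password replaced by the assertion.
func clientCredentialsBody(client, assertion, res string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_id", client)
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	v.Set("resource", res)
	return v.Encode()
}

// verifyAssertion mirrors the token service's checks: signature against the
// registered certificate, then audience, issuer and the nbf/exp window.
func verifyAssertion(assertion string, cert *x509.Certificate, client, aud string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 { return fmt.Errorf("malformed JWT") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil { return err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok { return fmt.Errorf("not an RSA certificate") }
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return err }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return err }
	var c struct{ Aud, Iss string; Nbf, Exp int64 }
	if err := json.Unmarshal(raw, &c); err != nil { return err }
	if c.Aud != aud || c.Iss != client { return fmt.Errorf("aud/iss mismatch") }
	if now.Unix() < c.Nbf || now.Unix() >= c.Exp { return fmt.Errorf("assertion outside validity window") }
	return nil
}

func main() {
	key, cert, err := newSelfSignedCert()
	if err != nil { panic(err) }
	assertion, err := buildClientAssertion(key, cert, clientID, tokenEndpoint(tenantID), time.Now())
	if err != nil { panic(err) }
	fmt.Println(clientCredentialsBody(clientID, assertion, resource)) // POST this body to tokenEndpoint(tenantID)
}
```

The body printed by `main` is what you would POST (with `Content-Type: application/x-www-form-urlencoded`) to the same endpoint the question uses; nothing in it is a long-lived secret, the assertion is bound to one audience and expires in five minutes, and the app registration no longer needs a user account with MFA disabled. The permissions granted to the app are application permissions, which, as the accepted answer warns, should be scoped as narrowly as the API allows.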

1 additional answer

  1. David Broggy 5,986 Reputation points MVP
    2023-02-05T00:19:27.4833333+00:00

    If I may add an extra point to Alfredo's solution, there is another option named "Continuous Access Evaluation" which can auto generate new tokens IF your application supports this feature.

    Only a handful of Microsoft apps support it (SharePoint, Exchange, Teams) and if you're developing your own apps there's an API available.

    Reference:

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-continuous-access-evaluation

