Confused about Microsoft "signed in user" and IIS app pool identity

Luan-i Jackson 40 Reputation points
2023-04-12T16:29:45.63+00:00

I have an ASP.NET MVC app hosted on premises that uses Windows Authentication. It also utilizes a service account for its app pool identity that has heightened privileges for various tasks such as database access. In this app, I would like to utilize Microsoft Graph for various tasks, such as getting information about AD and the organization hierarchy (who are the members of an AD group, who are the direct reports, creating calendar events, etc.). I've been looking through various documentation but am still confused about authorization and authentication in Graph.

  1. In web applications that utilize an app pool identity and Windows Authentication, what exactly is the "signed in user" to Microsoft Graph? Is it the actual user that signs in to the MVC app, or is it the identity in the app pool?
  2. This web app needs to have heightened privileges above any regular logged-in user, such as creating tasks or calendar events for multiple users without those users' specific consent. Do I elevate that identity so it has all heightened privileges, or do I use Application permissions?

Accepted answer
  1. Bruce (SqlWork.com) 59,051 Reputation points
    2023-04-12T16:45:51.82+00:00

    The Graph API uses a JWT bearer access token you get by calling the Azure OAuth server. It does not use Windows Authentication. The "signed in user" is the user defined in the access token.

    If your website uses Azure AD OAuth, you could have an access token that represents the user. In your case you will probably create an application ID and secret used by the server application to get an access token. You will assign a service account to this Azure AD application when you grant it Graph API access. This account will be the "signed in user".

    https://learn.microsoft.com/en-us/graph/auth-v2-service

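The following is an added example, not code from the question or the accepted answer, showing the two points the answer makes: the app obtains its own access token from Azure AD with the client credentials flow (no Windows identity and no browser user involved), and the "signed in user" is whatever the token's claims say it is. For an app-only token that is the service principal of the app registration, carrying `roles` (Application permissions) rather than a `scp` claim and a user. It assumes an existing app registration with admin-consented Application permissions, the NuGet packages `Microsoft.Identity.Client` and `System.IdentityModel.Tokens.Jwt`, and placeholder tenant/client IDs with the secret supplied through an environment variable.

```csharp
// Added example: acquire an app-only Microsoft Graph token and inspect which identity it carries.
// Assumes an Azure AD app registration with admin-consented Application permissions.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphAppOnlyTokenDemo
{
    // Placeholder values taken from the app registration (assumed, not from the original post).
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<application-client-id>";

    // The secret is read from the environment so it never lives in source or in the IIS config.
    private static readonly string ClientSecret =
        Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET")
        ?? throw new InvalidOperationException("GRAPH_CLIENT_SECRET is not set");

    public static async Task<string> AcquireAppOnlyTokenAsync()
    {
        // Client credentials flow: the application authenticates as itself.
        // Neither the app pool account nor the Windows-authenticated browser user is involved.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();

        // "/.default" requests every Application permission already granted on the registration.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        return result.AccessToken;
    }

    // Decodes the JWT to show who the "signed in user" is for this token.
    // ReadJwtToken does not check the signature; that is acceptable only because this is a token
    // we just received from Azure AD for our own use, never one presented to us by a caller.
    public static string DescribeIdentity(string accessToken)
    {
        JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        string Claim(string type) => jwt.Claims.FirstOrDefault(c => c.Type == type)?.Value;

        string scp = Claim("scp");
        if (scp != null)
        {
            // Delegated token: Graph acts as this user, limited to that user's own rights and the scopes.
            return $"Delegated token for user {Claim("upn") ?? Claim("oid")} with scopes: {scp}";
        }

        // App-only token: no user at all. The identity is the service principal (oid/appid) and the
        // permissions are the Application roles, e.g. Group.Read.All or Calendars.ReadWrite.
        string[] roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToArray();
        return $"App-only token for service principal {Claim("oid")} (appid {Claim("appid")}) " +
               $"with roles: {string.Join(", ", roles)}";
    }

    public static async Task Main()
    {
        string token = await AcquireAppOnlyTokenAsync();
        Console.WriteLine(DescribeIdentity(token));
    }
}
```

Because an app-only token is not tied to any user, Application permissions such as reading group membership or writing calendars apply to every user in the tenant at once; grant only the roles the app actually needs, and audit the admin consent for the registration as you would any privileged service account. If instead a Graph call should run as the person browsing the MVC app, that needs a delegated token obtained through an Azure AD sign-in (or on-behalf-of flow), not the IIS Windows identity.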
