Issue related to Scope in Postman

Amandeep Patro 21 Reputation points
2020-11-02T20:27:15.87+00:00

Hi Team,

While requesting the access token for Microsoft Graph using "Get access without a user", what should the scope be in this case?


Accepted answer
  1. soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator
    2020-11-03T06:50:18.61+00:00

    Hello @Amandeep Patro , thank you for reaching out. When you try to get an access-token in an application's context on behalf of the user, you need to add the application permissions in your app registration. In this case, the application goes ahead and makes Graph API calls either on behalf of the user or to perform any task on its own, and in order to do this, the app needs to have proper application permissions defined in the app registration of that app in AAD.

    [Screenshot: 37018-apppermission.png]

    You can refer to the screenshot above to understand where you can find the application permissions. Now inside application permission, which permission you need to select depends on the type of job the application has to perform. For example, based on the screenshot, I have highlighted two application permissions, i.e., Calendars.Read and Calendars.ReadWrite; with these permissions, the app is supposed to read the calendars and write a new entry in the calendars. In this way you need to identify what type of job your app has to perform and accordingly you can add the required application permission.

    Note: All application permissions need Admin consent, hence once you have added the application in the App Registration, make sure you provide admin consent to that permission set as it's mandatory for application permissions to work.

    Once you have the app registration set up with the proper application permissions, then you can use Postman to create a request for Client Credentials flow and request AAD to provide you with an access-token which can be used to call the required Graph APIs. Please refer to the screenshot.

    [Screenshot: 37092-clientcredentialsflow.png]

    Here you would find that I have used the v2.0 endpoint of AAD to request an access-token. In the scope parameter you would find I have mentioned "**https://graph.microsoft.com/.default**". If you supply the scope with /.default, it adds all the consented application permissions configured in your app registration in the issued access-token. If you want specific permissions to be present in your access-token, then you can mention the scope something like "**https://graph.microsoft.com/calendars.read**".

    You can choose between both the ways whichever suits you the best.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
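
The client credentials request described in the answer above, as an added example that is not part of the original answer: it builds the form body for the v2.0 token endpoint with the `/.default` scope and then reads the `roles` claim of the returned token to flag application permissions the app's job does not need. The tenant, client ID, and secret are placeholders, and the sample token is constructed and unsigned so the check runs offline.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for a v2.0 client credentials token request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    })
    return url, body

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_roles(access_token):
    """Application permissions in the token's 'roles' claim (signature NOT verified)."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("roles", []))

def unexpected_roles(access_token, needed):
    """Permissions present in the token that the app's job does not require."""
    return token_roles(access_token) - set(needed)

def _encode_segment(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed, unsigned sample token (not a real AAD token).
SAMPLE_TOKEN = ".".join([
    _encode_segment({"alg": "none", "typ": "JWT"}),
    _encode_segment({"aud": "https://graph.microsoft.com",
                     "roles": ["Calendars.Read", "Calendars.ReadWrite"]}),
    "sig",
])
```

Send the body as `application/x-www-form-urlencoded` in a POST to the returned URL; a non-empty result from `unexpected_roles` means the app registration holds more consented application permissions than the task needs.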


1 additional answer

  1. Amandeep Patro 21 Reputation points
    2020-11-03T14:34:38.087+00:00

    Hi Soumi,

    I have some other issues as well. Is it possible to have a quick call?

    As I am trying to perform the access without a user.
