Working alternative to the Resource Owner Password Credentials (ROPC) grant type

Artem Shaturskyi 220 Reputation points
2025-06-26T09:50:33.0133333+00:00

Hello!
I'm trying to create an approval item using Microsoft Graph: Create approvalItem

For some reason, only the Delegated permission type is available.
The only request I’ve found that works in this case (able to obtain a token with delegated permissions assigned to the app registration) and runs without user interaction uses ROPC:
```powershell
$headers = @{
    "Content-Type" = "application/x-www-form-urlencoded"
}

$body = @{
    grant_type    = "password"
    username      = $username
    password      = $password
    scope         = $scope
    client_id     = $clientId
    client_secret = $clientSecret
}

$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Headers $headers -Body $body

$accessToken = $response.access_token
```

However, ROPC requires disabling MFA for the user and is not recommended by Microsoft.

Are there any working authentication alternatives to ROPC that support Delegated permissions and can be executed without user interaction?

Microsoft Security | Microsoft Graph

1 answer

  1. Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
    2025-06-29T16:34:44.57+00:00

    No, not really. Flows used with delegate permissions are intended to be interactive, so for a fully automated solution you have to resort to workarounds such as using ROPC or "capturing" the refresh token of the initial interactive auth and reusing it. No good alternatives, at least until Microsoft introduces support for application permissions.
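
The refresh-token reuse mentioned in the answer above, sketched as an added example that is not part of the original thread. It assumes one interactive sign-in (with MFA) already ran with `offline_access` in the scope and its refresh token was saved as a SecureString via `Export-Clixml` on Windows; the function name and `$TokenPath` are hypothetical.

```powershell
# Added example, not code from the thread. Redeems a stored refresh token for a
# new delegated access token, so no user password is stored and MFA stays enabled.
function Get-DelegatedAccessToken {
    param(
        [Parameter(Mandatory)] [string]       $TenantId,
        [Parameter(Mandatory)] [string]       $ClientId,
        [Parameter(Mandatory)] [securestring] $ClientSecret,
        [Parameter(Mandatory)] [string]       $Scope,      # must include offline_access
        [Parameter(Mandatory)] [string]       $TokenPath   # hypothetical path to the stored token
    )

    # Assumption: the file holds a SecureString written by Export-Clixml, which on
    # Windows is DPAPI-protected and readable only by the same user on the same machine.
    $stored = Import-Clixml -Path $TokenPath

    $body = @{
        grant_type    = 'refresh_token'
        refresh_token = [System.Net.NetworkCredential]::new('', $stored).Password
        client_id     = $ClientId
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        scope         = $Scope
    }

    try {
        $response = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
            -ContentType 'application/x-www-form-urlencoded' -Body $body -ErrorAction Stop
    }
    catch {
        # A rejected refresh token (revoked, expired, sign-in policy changed)
        # cannot be repaired unattended; someone has to sign in interactively again.
        throw "Refresh token redemption failed; repeat the interactive sign-in. $($_.Exception.Message)"
    }

    # The endpoint can return a replacement refresh token: persist it so the
    # next run does not depend on the older one.
    if ($response.refresh_token) {
        ConvertTo-SecureString $response.refresh_token -AsPlainText -Force |
            Export-Clixml -Path $TokenPath
    }

    return $response.access_token
}
```

The stored refresh token is a long-lived credential for that user's delegated permissions, so restrict the file to the service account that runs the job and request only the scopes the job needs.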

