Which authentication flow and permissions to use for desktop application

ExchangeOnline444 21 Reputation points

Hi Team,

We have an application which is an archiving system and the source for this is Exchange Online. Our application is installed on every end user's desktop and we have a background service which has to be running all the time to keep the application active. We provide user credentials(Azure AD user with global admin rights) to this service, which is used to establish a connection with Exchange server and access the user mailbox and archive emails.

Currently we are using basic authentication to authenticate the users in our application. Since basic authentication is going out of support, we are working on migration from basic authentication to OAuth.

So we decided on using Client Credentials grant type to acquire access token as this approach requires minimal or zero user interaction. We registered our application and added a client secret that's used to request a token.

Now we are trying to understand which permissions(application/delegate) would be suitable in this case. Is it possible to use delegate permissions as we would want to provide permissions to our service user? If not, could you please recommend us grant type/permissions to be used in such a scenario?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,914 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. soumi-MSFT 11,651 Reputation points Microsoft Employee

    @ExchangeOnline444 , Thank you for reaching out. Regarding figuring out the OAuth flow best suited for your app, I would like to share some of my thoughts around this. To start with we always need to figure out who is the audience for whom we need the token and for who we need that token, whether a user needs it or an application. We decide on who needs the token (user/application) based on that fact that what kind of operations has to be performed. Suppose we have an application where the user logs in to check his/her own profile, in this case, its the user under whose context the token would be issued by AAD and the Audience would be graph. Similar thing goes for applications too.

    Now the second part comes in to decide what type of permissions required. There are two types of permissions available in AAD as a broader category:

    • Application Permissions: Only used when the token has to be requested in Application's context and the flow being used is Client_Credentials flow. These permissions mainly require Admin to consent, since applications cannot provide consents for themselves.
    • Delegated Permissions: Used only when the token has to be requested in User's context and the flow can be any of the OAuth flows dealing with user's auth like Auth-Code Grant Flow. These can contain permissions that might need admin or user consent and it depends on the type of permission been added.

    Once you got the Permissions category finalized, then comes the part of choosing the right permissions. Now this totally depends on the function of the application and if its calling any type of api lets say graph api, then what are the recommends permissions required for that Graph Api to function can be found in that Graph API's respective official documentation.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    0 comments No comments

  2. ExchangeOnline444 21 Reputation points

    Thanks @soumi-MSFT, that was very well explained, but we still need more clarifications.

    The operations that we perform in our application is that we use admin user to access, crawl and archive the mails using EWS API. Considering this, should it be fine to use client credentials approach?

    Also if we are using client credentials approach, can we only allow global admin users to access the mailbox instead of allowing all the users in the directory to access the mailbox? If not, could you please recommend us grant type/permissions to be used in such a scenario?