@ExchangeOnline444, Thank you for reaching out. Regarding figuring out the OAuth flow best suited for your app, I would like to share some of my thoughts around this. To start with, we always need to figure out who the audience is for whom we need the token, and who needs that token, whether a user or an application. We decide who needs the token (user/application) based on what kind of operations have to be performed. Suppose we have an application where the user logs in to check his/her own profile; in this case, it's the user under whose context the token would be issued by AAD, and the audience would be Graph. A similar thing goes for applications too.
Now the second part is to decide what type of permissions are required. There are two types of permissions available in AAD as a broader category:
- Application Permissions: Only used when the token has to be requested in the application's context and the flow being used is the Client Credentials flow. These permissions mainly require an admin to consent, since applications cannot provide consent for themselves.
- Delegated Permissions: Used only when the token has to be requested in the user's context, and the flow can be any of the OAuth flows dealing with user authentication, like the Auth Code Grant flow. These can contain permissions that might need admin or user consent, depending on the type of permission being added.
Once you have the permissions category finalized, then comes the part of choosing the right permissions. This totally depends on the function of the application; if it's calling any type of API, let's say the Graph API, then the recommended permissions required for that Graph API to function can be found in that Graph API's respective official documentation.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
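As an added example, not part of the answer above: the user-context versus application-context distinction it describes can be checked directly on an issued AAD access token, because delegated permissions arrive in the `scp` claim and application permissions in the `roles` claim. The sample tokens, placeholder ids and the assumed Graph audience string `https://graph.microsoft.com` are constructed for the example; signature verification is deliberately out of scope and would be done separately.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Return the JWT payload claims. Does NOT verify the signature; use it only
    to inspect which context and audience a token was issued for."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def classify_token(token: str, expected_audience: str = "https://graph.microsoft.com") -> dict:
    """User context (delegated permissions, e.g. auth-code flow) shows up as an 'scp'
    claim; application context (application permissions, client-credentials flow)
    shows up as a 'roles' array with no 'scp'. Also check the audience."""
    claims = decode_payload(token)
    if "scp" in claims:
        context, permissions = "user", claims["scp"].split()
    elif "roles" in claims:
        context, permissions = "application", list(claims["roles"])
    else:
        context, permissions = "unknown", []
    return {
        "context": context,
        "permissions": permissions,
        "audience": claims.get("aud"),
        "audience_ok": claims.get("aud") == expected_audience,
    }

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token (alg 'none', empty signature) purely so
    the classifier can be exercised offline; a real validator must reject these."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

# Constructed sample tokens with placeholder ids (not real tenants, users or apps).
USER_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read",
                                  "oid": "00000000-0000-0000-0000-000000000001"})
APP_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"],
                                 "appid": "00000000-0000-0000-0000-0000000000aa"})
WRONG_AUDIENCE_TOKEN = make_unsigned_token({"aud": "api://my-own-api", "scp": "access_as_user"})

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("app", APP_TOKEN), ("wrong-aud", WRONG_AUDIENCE_TOKEN)):
        print(name, classify_token(tok))
```

Real Graph tokens may carry the Graph application id GUID rather than the URI in `aud`, so a production check should accept whichever form the tenant issues.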