0 Votes
ExchangeOnline444-2641 asked soumi-MSFT edited

Which authentication flow and permissions to use for desktop application

Hi Team,

We have an application which is an archiving system, and the source for this is Exchange Online. Our application is installed on every end user's desktop, and we have a background service which has to be running all the time to keep the application active. We provide user credentials (an Azure AD user with global admin rights) to this service, which is used to establish a connection with the Exchange server, access the user mailbox and archive emails.

Currently we are using basic authentication to authenticate the users in our application. Since basic authentication is going out of support, we are working on migration from basic authentication to OAuth.

So we decided on using the Client Credentials grant type to acquire an access token, as this approach requires minimal or zero user interaction. We registered our application and added a client secret that's used to request a token.

Now we are trying to understand which permissions (application/delegate) would be suitable in this case. Is it possible to use delegate permissions, as we would want to provide permissions to our service user? If not, could you please recommend a grant type/permissions for us to use in such a scenario?

azure-active-directory

0 Votes
soumi-MSFT answered

@ExchangeOnline444-2641, Thank you for reaching out. Regarding figuring out the OAuth flow best suited for your app, I would like to share some of my thoughts around this. To start with, we always need to figure out who the audience is for whom we need the token and for whom we need that token, whether a user needs it or an application. We decide on who needs the token (user/application) based on what kind of operations have to be performed. Suppose we have an application where the user logs in to check his/her own profile; in this case, it's the user under whose context the token would be issued by AAD, and the audience would be Graph. A similar thing goes for applications too.

Now the second part comes in: deciding what type of permissions are required. There are two types of permissions available in AAD as a broader category:

  • Application Permissions: Only used when the token has to be requested in the application's context and the flow being used is the Client_Credentials flow. These permissions mainly require an admin to consent, since applications cannot provide consent for themselves.

  • Delegated Permissions: Used only when the token has to be requested in the user's context, and the flow can be any of the OAuth flows dealing with user auth, like the Auth-Code Grant Flow. These can contain permissions that might need admin or user consent, and it depends on the type of permission being added.

Once you have the permissions category finalized, then comes the part of choosing the right permissions. Now this totally depends on the function of the application, and if it's calling any type of API, let's say the Graph API, then the recommended permissions required for that Graph API to function can be found in that Graph API's respective official documentation.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
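As an added example (not code from this thread, from Microsoft, or from the asker's product), the following Python shows the two halves of the answer above side by side: what a Client_Credentials token request for Exchange Online looks like when no user is involved, and how to tell from a returned token's claims whether it carries application permissions (the `roles` claim, app-only context) or delegated permissions (the `scp` claim, a signed-in user's context). The token endpoint, the EWS scope and the sample claim values are assumptions not stated in the thread; the test JWT is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed values (not from the thread): Azure AD v2.0 token endpoint and the EWS
# resource scope; ".default" asks for every application permission already consented.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
EWS_SCOPE = "https://outlook.office365.com/.default"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for an app-only token request.
    No user is involved: the token is issued in the application's context,
    so only application permissions (never delegated ones) end up in it."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": EWS_SCOPE,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permission_type(jwt):
    """Classify an access token by its payload claims. The signature is NOT
    verified, so this is for inspection only, never for an authorization decision.
    Azure AD puts application permissions in 'roles' and delegated ones in 'scp'."""
    claims = json.loads(_b64url_decode(jwt.split(".")[1]))
    if "scp" in claims:
        return "delegated"       # a signed-in user's context (e.g. Auth-Code Grant)
    if "roles" in claims:
        return "application"     # app-only context (Client_Credentials)
    return "none"                # token carries no permission of either kind


def build_unsigned_jwt(claims):
    """Constructed sample token for offline testing: header.payload. (empty signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Inspecting `roles` versus `scp` on a real token is the quickest way to confirm which permission category the registration actually granted before the archiving service goes live.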


0 Votes
ExchangeOnline444-2641 answered soumi-MSFT edited

Thanks @soumi-MSFT, that was very well explained, but we still need more clarifications.


The operation that we perform in our application is that we use an admin user to access, crawl and archive the mails using the EWS API. Considering this, should it be fine to use the client credentials approach?


Also, if we are using the client credentials approach, can we only allow global admin users to access the mailbox instead of allowing all the users in the directory to access the mailbox? If not, could you please recommend a grant type/permissions for us to use in such a scenario?



@ExchangeOnline444-2641, In the Client_Credentials flow, it's always the application that goes ahead and requests a token to access a resource, and hence it's a completely silent and non-interactive logon that happens. As you mentioned, you guys are using an admin account, which in turn is a user; hence in this case the user has to get a token from AAD to access a resource, so the OAuth flow to be used is the Auth-Grant Flow.

Hope I am able to give you an understanding. If you feel I am missing something or failing to explain it to you, please do drop an email to azcommunity[at]microsoft[dot]com so that we can connect offline and discuss this in more detail.

0 Votes

Thanks @soumi-MSFT .


I initiated a thread on the above discussion on Jun-17 and have not received any response. Kindly look into it at the earliest, as our team has to roll out the OAuth 2.0 feature for our application, as basic auth is going out of support.


0 Votes
soumi-MSFT · ExchangeOnline444-2641

@ExchangeOnline444-2641, I apologize for the delay in my response; somehow I missed the earlier email that you had sent. I have got the recent email sent by you, and let me get back to you on that.


0 Votes