For calling Microsoft Graph from a daemon (no user interaction) with tenant ID, client ID, and a certificate, the recommended and simplest approach is to use the OAuth 2.0 client credentials flow and let an authentication library (MSAL) handle the token acquisition instead of manually building client_assertion.
Key points from the platform behavior:
- For app-only access, use application permissions on Microsoft Graph (for SharePoint data, typically Sites.Read.All or Sites.FullControl.All on Graph, granted with admin consent).
- The app obtains an access token from Microsoft Entra ID using the client credentials grant.
- The access token is then sent as a Bearer token in the Authorization header when calling Microsoft Graph.
1. Token acquisition pattern (client credentials)
The Microsoft identity platform supports the client credentials flow with either a shared secret or a certificate. With a certificate, the token request looks like this:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Body parameters (certificate-based):
- tenant: Directory tenant ID or domain.
- client_id: Application (client) ID.
- scope: Resource identifier + /.default; for Microsoft Graph: https://graph.microsoft.com/.default.
- client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
- client_assertion: A JWT signed with the certificate registered as a credential for the app.
- grant_type: client_credentials.
This is described in the client credentials documentation and is the correct pattern for a daemon or background process.
2. Avoiding manual JWT construction
Instead of hand-building client_assertion in jDeveloper, use an authentication library that:
- Creates and signs the client assertion JWT with the certificate.
- Sends the correct POST request to /oauth2/v2.0/token.
- Caches and refreshes tokens.
The Microsoft Authentication Library (MSAL) is designed for this purpose and is available for multiple platforms. The guidance explicitly recommends using authentication libraries to manage token interactions because they abstract protocol details such as validation, token caching, and secure connections.
If jDeveloper cannot directly use MSAL, a common pattern is:
- Implement a small service (for example, in .NET or Java with MSAL) that exposes an internal endpoint to obtain tokens or to proxy Graph calls.
- jDeveloper calls this internal service instead of implementing the OAuth protocol itself.
3. Using the access token with Microsoft Graph
Once an access token is obtained, call Microsoft Graph by including it in the Authorization header:
GET https://graph.microsoft.com/v1.0/sites/{site-id}/ HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer {access_token}
The access token is a JWT containing claims about the app (and user if delegated). For app-only scenarios, the claims represent the application permissions granted. Microsoft Graph validates these claims and authorizes the operation.
4. Summary of practical options
- Preferred: Use MSAL in a component that jDeveloper can call (directly or via a small service) to avoid manual JWT creation.
- If manual implementation is required, follow the documented client credentials flow with certificate-based client_assertion and scope set to https://graph.microsoft.com/.default.