use of createMicrosoftGraphClient() in SSO-enabled personal tab app (is it secure? does it have limitations?)

Juan Carrilho 31 Reputation points
2022-08-26T16:49:50.84+00:00

I'm developing a personal tab app and my goal was to manage the current user's MS365 contacts, so I did some research and found out that the best way to achieve this was by enabling SSO

the first thing I tried out was a template of an SSO-enabled personal tab app available from the VSCode Teams Toolkit Extension, and I was very surprised I could easily achieve my goal by tweaking some code in this template that implements a createMicrosoftGraphClient API, and now my plan is to use this code in my own app

but the reason I was surprised is that in almost every tutorial I've seen it was stated that I would need to build a backend to make the SSO token exchange and the Graph calls (for security reasons), but I didn't have to using this template that apparently also doesn't implement any backend, so I have some questions:

  • is using createMicrosoftGraphClient() secure to make Graph calls from the client side?
  • does it have some limitation compared to if I had built a backend server, or does it work just the same?

Accepted answer
Sayali-MSFT 2,266 Reputation points Microsoft Vendor
2022-08-30T05:54:18.093+00:00

    There is nothing unsafe about making Graph calls from the client. If the requests are being used to merely render the UI, then it is fine. However, an app should not use the output of that API for any sort of authz logic because the end-user could easily tamper with the result.

    For any authz assertions, calls to Graph must be made from a backend server.

    Thanks,

    Sayali



