Use Microsoft Entra ID to access the Windows 365 APIs in Microsoft Graph

The Microsoft Graph API supports Windows 365 as a Beta workload with specific APIs and permission roles. The Microsoft Graph API uses Microsoft Entra ID for authentication and access control. Access to the Windows 365 APIs in Microsoft Graph requires:

  • An application ID with:
    • Permission to call Microsoft Entra ID and the Microsoft Graph APIs.
    • Permission scopes relevant to the specific application tasks.
  • User credentials with:
    • Permission to access the Microsoft Entra tenant associated with the application.
    • Role permissions required to support the application permission scopes.
  • The end user to grant permissions to the app to perform application tasks for their Azure tenant.

This article:

  • Shows how to register an application with access to Microsoft Graph API and relevant permission roles.
  • Describes the Windows 365 API permission roles.

Register apps to use the Microsoft Graph API

To register an app to use Microsoft Graph API:

  1. Sign in to the Microsoft Intune admin center using administrative credentials. As appropriate, you may use:
    • The tenant admin account.
    • A tenant user account with the Users can register applications setting enabled.
  2. Select All services > Azure Active Directory > Applications > App registrations.
  3. Either choose New registration to create a new application or choose an existing application.
  4. If you chose a new registration, in the Register an application pane, specify the following:
    • A name for the application.
    • The supported account type.
    • A redirect URI value (optional).
  5. Select Register.
  6. On the Application pane:
    • Note the Application (client) ID value.
    • Select API permissions.
  7. On the API permissions pane, select Add a permission > Microsoft APIs > Microsoft Graph > select the type of permissions your application requires.
  8. Choose the roles required for your app by selecting the checkbox next to the relevant names. For best results, choose the fewest roles needed to implement your application. For more information about Windows 365 and other Graph API permission scopes, see Microsoft Graph permissions reference.
  9. When finished, select Add permissions to save your changes.

You can also grant permission for all tenant accounts to use the app without providing credentials. To do so, grant permissions and accept the confirmation prompt. When you run the application for the first time, you're prompted to grant the app permission to perform the selected roles.
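One way to check the "fewest roles" guidance in step 8 after consent has been granted, as an added example that is not part of the original article: decode the payload of an access token the app obtained and compare its `scp` (delegated) and `roles` (application) claims with the permissions the app is meant to have. The required set, the helper names and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: the only permission this hypothetical app needs.
REQUIRED = {"CloudPC.Read.All"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(token: str) -> dict:
    """Return the permissions carried by an access token's payload.

    The signature is NOT verified here: this is an inspection aid for
    reviewing a token your own app obtained, not a validation routine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    return {
        "app": claims.get("appid") or claims.get("azp"),
        "delegated": set(claims.get("scp", "").split()),  # space-separated string
        "application": set(claims.get("roles", [])),      # JSON array
    }


def excess_permissions(token: str, required: set = REQUIRED) -> set:
    """Permissions granted to the app beyond what it is documented to need."""
    perms = token_permissions(token)
    return (perms["delegated"] | perms["application"]) - required


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token so the example runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


SAMPLE = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
    "scp": "CloudPC.Read.All Directory.ReadWrite.All User.Read",
})

if __name__ == "__main__":
    for name in sorted(excess_permissions(SAMPLE)):
        print(f"over-privileged: {name}")
```

Any name the check reports is a permission to remove on the API permissions pane before the app is used in production.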

Next steps

Authorize access to web applications using OAuth 2.0 and Microsoft Entra ID.

Getting started with Microsoft Entra authentication.

Integrating applications with Microsoft Entra ID.

Understand OAuth 2.0.