Forum Discussion
Proper authentication type for Azure App
I want to build a simple app that anyone (who has a Microsoft, Live, or business account, so multi-tenant) can use to create a subscription so my app can pull their emails. I am unsure after reading the documentation which app permissions I should use (delegated or app).
With delegated access, I was able to run a sample flow locally, to get access and refresh tokens, which I could use to perform API calls against Graph to create a subscription for new messages, and to check the messages in a user's inbox.
But I'm not sure if that should be the correct app type, because this app will run behind the scenes. Once someone consents to using my app, this service will run automatically. They will not have to continue logging into my app or be actively on my app to use it. The issue that I can't seem to solve is, app-type doesn't seem to be correct because even if someone from an organization uses my app, I don't want the admin to have to approve the app for everyone to use, so right away it seems like app type is not the correct set of permissions. So if it's delegated, what is the pattern for storing these access tokens for a back-end system to use?
2 Replies
Worth taking a look at this:
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
- LeonPavesic, Silver Contributor
Hi helpwithazure,
To build an Azure app that accesses users' emails without active user interaction, it is better to use delegated permissions.
Here are the basic steps you can use:
- User consent: Have a consent flow to obtain the necessary permissions from the user. This typically involves the user logging in and consenting to your app's access. This will generate an access token and a refresh token.
- Store the refresh tokens securely. You can use a secure key vault or a secure database.
- Implement token rotation policies. This means refreshing the access token before it expires, typically every 50 minutes. You can use the refresh token to obtain a new access token without user interaction.
- Handle cases where a user may revoke their consent or where consent expires. In such cases, prompt the user for consent again to obtain a new refresh token.
- Use the access token to make API calls to Microsoft Graph on behalf of the user. Include the access token in the Authorization header of your HTTP requests to authenticate your requests.
Here are some useful links:
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-overview
- https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
- https://learn.microsoft.com/en-us/entra/identity-platform/scenario-desktop-acquire-token-username-password
- https://learn.microsoft.com/en-us/azure/key-vault/
- https://learn.microsoft.com/en-us/rest/api/keyvault/keys/encrypt/encrypt
- https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual
- https://auth0.com/docs/secure/tokens/token-best-practices
- https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
- https://learn.microsoft.com/en-us/graph/
- https://learn.microsoft.com/en-us/graph/call-api
- https://learn.microsoft.com/en-us/graph/auth-v2-user
Kindest regards,
Leon Pavesic
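The steps in the reply above (store the refresh token, refresh the access token before it expires, handle a revoked or expired consent, call Graph with a Bearer header), worked through as one background service. This is an added example, not code from the thread or from Microsoft. It assumes a multi-tenant confidential client whose user has already completed the authorization-code flow with the scopes `offline_access` and `Mail.Read`, and that the resulting refresh token was handed to this service; the in-memory `store` dict stands in for Key Vault or an encrypted database, and the HTTP transport is injectable so the module runs offline. `GraphMailService`, `UserTokens` and `ConsentRequired` are names chosen here, not Graph SDK types.

```python
"""Background Microsoft Graph mail access with delegated permissions (added example)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# "common" lets any Microsoft account or work/school tenant use the app.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
GRAPH_MESSAGES = "https://graph.microsoft.com/v1.0/me/messages"
SCOPES = "offline_access https://graph.microsoft.com/Mail.Read"
REFRESH_SKEW_SECONDS = 300  # refresh while 5 minutes of lifetime remain, not after expiry


class ConsentRequired(Exception):
    """The refresh token no longer works (revoked, expired, password reset); re-run the consent flow."""


@dataclass
class UserTokens:
    refresh_token: str               # long-lived secret: encrypt at rest (Key Vault / encrypted DB)
    access_token: Optional[str] = None  # short-lived; safe to keep only in memory
    expires_at: float = 0.0          # epoch seconds
    needs_consent: bool = False      # set once the refresh token is rejected


# Transport signature: (url, method, headers, body) -> (status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], tuple]


def urllib_transport(url, method, headers, body):
    """Real HTTP transport for use outside the tests (minimal error handling)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class GraphMailService:
    def __init__(self, client_id: str, client_secret: str, store: Dict[str, UserTokens],
                 transport: Transport = urllib_transport, now: Callable[[], float] = time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.store = store          # hypothetical stand-in for a secret store keyed by user id
        self.transport = transport
        self.now = now

    def _refresh(self, user_id: str) -> UserTokens:
        """refresh_token grant against the token endpoint; no user interaction involved."""
        tokens = self.store[user_id]
        body = urllib.parse.urlencode({
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "grant_type": "refresh_token",
            "refresh_token": tokens.refresh_token,
            "scope": SCOPES,
        }).encode()
        status, payload = self.transport(
            TOKEN_ENDPOINT, "POST", {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            if payload.get("error") == "invalid_grant":
                # Standard OAuth error for a dead refresh token: stop retrying, ask the user to consent again.
                tokens.needs_consent = True
                tokens.access_token = None
                raise ConsentRequired(user_id)
            raise RuntimeError(f"token endpoint error {status}: {payload.get('error')}")
        tokens.access_token = payload["access_token"]
        tokens.expires_at = self.now() + int(payload.get("expires_in", 3600))
        # The identity platform may return a new refresh token; persist it so rotation does not lock us out.
        if payload.get("refresh_token"):
            tokens.refresh_token = payload["refresh_token"]
        return tokens

    def access_token_for(self, user_id: str) -> str:
        tokens = self.store[user_id]
        if tokens.needs_consent:
            raise ConsentRequired(user_id)
        if not tokens.access_token or tokens.expires_at - self.now() < REFRESH_SKEW_SECONDS:
            tokens = self._refresh(user_id)
        return tokens.access_token

    def list_recent_messages(self, user_id: str, top: int = 5) -> list:
        """Call Graph on behalf of the user with the access token in the Authorization header."""
        token = self.access_token_for(user_id)
        url = f"{GRAPH_MESSAGES}?$top={top}&$select=subject,from,receivedDateTime"
        status, payload = self.transport(url, "GET", {"Authorization": f"Bearer {token}"}, None)
        if status == 401:
            # Token rejected server-side before its local expiry: force one refresh and retry once.
            self.store[user_id].access_token = None
            token = self.access_token_for(user_id)
            status, payload = self.transport(url, "GET", {"Authorization": f"Bearer {token}"}, None)
        if status != 200:
            raise RuntimeError(f"Graph error {status}")
        return payload.get("value", [])
```

The design point is that only the refresh token is durable state; access tokens are re-derived on demand and never written to the store, and a rejected refresh token flips the user into a `needs_consent` state so the background job stops hammering the token endpoint and surfaces a re-consent prompt instead.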