Proper authentication type for Azure App

Hi helpwithazure,

To build an Azure app that accesses users' emails without active user interaction, it is better to use delegated permissions.

Here are the basic steps you can use:

1. User consent: Have a consent flow to obtain the necessary permissions from the user. This typically involves the user logging in and consenting to your app's access. This will generate an access token and a refresh token.
2. Store the refresh tokens securely. You can use a secure key vault or a secure database.
3. Implement token rotation policies. This means refreshing the access token before it expires, typically every 50 minutes. You can use the refresh token to obtain a new access token without user interaction.
4. Handle cases where a user may revoke their consent or where consent expires. In such cases, prompt the user for consent again to obtain a new refresh token.
5. Use the access token to make API calls to Microsoft Graph on behalf of the user. Include the access token in the Authorization header of your HTTP requests to authenticate your requests.

Here are some useful links:

• https://learn.microsoft.com/en-us/entra/identity-platform/v2-overview
• https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
• https://learn.microsoft.com/en-us/entra/identity-platform/scenario-desktop-acquire-token-username-password
• https://learn.microsoft.com/en-us/azure/key-vault/
• https://learn.microsoft.com/en-us/rest/api/keyvault/keys/encrypt/encrypt
• https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual
• https://auth0.com/docs/secure/tokens/token-best-practices
• https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
• https://learn.microsoft.com/en-us/graph/
• https://learn.microsoft.com/en-us/graph/call-api
• https://learn.microsoft.com/en-us/graph/auth-v2-user