First things first: You need to register your app in Azure. You could let a user log in to your tenant. But this is cumbersome for scripts running from the command line. Running it automated, via cron or such, would be hard if possible, at all. So, register your app.
When you’re done you should have the following information:
The process of registering an app is documented quite wel. For instance, this site. But it always comes down to registering your application and creating secrets for it. I’ll walk you through both and give you my considerations.
Below a screenshot of the Azure app registrations in the Azure Active Directory for my development tenant. As you can see there is just one registration for “TestBot”.
A new Azure app registration can be made by clicking on “New registration”. You wil be prompted for some information:
To be quite honest: I’m not sure if it matters a whole lot what you fill in here. I always give a descriptive name, choose for “single tenant” acces and leave the redirect URI blank. The application is going to connect with the app-id and app-secret. Users do not login interactively.
After you click “register” you do get some information:
Please take note of the “Application (client) ID” and “Directory (tenant) ID”. You will need those later.
Keep your registrations as specific as possible. Don’t create a registration which will be used by several apps. Be task specific. That way you can revoke an apps access by removing the registration.
Creating a secret
For an app you’ll need a client secret (or certificate). To make a secret click on “Add a certificate or secret” , click on “New client secret”, fill in name for the secret and choose how long you want the secret to be valid. That’s it, nothing more to it.
Copy the hex string which is given under “Value”. This is the passphrase, you can’t look this up later.
You could also use a certificate. I’ve not tested that. You’re on your own.
You can use the app-id and the app-secret to authenticate you app with MS Azure. But this is only half the work: you’ll have to authorize the app to do “something” with the Graph API.
Authorizations are managed in de “API permissions” section:
Here you see that the default MS Graph permission is “User.read”. Click on “Add a permission” to add a permission. After clicking on “Microsoft Graph” click on “Application permissions” since we are going to use an app to connect to MS Graph.
For now I add “Group.Read.All”, since I’m going to read the groups in the tenant. I can always add persmissions when needed. Please note that admin consent is required for this. This means a tenant administrator has to consent with this persmission.
You can click on “Grant admin consent for …” to consent. Duh 😀
Permissions is a bit of a bitch. It’s not always clear up front what permission you need to do a certain task. Don’t walk into the pitfall of granting too many permissions. As always, it’s better to give as little as possible. Limit the damage your app can do when going south. Read the documentation for a certain function before granting rights.
Finally, you’ll need 2 endpoints. You can check them for your tenant by clicking on “Endpoints” on the “Overview” page.
You need the “OAuth 2.0 token endpoint (v1)” for authenticating your app and the “Microsoft Graph API endpoint” to make the actual API calls.