[Feature Request] It should be possible to use GraphServiceClient to call graph APIs requiring app only permissions
Is your feature request related to a problem? Please describe.
When developers want to call graph to call an app only method, the current GraphServiceClient cannot be used as it uses GetTokenForUserAsync. See https://github.com/AzureAD/microsoft-identity-web/blob/f609eeef9e69cee9c997bb73fb98d7c180d845af/src/Microsoft.Identity.Web.MicrosoftGraph/TokenAcquisitionCredentialProvider.cs#L39
number of customers hitting this issue so far: 2
Describe the solution you’d like
Have a way to call app only methods (corresponding to App-only scopes)
Describe alternatives you’ve considered
- enable a second GraphServiceClient to be injected (with a different type?). Maybe a class named AppOnlyGraphServiceClient which would have only one property which would be the GraphServiceClient, or which would inherit from GraphServiceClient.
- have an extension method on GraphServiceClient which would specify that the developer wants to have an app-only and then use it GetTokenForUserAsync. See https://github.com/AzureAD/microsoft-identity-web/blob/f609eeef9e69cee9c997bb73fb98d7c180d845af/src/Microsoft.Identity.Web.MicrosoftGraph/TokenAcquisitionCredentialProvider.cs#L39
Additional context
See the ASP.NET Core Graph web hooks sample where the GraphServiceClient can only be used for delegated scopes:
Issue Analytics
- State:
- Created 3 years ago
- Comments:23 (7 by maintainers)
Top GitHub Comments
Included in 1.2.0 release.
cc: @darrelmiller @baywet @pschaeflein @1iveowl
I don’t think relying on this additional method should be the main option.
If a customer has a business service that does a bunch of calls to Microsoft graph with that approach they need to update all my service calls and muddy the business service with the concern of the auth.
Relying on service dependency injection would allow them to configure things at the moment they configure ms id web and then swap/pass graph service clients to depending services based on the scenario.
Additionally the addGraph methods should accept a Func<ITokenaquisition,GraphServiceClient> so people can fully configure the graph service client as they see fit without placing a burden on ms id web to expose additional methods.
Sorry for the badly formatted comment, I’m on my phone
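
The first alternative from the issue (a separately injected app-only client), sketched as an added example that is not part of the thread and not code from Microsoft.Identity.Web. `AppOnlyGraphServiceClient` is the hypothetical class name from the issue and `AddAppOnlyMicrosoftGraph` is a hypothetical helper; the sketch assumes a Microsoft.Graph SDK version that still ships `DelegateAuthenticationProvider` and that `ITokenAcquisition` is already registered by Microsoft.Identity.Web.

```csharp
// Added example: a distinct injectable type for app-only Graph calls, so that
// use of application permissions is visible in a service's constructor instead
// of being switched on per request.
using System.Net.Http.Headers;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
using Microsoft.Identity.Web;

public sealed class AppOnlyGraphServiceClient
{
    // Client-credentials tokens are requested with "<resource>/.default";
    // the application permissions come from what was consented on the app registration.
    private const string GraphDefaultScope = "https://graph.microsoft.com/.default";

    // The single property described in the issue.
    public GraphServiceClient Client { get; }

    public AppOnlyGraphServiceClient(ITokenAcquisition tokenAcquisition)
    {
        Client = new GraphServiceClient(new DelegateAuthenticationProvider(async request =>
        {
            // Acquire a token for the application itself; no signed-in user is involved,
            // so the user-token path referenced in the issue is never taken.
            string token = await tokenAcquisition.GetAccessTokenForAppAsync(GraphDefaultScope);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        }));
    }
}

public static class AppOnlyGraphServiceCollectionExtensions
{
    // Hypothetical registration helper (not a Microsoft.Identity.Web method).
    // Scoped lifetime is an assumption chosen to match a scoped ITokenAcquisition.
    public static IServiceCollection AddAppOnlyMicrosoftGraph(this IServiceCollection services)
        => services.AddScoped<AppOnlyGraphServiceClient>();
}
```

A service that needs application permissions takes `AppOnlyGraphServiceClient` in its constructor, while services that act for the signed-in user keep injecting `GraphServiceClient`, which makes each app-only code path easy to find in review.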