Slidedeck presented during a webinar i held on 15th November 2023 about how to consume Microsoft Graph API using application level permissions. Webinar Recording https://youtu.be/yVK8WQz5qnU

1. Microsoft Graph API and
OutSystems
Application Permissions
Access Microsoft Cloud Services via Graph API in
OutSystems
Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder

2. Fundamentals
 Introduction to Microsoft Graph API
 Understanding OAuth 2.0
 Access and OpenId Connect Tokens
 Microsoft Identity Provider
 Grant Types
 Microsoft Graph API Scopes and Permissions
Agenda
Implementation
 Prerequisites
 Register an application with Microsoft Identity Provider
(Entra ID)
 Akquire a server-to-server access token via Oauth 2.0 Client
Credentials flow
 Consume Graph API endpoints with OutSystems
 Securing Client Secrets

3. Introduction to Microsoft Graph
API
Microsoft Graph API is a RESTful web API that enables you to
access Microsoft Cloud service resources.
It provides a unified programmability model that you can use to
access the data in Microsoft 365, Windows 10, and Enterprise
Mobility + Security.
With Microsoft Graph, you can integrate various Microsoft
services like Outlook, Microsoft Teams, OneDrive, and more into
your applications.
Outlook
People
Sharepoint
Teams
Microsoft Graph API
Your Application

4. Understanding OAuth 2.0 – Access and OpenId Connect Tokens
Access Token
An OAuth 2.0 Access Token is a credential used to access
protected resources on behalf of a resource owner.
Issued by the authorization server, it represents the grant of
access given to a client application.
This token does not contain information about the user's
identity; instead, it is used to access APIs securely.
OpenId Connect Token
An OpenID Connect Token is an identity token provided by
the OpenID Connect protocol, which is built on top of the
OAuth 2.0 framework.
This token contains claims about the authentication of an end
user and provides an additional layer of identity validation.
It's typically a JSON Web Token (JWT) that includes
information such as the user's identity, the authentication
method used, and the token's validity period.

5. Understanding OAuth 2.0
Microsoft Identity Provider
Microsoft Identity Platform is a set of identity and access
management tools, which facilitates secure sign-in and
authorization for applications.
It integrates advanced identity capabilities, such as single sign-on
(SSO), multi-factor authentication (MFA), and conditional
access policies, across a wide range of Microsoft and third-party
cloud applications.
The platform is built on top of industry-standard protocols like
OAuth 2.0 and OpenID Connect.
Microsofts Identity Platform Entra is the
Identity Provider that protects all resources
and APIs in your tenant, including Graph API.
Microsoft Entra

6. Understanding OAuth 2.0 – Grant Types
Client Credentials Flow
The OAuth 2.0 Client Credentials
flow is a way for applications to
access a service API using their own
credentials, rather than
impersonating a user.
This flow is typically used for server-
to-server interactions that must run
in the background, without
immediate interaction with a user.
It involves directly requesting an
access token from the identity
provider using the application's client
ID and secret.
Device Code Flow
The OAuth 2.0 Device Code flow is
designed for devices that either do
not have a browser or have limited
input capabilities.
In this flow, the device displays a
code and asks the user to enter this
code on a second device (like a
smartphone) which has a browser.
Once the user enters the code and
authenticates, the device can obtain
an access token
Authorization Code Flow
The OAuth 2.0 Authorization Code
flow is designed for applications to
access a service API on-behalf of a
user.
This flow requires the user to be
redirected to the identity provider to
authenticate, after which they are
redirected back to the application
with an authorization code. This code
is then exchanged for an access
token by the application backend
using a client secret.
Authorization Code Flow with Proof
Key Exchange (PKCE) is designed for
applications that cannot securely
store a client secret.

7. Microsoft Graph API
Scopes and Permissions
Microsoft Graph API scopes, or permissions, define the
level of access that an application has to Microsoft Graph
data. They can be categorized into two types:
 Application Permissions
 User Permissions (Delegated Permissions)
The choice between these permissions depends on the
type of application, the data it needs to access, and
whether it operates in the context of a signed-in user or
not.
Acting as Application
Acting as Application
On behalf of a User

8. Implementation

9. Prerequisites
 Access to your Azure Tenant using the Azure Portal
 Cloud Application Administrator role assigned to your user
account to register an application in your tenant.

10. Walkthrough

11. Best Practices
 Register an application per OutSystems application. Do not
create “super”-credentials.
 Do not store your client secret in plain text anywhere. Either
encrypt it or use an external credential store like AWS
Secrets Manager or HashiCorp Vault.
 Build a central OutSystems Access Token Retrieval Service.
 Do not use the hardcoded client credentials built in
support. Client Secrets should rotate over time, and you
would have to redeploy every time your client secret
changes.

12.  Master OAuth 2.0 Website
 Microsoft Developer Program
 Azure Portal
 Use the Microsoft Graph API documentation
 Microsoft Graph Permission Reference
 Microsoft Graph Explorer
 OAuth Token Exchange Forge component
 CryptoAPI Forge component
Additional Links

13. Stefan Weber
Senior Director Software Development
Telelink Business Services Germany GmbH
OutSystems MVP – AWS Community Builder
https://www.tbs.tech
https://www.linkedin.com/in/stefanweber1/
https://lcnc.blog