Choose a Microsoft Graph authentication provider based on scenario
Authentication providers implement the code required to acquire a token using the Microsoft Authentication Library (MSAL); handle a number of potential errors for cases like incremental consent, expired passwords, and conditional access; and then set the HTTP request authorization header. The following table lists the set of providers that match the scenarios for different application types.
Scenario | Flow/Grant | Audience | Provider |
---|---|---|---|
Single Page App | Implicit | Delegated Consumer/Org | Implicit Provider |
Web App that calls web APIs | Authorization Code | Delegated Consumer/Org | Authorization Code Provider |
Web App that calls web APIs | Client Credentials | App Only | Client Credentials Provider |
Web API that calls web APIs | On Behalf Of | Delegated Consumer/Org | On Behalf Of Provider |
Web API that calls web APIs | Client Credentials | App Only | Client Credentials Provider |
Desktop app that calls web APIs | Interactive | Delegated Consumer/Org | Interactive Provider |
Desktop app that calls web APIs | Integrated Windows | Delegated Org | Integrated Windows Provider |
Desktop app that calls web APIs | Resource Owner | Delegated Org | Username / Password Provider |
Desktop app that calls web APIs | Device Code | Delegated Org | Device Code Provider |
Daemon app | Client Credentials | App Only | Client Credentials Provider |
Mobile app that calls web APIs | Interactive | Delegated Consumer/Org | Interactive Provider |
Authorization code provider
The authorization code flow enables native and web apps to securely obtain tokens in the name of the user. To learn more, see Microsoft identity platform and OAuth 2.0 authorization code flow.
```csharp
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithRedirectUri(redirectUri)
    .WithClientSecret(clientSecret) // or .WithCertificate(certificate)
    .Build();

AuthorizationCodeProvider authProvider = new AuthorizationCodeProvider(confidentialClientApplication, scopes);
```
Client credentials provider
The client credential flow enables service applications to run without user interaction. Access is based on the identity of the application. For more information, see Microsoft identity platform and the OAuth 2.0 client credentials flow.
```csharp
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantID)
    .WithClientSecret(clientSecret)
    .Build();

ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
```
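The following is an added example, not code from the original page or from Microsoft: a complete daemon that uses the client credentials provider with a certificate credential (the `.WithCertificate(certificate)` option noted in the authorization code snippet) instead of a client secret, so that no secret value lives in source or configuration. The class name `DaemonGraphClient`, the environment variable names, the certificate store location, and the `User.Read.All` application permission are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

public static class DaemonGraphClient // hypothetical class name
{
    // Reads a required setting; the variable names used below are assumptions.
    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing environment variable {name}");

    // Loads the app's certificate from the CurrentUser\My store by thumbprint.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, since app certificates are often self-signed;
            // expiry and private key are checked explicitly instead.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found.");
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey || DateTime.Now > cert.NotAfter)
                throw new InvalidOperationException("Certificate is expired or has no private key.");
            return cert;
        }
    }

    public static async Task Main()
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(Require("GRAPH_CLIENT_ID"))
            .WithTenantId(Require("GRAPH_TENANT_ID"))
            .WithCertificate(LoadCertificate(Require("GRAPH_CERT_THUMBPRINT")))
            .Build();

        var authProvider = new ClientCredentialProvider(app);
        var graphClient = new GraphServiceClient(authProvider);

        // App-only call: there is no signed-in user, so /me is not available.
        // Assumes the app registration has been granted User.Read.All (application).
        var users = await graphClient.Users.Request().Select("id,displayName").Top(5).GetAsync();
        foreach (User u in users)
            Console.WriteLine($"{u.Id}  {u.DisplayName}");
    }
}
```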
On-behalf-of provider
The on-behalf-of flow is applicable when your application calls a service/web API which in turn calls the Microsoft Graph API. Learn more by reading Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow.
```csharp
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithRedirectUri(redirectUri)
    .WithClientSecret(clientSecret)
    .Build();

OnBehalfOfProvider authProvider = new OnBehalfOfProvider(confidentialClientApplication, scopes);
```
Implicit provider
The implicit grant flow is used in browser-based applications. For more information, see Microsoft identity platform and Implicit grant flow.
Not applicable.
Device code provider
The device code flow enables sign in to devices by way of another device. For details, see Microsoft identity platform and the OAuth 2.0 device code flow.
```csharp
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
    .Create(clientId)
    .Build();

Func<DeviceCodeResult, Task> deviceCodeReadyCallback = async dcr => await Console.Out.WriteLineAsync(dcr.Message);

DeviceCodeProvider authProvider = new DeviceCodeProvider(publicClientApplication, scopes, deviceCodeReadyCallback);
```
Integrated Windows provider
The integrated Windows flow provides a way for Windows computers to silently acquire an access token when they are domain joined. For details, see Integrated Windows authentication.
```csharp
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantID)
    .Build();

IntegratedWindowsAuthenticationProvider authProvider = new IntegratedWindowsAuthenticationProvider(publicClientApplication, scopes);
```
Interactive provider
The interactive flow is used by mobile applications (Xamarin and UWP) and desktop applications to call Microsoft Graph in the name of a user. For details, see Acquiring tokens interactively.
```csharp
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
    .Create(clientId)
    .Build();

InteractiveAuthenticationProvider authProvider = new InteractiveAuthenticationProvider(publicClientApplication, scopes);
```
Username/password provider
The username/password provider allows an application to sign in a user by using their username and password. Because the application handles the user's password directly, use this flow only when you cannot use any of the other OAuth flows. For more information, see Microsoft identity platform and the OAuth 2.0 resource owner password credential.
```csharp
IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantID)
    .Build();

UsernamePasswordProvider authProvider = new UsernamePasswordProvider(publicClientApplication, scopes);

GraphServiceClient graphClient = new GraphServiceClient(authProvider);

User me = await graphClient.Me.Request()
    .WithUsernamePassword(email, password)
    .GetAsync();
```
Next steps
- Authentication providers require a client ID. You'll want to register your application after you set up your authentication provider.
- Let us know if a required OAuth flow isn't currently supported by voting for or opening a Microsoft Graph feature request.