App authentication with Microsoft Graph

To access a user's Microsoft data, your application must enable users to authenticate their identity and give their consent for the app to perform actions on their behalf.

Microsoft Graph supports two authentication providers: the Azure AD endpoint and the Azure AD v2.0 endpoint.

Building apps for enterprise customers? Your app might not work if your enterprise customer turns on enterprise mobility security features like conditional device access.

To support all enterprise customers across all enterprise scenarios, you must use the Azure AD endpoint and use the Azure Management Portal to manage your apps.

[Figure: Microsoft Graph application stack, with authentication shown as a layer between your app and the various Microsoft Graph resources.]

Deciding between the Azure AD and Azure AD v2.0 endpoints

The following table summarizes the major features that the Azure AD and Azure AD v2.0 endpoints support, and provides links to additional information. The relative importance of these features (and therefore which authentication provider you choose to implement in your app) depends primarily on:

  • The account type (enterprise or consumer) your app needs to support
  • The type of app you want to build
  • The authentication flow required
| Feature | Azure AD endpoint | Azure AD v2.0 endpoint |
|---|---|---|
| Grant types supported | Authorization code; Implicit; Client credentials; Resource owner password credentials | Authorization code; Implicit; Client credentials |
| App types supported | Web apps; Web APIs; Mobile and native apps; Single Page App (SPA); Standalone Web APIs; Daemons/Server Side Apps (more information) | Web apps; Web APIs; Mobile and native apps; Single Page App (SPA); Daemons/Server Side Apps (more information) |
| Conditional access device policies | Supported | Not currently supported |
| OAuth 2.0 and OpenID Connect compliant | No | Yes |
| Permissions | Static: specified during app registration | Dynamic: requested during app runtime; includes incremental consent |
| Account types | Work or school | Work or school; personal |
| App ID | Separate app ID for each platform | Single app ID for multiple platforms |
| Registration portal | Microsoft Azure Management | Microsoft Application Registration |
| Client libraries | Active Directory Authentication Library (ADAL) SDKs for most development platforms | Microsoft Authentication Library (Preview); open source OAuth 2.0 libraries (list) |
| Other features | Group claims for Azure AD users; Application Roles and Role Claims | |

In addition, there are differences in permission scopes required by the two authentication providers, as well as differences in the claims returned in various tokens. For more information, see Well-known scopes and Token Claims in What's different about the v2.0 endpoint?.

Also, the Azure AD v2.0 endpoint is under active development, with additional features and supported scenarios to be added. For a current list of limitations and restrictions for the Azure AD v2.0 endpoint, see Should I use the v2.0 endpoint?.
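To make the static-versus-dynamic permission difference concrete, here is an added example (not code from the Microsoft docs) that builds the authorization-code request for each endpoint and validates the callback before the code is exchanged. The two login URLs are the well-known Azure AD authorize endpoints; the client ID, redirect URI and scope values are placeholder assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not code from the Microsoft Graph docs. The two login URLs are
# the well-known Azure AD authorize endpoints; everything else is a placeholder.
AZURE_AD_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/authorize"
AZURE_AD_V2_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
GRAPH_RESOURCE = "https://graph.microsoft.com"


def new_state():
    """Unguessable per-request value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(endpoint, client_id, redirect_uri, state, scopes=None):
    """Authorization-code request for the chosen endpoint.

    Azure AD endpoint: permissions are static (fixed at registration), so the
    request names the resource (Microsoft Graph) and carries no scopes.
    Azure AD v2.0 endpoint: permissions are dynamic, so the request lists the
    scopes needed now; a later request can add more (incremental consent).
    """
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    if endpoint == "azure_ad":
        params["resource"] = GRAPH_RESOURCE
        return AZURE_AD_AUTHORIZE + "?" + urlencode(params)
    if endpoint == "azure_ad_v2":
        if not scopes:
            raise ValueError("the v2.0 endpoint needs explicit scopes")
        params["scope"] = " ".join(scopes)
        params["response_mode"] = "query"
        return AZURE_AD_V2_AUTHORIZE + "?" + urlencode(params)
    raise ValueError("unknown endpoint: " + endpoint)


def query_params(url):
    """Single-valued query parameters of a URL, for inspecting a built request."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def redirect_is_valid(query_string, expected_state):
    """Check the callback before exchanging the code: the state must equal the
    stored value (CSRF protection) and the response must carry a code, not an error."""
    query = parse_qs(query_string)
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        return False
    return "code" in query and "error" not in query
```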

Registering your app for authentication

When you decide which authentication provider meets your app's requirements, you need to register your app at that authentication provider's portal. Registering your app establishes your app's identity with the authentication provider, and enables your app to specify its identity when submitting authentication requests from the user.

Resources for implementing authentication in your Microsoft Graph app

After you register your app with the appropriate authentication portal, and have the app registration information (app ID, app secret, if applicable, and redirect URI) that you need to establish your app's identity, you're ready to implement authentication in your app.

Again, this will vary depending on the type of app you're building, your development platform, the authentication flow you choose, and any specific authentication requirements for your app.

Connect samples by authentication provider and platform

The following table lists the Connect samples by authentication provider and platform, and notes whether they connect to Microsoft Graph using REST or a Microsoft Graph client library.

| Platform | Azure AD endpoint | Azure AD v2.0 endpoint |
|---|---|---|
| Android | REST sample or SDK sample | SDK sample |
| ASP.NET | REST sample | SDK sample |
| iOS (Obj-C) | REST sample | SDK sample |
| iOS (Swift) | REST sample | SDK sample |
| Node.js | REST sample | REST sample |
| PHP | REST sample | REST sample |
| Python | REST sample | |
| Ruby | REST sample | REST sample |
| UWP | REST sample | REST sample or SDK sample |
| Xamarin | | SDK sample |

To explore a wide range of projects that connect to Microsoft Graph over a broad assortment of technologies, visit the Microsoft Graph repo on GitHub.

Get Started

The Get Started section contains detailed articles that show you how to create the apps listed in the table using the Azure AD v2.0 endpoint, and covers the authentication libraries used on each platform.

See also