How to specify a delegated request vs app only request?

[joshbinney]

I have an API that needs to make requests sometimes on behalf of the user, sometimes as itself. It seems using the following snippet only sets up delegated access?

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApi(builder.Configuration) .EnableTokenAcquisitionToCallDownstreamApi() .AddInMemoryTokenCaches() .AddMicrosoftGraph();

So two questions. I have a graph service client injected into a service, how can I request things outside of the ".Me" space on behalf of the current user, and how can I make a request as the application (while still using DI, I've seen some hacky ways to do it).

[pschaeflein]

There is no difference in endpoint for appOnly. The difference is how the token is acquired.

The easiest way is to use Azure Identity to create a credential and pass that to the sdk.

[joshbinney]

So when we set things up in the DI container, which is it using? How do we know? Seems the magic to hide that from the developers is causing a lot of confusion as to what is actually happening functionaly.

…

On Sun, 21 Apr 2024, 1:11 pm Paul Schaeflein, ***@***.***> wrote: There is no difference in endpoint for appOnly. The difference is how the token is acquired. The easiest way is to use Azure Identity <https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#credential-classes> to create a credential and pass that to the sdk. — Reply to this email directly, view it on GitHub <#2449 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALRBPVRCDEMV7J2DAEB3TATY6MG5HAVCNFSM6AAAAABGQHOSVSVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TCNZWHEZTC> . You are receiving this because you authored the thread.Message ID: <microsoftgraph/msgraph-sdk-dotnet/repo-discussions/2449/comments/9176931@ github.com>

[joshbinney]

Hey just wondering if there was any updates on this?

Specifically after info on how the DI stuff behaves regarding delegated and app only access, and then code snippets on how to create or inject an app only client.

Thanks!

[andrueastman]

@joshbinney
Checkout https://github.com/AzureAD/microsoft-identity-web/wiki/calling-graph#specify-that-you-want-to-use-app-permissions

Ideally to use app only permissions, you should simply use the WithAppOnly method with the fluent Api method in use.