Accessing Graph APIs through delegated permissions of a service account without user interaction

I'm looking for the best approach to allow an app to access the Graph APIs through a service account.

The idea is to grant delegated permissions to the Graph APIs for that app, which would then be restricted further by the access of the service account that is used in the app. The catch is that no interaction should be required on the service account.

E.g.: I want a developer to create any type of app to access the Graph API but only manage resources that his service account is granted access to. I don't want him to be able to manage all AAD groups, for example, but only the AAD groups that his service account owns.

Any guidance to get me started with a demo? I've been searching for tutorials and articles but none of them seem to match my requirements.

Glenn asked Sep 14 '25 08:09


1 Answer

At the moment I don't think you can do this. If you do client credential authentication (client id + secret/certificate), application permissions apply. Delegated permissions only apply when a user is involved. So the only way to currently limit the scope is to do the calls on behalf of a user.

Of course you can still automate it mostly. One way is to have the developer authenticate with their account once. Your app should then receive a refresh token for that user, which it can then use to get new access tokens as needed to make the calls as the user at any time it wants.

Now of course the only issue with refresh tokens is that they can go stale or get revoked. The developer would have to authorize the app again. If it is business-critical that this kind of situation does not occur, then you must use app permissions (which are org-wide, all groups etc.).

juunas answered Sep 16 '25 08:09
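The refresh-token approach from the answer, as an added example that is not part of the original post: it redeems a stored refresh token at the Microsoft identity platform v2.0 token endpoint and treats an `invalid_grant` reply as the stale-or-revoked case the answer warns about, where the developer has to authorize the app again. The tenant id, client id and the `Group.ReadWrite.All` scope are constructed placeholders, and the HTTP call is injectable so the functions can be exercised offline.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed placeholder values; substitute your own tenant and app registration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
# offline_access is what makes the endpoint hand out a refresh token at sign-in.
SCOPES = "https://graph.microsoft.com/Group.ReadWrite.All offline_access"


class ReauthorizationRequired(Exception):
    """The stored refresh token is stale or revoked: the user must sign in again."""


def refresh_request_body(refresh_token: str, client_secret: str) -> dict:
    """Form fields for the refresh_token grant. The token the endpoint issues
    is still a delegated token: Graph enforces the signed-in user's access."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": SCOPES,
    }


def http_post(url: str, form: dict) -> tuple[int, dict]:
    """Real transport: form-encoded POST returning (HTTP status, JSON body)."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def redeem_refresh_token(refresh_token: str, client_secret: str, post=http_post):
    """Returns (access_token, refresh_token_to_persist). The endpoint may rotate
    the refresh token, so always store the one it hands back, not the old one."""
    status, body = post(TOKEN_URL, refresh_request_body(refresh_token, client_secret))
    if status == 200 and "access_token" in body:
        return body["access_token"], body.get("refresh_token", refresh_token)
    if body.get("error") == "invalid_grant":
        # Expired, revoked, or consent withdrawn: the developer must authorize again.
        raise ReauthorizationRequired(body.get("error_description", "invalid_grant"))
    raise RuntimeError(f"token endpoint returned HTTP {status}: {body.get('error')}")
```

Catch `ReauthorizationRequired` at the point where the app runs its scheduled Graph calls and route it to an alert, since that is the one case the answer says cannot be automated away without switching to application permissions.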