What I want is simple but I have not found a clear answer.
I have a simple console app and all I want to do is get all the users in my Azure AD using the new GRAPH API. All the examples I have require the program login (OAuth?). I don't want that. I want to give the code the user/pw and simply start calling the methods.
Whenever you have a user physically sitting at the device, your best bet, by far, is to invoke the full sign-in flow. Not only does this keep an admin's credentials from being exposed, but it also allows the user to change password if needed, invoke multi-factor authentication, etc.
However, there are some scenarios where you want an entirely unsupervised service running on a completely secure and trusted machine. (Known as a "confidential client" in OAuth 2.0.) This can be achieved with the OAuth 2.0 Client Credentials Grant flow, which uses only the application's credentials to authenticate. This is illustrated in Service to Service Calls Using Client Credentials.
Using ADAL, this flow is invoked by using either AuthenticationContext.AcquireToken(String, ClientCredential) (where your credential is a password credential, a string), or AuthenticationContext.AcquireToken(String, ClientAssertionCertificate) (where your credential is a certificate that you use to sign an assertion). There is a .NET (C#) sample for each of these on the Azure AD samples for daemon applications:
Using PowerShell and certificate authentication, it would look something like this:
```powershell
# Load the ADAL assembly the ClientAssertionCertificate / AuthenticationContext types live in
Add-Type -Path "<path to Microsoft.IdentityModel.Clients.ActiveDirectory.dll>"

$appId = "<app client ID>"
$resource = "https://graph.windows.net" # (or other resource URI)
$tenantId = "<domain name or ID>"
$certThumbprint = "<certificate thumbprint>"

# Get locally-installed cert by thumbprint
$x509cert = Get-ChildItem "Cert:\LocalMachine\My" | ? { $_.Thumbprint -eq $certThumbprint } | Select-Object -First 1

# Get access token using ClientAssertionCertificate
$authority = "https://login.microsoftonline.com/$tenantId"
$creds = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientAssertionCertificate $appId, $x509cert
$authContext = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext $authority
$authResult = $authContext.AcquireToken($resource, $creds)

# Make Graph API request to list all users
$header = @{
    "Authorization" = "Bearer $($authResult.AccessToken)"
    "Content-Type" = "application/json"
}
$result = Invoke-RestMethod -Method Get -Headers $header -Uri "https://graph.windows.net/$tenantId/users?api-version=1.6"
# Invoke-RestMethod already deserializes the JSON body (there is no .Content property),
# so the user objects are directly in .value
$result.value
```
You will need to ensure your application is registered in Azure AD, and has the minimum required application permissions for what you're trying to do (and not more than that, to limit your exposure if the app's credentials were to be compromised). For example, if your application only needs to read directory data (e.g. to find a user by email address), you would set the permissions like this:
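As an added example (not part of the original answer or of ADAL), here is the same Client Credentials Grant written out in Python with only the standard library, so the moving parts the answer describes are visible: the token request for both credential types (secret and certificate-signed assertion), a least-privilege check on the application permissions the returned token actually carries (the `roles` claim), and a loop that pages through the users list. The function names, the `odata.nextLink` paging detail, and all sample data (tenant, users, the unsigned sample token) are assumptions or constructed test data; producing the certificate-signed assertion is what ADAL's `ClientAssertionCertificate` does for you, so it is a plain parameter here.

```python
import base64
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
RESOURCE = "https://graph.windows.net"   # Azure AD Graph resource URI, as in the answer
API_VERSION = "1.6"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint(tenant_id):
    # v1 token endpoint under the same authority ADAL's AuthenticationContext is built from
    return f"{AUTHORITY}/{tenant_id}/oauth2/token"


def client_secret_request(tenant_id, client_id, client_secret, resource=RESOURCE):
    """Form fields for the Client Credentials Grant with a password (secret) credential,
    the equivalent of AcquireToken(resource, ClientCredential). No user signs in."""
    return token_endpoint(tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def client_assertion_request(tenant_id, client_id, signed_assertion, resource=RESOURCE):
    """Form fields for the certificate variant, AcquireToken(resource, ClientAssertionCertificate).
    `signed_assertion` is the JWT signed with the app's certificate (assumption: produced elsewhere)."""
    return token_endpoint(tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": signed_assertion,
        "resource": resource,
    }


def post_form(url, fields):
    """Send the token request and return the parsed JSON response (needs network access)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_jwt_claims(token):
    """Base64url-decode the payload of a compact JWT. This does NOT verify the signature;
    it only lets you inspect what the issuer put in a token you just received."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_permissions(claims, allowed_roles, resource=RESOURCE):
    """Least-privilege check on an app-only token: the audience must be the resource asked for,
    and every application permission in `roles` must be one the app is meant to have.
    Returns a list of problems; empty means the token looks as intended."""
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != resource.rstrip("/"):
        problems.append(f"unexpected audience: {claims.get('aud')!r}")
    roles = claims.get("roles", [])
    if not roles:
        problems.append("token carries no application permissions (roles claim missing)")
    for role in roles:
        if role not in allowed_roles:
            problems.append(f"application permission beyond what the app needs: {role}")
    return problems


def graph_headers(access_token):
    return {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}


def list_all_users(tenant_id, access_token, fetch):
    """Walk every page of GET /users. `fetch(url, headers)` returns one parsed JSON page;
    pass http_get_json for a real tenant or constructed_fetch to run offline."""
    url = f"{RESOURCE}/{tenant_id}/users?api-version={API_VERSION}"
    users = []
    while url:
        page = fetch(url, graph_headers(access_token))
        users.extend(page.get("value", []))
        next_link = page.get("odata.nextLink")   # assumption: Azure AD Graph's paging link
        if not next_link:
            break
        if not next_link.startswith("http"):      # assumption: link is relative to the tenant root
            next_link = f"{RESOURCE}/{tenant_id}/{next_link}"
        if "api-version=" not in next_link:
            next_link += ("&" if "?" in next_link else "?") + f"api-version={API_VERSION}"
        url = next_link
    return users


def http_get_json(url, headers):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)


# ---- constructed sample data so the functions above can be exercised offline ----

def make_sample_token(claims):
    """Unsigned, JWT-shaped string for decode_jwt_claims(); constructed test data only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


SAMPLE_PAGES = {   # constructed: two pages of the users listing
    "first": {"value": [{"userPrincipalName": "alice@contoso.onmicrosoft.com"}],
              "odata.nextLink": "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X'constructed'"},
    "last": {"value": [{"userPrincipalName": "bob@contoso.onmicrosoft.com"}]},
}


def constructed_fetch(url, headers):
    """Stand-in for http_get_json that serves SAMPLE_PAGES instead of calling Azure AD."""
    assert headers["Authorization"].startswith("Bearer ")
    return SAMPLE_PAGES["last" if "skiptoken" in url else "first"]


if __name__ == "__main__":
    sample = decode_jwt_claims(make_sample_token({"aud": RESOURCE + "/", "roles": ["Directory.Read.All"]}))
    print(check_app_permissions(sample, {"Directory.Read.All"}))
    print(list_all_users("contoso.onmicrosoft.com", "constructed-token", constructed_fetch))
```

The permission check is the point the answer makes about registering only the minimum application permissions: after the daemon obtains its token, comparing the `roles` claim against the short list it should have catches an over-permissioned registration before the app ever uses it, and does so without trusting the token's signature for anything (that is the resource's job).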
