Microsoft
Microsoft Graph
Microsoft
To access a user's Microsoft data, your application must enable users to authenticate their identity and give their consent for the app to perform actions on their behalf.
The Microsoft Graph supports two authentication providers:
Building apps for enterprise customers? Your app might not work if your enterprise customer turns on enterprise mobility security features like conditional device access.
To support all enterprise customers across all enterprise scenarios, you must use the Azure AD endpoint and use the Azure Management Portal to manage your apps.
The following table summarizes the major features that the Azure AD and Azure AD v2.0 endpoints support, and provides links to additional information. The relative importance of these features--and therefore, which authentication provider you choose to implement in your app--will primarily depend on:
| Azure AD endpoint | Azure AD v2.0 endpoint | |
|---|---|---|
| Grant types supported | Authorization code Implicit Client credentials Resource owner password credentials |
Authorization code Implicit Client credentials |
| App types supported | Web apps Web APIs Mobile and native apps Single Page App (SPA) Standalone Web APIs Daemons/Server Side apps Cloud Solution Provider apps |
Web apps Web APIs Mobile and native apps Single Page App (SPA) Daemons/Server Side Apps |
| Conditional access device policies | Supported | Not currently supported |
| OAuth 2.0 and OpenID Connect compliant | No | Yes |
| Permissions | Static: Specified during app registration | Dynamic: Request during app runtime; includes incremental consent |
| Account types | work or school |
work or school personal |
| App ID | Separate app ID for each platform | Single app ID for multiple platforms |
| Registration portal | Microsoft Azure Management | Microsoft Application Registration |
| Client libraries | Active Directory Authentication (ADAL) SDKs for most development platforms | |
| Other features | Group claims for Azure AD users Application Roles and Role Claims |
In addition, there are differences in permission scopes required by the two authentication providers, as well as differences in the claims returned in various tokens. For more information, see Well-known scopes and Token Claims in What's different about the v2.0 endpoint?.
Also, the Azure AD v2.0 endpoint is under active development, with additional features and supported scenarios to be added. For a current list of limitations and restrictions for the Azure AD v2.0 endpoint, see Should I use the v2.0 endpoint?.
When you decide which authentication provider meets your app's requirements, you need to register your app at that authentication provider's portal. Registering your app establishes your app's identity with the authentication provider, and enables your app to specify its identity when submitting authentication requests from the user.
To register your app with Azure AD, use the Azure portal.
To register your app with the Azure AD v2.0 endpoint, use the Microsoft Application Registration portal.
After you register your app with the appropriate authentication portal, and have the app registration information (app ID, app secret, if applicable, and redirect URI) that you need to establish your app's identity, you're ready to implement authentication in your app.
Again, this will vary depending on the type of app you're building, your development platform, the authentication flow you choose, and any specific authentication requirements for your app.
The following table lists the Connect samples by authentication provider and platform, and notes whether they connect to Microsoft Graph using REST or a Microsoft Graph client library.
| Platform | Azure AD endpoint | Azure AD v2.0 endpoint |
|---|---|---|
| Android | REST sample or SDK sample | SDK sample |
| ASP.NET | REST sample | SDK sample |
| iOS (Obj-C) | REST sample | SDK sample |
| iOS (Swift) | REST sample | SDK sample |
| Node.js | REST sample | REST sample |
| PHP | REST sample | REST sample |
| Python | REST sample | |
| Ruby | REST sample | REST sample |
| UWP | REST sample | REST sample or SDK sample |
| Xamarin | SDK sample |
To explore a wide range of projects that connect to Microsoft Graph over a broad assortment of technologies, visit the Microsoft Graph repo on GitHub.
The Get Started section contains detailed articles that show you how to create the apps listed in the table using the Azure AD v2.0 endpoint, and covers the authentication libraries used on each platform.
