APIs & Integrations
Microsoft (Client Credentials)
Overview
Pre-built tooling
Pre-built integrations
No pre-built integration yet (time to contribute: <48h)
Not seeing the integration you need? Build your own independently.
Access requirements
| Pre-Requisites | Status | Comment |
|---|---|---|
| Paid dev account | ✅ Not required | Free, self-signup for a Microsoft account and Azure account. |
| Paid test account | ✅ Not required | Free Microsoft account can be used for testing. |
| Partnership | ✅ Not required | |
| App review | ⚠️ Conditional | Required only if you want to publish your app to the Microsoft commercial marketplace or if your app needs admin consent for certain permissions. |
| Security audit | ✅ Not required |
Setup guide
No setup guide yet.
Need help getting started? Get help in the community.
Useful links
Contribute useful links by editing this page
Common Permissions
| Permission | Description |
|---|---|
| Application.ReadWrite.All | Full control of app registrations |
| User.Read.All | Read all user profiles (no user sign-in required) |
| Mail.Read | Read mail in all mailboxes (organization-wide) |
| Calendars.ReadWrite | Read and write calendars across the organization |
| Files.Read.All | Read all files the app has access to in the organization |
| Directory.Read.All | Read Azure AD data, including users, groups, and devices |
| Sites.Read.All | Read SharePoint and OneDrive content across the organization |
API gotchas
- Microsoft has a unified OAuth system for their various APIs. This provider should work for most of them (e.g. Microsoft EntraID, OneNote, Onedrive, Outlook, Sharepoint Online, Microsoft Teams etc.).
- You can find permissions required for each API call in their corresponding API methods section, i.e, to retrieve a list of notebook objects from Onenote, you can have a look at List Notebooks permissions.
- See particularly the
tenantIdparameter under Get a token. - This
tenantIdparameter must be provided as extra configuration to the frontend SDK. - Microsoft offers a tool that allows you to construct and perform Graph API queries and see their response for any apps on which you have an admin, developer, or tester role. For more information you can check Microsoft Graph Explorer.
- Please be aware that the Microsoft Graph API implements throttling to manage the volume of requests. For more information on handling throttling, refer to the Microsoft Graph Throttling Guidance.
- Microsoft Graph API has different versions (v1.0 and beta). The v1.0 endpoint is for production use, while the beta endpoint contains features that are still in preview.
- When requesting Application Permissions that require admin consent, an Microsoft Entra ID administrator must pre-authorize the permissions. Without admin consent, the app cannot obtain tokens for those scopes.
- For multitenant applications, each tenant administrator must grant consent to the app’s required permissions before access is granted in their tenant.
- The .default scope is a special scope that tells Azure AD to issue a token containing all the Application Permissions that have already been granted (consented) for your app on that resource. Using
.defaultensures your app receives permissions consistent with those configured and consented at the tenant or organization level. - The
.defaultscope can’t be combined with the scopes registered in the Azure portal. So either just use the.defaultscope or remove it to list out explicit parameters that are required. If you attempt to combine them you’ll receive the following error
- Since Microsoft (Client Credentials) does not involve a user, a Microsoft Entra ID administrator must grant consent to the required Application Permissions in advance. This can be done through the Azure Portal or by using the admin consent endpoint.
Contribute API gotchas by editing this page
Connect to Microsoft (Client Credentials)
Guide to connect to Microsoft (Client Credentials) API using Nango Connect.