Using Microsoft Graph for Custom App Integrations: Why Delegated Permissions Break Automation and How App‑Only Access Fixes It
Season 1
Published 8 months, 1 week ago
Description
You’ve automated a workflow with Microsoft 365, only to hit a wall with constant permission prompts, broken background jobs and security warnings you don’t fully trust. Why do custom app integrations feel so fragile when they touch the Graph? In this episode, we unpack the hidden security and reliability traps of delegated permissions—and walk you through the smarter, more scalable path almost nobody starts with: app‑only permissions in Microsoft Graph, backed by proper app registrations and service principals.
We start with why delegated permissions are so tempting and so dangerous for automation. Using a user’s identity makes your first prototype easy: you log in once, consent to a few scopes, and the app instantly “just works” with whatever that person can access. But under the hood, every background job is now tied to a human session that expires, a password that changes and a license that might be removed when someone leaves. You’ll hear familiar failure modes—flows that die at 2 AM, bots that stop working after MFA changes, critical jobs silently failing after an admin account is cleaned up—and why this isn’t just annoying, but a structural security risk when those delegated accounts quietly accumulate broad privileges.
Then we show how app‑only Graph access changes the game. Instead of piggybacking on a user, your integration becomes a first‑class application identity in Entra ID, with its own service principal and carefully scoped application permissions. That identity doesn’t sleep, change roles or get locked out; it does exactly what you allow in SharePoint, Exchange, Teams or Entra ID, and nothing more. We walk through the practical steps: registering the app, choosing the right Graph scopes, handling secrets or certificates, going through admin consent and testing calls so they behave consistently in dev, test and production without babysitting logins.
Finally, we put it all together as a design pattern you can reuse. You’ll learn when to keep delegated access (interactive user scenarios), when to insist on app‑only (service jobs, compliance, integration hubs), and how to combine both in a hybrid model that keeps your security team happy and your automations stable. By the end of the episode, you’ll have a clear blueprint for moving fragile “it works on my account” scripts and flows to robust, auditable Graph integrations that survive password changes, staff turnover and stricter security policies.
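To make the delegated versus app-only distinction concrete, here is an added example (not material from the episode) that decodes the claims of a Microsoft identity platform access token and reports which model it was issued under: delegated tokens carry their scopes in the `scp` claim, app-only tokens carry application permissions in the `roles` claim. The allowlist and both sample tokens are constructed for illustration, and the signature is deliberately not verified, so this is a diagnostic for your own tokens only.

```python
import base64
import json

# Hypothetical least-privilege allowlist for one integration (assumption).
ALLOWED_APP_ROLES = {"Sites.Selected", "Mail.Send"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), "constructed"])

def decode_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify(token: str, allowed=ALLOWED_APP_ROLES) -> dict:
    """Report the permission model and any app roles beyond the allowlist."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()   # delegated: space-separated string
    roles = claims.get("roles", [])          # app-only: JSON array
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "app-only"
    else:
        kind = "no-graph-permissions"
    excess = sorted(set(roles) - set(allowed)) if kind == "app-only" else []
    return {"kind": kind, "permissions": scopes or roles, "excess": excess}

# Constructed sample tokens (not real credentials).
DELEGATED = make_sample_token({"scp": "User.Read Mail.Read",
                               "upn": "user@example.com"})
APP_ONLY = make_sample_token({"roles": ["Sites.Selected",
                                        "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        print(name, classify(tok))
```

A non-empty `excess` list means the app registration was granted application permissions beyond what the integration was designed to need, which is the drift worth reviewing before admin consent is renewed.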
WHAT YOU’LL LEARN
- Why delegated Graph permissions regularly break background jobs and increase risk.
- How app‑only Graph access with service principals creates stable, least‑privilege automations.
- The key setup steps: app registration, scopes, secrets/certs and admin consent.
- When to use delegated vs. app‑only—and how to migrate existing automations safely.
The core insight of this episode is that most Graph integrat