10

Is there a way to impersonate a user in Office 365 using the new Microsoft Graph API?

I am currently using the EWS API to impersonate Office 365 users to add calendar events.

Thivy Ruthra

1 Answer

10

The Microsoft Graph uses OAuth2.0, and so you can have your app operate as the signed-in user, if the user grants the app the ability (in your case) to read/write calendar events. (In OAuth2.0 this flow is known as the code flow.) If you need your app to create events on behalf of many users, where the user is not actually signed in to your app - say your app is a daemon service of some sort - then you could use the OAuth2.0 app-only (client credential) flow. Acquiring a delegated access token to call Microsoft Graph is documented here: https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

Hope this helps,

Dan Kershaw - MSFT
  • To clarify, the client credential flow does not result in delegated access on a per user level, but instead accesses the API as the app itself, correct? Would there be a way to instead have the app impersonate individual users and perform API requests as that user? – vinod Mar 24 '16 at 19:48
  • 4
    Correct on the first statement. On the second item - we don't really have an ActAs capability. This is a super powerful capability that needs to be carefully handled, and we don't have a timeline for this kind of functionality. Do you have any specific scenarios where you need this capability? Another option is to use the delegated flow, and get a refresh token (offline_access), and use that to impersonate the user even when they are not actively using your app. – Dan Kershaw - MSFT Mar 25 '16 at 23:10
  • 2
    Is there any parallel to or ability to use the ApplicationImpersonation role in Exchange? With EWS being deprecated we need to move to Graph API to access room mailbox calendars, and some existing customers are using impersonation roles in Exchange in preference to setting mailbox permissions for every room mailbox. Impersonation is also advised in EWS to avoid subscription budget limits on a service account in a push scenario (although I've yet to determine how to do push connections with Graph). – tjmoore Sep 14 '18 at 15:20
  • 1
    To clarify on the last part of my previous comment, when I'm talking about 'push' I mean streaming subscriptions in EWS. It looks like Outlook API has streaming subscription support however, but not Graph API. Same though with regards to budget/throttling. – tjmoore Sep 14 '18 at 16:37
  • 1
    @Dan Kershaw - MSFT Why is ActAs super powerful? I would rather give a daemon-app ActAs rights than the "modify-everything" power that is standard with application accounts. – ssimm Oct 21 '19 at 15:23
  • "_...any specific scenarios where you need this capability?_" What's the best way to send a chat message on Teams from a daemon app? You need an authenticated user account, to send the message on behalf of them. – kostasvs May 19 '21 at 09:16
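Added example, not part of the original answer or comments: the two token requests discussed above (app-only client credentials, and a delegated refresh-token grant using `offline_access`) built side by side, plus an inspection helper that tells the resulting tokens apart by the Microsoft identity platform's `scp` (delegated) and `roles` (application) claims. The tenant, client id, secret, mailbox address and sample tokens are constructed placeholders; nothing is sent over the network.

```python
import base64, json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com"

def token_request(tenant, client_id, client_secret, refresh_token=None):
    """Return (url, form body) for the token endpoint.
    Without refresh_token: app-only (client credentials) grant.
    With refresh_token: delegated grant for the user who consented earlier."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if refresh_token is None:
        body.update(grant_type="client_credentials", scope=GRAPH + "/.default")
    else:
        body.update(grant_type="refresh_token", refresh_token=refresh_token,
                    scope=GRAPH + "/Calendars.ReadWrite offline_access")
    return TOKEN_URL.format(tenant=tenant), urlencode(body)

def token_kind(access_token):
    """Decode the JWT payload WITHOUT verifying it (inspection only) and
    report whether it carries delegated scopes (scp) or app roles (roles)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    if "roles" in claims:
        return "app-only", list(claims["roles"])
    return "unknown", []

def events_url(kind, user):
    """App-only tokens have no signed-in user, so /me is not available."""
    if kind == "delegated":
        return f"{GRAPH}/v1.0/me/events"
    return f"{GRAPH}/v1.0/users/{user}/events"

def _sample_token(claims):
    """Constructed, unsigned token for the demo; not a real credential."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

APP_TOKEN = _sample_token({"roles": ["Calendars.ReadWrite"]})
USER_TOKEN = _sample_token({"scp": "Calendars.ReadWrite", "upn": "room1@contoso.example"})

if __name__ == "__main__":
    for tok in (APP_TOKEN, USER_TOKEN):
        kind, perms = token_kind(tok)
        print(kind, perms, events_url(kind, "room1@contoso.example"))
```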