
I want to develop a timer job (C#), which will run in the background without any logged-in user, through which I need to fetch user profiles (profile image and job title) from Azure AD using a Graph API. I want to achieve this using delegated permissions (User.ReadBasic.All) as I'm not allowed to use application-level permissions for User.Read.All. So is there any way I can achieve this?

Mayuresh Jaiswal

1 Answer


Yes, but the user will have to sign in to your app at least once to initiate the process.

The way you can do this:

  1. User signs in to your app (this can be a separate Web app for example)
  2. You store the refresh token received in a secure manner (per user, each user has their own token)
  3. Your background process can take this refresh token, and exchange it for an access token + a new refresh token
  4. Store the new refresh token in the same secure storage
  5. Use the access token to do what you need to do

This process will work in the background for as long as the refresh tokens work. But they can and do expire. You will need to be prepared for this, as to make it work again for that user, they will have to repeat step 1.

juunas
  • The very first thing is that my timer job will run once a day (midnight); also we don't have any page for the user to log in, as my application is an MSFT Teams app which will sit under the Teams application. So there is no way the user can go and provide user consent. Also, if we anyhow try to store the token, it will expire by midnight, so a "Token expired" error will occur. – Mayuresh Jaiswal Jan 30 '20 at 06:22
  • Delegated permissions require a user to sign in to be used. As for the expiration, that's why you need the refresh token, so you can get new tokens. It's either this or application permissions. – juunas Jan 30 '20 at 06:23
  • Can you please let me know if I can use the service principal concept to achieve this? – Mayuresh Jaiswal Jan 30 '20 at 06:24
  • If by service principal concept you mean the app accessing the data on its own, that's application permissions. – juunas Jan 30 '20 at 06:24
  • So we can't use a service principal with delegated permissions if the app wants to access data on its own? – Mayuresh Jaiswal Jan 30 '20 at 06:25
  • Delegated permissions use a combination of user and app access, so require a user to sign in. – juunas Jan 30 '20 at 06:26
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/206893/discussion-between-mayuresh-jaiswal-and-juunas). – Mayuresh Jaiswal Jan 30 '20 at 06:27
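The five steps in the answer, worked through as an added C# example; this is not code from the question, the answer, or Microsoft. It assumes .NET 6 or later with `HttpClient` and `System.Text.Json`, a confidential client (client id and secret) registered for the tenant, and that the stored `userId` is the user's Azure AD object id. `IRefreshTokenStore`, `InMemoryTokenStore`, `ProfileSyncJob` and `UserProfile` are names chosen here; the in-memory store only stands in for real encrypted storage. The example also handles the failure mode the answer warns about: when the token endpoint rejects the refresh token, the user is flagged so they repeat step 1, and the job moves on.

```csharp
// Added example (not from the original post): once-a-day background job that redeems a
// stored per-user refresh token for a fresh access token, persists the rotated refresh
// token, and reads a profile from Microsoft Graph with delegated permissions.
// Assumptions: .NET 6+, a confidential client registration; the store types are hypothetical.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public interface IRefreshTokenStore
{
    Task<string?> GetAsync(string userId);
    Task SaveAsync(string userId, string refreshToken);
    Task MarkSignInRequiredAsync(string userId); // refresh token is dead: user must repeat step 1
}

// Hypothetical stand-in for secure per-user storage (real storage: Key Vault, DPAPI, an
// encrypted column, ...). Refresh tokens are long-lived credentials and must never be logged.
public sealed class InMemoryTokenStore : IRefreshTokenStore
{
    private readonly Dictionary<string, string> _tokens = new();
    public HashSet<string> SignInRequired { get; } = new();
    public Task<string?> GetAsync(string userId) =>
        Task.FromResult(_tokens.TryGetValue(userId, out var t) ? t : null);
    public Task SaveAsync(string userId, string token) { _tokens[userId] = token; return Task.CompletedTask; }
    public Task MarkSignInRequiredAsync(string userId)
    { _tokens.Remove(userId); SignInRequired.Add(userId); return Task.CompletedTask; }
}

public sealed record UserProfile(string DisplayName, string? JobTitle, byte[]? Photo);

public sealed class ProfileSyncJob
{
    private const string Scope = "https://graph.microsoft.com/User.ReadBasic.All offline_access";
    private readonly HttpClient _http;
    private readonly IRefreshTokenStore _store;
    private readonly string _tokenEndpoint, _clientId, _clientSecret;

    public ProfileSyncJob(HttpClient http, IRefreshTokenStore store,
                          string tenantId, string clientId, string clientSecret)
    {
        _http = http; _store = store; _clientId = clientId; _clientSecret = clientSecret;
        _tokenEndpoint = $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";
    }

    // Steps 3-5 of the answer for one user. Returns null when no refresh token is stored.
    public async Task<UserProfile?> SyncUserAsync(string userId)
    {
        var refreshToken = await _store.GetAsync(userId);
        if (refreshToken is null) return null;

        // Step 3: refresh-token grant against the v2.0 token endpoint.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret,
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["scope"] = Scope,
        });
        using var tokenResponse = await _http.PostAsync(_tokenEndpoint, form);
        using var tokenJson = JsonDocument.Parse(await tokenResponse.Content.ReadAsStringAsync());

        if (!tokenResponse.IsSuccessStatusCode)
        {
            // Expired or revoked refresh token: no silent recovery is possible, so flag the
            // user for a new interactive sign-in (step 1 again) and let the caller continue.
            var error = tokenJson.RootElement.TryGetProperty("error", out var e) ? e.GetString() : "unknown";
            if (error is "invalid_grant" or "interaction_required")
                await _store.MarkSignInRequiredAsync(userId);
            throw new InvalidOperationException($"Token refresh failed for {userId}: {error}");
        }

        var accessToken = tokenJson.RootElement.GetProperty("access_token").GetString()!;
        // Step 4: the endpoint rotates the refresh token; persist the new one right away.
        if (tokenJson.RootElement.TryGetProperty("refresh_token", out var rt))
            await _store.SaveAsync(userId, rt.GetString()!);

        // Step 5: use the short-lived access token for the Graph calls; it is never stored.
        using var req = new HttpRequestMessage(HttpMethod.Get,
            $"https://graph.microsoft.com/v1.0/users/{userId}?$select=displayName,jobTitle");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var res = await _http.SendAsync(req);
        res.EnsureSuccessStatusCode();
        using var profile = JsonDocument.Parse(await res.Content.ReadAsStringAsync());
        var name = profile.RootElement.GetProperty("displayName").GetString() ?? "";
        var title = profile.RootElement.TryGetProperty("jobTitle", out var jt) ? jt.GetString() : null;

        using var photoReq = new HttpRequestMessage(HttpMethod.Get,
            $"https://graph.microsoft.com/v1.0/users/{userId}/photo/$value");
        photoReq.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var photoRes = await _http.SendAsync(photoReq);
        // 404 just means the user has no photo; any other failure is an error.
        byte[]? photo = photoRes.StatusCode == HttpStatusCode.NotFound
            ? null
            : await photoRes.EnsureSuccessStatusCode().Content.ReadAsByteArrayAsync();
        return new UserProfile(name, title, photo);
    }
}
```

The midnight run calls `SyncUserAsync` once per stored user, catching the exception per user so one expired token does not stop the rest, and the `SignInRequired` set is what drives the prompt to sign in again (for the Teams app, that prompt is the only place a user can grant consent). Because the access token is obtained at run time from the refresh token, it being valid for only about an hour does not matter to a daily job; the credential that must survive between runs is the refresh token, which is why it is rotated and stored in step 4.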