Microsoft Graph API
Introduction

This guide explains how to authenticate the Microsoft Graph API connector in Swimlane using one of the following authentication methods:

- OAuth 2.0 Client Credentials (application permissions)
- Password Grant (delegated permissions)
- Refresh Token Grant (delegated permissions with MFA)

You will create an Azure app, assign permissions, collect the required identifiers, and configure the connector inside Swimlane.

Prerequisites

Azure access requirements

You must have Azure permissions to:

- Register applications in Azure Active Directory
- Assign API permissions (application + delegated)
- Grant admin consent
- View tenant, subscription, and directory information
- Create client secrets

Required credentials

During setup, you will collect:

- Client ID
- Client Secret
- Tenant ID
- Token URL
- Scope (for delegated auth)
- Username & Password (for password grant)
- Refresh Token (for refresh token flow)

Authentication methods overview

OAuth 2.0 Client Credentials

Used for non-MFA accounts and for most server-to-server automations. You will need:

- Client ID
- Client Secret
- Tenant ID
- Token URL (must include the tenant ID)
- Scope(s)

OAuth 2.0 Refresh Token Grant

Use this when:

- the Office 365 account has MFA enabled
- you need a long-lived token flow based on user authentication

You will need:

- Client ID
- Client Secret
- Refresh Token
- Redirect URI (added during Azure app registration)

Azure setup

Take the following steps to register the application:

1. Go to Azure Portal > Azure Active Directory > App registrations.
2. Click New registration.
3. Enter an application name.
4. Select Accounts in this organizational directory only.
5. Click Register.

Take the following steps to assign the API permissions:

1. Open the API permissions tab.
2. Click Add a permission.
3. Add the required permissions (recommended):
   - User.ReadWrite.All
   - Calendars.ReadWrite
   - Directory.ReadWrite.All
   - Directory.AccessAsUser.All
   - SecurityEvents.Read.All
   - SecurityEvents.ReadWrite.All
   - Mail.ReadWrite
   - Mail.Send
   - Sites.ReadWrite.All
   - Files.ReadWrite.All
   - AuditLog.Read.All
   - Mail.ReadBasic.All
   - SecurityAnalyzedMessage.ReadWrite.All
   - SecurityAlert.ReadWrite.All
   - User.ManageIdentities.All
   These permissions enable Graph API actions across email, directory, SharePoint, files, and security.
4. Click Add permissions.
5. Click Grant admin consent for your organization.

Delegated permissions (for password grant & refresh token)

Add delegated permissions instead of application permissions when using delegated auth. After adding permissions, click Add permissions, then click Grant admin consent.

Take the following steps to generate a client secret:

1. Go to Certificates & secrets.
2. Click New client secret.
3. Add a description and expiration.
4. Click Add.
5. Copy and save the Value. This saved value is the Client Secret.

Take the following steps to collect the required identifiers:

From App registration > Overview, copy:

- Client ID
- Tenant ID

Take the following steps to collect the username and password (delegated auth only):

If using password grant:

- OAuth UN → Azure username
- OAuth PWD → Azure password

If MFA is enabled, use the refresh token flow instead.

Take the following steps to generate a refresh token (for accounts with MFA enabled):

1. In the registration step, add a Redirect URI (platform: Web).
2. Complete the app registration.
3. Assign delegated permissions.
4. Use the Python script provided by the Swimlane team to generate a refresh token.

Connector configuration in Swimlane

1. Log into Turbine.
2. From the left-hand navigation pane, click Orchestration and click Assets. The Asset homepage opens.
3. Click the + icon to create a new asset.
4. Select Microsoft Graph API from the asset type list.
5. Fill in the asset settings and asset input as shown below.

a) Configuration: Client Credentials

Authenticates using OAuth 2.0 client credentials.

Field         | Description                                                    | Required
URL           | Microsoft Graph API endpoint                                   | Required
Client ID     | Client ID from Azure                                           | Required
Client Secret | Client Secret from Azure                                       | Required
Tenant ID     | Tenant ID                                                      | Required
Token URL     | https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token | Required
Scope         | Permission scopes                                              | Required
Verify SSL    | Enable/disable SSL verification                                | Optional
HTTP Proxy    | Proxy details                                                  | Optional

Fields marked Required must be filled in.

b) Configuration: Password Grant (delegated authentication)

Authenticates on behalf of a user.

Field            | Description                                        | Required
URL              | Microsoft Graph API endpoint                       | Required
Login URL        | Default: https://login.microsoftonline.com/        | Optional
Tenant ID        | Tenant ID                                          | Required
OAuth UN         | Username                                           | Required
OAuth PWD        | Password                                           | Required
OAuth Cl ID      | Client ID                                          | Required
OAuth Cl Secret  | Client Secret                                      | Required
Scope            | Delegated scopes                                   | Optional
Verify SSL       | SSL verification                                   | Optional
HTTP Proxy       | Proxy                                              | Optional

Fields marked Required must be filled in.

c) Configuration: Refresh Token Grant (delegated + MFA)

Authenticates using a previously generated refresh token.

Field         | Description                    | Required
URL           | Microsoft Graph API endpoint   | Required
Cl ID         | Client ID                      | Required
Cl Secret     | Client Secret                  | Required
Refresh Token | Refresh token                  | Required
Scope         | Permission scopes              | Required
Verify SSL    | SSL verification               | Required
HTTP Proxy    | Proxy                          | Required

Fields marked Required must be filled in.

6. Click Create.

Troubleshooting

403 Forbidden occurs when:

- Graph API permissions are missing
- admin consent is missing
- the tenant or token URL is incorrect
- application permissions are used where delegated permissions are required

Fix:

- Re-grant admin consent
- Verify the permissions
- Ensure the token URL includes the correct tenant ID

You have successfully authenticated the Microsoft Graph API connector using one of the supported OAuth flows.
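The three connector modes above each correspond to one OAuth 2.0 grant against the Microsoft identity platform v2.0 endpoints. The following is an added example written for this guide; it is not the connector's code and not the Swimlane team's refresh-token script. It shows the exact token request each mode sends (client credentials for mode a, refresh token for mode c) and the one-time authorization-code exchange that first yields a refresh token, which is where the Web redirect URI and the delegated permissions from the Azure setup come in. All identifiers in it are placeholders; `fetch_token()` is the only function that touches the network.

```python
"""Added example for the Microsoft Graph API connector guide (not Swimlane code).

Request builders for the v2.0 grants the connector modes map to:
  client_credentials_request  -> mode (a), application permissions, no user
  authorize_url + auth_code_request -> one-time interactive step that yields a
                                       refresh token for an MFA-enabled account
  refresh_token_request       -> mode (c), delegated permissions, no MFA prompt
The password grant (mode b) is omitted on purpose: it cannot satisfy MFA,
which is why the guide sends MFA accounts to the refresh token flow.
"""
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
# With v2.0, an app-only token asks for the resource's /.default scope, which
# means "all application permissions that have been admin-consented".
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def token_url(tenant_id: str) -> str:
    """v2.0 token endpoint; the tenant ID is part of the path. A placeholder
    left in the connector's Token URL field is a classic cause of the 403."""
    if not tenant_id or "{" in tenant_id or "}" in tenant_id:
        raise ValueError("tenant_id must be the real tenant ID, not a placeholder")
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"


def client_credentials_request(tenant_id, client_id, client_secret,
                               scope=GRAPH_DEFAULT_SCOPE):
    """Mode (a): application permissions, authenticated by the client secret."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return token_url(tenant_id), form


def authorize_url(tenant_id, client_id, redirect_uri, delegated_scopes):
    """Interactive step of the refresh-token flow. Requesting offline_access is
    what makes the token response include a refresh token at all."""
    scopes = list(delegated_scopes)
    if "offline_access" not in scopes:
        scopes.append("offline_access")
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match the Web redirect URI registered in Azure
        "scope": " ".join(scopes),
        "response_mode": "query",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(query)


def auth_code_request(tenant_id, client_id, client_secret, redirect_uri, code, delegated_scopes):
    """Exchange the code delivered to the redirect URI; the JSON response carries
    'refresh_token' when offline_access was requested. Store that value in the
    connector's Refresh Token field."""
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code": code, "scope": " ".join(delegated_scopes)}
    return token_url(tenant_id), form


def refresh_token_request(tenant_id, client_id, client_secret, refresh_token, delegated_scopes):
    """Mode (c): what the connector sends on each run, trading the stored refresh
    token for a fresh access token without a password or MFA prompt."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token,
            "scope": " ".join(delegated_scopes)}
    return token_url(tenant_id), form


def fetch_token(url: str, form: dict) -> dict:
    """POST the form and return the parsed token response (network call)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed placeholder identifiers; replace with the values collected in Azure.
    url, form = client_credentials_request("TENANT_ID_PLACEHOLDER",
                                           "CLIENT_ID_PLACEHOLDER",
                                           "CLIENT_SECRET_PLACEHOLDER")
    print(url, form["grant_type"], form["scope"])
```

Note the two scope conventions: an app-only token (mode a) asks for `https://graph.microsoft.com/.default` and gets whatever application permissions were admin-consented, while the delegated flows name the individual delegated permissions and must include `offline_access` once, at the authorization step, or no refresh token is ever issued.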
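For the 403 Forbidden cases listed in the troubleshooting section, the quickest way to tell which cause applies is to look at the claims in the access token the connector actually received. The following is an added diagnostic example, not part of the guide or of Swimlane's connector: it decodes the JWT payload (without verifying the signature, so it is a troubleshooting aid only, never an authorisation check), reports whether the token came from the expected tenant, whether it carries application permissions (`roles` claim) or delegated permissions (`scp` claim), and whether the permission the failing call needs is present. It also checks the configured Token URL against the tenant ID. The tenant ID and token contents are constructed sample values.

```python
"""Added 403 diagnostic for the Microsoft Graph API connector guide (not Swimlane code).

Microsoft identity platform access tokens carry:
  tid   - tenant that issued the token
  roles - application permissions granted (app-only tokens, mode a)
  scp   - space-separated delegated permissions (modes b and c)
"""
import base64
import json

# Constructed sample values; real ones come from the Azure app registration.
EXPECTED_TENANT = "00000000-0000-0000-0000-00000000aaaa"
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, required_permission: str, expected_tenant: str, delegated: bool) -> list:
    """Return findings that explain a 403; an empty list means the token looks right."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("tid") != expected_tenant:
        findings.append(f"token issued by tenant {claims.get('tid')!r}, expected "
                        f"{expected_tenant!r}; check the tenant ID in the token URL")
    roles = set(claims.get("roles", []))          # application permissions
    scopes = set(claims.get("scp", "").split())    # delegated permissions
    if delegated and not scopes:
        findings.append("no 'scp' claim: token was issued with application permissions "
                        "but this action needs delegated permissions (password grant or refresh token mode)")
    if not delegated and not roles:
        findings.append("no 'roles' claim: no application permissions granted, or admin consent not given")
    granted = scopes if delegated else roles
    if granted and required_permission not in granted:
        findings.append(f"missing permission {required_permission!r}; granted: {sorted(granted)}")
    return findings


def check_token_url(token_url: str, tenant_id: str) -> bool:
    """True when the configured Token URL embeds the expected tenant ID."""
    return token_url == TOKEN_URL_TEMPLATE.format(tenant_id=tenant_id)


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # App-only token consented for Mail.ReadBasic.All only, then asked to send mail.
    sample = make_unsigned_sample_token({"tid": EXPECTED_TENANT,
                                         "roles": ["Mail.ReadBasic.All"]})
    for finding in diagnose(sample, "Mail.Send", EXPECTED_TENANT, delegated=False):
        print("-", finding)
    print("token URL ok:", check_token_url(TOKEN_URL_TEMPLATE.format(tenant_id=EXPECTED_TENANT),
                                           EXPECTED_TENANT))
```

Run against a real token by pasting the connector's access token into `diagnose()`; a token with `roles` but no `scp` confirms the "application permissions where delegated is required" case, a wrong `tid` confirms the tenant or token URL case, and an empty `roles` claim on an app-only token points at missing admin consent.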