Use delegated access (User Credentials) whenever you want to let a signed-in user work with their own resources or resources they can access. Whether it's an admin setting up policies for their entire organization or a user deleting an email in their inbox, all scenarios involving user actions should use delegated access.
[API reference]
Follow these simple steps to create a Microsoft Entra ID application with delegated access:
- AuthUrl
  - Label: Authorization URL
  - Required: YES
  - Options (Name: Value):
    - For Single Tenant: https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/authorize
    - For Multi Tenant: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
- TokenUrl
  - Label: Token URL
  - Required: YES
  - Options (Name: Value):
    - For Single Tenant: https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/token
    - For Multi Tenant: https://login.microsoftonline.com/common/oauth2/v2.0/token
- ClientId
  - Label: Client ID
  - Required: YES
- Scope
  - Label: Scope
  - Required: YES
  - Default value: offline_access~Files.Read~Files.Read.All~Files.ReadWrite~Files.ReadWrite.All~openid~profile~Sites.Read.All~Sites.ReadWrite.All~User.Read~
  - Options (name and value are identical): User.Read.All, Group.Read.All, offline_access, Files.Read, Files.Read.All, Files.ReadWrite, Files.ReadWrite.All, openid, profile, Sites.Read.All, Sites.ReadWrite.All, User.Read
  - Description: Permissions you want to use.
- ClientSecret
  - Label: Client Secret
- RefreshTokenFilePath
  - Label: Refresh Token File Path
  - Description: If you can't fit a long refresh token in the ConnectionString from your program, use this. Supply three properties in JSON format, i.e. save this in a file: { "access_token": "YOUR_ACCESS_TOKEN", "refresh_token": "YOUR_REFRESH_TOKEN", "expires_in": 3600 }
- ReturnUrl
  - Label: Return URL
  - Default value: https://zappysys.com/oauth
  - Options (name and value are identical): https://zappysys.com/oauth
- GroupOrUserId
  - Label: Default Group or User Id (additional Scopes needed to list - If fails enter manually)
  - Options (Name: Value):
    - My self (Not Valid for Application Credentials): (blank)
    - For any group: /groups/ENTER-GROUP-EMAIL-OR-ID
    - For any user: /users/ENTER-USER-EMAIL-OR-ID
  - Description: To list all users and groups from your organization you need additional scopes. In the connection UI, choose the User.Read.All and Group.Read.All scopes and regenerate the token. You can also type the value manually if you know the Group or User Id. The format is /users/{id} OR /groups/{id}
- DriveId
  - Label: Default Drive Id (Select after clicking **Generate Token**)
  - Default value: me
- RetryMode
  - Label: RetryMode
  - Default value: RetryWhenStatusCodeMatch
  - Options (name and value are identical): None, RetryAny, RetryWhenStatusCodeMatch
- RetryStatusCodeList
  - Label: RetryStatusCodeList
  - Default value: 429|503|423
  - Description: 429 is API limit reached, 423 is File locked
- RetryCountMax
  - Label: RetryCountMax
  - Default value: 5
- RetryMultiplyWaitTime
  - Label: RetryMultiplyWaitTime
  - Default value: True
- ExtraAttributesForAuthRequest
  - Label: Login Prompt Option
  - Options (Name: Value):
    - None: (blank)
    - Force login prompt: prompt=login
    - Force permission select: prompt=consent
  - Description: Choose this if you want to force the login prompt or the permission prompt.
- SearchOptionForNonIndexedFields
  - Label: Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)
  - Options (Name: Value):
    - Search Only Indexed: (blank)
    - Search Both Indexed and Non-Indexed: HonorNonIndexedQueriesWarningMayFailRandomly
  - Description: If you wish to do certain operations, e.g. search / order by on non-indexed fields, you have to set this option to HonorNonIndexedQueriesWarningMayFailRandomly. By default, filter / order by on non-indexed fields is not allowed.
- ExtraHeaders
  - Label: Extra Headers (e.g. Header1:AAA||Header2:BBB)
  - Options (name and value are identical):
    - MyHeader1:AAA
    - MyHeader1:AAA||MyHeader2:BBB
- IsAppCred
  - Label: IsAppCred
  - Default value: 0
  - Description: For internal use only
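A least-privilege check for the Scope value listed above, added here as an example (it is not ZappySys code or part of the original page). It parses the `~`-delimited string, tags each scope from its name alone (`.All` as broad, `ReadWrite` as write, `offline_access` as issuing a refresh token) and derives a read-only candidate. The function names and the name-based tagging rule are assumptions; confirm any reduced list against the Microsoft Graph permissions reference.

```python
# Added example: audits a '~'-delimited Scope value for least privilege.
# Tags come from the scope name only; they are an assumption, not Graph metadata.

# Default Scope value copied from the parameter list above.
DEFAULT_SCOPE = (
    "offline_access~Files.Read~Files.Read.All~Files.ReadWrite~"
    "Files.ReadWrite.All~openid~profile~Sites.Read.All~"
    "Sites.ReadWrite.All~User.Read~"
)
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def parse_scope(value):
    """Split on '~', drop empty items (the default ends with '~'), de-duplicate."""
    scopes = []
    for item in (part.strip() for part in value.split("~")):
        if item and item not in scopes:
            scopes.append(item)
    return scopes


def classify(scope):
    """Return risk tags for one scope, derived from its name."""
    if scope == "offline_access":
        return ["refresh-token"]  # a refresh token is issued and must be stored
    if scope in OIDC_SCOPES:
        return []
    parts = scope.split(".")[1:]  # e.g. Files.ReadWrite.All -> [ReadWrite, All]
    tags = []
    if parts and parts[-1] == "All":
        tags.append("broad")  # reaches beyond the signed-in user's own items
    if "ReadWrite" in parts:
        tags.append("write")
    return tags


def audit(value):
    """Map each scope that carries a risk tag to its tags."""
    return {s: classify(s) for s in parse_scope(value) if classify(s)}


def read_only_scope(value):
    """Swap each ReadWrite scope for its Read counterpart and re-join with '~'."""
    reduced = "~".join(s.replace(".ReadWrite", ".Read") for s in parse_scope(value))
    return "~".join(parse_scope(reduced))


if __name__ == "__main__":
    for scope, tags in audit(DEFAULT_SCOPE).items():
        print(f"{scope:22} {', '.join(tags)}")
    print("read-only candidate:", read_only_scope(DEFAULT_SCOPE))
```

Run against the default value, it flags six of the ten scopes; a connection that only reads files can start from the read-only candidate and drop further scopes it never uses.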