Authentication

User Credentials

Description

Use delegated access (User Credentials) whenever you want to let a signed-in user work with their own resources or resources they can access. Whether it's an admin setting up policies for their entire organization or a user deleting an email in their inbox, all scenarios involving user actions should use delegated access. [API reference]

Instructions

Follow these simple steps below to create Microsoft Entra ID application with delegated access:

WARNING: To automate your company's processes, make sure you use a system/generic account (e.g. automation@my-company.com). When you use a personal account which is tied to a specific employee profile and that employee leaves the company, the token may become invalid and any automated processes using that token will start to fail.

Navigate to the Azure Portal and log in using your credentials.
Access Microsoft Entra ID.
Register a new application by going to App registrations and clicking on New registration button:
INFO: Find more information on how to register an application in Graph API reference.
When configuration window opens, configure these fields:
- Supported account type
  - Use Accounts in this organizational directory only, if you need access to data in your organization only.
- Redirect URI:
  - Set the type to Public client/native (mobile & desktop).
  - Use https://zappysys.com/oauth as the URL.
After registering the app, copy the Application (client) ID for later:
Then copy OAuth authorization endpoint (v2) & OAuth token endpoint (v2) URLs to use later in the configuration:
Now go to SSIS package or ODBC data source and use the copied values in User Credentials authentication configuration:
- In the Authorization URL field paste the OAuth authorization endpoint (v2) URL value you copied in the previous step.
- In the Token URL field paste the OAuth token endpoint (v2) URL value you copied in the previous step.
- In the Client ID field paste the Application (client) ID value you copied in the previous step.
- In the Scope field use the default value or select individual scopes, e.g.:
  - email
  - offline_access
  - openid
  - profile
  - User.Read
  - Files.Read.All
  - Files.ReadWrite.All
Press Generate Token button to generate Access and Refresh Tokens.
Optional step. Choose Default Site Id from the drop down menu.
Click Test Connection to confirm the connection is working.
Done! Now you are ready to use the API Connector!

Parameters

Parameter Required Default value Options

Name: AuthUrl

Label: Authorization URL

YES

Name	Value
For Single Tenant	https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/authorize
For Multi Tenant	https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Name: TokenUrl

Label: Token URL

YES

Name	Value
For Single Tenant	https://login.microsoftonline.com/{ENTER-TENANT-ID-HERE}/oauth2/v2.0/token
For Multi Tenant	https://login.microsoftonline.com/common/oauth2/v2.0/token

Name: ClientId

Label: Client ID

YES

Name: Scope

Label: Scope

Permissions you want to use.

YES

offline_access~Files.Read~Files.Read.All~Files.ReadWrite~Files.ReadWrite.All~openid~profile~Sites.Read.All~Sites.ReadWrite.All~User.Read~

Name	Value
User.Read.All	User.Read.All
Group.Read.All	Group.Read.All
offline_access	offline_access
Files.Read	Files.Read
Files.Read.All	Files.Read.All
Files.ReadWrite	Files.ReadWrite
Files.ReadWrite.All	Files.ReadWrite.All
openid	openid
profile	profile
Sites.Read.All	Sites.Read.All
Sites.ReadWrite.All	Sites.ReadWrite.All
User.Read	User.Read

Name: ClientSecret

Label: Client Secret

Name: RefreshTokenFilePath

Label: Refresh Token File Path

If you cant fit long refresh token in ConnectionString from your program then use this. Supply three properties in json format (i.e. save this in file { "access_token": "YOUR_ACCESS_TOKEN", "refresh_token": "YOUR_REFRESH_TOKEN", "expires_in": 3600 } )

Name: ReturnUrl

Label: Return URL

https://zappysys.com/oauth

Name	Value
https://zappysys.com/oauth	https://zappysys.com/oauth

Name: GroupOrUserId

Label: Default Group or User Id (additional Scopes needed to list - If fails enter manually)

To list all users and groups from your organizations you need additional scopes. See connection UI - Choose User.Read.All and Group.Read.All Scopes and regenerate token. You can manually type value too if you know Group or User Id. Format is /users/{id} OR /groups/{id}

Name	Value
My self (Not Valid for Application Credentials)
For any group	/groups/ENTER-GROUP-EMAIL-OR-ID
For any user	/users/ENTER-USER-EMAIL-OR-ID

Name: DriveId

Label: Default Drive Id (Select after clicking **Generate Token**)

me

Name: RetryMode

Label: RetryMode

RetryWhenStatusCodeMatch

Name	Value
None	None
RetryAny	RetryAny
RetryWhenStatusCodeMatch	RetryWhenStatusCodeMatch

Name: RetryStatusCodeList

Label: RetryStatusCodeList

429 is API limit reached, 423 is File locked

429|503|423

Name: RetryCountMax

Label: RetryCountMax

5

Name: RetryMultiplyWaitTime

Label: RetryMultiplyWaitTime

True

Name: ExtraAttributesForAuthRequest

Label: Login Prompt Option

Choose this if you want to force login prompt or permission prompt.

Name	Value
None
Force login prompt	prompt=login
Force permission select	prompt=consent

Name: SearchOptionForNonIndexedFields

Label: Search Option For Non-Indexed Fields (Default=Blank - Search Only Indexed)

If you wish to do certain operations e.g. search / order by on non-indexed fields then you have to set this option to HonorNonIndexedQueriesWarningMayFailRandomly. By default filter / orderby on non-indexed fields not allowed.

Name	Value
Search Only Indexed
Search Both Indexed and Non-Indexed	HonorNonIndexedQueriesWarningMayFailRandomly

Name: ExtraHeaders

Label: Extra Headers (e.g. Header1:AAA||Header2:BBB)

Name	Value
MyHeader1:AAA	MyHeader1:AAA
MyHeader1:AAA\|\|MyHeader2:BBB	MyHeader1:AAA\|\|MyHeader2:BBB

Name: IsAppCred

Label: IsAppCred

For internal use only

0