Is there way to authenticate to Graph API using Username and Password without Application Registration in Azure AD

Question

I'm creating an app that needs to authenticate to multiple Office 365 applications in differing tenants using the Graph API. If I follow Microsoft's guidance I can do this, but I have to register the app in each new Azure AD which adds quite a lot of overhead for the user. I'd like to be able to avoid this step and use a username and password only in the authentication provider. This is the link to the Microsoft page which gives example code: https://docs.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS#usernamepassword-provider

Thanks

Nathan

Answer 1

Is there way to authenticate to Graph API using Username and Password without Application Registration in Azure AD?

To access the data in Microsoft Graph, your application will need to acquire an OAuth 2.0 access token. To achieve access token you must need application Id.No way to bypass it.

Unfortunately, You have to register an App for accessing Microsoft Graph API resources. Because Graph API requires ApplicationId, Application Secret to authenticate request. In that case you have no other options. Its a application architecture.

As you may know, to use Graph API you need to use any of the authentication grant flow provided by Microsoft. If you seen the documentation you would know that each of the application at least need to have application Id which Graph API uses to trace the request is for.

For more details you can have a look official docs

Answer 2

You need your application registration to get the ClientID and TenantID and the permissions to use the Graph API, but you could use without the token with user and password.

With this (max) combination of Libraries (You could not use the 3 first):

Azure.Core 1.24.0
Azure.Identity 1.6.0
Microsoft.Bcl.AsyncInterfaces 6.0.0
Microsoft.Graph 3.35.0
Microsoft.Graph.Auth 1.0.0 Preview 7
Microsoft.Graph.Core 1.25.1
Microsoft.Identity.Client 4.39.0
Microsoft.Identity.Client.Extensions.Msal 2.19.3

Just because Microsoft.Graph.Auth is deprecated (No more updates)

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System.Security;

In the function you are goint to work you could use: GraphServiceClient graphClient = await CreateGraphClient();

To set your password (with or without the static):

public static SecureString Password
        {
            get
            {
                var password = "xxxxxxxxx";
                if (password.StartsWith("Error."))
                    throw new InvalidProgramException(password);
                SecureString secPass = new SecureString();
                password.ToCharArray().ToList().ForEach(secPass.AppendChar);
                secPass.MakeReadOnly();
                return secPass;
            }
        }

internal static string UserName { get; } = "Usuario";

And you could define (with or without the static) the function as:

internal static async Task<GraphServiceClient> CreateGraphClient()
        {
            var pass = Password;
            IPublicClientApplication publicClientApplication = PublicClientApplicationBuilder
                                   .Create(ClientID)
                                   .WithTenantId(TenantID)
                                   .Build();
            UsernamePasswordProvider authProvider = new UsernamePasswordProvider(publicClientApplication);
            GraphServiceClient graphClient = new GraphServiceClient(authProvider);
            try
            {
                User usr = await graphClient.Me.Request().WithUsernamePassword(UserName, pass).GetAsync();
            }
            catch {
                throw;
            }
            return graphClient;
        }