This project is being archived and replaced with the Build .NET Core apps with the Microsoft Graph SDK training. As part of the archival process, we're closing all open issues and pull requests.
You can continue to use this sample "as-is", but it won't be maintained moving forward. We apologize for any inconvenience.
- Introduction
- Prerequisites
- Register the delegated permissions application
- Register the application permissions application
- Build and run the sample
- Questions and comments
- Contributing
- Additional resources
This sample application provides a repository of code snippets that use the Microsoft Graph to perform common tasks, such as sending email, managing groups, and other activities from within a Windows console application. It uses the Microsoft Graph .NET Client SDK to work with data returned by the Microsoft Graph.
The sample uses the Microsoft Authentication Library (MSAL) for authentication. The sample demonstrates both delegated and application permissions.
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests, and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent. This application contains some groups-related operations that require administrative consent; these operations, and the permissions they require, are commented out by default.
Application permissions are used by apps that run without a signed-in user present; you can use this type of permission for apps that run as background services or daemons and that therefore will neither have nor require user consent. Application permissions can only be consented to by a tenant administrator. It is important that you understand that you give this sample a lot of power by providing it admin consent. For example, if you run this sample in AppMode against your tenant, you will create a group, add and then remove members of the group, and then delete the group.
If you want to use both types of permissions, you'll need to create and configure two applications in the Azure Active Directory admin center, one for delegated permissions and another for application permissions. The sample is structured so that you can configure only one application if you're interested in only one type of permission. Use the UserMode class if you're interested only in delegated permissions and the AppMode class if you're interested only in application permissions.
See Delegated permissions, Application permissions, and effective permissions for more information about these permission types. Also see Get access without a user for more information on application permissions specifically.
This sample requires the following:
- An Office 365 for business account. An Office 365 administrator account is required to run admin-level operations and to consent to application permissions. You can sign up for an Office 365 Developer subscription that includes the resources that you need to start building apps.

This sample contains examples that use both delegated permissions and application permissions, so you'll need to register the app separately for each scenario.
1. Navigate to the Azure Active Directory admin center. Log in using a personal account (aka: Microsoft Account) or Work or School Account.
2. Select Azure Active Directory in the left-hand navigation, then select App registrations (Preview) under Manage.
3. Select New registration. On the Register an application page, set the values as follows.
   - Set Name to Console Snippets Sample (Delegated perms).
   - Set Supported account types to Accounts in any organizational directory and personal Microsoft accounts.
   - Leave Redirect URI empty.
   - Choose Register.
4. On the Console Snippets Sample (Delegated perms) page, copy the values of both the Application (client) ID and the Directory (tenant) ID. Save these two values, since you will need them later.
5. Select the Add a Redirect URI link. On the Redirect URIs page, locate the Suggested Redirect URIs for public clients (mobile, desktop) section. Select the URI that begins with msal and the urn:ietf:wg:oauth:2.0:oob URI.
6. Open the sample solution in Visual Studio and then open the Constants.cs file. Change the Tenant string to the Directory (tenant) ID value you copied earlier. Change the ClientIdForUserAuthn string to the Application (client) ID value.
1. Navigate to the Azure Active Directory admin center. Log in using a Work or School Account.
2. Select Azure Active Directory in the left-hand navigation, then select App registrations (Preview) under Manage.
3. Select New registration. On the Register an application page, set the values as follows.
   - Set Name to Console Snippets Sample (Application perms).
   - Set Supported account types to Accounts in any organizational directory.
   - Leave Redirect URI empty.
   - Choose Register.
4. On the Console Snippets Sample (Application perms) page, copy and save the values for the Application (client) ID and the Directory (tenant) ID. You will need them in step 7.
5. Select Certificates & secrets under Manage. Select the New client secret button. Enter a value in Description, select any option for Expires and choose Add.
6. Copy the client secret value before leaving the page. You will need it in the next step.
7. Open the sample solution in Visual Studio and then open the Constants.cs file. Change the Tenant string to the Directory (tenant) ID value you copied earlier. Similarly, change the ClientIdForAppAuthn string to the Application (client) ID value and change the ClientSecret string to the client secret value.
8. Return to the Azure Active Directory management center. Select API permissions and then select Add a permission. On the panel that appears, choose Microsoft Graph and then choose Application permissions.
9. Use the Select permissions search box to search for the following permissions: Directory.Read.All, Group.ReadWrite.All, Mail.Read, Mail.ReadWrite, and User.Read.All. Select the check box for each permission as it appears (note that the permissions will not remain visible in the list as you select each one). Select the Add permissions button at the bottom of the panel.
10. Choose the Grant admin consent for [tenant name] button. Select Yes for the confirmation that appears.
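To check which kind of permission a token carries once both registrations are done, the following added example (not part of the original sample) decodes an access token's payload and compares its scp claim (delegated) or roles claim (application) with the five application permissions listed above. The class name, the constructed unsigned token and its extra Sites.FullControl.All entry are assumptions for illustration; the payload is decoded without signature validation, for diagnostics only.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenPermissionCheck // hypothetical name, not in the sample
{
    // Application permissions granted in the registration steps of this README.
    static readonly HashSet<string> Expected = new HashSet<string>
        { "Directory.Read.All", "Group.ReadWrite.All", "Mail.Read", "Mail.ReadWrite", "User.Read.All" };

    // Decode the JWT payload segment (base64url) without verifying the signature.
    static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a three-part JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return doc.RootElement.Clone();
    }

    // scp (space-separated string) marks a delegated token; roles (array) an app-only token.
    static (string Kind, string[] Permissions) Classify(JsonElement payload)
    {
        if (payload.TryGetProperty("scp", out JsonElement scp) && scp.ValueKind == JsonValueKind.String)
            return ("delegated", scp.GetString().Split(' ', StringSplitOptions.RemoveEmptyEntries));
        if (payload.TryGetProperty("roles", out JsonElement roles) && roles.ValueKind == JsonValueKind.Array)
            return ("application", roles.EnumerateArray().Select(r => r.GetString()).ToArray());
        return ("none", Array.Empty<string>());
    }

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed sample token with a placeholder signature; not a real credential.
        string payload = "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Group.ReadWrite.All\",\"Mail.ReadWrite\",\"Sites.FullControl.All\"]}";
        string jwt = B64Url("{\"alg\":\"none\"}") + "." + B64Url(payload) + ".sig";

        var (kind, perms) = Classify(DecodePayload(jwt));
        Console.WriteLine($"{kind}: {string.Join(", ", perms)}");
        foreach (string extra in perms.Where(p => !Expected.Contains(p)))
            Console.WriteLine($"UNEXPECTED permission beyond the README's list: {extra}");
    }
}
```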
- Open the sample solution in Visual Studio.
- Press F5 to build and run the sample. This will restore the NuGet package dependencies and open the console application.
- Select User mode to run the application with delegated permissions only. Select App mode to run the application with application permissions only. Select both to run using both types of permissions.
- When you run User mode, you'll be prompted to sign in with an account on your Office 365 tenant and consent to the permissions that the application requests. If you want to run the groups-related operations in the UserMode class, you'll need to uncomment the GetDetailsForGroups method in the UserMode.cs file and the Group.Read.All scope in the AuthenticationHelper.cs file. After you make those changes only an admin will be able to sign in and consent. Otherwise, you can sign in and consent with a non-admin user.
- When you run App mode, the application will begin performing a number of common groups-related tasks that only an admin can do. Since you've already authorized the application to make these operations, you won't be prompted to sign in and consent.
We'd love to get your feedback about the Microsoft Graph API Console App. You can send your questions and suggestions in the Issues section of this repository.
Questions about Microsoft Graph development in general should be posted to Stack Overflow. Make sure that your questions or comments are tagged with [microsoftgraph].
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
- Get access without a user
- Delegated permissions, Application permissions, and effective permissions
- Microsoft Graph
Copyright (c) 2017 Microsoft. All rights reserved.