Version: 2024

Microsoft Graph authentication

Introduction to Microsoft Graph authentication

This chapter describes the required steps to connect to Microsoft Graph webservices (Azure, Office 365, Microsoft 365). Detailed information about Microsoft Graph can be found here:

The different types of permissions for Microsoft Graph are explained here. To get access to the API without a user's credentials, Application permissions are used.

To access Microsoft Graph using Application permissions, first follow the instructions on this page to configure the app registration, which is required to retrieve an authorization token.

Process flow

Once you have set up your app registration in the Azure portal, you can create a process flow to authenticate and call the required services.

This example uses the following process flow. It is triggered by the execution of a task, uses an HTTP connector to authenticate and get an authorization token, calls a Graph web service using that token, and shows the response of that call. Only the two HTTP connector actions are described here.

Example process flow

The process flow uses three process variables, token, header and response, all of type nvarchar(max).

HTTP connector: Authenticate

The authentication process action retrieves an authorization token required to access the web service.


The input parameters of the process action should be configured like this:

| Input parameter | Assignment | Value |
| --------------- | ---------- | ----- |
| URL | Constant value | {tenant}/oauth2/v2.0/token |
| HTTP method | Constant value | POST |
| Content-Type | Constant value | application/x-www-form-urlencoded |
| Content | Constant value | client_id={client id}&{client secret}&grant_type=client_credentials |

The tenant, client id and client secret for the registered app can be found in the Overview and Certificates & secrets pages of the Azure portal.

Example HTTP connector input configuration


The content of the response is stored in the token parameter by mapping it to the Content output parameter.

| Output parameter | Value |
| ---------------- | ----- |
| Content | token |

To extract the authorization token from the response and create the authorization header, add the following code to the process procedure of the authentication action:

set @header = '[{ "Key": "Authorization", "Value": "Bearer ' 
+ json_value(@token, '$.access_token') + '" }]'
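
As an added example (not part of the original page or the product's own code), the process procedure can validate the token response before it builds the header, so that a failed authentication stops the flow instead of producing a NULL header. The declare statements, the sample response and the error numbers 50001 to 50003 are assumptions made for the example.

```sql
-- Added example: @token and @header are the process variables from this page.
-- The declarations and the sample response are constructed so the batch runs stand-alone.
declare @token  nvarchar(max) = N'{"token_type":"Bearer","expires_in":3599,'
                              + N'"access_token":"constructed.sample.token"}';
declare @header nvarchar(max);

-- 1. A gateway or proxy error page is not JSON; stop before parsing it.
--    isjson(NULL) is NULL, so an empty response is treated as invalid too.
if isnull(isjson(@token), 0) <> 1
    throw 50001, 'Token endpoint did not return JSON.', 1;

-- 2. Read the fields with an explicit schema. json_value() returns at most
--    nvarchar(4000) and yields NULL for longer values in lax mode.
declare @access_token      nvarchar(max),
        @token_type        nvarchar(4000),
        @error             nvarchar(4000),
        @error_description nvarchar(max);

select @access_token      = access_token,
       @token_type        = token_type,
       @error             = error,
       @error_description = error_description
from openjson(@token)
with (access_token      nvarchar(max),
      token_type        nvarchar(4000),
      error             nvarchar(4000),
      error_description nvarchar(max));

-- 3. A failed request carries "error" / "error_description" instead of a token.
if @error is not null
begin
    declare @msg nvarchar(2048) =
        concat('Token request failed: ', left(@error, 200), ' - ', left(@error_description, 500));
    throw 50002, @msg, 1;
end;

-- 4. Accept only a non-empty bearer token. The token never goes into a message.
if isnull(@access_token, N'') = N'' or isnull(@token_type, N'') <> N'Bearer'
    throw 50003, 'Token response did not contain a bearer access token.', 1;

-- 5. Build the header as on this page; string_escape keeps the value inside the JSON string.
set @header = N'[{ "Key": "Authorization", "Value": "Bearer '
            + string_escape(@access_token, 'json') + N'" }]';

select isjson(@header) as header_is_valid_json;  -- stand-alone check only
```

In the process procedure itself, the two declare statements for @token and @header and the final select are dropped, because the process flow supplies those variables.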

HTTP connector: call web service

The next process action calls the required web service, which in this example is a service to list all groups.


The input parameters of the process action should be configured like this:

| Input parameter | Assignment | Value |
| --------------- | ---------- | ----- |
| URL | Constant value | $select=displayName |
| HTTP method | Constant value | GET |


The output parameter Content should be assigned to the response parameter.

| Output parameter | Value |
| ---------------- | ----- |
| Content | response |

After the call, the response parameter will have the following JSON content:

{
  "@odata.context": "$metadata#groups(displayName)",
  "@odata.nextLink": "$select=displayName",
  "value": [
    { "displayName": "Business Development" },
    { "displayName": "Marketing" },
    { "displayName": "Service & Care" },
    { "displayName": "Product Innovation" }
  ]
}

Process the results

To process the results, use the SQL Server json_value and openjson functions, for example:

-- @response is the process variable that holds the JSON returned by the web service call
select json_value(a.value, '$.displayName') as displayName
from openjson(@response, '$.value') a

| displayName |
| -------------------- |
| Business Development |
| Marketing |
| Service & Care |
| Product Innovation |
