Tags: azure, microsoft-teams, azure-ad-graph-api, skype-for-business

Unable to get Token with Work Account for Teams OnlineMeeting API within MS Graph platform


Business Requirement: We want to replace our Skype meeting URL with a Teams meeting on our production system (within an ABAP daemon service, without user interaction). So I am trying to integrate with Teams using the Microsoft Graph API to be able to generate online meetings. This online meeting URL will then be sent to our customer by mail.

Target Graph API: For the MS Graph API v1.0 version, I think the only option is Create onlineMeeting (the Graph API /beta version is not a good option for production usage). According to the MS Graph v1.0 documentation for Create onlineMeeting, this API only supports permissions of the Delegated type. I think we could only use the username/password authentication flow. Correct me if I'm wrong.

Issues: I'm trying to get a token with username and password as described in ROPC (Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials), using the following request to test it with my corporate mail.

POST /{{TenantId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0

grant_type=password&client_id={{ClientId}}&client_secret={{ClientSecret}}&scope=https://graph.microsoft.com/onlineMeetings.ReadWrite&[email protected]&password=MyPassword

But it always gets an invalid_grant response: AADSTS50126: Error validating credentials due to invalid username or password. I don't know why it cannot get a token response with my corporate (work) mail/account **@sap.com; I'm sure my password and the other parameters are correct.

And if I use a new test user [email protected], which is created in Azure Active Directory, I get a token successfully. This user doesn't need two-step authentication when logging in to Azure. But this user does have a Teams/OnlineMeeting license, so it couldn't generate an onlineMeeting.

My Question:

  1. Could it be caused by the MFA configuration of my org? Because I noticed that every time I log in to https://aad.portal.azure.com/, there is a second authentication step, verification with a message to my phone. If yes, would it be possible to disable MFA for some test/dev accounts permanently? Where should we configure it? Within MS Azure or somewhere else? Who should I get support from?

  2. For this Create onlineMeeting API, is there another authentication flow for this Delegated permission type that works for a back-end daemon service?

Thanks and Best Regards, Ward


Solution

  • MFA will definitely prevent you from using this authentication flow. The Resource Owner Password Credentials flow and its use are discouraged. There are many flows which are more secure, and usually you can use ones like authorization code flow to achieve what you want.

    MFA is configured by your organization, you'll need to contact your IT about that. But I would not recommend disabling MFA for this.

    A back-end daemon application needs to either use application permissions or a refresh token. If the API in question does not support application permissions, you can acquire a refresh token for a user through the authorization code flow, store it securely, and use it whenever you need a new token. If you do this, be sure to overwrite the old refresh token with the new one that you get when you ask for an access token.
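The refresh-token approach from the answer, worked through as an added example in Python (it is not code from the question or the answer, and the questioner's ABAP service would do the same exchanges over HTTP). It assumes placeholder values for TENANT_ID, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI, requests the `offline_access` scope (which is what makes the v2.0 token endpoint return a refresh token), and injects the HTTP call so the store can be exercised offline against `FakeTokenEndpoint`, a constructed stand-in whose "only the newest refresh token works" behaviour is there to show why the old token must be overwritten, not a statement about how Azure AD itself behaves.

```python
"""Daemon-side token handling for a delegated Graph permission. Added example: TENANT_ID,
CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are assumed placeholders; the HTTP call is injected."""
import json
import os
import tempfile
import time
import urllib.parse

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # assumed placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # assumed placeholder
CLIENT_SECRET = "REPLACE_ME"                          # assumed placeholder
REDIRECT_URI = "https://daemon.example.com/callback"  # assumed placeholder
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"
# offline_access is the scope that makes the token endpoint return a refresh token.
SCOPE = "offline_access https://graph.microsoft.com/OnlineMeetings.ReadWrite"


def authorization_url(state):
    # One-time interactive step: the meeting organizer signs in (MFA included) and consents.
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "response_mode": "query", "scope": SCOPE, "state": state}
    return f"{AUTHORITY}/authorize?" + urllib.parse.urlencode(params)


def _form(extra):
    body = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "scope": SCOPE}
    body.update(extra)
    return body


class TokenStore:
    """Persists the refresh token and caches the access token.
    post(url, form) -> (status, json_dict) is injected; real code would use requests.post."""

    def __init__(self, path, post):
        self.path, self.post = path, post
        self.state = {"refresh_token": None, "access_token": None, "expires_at": 0}
        if os.path.exists(path):
            with open(path) as fh:
                self.state = json.load(fh)

    def _save(self):
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.state, fh)
        os.chmod(tmp, 0o600)
        os.replace(tmp, self.path)  # atomic overwrite: the previous refresh token is not kept

    def _apply(self, status, resp):
        if status != 200:
            raise PermissionError(f"{resp.get('error')}: {resp.get('error_description')}")
        self.state["access_token"] = resp["access_token"]
        self.state["expires_at"] = time.time() + int(resp["expires_in"])
        if resp.get("refresh_token"):  # the endpoint may rotate it; always keep the newest
            self.state["refresh_token"] = resp["refresh_token"]
        self._save()
        return self.state["access_token"]

    def redeem_code(self, code):
        # Exchange the code from the redirect for the first access token and refresh token.
        return self._apply(*self.post(f"{AUTHORITY}/token", _form(
            {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})))

    def access_token(self, skew=60):
        # Serve the cached token while it is fresh; otherwise use the refresh token.
        if self.state["access_token"] and time.time() < self.state["expires_at"] - skew:
            return self.state["access_token"]
        if not self.state["refresh_token"]:
            raise PermissionError("no refresh token: rerun the authorization-code step")
        return self._apply(*self.post(f"{AUTHORITY}/token", _form(
            {"grant_type": "refresh_token", "refresh_token": self.state["refresh_token"]})))


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so this runs offline: it issues a new
    refresh token on every grant and honours only the most recently issued one."""
    def __init__(self):
        self.n, self.live = 0, set()

    def __call__(self, url, form):
        if form["grant_type"] == "refresh_token" and form["refresh_token"] not in self.live:
            return 400, {"error": "invalid_grant", "error_description": "stale refresh token"}
        self.live.discard(form.get("refresh_token"))
        self.n += 1
        self.live.add(f"rt-{self.n}")
        return 200, {"access_token": f"at-{self.n}", "expires_in": 3600,
                     "refresh_token": f"rt-{self.n}"}


def demo():
    # Bootstrap, cached use, refresh, daemon restart, and a refresh with the overwritten token.
    endpoint = FakeTokenEndpoint()
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    store = TokenStore(path, endpoint)
    first = store.redeem_code("code-from-redirect")   # at-1, rt-1 persisted
    cached = store.access_token()                     # still fresh: no network call
    store.state["expires_at"] = 0                     # simulate the hour passing
    second = store.access_token()                     # at-2; rt-2 overwrites rt-1 on disk
    restarted = TokenStore(path, endpoint)            # restart reloads rt-2 from disk
    restarted.state["expires_at"] = 0
    third = restarted.access_token()                  # at-3; rt-3 overwrites rt-2
    stale = TokenStore(path, endpoint)
    stale.state.update(refresh_token="rt-1", expires_at=0)
    try:
        stale.access_token()
        stale_rejected = False
    except PermissionError:
        stale_rejected = True                         # the overwritten token is useless
    return first, cached, second, third, restarted.state["refresh_token"], stale_rejected
```

`authorization_url` is the one interactive step: a user who actually holds the Teams license opens it once, completes MFA and consent, and the daemon redeems the code. From then on the daemon only ever holds the refresh token, which is why it belongs in a secrets store rather than the plain file used here for the demo, and why each token response must overwrite the stored refresh token rather than being kept alongside it.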