Tags: oauth-2.0, azure-active-directory, microsoft-graph-api, azure-ad-msal, microsoft-graph-sdks

Which MSAL Authentication Flow?


I built a SaaS application that needs to retrieve all our customers' Users & Groups from Microsoft Graph daily.

The setup part can be interactive but the Microsoft Graph is not (as it is a background task on the server-side).

I have a hard time understanding which flow I should use. When I look at the list of Authentication flows (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows), I naturally see the Client credentials flow recommended for daemon apps. However, the drawback seems to be the setup complexity. The administrator needs to manually register an app, generate the secret, etc., which I would like to avoid.

On the other hand, I see the other flows (Authorization code, etc.) where there is a very streamlined authentication process. It seems that I can store the refresh token on the backend side and use it from the backend in a daemonized way. It seems to be the best of both worlds. Is this pattern correct? Is it reliable?

Note: My SaaS has a UI and users can log in to it during the setup part.


Solution

  • The administrators won't need to register your app manually and generate the secret. It's you who generates the secret for your server side, and you will use your client ID and the secret to access Graph in offline mode. For that you'll need your clients' administrators' consent, which you can get by redirecting them to the admin consent page; it will present the list of permissions required by your application to access the Graph data. All of this is described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
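The two exchanges the answer describes, as an added example that is not part of the original question or answer: the SaaS UI redirects the customer's administrator to the v2.0 admin consent endpoint of your multi-tenant app registration, your callback validates what comes back and records the tenant ID, and the daily job then builds a client-credentials token request for that tenant using your own client ID and secret. The client ID, secret, redirect URI, and tenant GUID are placeholders, and the callback URL is constructed to look like the redirect Microsoft sends after a successful consent; the code builds and checks the requests offline and does not send them.

```python
# Added example (not from the original question or answer): the two HTTP
# exchanges the answer describes, built offline so they can be inspected.
# 1. Redirect a customer admin to the admin-consent endpoint for our
#    multi-tenant app registration.
# 2. On the callback, check state, confirm consent, record the tenant ID.
# 3. For the daily job, build the client-credentials token request for that
#    tenant (the secret is ours; the customer never creates one).
# Endpoints follow the v2.0 admin consent and client credentials docs; the
# client ID, secret, redirect URI, and tenant GUID below are placeholders.
import secrets
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"  # all consented app permissions

CLIENT_ID = "00000000-0000-0000-0000-000000000000"        # placeholder app (client) ID
CLIENT_SECRET = "placeholder-secret-kept-in-our-vault"     # placeholder; never shipped to customers
REDIRECT_URI = "https://saas.example/consent/callback"     # placeholder registered redirect URI


def new_state() -> str:
    """Unguessable, single-use value bound to the admin's SaaS session (anti-CSRF)."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(state: str) -> str:
    """Step 1: URL the SaaS UI redirects the customer's admin to.

    'organizations' is used as the tenant segment because the customer's
    tenant ID is not known until they consent.
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": GRAPH_DEFAULT_SCOPE,
        "state": state,
    }
    return f"{AUTHORITY}/organizations/v2.0/adminconsent?{urlencode(params)}"


def parse_admin_consent_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back from Microsoft and return the tenant ID.

    Everything in the query string is attacker-controllable until the state
    check passes, so check state first, then the outcome, then the tenant.
    """
    query = parse_qs(urlsplit(callback_url).query)

    def first(key: str) -> str:
        return query.get(key, [""])[0]

    if not secrets.compare_digest(first("state").encode(), expected_state.encode()):
        raise ValueError("state mismatch: stale or forged callback")
    if first("error"):
        raise ValueError(f"consent failed: {first('error')}: {first('error_description')}")
    if first("admin_consent") != "True":
        raise ValueError("admin_consent not granted")

    tenant = first("tenant")
    try:
        return str(uuid.UUID(tenant))  # GUID only; rejects path tricks like '../common'
    except ValueError:
        raise ValueError(f"unexpected tenant value: {tenant!r}") from None


def build_client_credentials_request(tenant_id: str) -> tuple:
    """Step 3: token endpoint and form body for the daily background job."""
    token_url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    return token_url, form


# Constructed callback, shaped like Microsoft's redirect after a successful consent.
SAMPLE_STATE = "sample-state-bound-to-session"
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant GUID
SAMPLE_CALLBACK = REDIRECT_URI + "?" + urlencode({
    "admin_consent": "True",
    "tenant": SAMPLE_TENANT,
    "scope": GRAPH_DEFAULT_SCOPE,
    "state": SAMPLE_STATE,
})

if __name__ == "__main__":
    state = new_state()
    print("redirect admin to:", build_admin_consent_url(state))
    tenant = parse_admin_consent_callback(SAMPLE_CALLBACK, SAMPLE_STATE)
    url, form = build_client_credentials_request(tenant)
    print("daily job POSTs to:", url, "with grant_type", form["grant_type"])
```

The state value must be generated per setup session, stored server-side, and consumed once; the tenant ID from the callback is only trusted after that check and after it parses as a GUID, since it ends up in the path of the token URL. The access token the daily job gets back is issued for that tenant only, so store one tenant ID per customer and run step 3 per tenant.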