Azure

OAuth 2.0 / OIDC Flows: Complete Guide to Every Microsoft Entra ID Authentication Pattern

2026-05-24
NicheeLab Editorial Team

OAuth 2.0 and OIDC (OpenID Connect) are the two standard protocols that power authentication and authorization in Microsoft Entra ID. Every modern web app, mobile app, and backend service uses these flows to authenticate against Azure. This article walks through every flow used by Microsoft Entra ID, when to pick which one, and the implementation patterns you need to know.

OAuth 2.0 vs OIDC

ItemOAuth 2.0OIDC
RoleAuthorizationAuthentication
Token issuedAccess TokenID Token (+ Access Token)
PurposeGrant access to resourcesUser identity information
Token formatJWT or opaqueJWT (JSON Web Token)
Claimsscope・audsub・email・name・groups

Microsoft Entra ID supports both protocols, and access to Microsoft 365 / Azure services is implemented by combining OAuth 2.0 + OIDC. The standard pattern is to handle 'user login (OIDC)' and 'API access (OAuth 2.0)' together in a single end-to-end flow.

Authorization Code Flow + PKCE

The standard authentication flow for modern web and mobile apps.

Flow

  1. The app generates a Code Verifier (random string) and sends a SHA-256-hashed Code Challenge to the Authorize endpoint
  2. The user signs in to Microsoft Entra ID and consents
  3. Entra ID redirects an Authorization Code back to the app
  4. The app sends the Code + the original Code Verifier to the Token endpoint
  5. Entra ID validates the Code and PKCE Challenge, then returns an ID Token + Access Token + Refresh Token

PKCE (Proof Key for Code Exchange) prevents code interception attacks against clients that cannot safely store a Client Secret, such as SPAs and mobile apps. For new web apps, Authorization Code + PKCE is recommended across every client type.

Implicit Flow (Deprecated)

The Implicit Flow is deprecated and should not be used for new implementations.

Problems

  • Access Tokens linger in browser history
  • Refresh Tokens cannot be issued
  • Vulnerable to code interception attacks (CSRF Token Replay)

Alternative: SPAs should also use Authorization Code + PKCE, which is the current standard (natively supported by MSAL.js 2.x). Existing Implicit Flow apps should be migrated to Authorization Code + PKCE incrementally.

Client Credentials Flow

A flow that lets non-interactive backend services (daemons, cron jobs, worker processes) call Microsoft Graph or Azure APIs without user involvement.

How it works

  1. The Service Principal sends its Client ID + Client Secret (or Certificate, or Workload Identity Federation) to the Token endpoint
  2. Receives an Application Token (app-level permissions)
  3. Calls the API with the Application Token

Typical use cases

  • Scheduled backup apps
  • Batch jobs that enumerate all tenant users
  • DevOps pipelines manipulating Azure resources
  • Webhook receivers

Eliminate secrets entirely with Workload Identity Federation — the modern best practice. See Managed Identity vs Service Principal for details.

On-Behalf-Of (OBO) Flow

A flow that lets an app where the user is already authenticated (the frontend) call another API (a backend or Microsoft Graph) while preserving the user's permissions.

Scenario

User → Frontend Web App (Entra ID auth) → Frontend calls Backend API → Backend calls Microsoft Graph on behalf of the user.

Flow

  1. The Frontend obtains User Token A from the user via Authorization Code Flow
  2. The Frontend calls the Backend API with Token A
  3. The Backend sends Token A to the Token endpoint and requests 'Token B for Microsoft Graph carrying the same user permissions as Token A'
  4. Entra ID issues Token B
  5. The Backend calls Microsoft Graph with Token B

User permissions are inherited across multi-tier APIs, so the Backend never needs its own elevated Service Principal permissions.

Device Code Flow

A mechanism for authenticating users on devices that cannot present an interactive browser (IoT devices, CLI tools, smart TVs).

Flow

  1. The device obtains a code (for example, ABCD-EFGH)
  2. The device tells the user, 'Go to microsoft.com/devicelogin and enter ABCD-EFGH'
  3. The user opens a browser on another PC or phone, signs in to Entra ID, enters the code, and consents
  4. The device polls the Token endpoint
  5. Once user authentication completes, the device receives the Token

Typical use cases

  • az login (device-code option) in Azure CLI
  • The Azure Account extension in Visual Studio Code
  • Azure PowerShell
  • First-time setup of embedded devices

Delegated vs Application Permissions

ItemDelegatedApplication
BehaviorCall API using the user's permissionsCall API using the app's own permissions
TokenUser TokenApplication Token (Client Credentials)
ScopeLimited to what the user already hasHigh privileges across the entire tenant
ExampleUser.Read (own profile)User.Read.All (all users)
Admin ConsentPer-user consent allowedRequired (Global Administrator)
Use caseUser-facing appsBackend services

Design principle: user-facing apps should always use Delegated; backend services should combine Application + Workload Identity Federation.

Flow Selection Cheat Sheet

  1. Web app (frontend / backend)? → Authorization Code + PKCE
  2. SPA (React, Vue, Angular)? → Authorization Code + PKCE (Implicit is deprecated)
  3. Mobile app (iOS / Android)? → Authorization Code + PKCE
  4. Backend service (daemon, cron job)? → Client Credentials + Workload Identity Federation
  5. Multi-tier API inheriting user permissions? → On-Behalf-Of
  6. Headless CLI / IoT? → Device Code
  7. Azure resource-to-resource auth? → Managed Identity (no need to think about flows)

Microsoft Authentication Library (MSAL)

MSAL is Microsoft's client library that abstracts OAuth 2.0 / OIDC flows. It supports multiple languages:

  • MSAL.js: JavaScript / TypeScript (Web / Node.js)
  • MSAL.NET: C# / .NET
  • MSAL Python: Python
  • MSAL Java: Java
  • MSAL Go: Go
  • MSAL iOS / Android: Mobile

Using MSAL directly is the standard for new implementations; ADAL (Active Directory Authentication Library) is legacy and deprecated. MSAL handles Token caching, automatic Refresh Token renewal, Conditional Access integration, and more for you.

Security Best Practices

  1. Use Authorization Code + PKCE for every client type
  2. Ban Implicit Flow in new implementations
  3. Prefer Certificate / WIF over Client Secret
  4. Grant Application Permissions sparingly and review Admin Consent carefully
  5. Limit Token scopes (principle of least privilege)
  6. Store Refresh Tokens securely (HTTPOnly Cookie, Secure Storage)
  7. Use the MSAL library — avoid rolling your own
  8. Apply Conditional Access to Service Principals via Conditional Access for Workload Identities (Preview)
  9. Keep Token lifetimes short (use Continuous Access Evaluation for immediate revocation on anomalies)
  10. Monitor abnormal Token issuance with Microsoft Sentinel

Related Certifications

Frequently Asked Questions

What is the difference between OAuth 2.0 and OIDC?

OAuth 2.0 is an Authorization protocol that issues Access Tokens granting access to resources. OIDC (OpenID Connect) extends OAuth 2.0 with an Authentication layer, providing ID Tokens that carry user identity information. The ID Token is a JWT (JSON Web Token) and includes claims such as user ID, email, name, and group memberships. Microsoft Entra ID supports both, and access to Microsoft 365 / Azure services is implemented by combining OAuth 2.0 + OIDC. The standard pattern in apps is to handle 'user login (OIDC)' and 'API access (OAuth 2.0)' together in a single end-to-end flow.

What is the Authorization Code Flow + PKCE?

Authorization Code Flow + PKCE is the standard authentication flow for modern web and mobile apps. The flow: 1) the app generates a Code Verifier (random string) and sends a SHA-256-hashed Code Challenge to the Authorize endpoint, 2) the user signs in to Microsoft Entra ID and consents, 3) Entra ID redirects an Authorization Code back to the app, 4) the app sends the Code + original Code Verifier to the Token endpoint, 5) Entra ID validates the Code and PKCE Challenge and returns an ID Token + Access Token + Refresh Token. PKCE (Proof Key for Code Exchange) prevents code interception attacks against clients that cannot safely store a Client Secret, such as SPAs (Single Page Applications) and mobile apps. For new web apps, Authorization Code + PKCE is recommended across every client type.

Can I still use the Implicit Flow today?

The Implicit Flow is deprecated and should not be used for new implementations. Designed for SPAs (Single Page Applications), it returns the Access Token directly from the Authorize endpoint as a URL fragment (#access_token=...) without going through the Token endpoint. The problems: 1) Access Tokens linger in browser history, 2) Refresh Tokens cannot be issued, 3) it is vulnerable to code interception attacks (CSRF Token Replay). The alternative: SPAs should also use Authorization Code + PKCE, which is the current standard (natively supported by MSAL.js 2.x). Existing Implicit Flow apps should be migrated to Authorization Code + PKCE incrementally. Microsoft Identity Platform continues to support Implicit Flow, but new implementations are effectively prohibited.

What is the Client Credentials Flow?

The Client Credentials Flow lets non-interactive backend services (daemons, cron jobs, worker processes) call Microsoft Graph or Azure APIs without any user involvement. The Service Principal sends its Client ID + Client Secret (or Certificate, or Workload Identity Federation) to the Token endpoint and receives an Access Token. It issues an Application Token (app-level permissions), not a User Token, and requires Application-type API Permissions (for example, User.Read.All on Microsoft Graph). Typical use cases: 1) scheduled backup apps, 2) batch jobs that enumerate all tenant users, 3) DevOps pipelines manipulating Azure resources, 4) webhook receivers. The modern best practice is to remove secrets entirely by using Workload Identity Federation.

What is the On-Behalf-Of Flow?

The On-Behalf-Of (OBO) Flow lets an app where the user is already authenticated (the frontend) call another API (a backend or Microsoft Graph) while preserving the user's permissions. Canonical scenario: user → Frontend Web App (Entra ID auth) → Frontend calls Backend API → Backend calls Microsoft Graph on behalf of the user. The flow: 1) the Frontend obtains User Token A via Authorization Code Flow, 2) the Frontend calls the Backend API with Token A, 3) the Backend sends Token A to the Token endpoint and requests 'Token B for Microsoft Graph carrying the same user permissions as Token A', 4) Entra ID issues Token B, 5) the Backend calls Microsoft Graph with Token B. User permissions are inherited across multi-tier APIs, so the Backend never needs its own elevated Service Principal permissions.

When should I use the Device Code Flow?

The Device Code Flow authenticates users on devices that cannot present an interactive browser (IoT devices, CLI tools, smart TVs). The flow: 1) the device obtains a code (for example, ABCD-EFGH), 2) the device tells the user, 'Go to https://microsoft.com/devicelogin and enter ABCD-EFGH', 3) the user opens a browser on another PC or phone, signs in to Entra ID, enters the code, and consents, 4) the device polls the Token endpoint, 5) once user authentication completes, the device receives the Token. Typical use cases: az login (device-code option) in Azure CLI, the Azure Account extension in Visual Studio Code, Azure PowerShell, and first-time setup of embedded devices. It is an important flow widely used by CLI tools and headless environments.

What is the difference between Delegated and Application API Permissions?

Delegated Permissions: the API is called using the signed-in user's permissions, based on a User Token, scoped to whatever the user already has. Application Permissions: the API is called with the app's own permissions, based on an Application Token (Client Credentials Flow), and can carry high privileges across the entire tenant. Example: User.Read (Delegated) on Microsoft Graph only returns the signed-in user's own profile, whereas User.Read.All (Application) can read every user in the tenant. Application Permissions require Admin Consent (granted by a Global Administrator) and should be granted carefully. Design principle: user-facing apps should always use Delegated, while backend services should combine Application + Workload Identity Federation — the modern best practice.

Which certifications cover this topic?

SC-300 (Identity and Access Administrator Associate) is the headline cert for this area — Domain 3 (Manage access to applications, 25-30%) tests OAuth 2.0 / OIDC flows in depth. AZ-204 (Developer Associate, retiring 2026-07) covers MSAL-based implementation in Domain 3 (Security, 20-25%). AI-103 (GA 2026-06) covers authentication patterns for Azure OpenAI / AI Search, SC-100 (Cybersecurity Architect Expert) covers zero-trust authentication architecture, and MS-102 (Microsoft 365 Administrator Expert) covers it in Domain 2. For Azure / Microsoft 365 application developers and identity administrators, understanding OAuth 2.0 / OIDC is an essential skill.

Related Articles and Deep Dives

SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】

Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。

Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】

Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。

AZ-104 vs AZ-204 完全比較|Microsoft Azure Administrator vs Developer Associate の違いと選び方【2026 年版】

Microsoft Azure の 2 大 Associate 認定 AZ-104 (Administrator) と AZ-204 (Developer) を完全比較。対象ロール・出題範囲・難易度・学習時間・受験料・キャリアパスを表形式で整理。AZ-204 2026 年 7 月リタイア後の判断材料、両方取る価値、次の認定への進路まで日本語で網羅。

Microsoft Entra ID パスワードレス認証完全ガイド|Authenticator・FIDO2・Windows Hello・TAP・CBA【2026 年版】

Microsoft Entra ID のパスワードレス認証 5 方式 (Microsoft Authenticator・FIDO2・Windows Hello for Business・Temporary Access Pass・Certificate-based) を完全解説。Number Matching・段階的導入ロードマップ・特権ロール向け FIDO2・関連認定試験 (SC-300 / SC-100 / MS-102) を日本語で網羅。

The technical information in this article is based on the Microsoft Identity Platform Documentation and the MSAL Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship arrangement with Microsoft. Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies. OAuth 2.0 is an IETF specification; OIDC is an OpenID Foundation specification. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.