Microsoft Graph Authentication Guide

How to authenticate Microsoft Graph for use with Tines

Written by Daniel Stoeski
Updated over a week ago

Microsoft Graph provides programmatic access to a wealth of data that can be used to better inform decision-making during threat detection and response. You can use information such as Outlook emails, organizational structure, advanced threat analytics, and more in your security automation program.

First, create a Microsoft Graph credential in Tines

  1. Log in to your Tines tenant

  2. Navigate to the team that will be using the API and click "Credential"

  3. Click "+ New Credential" and select "OAuth 2.0"

  4. Copy the "Callback URL"

Next, create an Azure application

  1. Log in to your existing Azure account, or sign up if you haven't already

  2. Next, you'll need to register a new Azure application in app registrations.

  3. Under "Redirect URI (optional)", select "Web" and paste the "Callback URL" you copied earlier.


  4. Next, in your application, navigate to Certificates & secrets > Client secrets and click on the "New client secret" button to create a client secret. Copy the secret to use later.



  5. Next, navigate to API permissions and click on "Add a permission" to add the required permission (see Microsoft Graph permissions).



    Microsoft Graph exposes two types of permissions: Delegated and Application (see Overview of Microsoft Graph permissions)

    1. Delegated permissions (also called scopes) are permissions that allow an application to act on behalf of a signed-in user. However, the application will never be able to access anything the signed-in user couldn't access.

      1. If you select delegated permissions, you'll need to use the grant type "Authorization code" when configuring the OAuth 2.0 credential in Tines.

      2. Always include “offline_access” permissions. This scope will allow Tines to request fresh access tokens as necessary.

    2. Application permissions (also called app roles) are permissions without a signed-in user present. The application will be able to access any data that the permission is associated with.

      1. If you select application permissions, you'll need to use the grant type "Client credentials" when configuring the OAuth 2.0 credential in Tines.

  6. Next, you may need to click “Grant Consent” as an administrator for some or all permissions, i.e. application permissions and high-privilege delegated permissions (see Consent).


  7. Next, navigate to Overview and click "Endpoints".


  8. Copy the endpoints for "OAuth 2.0 authorization endpoint (v2)" and "OAuth 2.0 token endpoint (v2)".




Lastly, finish creating the Microsoft Graph credential in Tines

Authorization code grant type

  1. Input the values for the Microsoft Graph credential

    1. Name: Required

    2. Description: Optional

    3. Client ID: "Client ID" found in your application (see screenshot below)


    4. Client secret: "Client secret" created earlier

    5. Scope: <this should reflect your application's API permissions created earlier, with each scope separated by a space>

    6. OAuth Provider: Manual

    7. Grant type: Authorization code

    8. OAuth authorization request URL: https://login.microsoftonline.com/<Directory tenant ID>/oauth2/v2.0/authorize <the OAuth 2.0 authorization endpoint (v2) you copied earlier>

    9. PKCE challenge method: None

    10. OAuth token URL: https://login.microsoftonline.com/<Directory tenant ID>/oauth2/v2.0/token <the OAuth 2.0 token endpoint (v2) you copied earlier>

  2. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  3. When you click "Save", you will be asked to pick a Microsoft account to authorize.

Client credentials grant type

  1. Input the values for the Microsoft Graph credential

    1. Name: Required

    2. Description: Optional

    3. Client ID: "Client ID" found in your application (see screenshot below)


    4. Client secret: "Client secret" created earlier

    5. Scope: https://graph.microsoft.com/.default

    6. OAuth Provider: Manual

    7. Grant type: Client credentials

    8. OAuth token URL: https://login.microsoftonline.com/<Directory tenant ID>/oauth2/v2.0/token <the OAuth 2.0 token endpoint (v2) you copied earlier>

  2. Optional

    1. Domains: Ensure this credential can only be used when making HTTP requests to specific domains

    2. Access: What other teams can also use the API

  3. Click "Save"
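
The settings from both grant-type procedures above, as an added example that is not Tines or Microsoft code: a Python pre-flight check of the scope and endpoint values, followed by the authorization request and the client credentials token request those values produce. The tenant ID, client ID, callback URL and function names are constructed placeholders, and the check assumes the tenant-specific endpoint URLs shown in the steps.

```python
from urllib.parse import urlencode, urlsplit

LOGIN_HOST = "login.microsoftonline.com"
GRAPH_DEFAULT = "https://graph.microsoft.com/.default"
PATHS = {"authorize_url": "/oauth2/v2.0/authorize", "token_url": "/oauth2/v2.0/token"}

def check_credential(cfg):
    """Return a list of problems with the credential settings (empty = OK)."""
    problems = []
    grant, scopes = cfg["grant_type"], cfg["scope"].split()
    if grant == "authorization_code":      # delegated permissions
        needed = ["authorize_url", "token_url"]
        if "offline_access" not in scopes:
            problems.append("scope is missing offline_access, so no refresh token is issued")
    elif grant == "client_credentials":    # application permissions
        needed = ["token_url"]
        if scopes != [GRAPH_DEFAULT]:
            problems.append("client credentials scope must be exactly " + GRAPH_DEFAULT)
    else:
        return ["unsupported grant type: %r" % grant]
    for key in needed:
        # Each endpoint must be HTTPS, on the Microsoft login host, for this tenant.
        url = urlsplit(cfg.get(key, ""))
        expected = "/" + cfg["tenant_id"] + PATHS[key]
        if (url.scheme, url.hostname, url.path) != ("https", LOGIN_HOST, expected):
            problems.append(key + " is not the v2 endpoint of tenant " + cfg["tenant_id"])
    return problems

def authorize_request(cfg, callback_url, state):
    """URL the browser is sent to in the authorization code flow."""
    query = {"client_id": cfg["client_id"], "response_type": "code",
             "redirect_uri": callback_url, "scope": cfg["scope"], "state": state}
    return cfg["authorize_url"] + "?" + urlencode(query)

def client_credentials_body(cfg, client_secret):
    """Form body POSTed to the token URL in the client credentials flow."""
    return urlencode({"grant_type": "client_credentials", "client_id": cfg["client_id"],
                      "client_secret": client_secret, "scope": cfg["scope"]})

# Constructed sample values (placeholders, not real IDs).
TENANT = "00000000-0000-0000-0000-000000000000"
BASE = "https://" + LOGIN_HOST + "/" + TENANT
DELEGATED = {"grant_type": "authorization_code", "tenant_id": TENANT,
             "client_id": "11111111-1111-1111-1111-111111111111",
             "scope": "User.Read Mail.Read offline_access",
             "authorize_url": BASE + PATHS["authorize_url"],
             "token_url": BASE + PATHS["token_url"]}
APP_ONLY = dict(DELEGATED, grant_type="client_credentials", scope=GRAPH_DEFAULT)

if __name__ == "__main__":
    print(check_credential(DELEGATED), check_credential(APP_ONLY))
```
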

For more on creating credentials in Tines, click here.

You can find a selection of Microsoft Graph stories in the story library
