Edit

Share via

Build Java apps with Microsoft Graph and app-only authentication

This tutorial teaches you how to build a Java console app that uses the Microsoft Graph API to access data using app-only authentication. App-only authentication is a good choice for background services or applications that need to access data for all users in an organization.

Note

To learn how to use Microsoft Graph to access data on behalf of a user, see this user (delegated) authentication tutorial.

In this tutorial, you will:

Tip

As an alternative to following this tutorial, you can download or clone the GitHub repository and follow the instructions in the README to register an application and configure the project.

Prerequisites

Before you start this tutorial, you should have the Java SE Development Kit (JDK) and Gradle installed on your development machine.

You should also have a Microsoft work or school account with the Global administrator role. If you don't have a Microsoft 365 tenant, you might qualify for one through the Microsoft 365 Developer Program; for details, see the FAQ. Alternatively, you can sign up for a one-month free trial or purchase a Microsoft 365 plan.

Note

This tutorial was written with OpenJDK version 17.0.2 and Gradle 7.4.2. The steps in this guide might work with other versions, but that hasn't been tested.

Register application for app-only authentication

Register an application that supports app-only authentication using client credentials flow.

  1. Open a browser and navigate to the Microsoft Entra admin center and sign in using a Global administrator account.

  2. Select Microsoft Entra ID in the left-hand navigation, expand Identity, expand Applications, then select App registrations.

    A screenshot of the App registrations

  3. Select New registration. Enter a name for your application, for example, Graph App-Only Auth Tutorial.

  4. Set Supported account types to Accounts in this organizational directory only.

  5. Leave Redirect URI empty.

  6. Select Register. On the application's Overview page, copy the value of the Application (client) ID and Directory (tenant) ID and save them. You'll need these values in the next step.

    A screenshot of the application ID of the new app registration

  7. Select API permissions under Manage.

  8. Remove the default User.Read permission under Configured permissions by selecting the ellipses (...) in its row and selecting Remove permission.

  9. Select Add a permission, then Microsoft Graph.

  10. Select Application permissions.

  11. Select User.Read.All, then select Add permissions.

  12. Select Grant admin consent for..., then select Yes to provide admin consent for the selected permission.

    A screenshot of the Configured permissions table after granting admin consent

  13. Select Certificates and secrets under Manage, then select New client secret.

  14. Enter a description, choose a duration, and select Add.

  15. Copy the secret from the Value column, you'll need it in the next steps.

    Important

    This client secret is never shown again, so make sure you copy it now.

Note

Notice that, unlike the steps when registering for user authentication, in this section you did configure Microsoft Graph permissions on the app registration. App-only auth uses the client credentials flow, which requires that permissions be configured on the app registration. See The .default scope for details.

Create a Java console app

Create a basic Java console app.

  1. Open your command-line interface (CLI) in a directory where you want to create the project. Run the following command to create a new Gradle project.

    gradle init --dsl groovy --test-framework junit --type java-application --project-name graphapponlytutorial --package graphapponlytutorial

  2. Once the project is created, verify that it works by running the following command to run the app in your CLI.

    ./gradlew --console plain run

    If it works, the app should output Hello World..

Install dependencies

Before moving on, add dependencies that you use later.

  1. Open ./app/build.gradle. Update the dependencies section to add those dependencies.

    dependencies {
    // Use JUnit test framework.
    testImplementation 'junit:junit:4.13.2'

    // This dependency is used by the application.
    implementation 'com.google.guava:guava:33.4.6-jre'
    implementation 'com.azure:azure-identity:1.15.4'
    implementation 'com.microsoft.graph:microsoft-graph:6.33.0'
}

  2. Add the following to the end of ./app/build.gradle.

    run {
    standardInput = System.in
}

    The next time you build the project, Gradle will download those dependencies.

Load application settings

Add the details of your app registration to the project.

  1. Create a new directory named graphapponlytutorial in the ./app/src/main/resources directory.

  2. Create a new file in the ./app/src/main/resources/graphapponlytutorial directory named oAuth.properties, and add the following text in that file.

    app.clientId=YOUR_CLIENT_ID_HERE
app.clientSecret=YOUR_CLIENT_SECRET_HERE
app.tenantId=YOUR_TENANT_ID_HERE

  3. Update the values according to the following table.

    Setting Value
    app.clientId The client ID of your app registration
    app.tenantId The tenant ID of your organization
    app.clientSecret The client secret

    Important

    If you're using source control such as git, now would be a good time to exclude the oAuth.properties file from source control to avoid inadvertently leaking your app ID.

Design the app

Create a console-based menu.

  1. Open ./app/src/main/java/graphapponlytutorial/App.java and add the following import statements.

    package graphapponlytutorial;

import java.io.IOException;
import java.util.InputMismatchException;
import java.util.Properties;
import java.util.Scanner;

import com.microsoft.graph.models.User;

  2. Replace the existing main function with the following.

    public static void main(String[] args) {
    System.out.println("Java App-Only Graph Tutorial");
    System.out.println();

    final Properties oAuthProperties = new Properties();
    try {
        oAuthProperties.load(App.class.getResourceAsStream("oAuth.properties"));
    } catch (IOException e) {
        System.out.println("Unable to read OAuth configuration. Make sure you have a properly formatted oAuth.properties file. See README for details.");
        return;
    }

    initializeGraph(oAuthProperties);

    Scanner input = new Scanner(System.in);

    int choice = -1;

    while (choice != 0) {
        System.out.println("Please choose one of the following options:");
        System.out.println("0. Exit");
        System.out.println("1. Display access token");
        System.out.println("2. List users");
        System.out.println("3. Make a Graph call");

        try {
            choice = input.nextInt();
        } catch (InputMismatchException ex) {
            // Skip over non-integer input
        }

        input.nextLine();

        // Process user choice
        switch(choice) {
            case 0:
                // Exit the program
                System.out.println("Goodbye...");
                break;
            case 1:
                // Display access token
                displayAccessToken();
                break;
            case 2:
                // List users
                listUsers();
                break;
            case 3:
                // Run any Graph code
                makeGraphCall();
                break;
            default:
                System.out.println("Invalid choice");
        }
    }

    input.close();
}

  3. Add the following placeholder methods at the end of the file. You implement them in later steps.

    private static void initializeGraph(Properties properties) {
    // TODO
}

private static void displayAccessToken() {
    // TODO
}

private static void listUsers() {
    // TODO
}

private static void makeGraphCall() {
    // TODO
}

This implements a basic menu and reads the user's choice from the command line.

  1. Delete ./app/src/test/java/graphapponlytutorial/AppTest.java.

Next step

Add app-only authentication