Also, since there is no user information in the token, the app must specify the user within the API call when using this "App-Only" token.
The first step to configure your application to use "App-Only" tokens is to define what permissions your application needs.
Instead of using a client ID and client secret, the app must use an X.509 certificate with a public/private key pair.
Use of simple symmetric keys is not allowed, and while the application could get an access token using a symmetric key, the API will return an access denied error with such an access token.
Your application can ignore the code and get the ID token from the received form data (see
GET https://login.windows.net/common/oauth2/authorize?state=e82ea723-7112-472c-94d4-6e66c0ca52b6&response_type=code id_token&scope=openid&nonce=c328d2df-43d1-4e4d-a884-7cfb492beadc&client_id=0308CDD9-874D-4F87-85E0-A0DA7E05F999&redirect_uri=https://localhost:44304/Home/&resource=https://windows.net/&prompt=admin_consent&response_mode=form_post HTTP/1.1
In the example below I used Azure Active Directory Client library (ADAL) to acquire an "app-only" access token via client credential flow.
During the consent, when the authorize endpoint is hit and a code is delivered in the redirect to the application, an ID token can be requested together with the code.
This ID token contains the tenant Id as " This request will provide your application with the consent flow and redirect back with the code and ID token in a post request.
Now that application permissions are defined within the application registration, the application can ask for consent to be available in another Office 365 organization.
Application Permissions must be consented to by a tenant administrator (global administrator) of an Office 365 organization.
You can read more about this flow in the AAD Authentication Protocol documentation here.
We're happy to announce that Office 365 now supports this flow to gain access to the Office 365 Calendar, Contacts and Mail APIs.
Essentially, before the application can access data for a user, it has to get an access token/refresh token for each user, and to get those the user has to sign on to the application at least once.
There is, however, a category of applications where this is not desirable or possible.
The application's public certificates need to be managed through the manifest.
Unrelated to OAuth2, there are three HTTP request headers you should always include when making requests to the Office 365 APIs.
These applications usually run in the background as a daemon app or service and need access without the user having to sign on.
OAuth2 provides a different flow for these types of applications, called the client credential grant flow.
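
Handling the consent response described above (the form post that carries the code and the ID token), as an added example that is not code from the original post: it checks the returned state, decodes the ID token payload, checks the nonce and reads the tenant ID. The function names, the `tid` claim name (the page's text is cut off where it names the claim) and the sample tenant value are assumptions; the sample token is constructed and unsigned, and a real handler validates the token signature against the issuer's published keys before trusting any claim.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def same(a: str, b: str) -> bool:
    # Constant-time comparison of two request-bound values.
    return hmac.compare_digest(a.encode(), b.encode())


def tenant_from_consent_post(body: str, expected_state: str, expected_nonce: str) -> str:
    """Return the tenant ID from a response_mode=form_post consent response.

    Assumption: the tenant ID is carried in a claim named 'tid'.
    Signature validation is out of scope here and must come first in real use.
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if "error" in form:
        raise ValueError("consent failed: " + form["error"])
    # state ties the POST to the request this app started (CSRF defence).
    if not same(form.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    parts = form.get("id_token", "").split(".")
    if len(parts) != 3:
        raise ValueError("id_token missing or malformed")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("id_token payload is not a JSON object")
    # nonce ties the ID token to the same request (replay defence).
    if not same(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")
    if not claims.get("tid"):
        raise ValueError("no tenant ID claim in id_token")
    return claims["tid"]  # the "code" field is deliberately ignored


def make_sample_post(state: str, nonce: str, tid: str) -> str:
    # Constructed, unsigned token for the demo only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    token = ".".join([enc({"typ": "JWT"}), enc({"nonce": nonce, "tid": tid}), "sig"])
    return f"code=ignored&state={state}&id_token={token}"


if __name__ == "__main__":
    STATE, NONCE = "e82ea723-7112-472c-94d4-6e66c0ca52b6", "c328d2df-43d1-4e4d-a884-7cfb492beadc"
    body = make_sample_post(STATE, NONCE, "11111111-2222-3333-4444-555555555555")
    print(tenant_from_consent_post(body, STATE, NONCE))
```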