Microsoft Graph

Enhanced Advanced

Create application in Microsoft Entra

Register application

The Microsoft Azure administrator registers a new OAuth Application in Microsoft Entra. Application registration will have different requirements depending on the authentication type of the OAuth integration in Posit Connect:

Viewer Integration

The Azure administrator adds a redirect_uri for the OAuth application as seen in the screenshot below. Azure sends the user credentials to the redirect_uri at the end of the OAuth handshake, allowing Posit Connect to obtain a temporary access token and refresh token.

The OAuth application is configured with the following redirect URL (sometimes referred to as a callback URL): https://connect.example.org/__oauth__/integrations/callback. Replace connect.example.org with the address of the Connect server.

Service Account Integration

Service account integrations do not direct the user through a login flow, so a redirect_uri is not required.

Add API permissions

Within the API permissions section of the registered app in Microsoft Entra, the Azure administrator adds SharePoint Online permissions for the OAuth application. API permissions define the capabilities granted to the user when they request credentials from this OAuth application. These permissions are also referred to as scopes.

Add MS Graph API permissions.

Depending on which permissions are required, the Azure administrator provides additional scopes values to the Connect administrator. By default the Microsoft Graph integration includes the .default scope, which inherits all of the configured API permissions on the registered app and cannot be combined with other scopes. If you would like to define scopes individually then you must not include the .default scope or authorization will fail due to an overlap in permissions.

The offline_access scope must always be included so that a refresh token is returned along with the access token.

Choose only the permissions that are required by your application.

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an OAuth integration through the Integrations tab on the Connect dashboard. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Create MS Graph integration in Connect.