How to use ConfidentialClientApplication to perform AppOnly requests to Graph (Group.ReadWrite.All)


I've been playing with MSAL Microsoft.Identity.Client.ConfidentialClientApplication to perform app-only Microsoft Graph - Groups operations.

var RedirectUri = "urn:ietf:wg:oauth:2.0:oob";
var clientApplication = new ConfidentialClientApplication(ClientId, RedirectUri, new ClientCredential(ClientSecret), null);

I'm stuck at the next step:

authenticationResult = clientApplication.AcquireTokenSilentAsync(new string[]{"Group.ReadWrite.All"}).GetAwaiter().GetResult();

I get the error failed_to_acquire_token_silently.

authenticationResult = clientApplication.AcquireTokenForClient(new string[]{"Group.ReadWrite.All"}, string.Empty).GetAwaiter().GetResult();

I get the error invalid_scope.

Not sure which direction I should continue.

Notes:

  • With PublicClientApplication the same code works fine
  • The app has both AppOnly Group.ReadWrite.All and Delegate Group.ReadWrite.All permissions
  • With PublicClientApplication there's an unwanted UI dialog...

var clientApplication = new PublicClientApplication(ClientId);
authenticationResult = clientApplication.AcquireTokenAsync(Scopes).GetAwaiter().GetResult();

1 answer

Shawn Tabrizi

Please try consenting to the Confidential Client you created. You can do this by modifying the following URL with your settings:

https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&resource=<ResourceURI>&prompt=admin_consent

Make sure the information you put into that URL is the confidential client.

I hope this helps!
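As an added example that is not part of the question or the answer above, the following C# shows the two pieces a practitioner needs for app-only Graph calls: building the admin-consent URL from the answer's template (with each value URL-encoded), and then acquiring a token with the client-credentials flow. It assumes the current MSAL.NET 4.x builder API (ConfidentialClientApplicationBuilder / AcquireTokenForClient(...).ExecuteAsync()) rather than the constructor-based preview API in the question, and the environment variable names TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders chosen here. Two points it relies on: an app-only request has no user and no cached account, so AcquireTokenSilent has nothing to return; and application permissions are not requested as scopes at all, the request uses the resource's "/.default" scope and receives whatever permissions the admin consented to, which is why passing Group.ReadWrite.All as a scope yields invalid_scope.

```csharp
// Added example, not code from the question or the answer. Assumes MSAL.NET 4.x
// (Microsoft.Identity.Client) and the Microsoft Graph v1.0 endpoint; the
// environment variable names are placeholders.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AppOnlyGraphClient
{
    // Application permissions are granted once, tenant-wide, by an admin. On the
    // v1 endpoint the consent page is reached with prompt=admin_consent, exactly
    // as in the answer's URL template; each value is escaped so that the Graph
    // resource URL survives inside the query string.
    public static string BuildAdminConsentUrl(string tenantId, string clientId, string redirectUri)
    {
        return $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenantId)}/oauth2/authorize"
             + $"?client_id={Uri.EscapeDataString(clientId)}"
             + "&response_type=code"
             + $"&redirect_uri={Uri.EscapeDataString(redirectUri)}"
             + $"&resource={Uri.EscapeDataString("https://graph.microsoft.com")}"
             + "&prompt=admin_consent";
    }

    // Client-credentials flow: no user, no interactive dialog, no silent cache
    // lookup. The scope is the resource's "/.default"; individual permissions such
    // as Group.ReadWrite.All are never passed as scopes in an app-only request.
    // The token carries whatever application permissions the admin consented to.
    public static async Task<AuthenticationResult> AcquireAppOnlyTokenAsync(
        string tenantId, string clientId, string clientSecret)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        string[] scopes = { "https://graph.microsoft.com/.default" };
        return await app.AcquireTokenForClient(scopes).ExecuteAsync();
    }

    // Calls Graph with the app-only bearer token; $select keeps the response to
    // the fields actually needed.
    public static async Task<string> ListGroupsAsync(string accessToken)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await http.GetAsync(
            "https://graph.microsoft.com/v1.0/groups?$select=id,displayName");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        // Placeholder configuration; the secret is read from the environment, never hard-coded.
        string tenantId = Environment.GetEnvironmentVariable("TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("CLIENT_SECRET");

        // Step 1 (once, by a tenant admin): grant the application permission.
        Console.WriteLine("Admin consent URL:");
        Console.WriteLine(BuildAdminConsentUrl(tenantId, clientId, "urn:ietf:wg:oauth:2.0:oob"));

        // Step 2 (every run): app-only token, then the Graph call.
        AuthenticationResult result = await AcquireAppOnlyTokenAsync(tenantId, clientId, clientSecret);
        Console.WriteLine(await ListGroupsAsync(result.AccessToken));
    }
}
```

To confirm that consent actually took effect, decode the access token and check its roles claim for Group.ReadWrite.All; the Scopes property of the result only echoes the /.default request. Application-level Group.ReadWrite.All applies to every group in the tenant, so the client secret should be treated as a tenant-wide credential and stored and rotated accordingly.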