What API permissions must be enabled for Authorization Code flow authentication

Divanshu Johar 40 Reputation points
2025-11-13T10:24:56.35+00:00

Hi @Rukmini

We have an application 'Infosys Bot Migrator' that migrates RPA bots to Power Automate bots.

We have a Dataverse app for authentication and for storing the Power Automate Desktop flows in Azure.

The APIs currently enabled are:

Dynamics CRM (1)

user_impersonation | Type: Delegated | Description: Access Common Data Service as organiz... | Admin consent required: No

Microsoft Graph (2)

Group.Read.All | Type: Application | Description: Read all groups | Admin consent required: Yes

User.Read | Type: Delegated | Description: Sign in and read user profile | Admin consent required: No

PowerApps Services (3)

As discussed on the previous ticket (https://dori-uw-1.kuma-moon.com/en-us/answers/questions/5610074/what-apis-permissions-must-be-enabled-for-client-c?comment=answer-12331131&page=1#comment-2332873), if Device code flow and Authorization code flow are different approaches, then please share the APIs that need to be enabled and the permissions we need in order to proceed with Authorization code flow.

Please also confirm that Authorization code flow is the safest and recommended approach. Device code flow is also an option, but as we found in our research, a phishing attempt happened recently this year. Also, the client was not accepting Device code authentication flow for our use case.

Considering all these factors, please let us know whether we should proceed with Authorization code or suggest some other alternative.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Rukmini 11,470 Reputation points Microsoft External Staff Moderator
    2025-11-13T10:34:52.3833333+00:00

    Hello Divanshu Johar, the Authorization Code flow uses the same API permissions as the Device Code flow:

    • Microsoft Graph: User.Read, Group.Read.All (Delegated, admin consent)
    • Dynamics CRM: user_impersonation (Delegated)
    • PowerApps Services: user_impersonation (Delegated)

    For production and enterprise scenarios, Authorization Code flow is the recommended and more secure alternative; it supports MFA, Conditional Access, and refresh tokens and is favored over Device Code flow.


    If the resolution was helpful, kindly take a moment to accept the answer and upvote it 👍 as a token of appreciation.
