Create user access token & authorization header
This article explains how to authenticate to Microsoft Graph in delegated user context.
Important: Avoid Resource Owner Password Credentials (ROPC) whenever possible. It is incompatible with many MFA, Conditional Access, passwordless, and passkey-based sign-in scenarios.
Recommended options
Preferred approaches for delegated Graph access:
- Device code flow for scripts and terminals
- Interactive browser sign-in for desktop tools
- Authorization code flow with PKCE for web apps and SPAs
- MSAL instead of building raw OAuth requests manually
Example with MSAL.PS
# One-time setup: install the MSAL.PS module for the current user
Install-Module MSAL.PS -Scope CurrentUser

$TenantId = "<tenant-id>"           # your Entra ID tenant
$ClientId = "<app-client-id>"       # public client app registration
$Scopes = @("User.Read", "Mail.Read")  # request only the scopes you need

# Get-MsalToken tries the token cache first and prompts the signed-in user only when needed
$Token = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes

# Build the header used on every Microsoft Graph request
$Header = @{
    Authorization  = "Bearer $($Token.AccessToken)"
    "Content-Type" = "application/json"
}
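The following is an added example, not code from the original article or from the MSAL.PS project. It extends the snippet above into the device code flow recommended for scripts and terminals: it tries the MSAL token cache silently first, falls back to device code sign-in when a cached token is missing or a Conditional Access or MFA challenge requires interaction, checks that the granted scopes cover what the script needs, and then makes one Graph call with the header. The function names Get-GraphDelegatedToken and Test-TokenScopes are the example's own; the tenant and client id values are placeholders, and the silent-then-fallback behaviour assumes MSAL.PS has an account in its cache from an earlier sign-in.

```powershell
# Added example (not part of the original article or of MSAL.PS).
# Assumes MSAL.PS is installed and the two placeholders below are replaced.
#Requires -Modules MSAL.PS

$TenantId = "<tenant-id>"        # placeholder
$ClientId = "<app-client-id>"    # placeholder: public client app with device code flow allowed
$Scopes   = @("User.Read")       # smallest scope set this script needs

function Get-GraphDelegatedToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string[]]$Scopes
    )
    # Try the MSAL token cache silently first so a script that runs repeatedly
    # does not prompt every time and never needs the user's password.
    try {
        return Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes -Silent -ErrorAction Stop
    }
    catch {
        # No cached account, an expired refresh token, or a Conditional Access /
        # MFA challenge that needs user interaction: fall back to device code,
        # which works in a terminal without a browser on the same machine.
        Write-Verbose "Silent acquisition failed ($($_.Exception.Message)); using device code flow."
        return Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes -DeviceCode
    }
}

function Test-TokenScopes {
    param(
        [Parameter(Mandatory)]$Token,
        [Parameter(Mandatory)][string[]]$RequiredScopes
    )
    # The tenant may grant fewer scopes than requested (missing admin consent,
    # policy restrictions), so verify before relying on the token. Scopes can
    # come back as short names or as full Graph URIs, so accept either form.
    $granted = @($Token.Scopes)
    $missing = $RequiredScopes | Where-Object {
        ($granted -notcontains $_) -and ($granted -notcontains "https://graph.microsoft.com/$_")
    }
    if ($missing) {
        throw "Token is missing required scope(s): $($missing -join ', ')"
    }
}

$Token = Get-GraphDelegatedToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes
Test-TokenScopes -Token $Token -RequiredScopes $Scopes

# Refuse a token that is about to expire; calling Get-MsalToken again would
# refresh it from the cache rather than prompting the user.
if ($Token.ExpiresOn -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) {
    throw "Access token expires at $($Token.ExpiresOn); acquire a fresh one before calling Graph."
}

$Header = @{
    Authorization  = "Bearer $($Token.AccessToken)"
    "Content-Type" = "application/json"
}

# One delegated call: who is the signed-in user? Never write $Token.AccessToken
# to logs or transcripts; it is a bearer credential for that user's scopes.
$Me = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $Header -Method Get
"Signed in as $($Me.userPrincipalName) in tenant $($Token.TenantId)"
```

Run it with `-Verbose` to see when the cache is bypassed. Because the fallback is device code rather than ROPC, an MFA or Conditional Access policy is satisfied by the user at the device login page, and the script itself never handles a password.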
Best practices
- Prefer MSAL over custom username/password token requests
- Request only the scopes you really need
- Do not store user passwords in scripts
- Expect MFA and Conditional Access challenges in enterprise tenants
- Use app-only access only when there is no real user context
Summary
For modern Microsoft Graph delegated access, use MSAL plus interactive or device-based sign-in methods. Avoid ROPC unless you have a very specific legacy exception and fully understand the risk.