Create user access token & authorization header
This article explains how to authenticate to Microsoft Graph in delegated user context. Use this approach when an action must run on behalf of a signed-in user.
Important: Avoid Resource Owner Password Credentials (ROPC) whenever possible. Microsoft does not recommend it for modern environments because it is incompatible with many MFA, Conditional Access, passwordless, and passkey-based sign-in scenarios.
When to use delegated authentication
Use delegated authentication when:
- a signed-in user triggers the action
- the API call must respect the user's permissions
- the action should be auditable as that user
- interactive consent or MFA may be required
Recommended options
Preferred approaches for delegated Graph access:
- Device code flow for scripts and terminals
- Interactive browser sign-in for desktop tools
- Authorization code flow with PKCE for web apps and SPAs
- MSAL instead of building raw OAuth requests manually
Example with MSAL.PS
# Install the MSAL.PS module for the current user (one-time step)
Install-Module MSAL.PS -Scope CurrentUser
$TenantId = "<tenant-id>"
$ClientId = "<app-client-id>"
# Request only the delegated scopes the script actually needs
$Scopes = @("User.Read", "Mail.Read")
# Acquire a delegated access token for the signed-in user via MSAL
$Token = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes
# Build the authorization header sent with each Graph request
$Header = @{
    Authorization  = "Bearer $($Token.AccessToken)"
    "Content-Type" = "application/json"
}
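An added example (not code from the original article) that walks through the device code flow recommended above for scripts and terminals: least-privilege scopes, a delegated call to Graph as the signed-in user, and a silent renewal from the MSAL token cache. The tenant and client IDs are placeholders, and Get-GraphHeader is a helper name chosen for this example.

```powershell
# Added example: device code sign-in, delegated Graph call, silent renewal.
# Assumes MSAL.PS is installed; <tenant-id> and <app-client-id> are placeholders.
Import-Module MSAL.PS

$TenantId = "<tenant-id>"
$ClientId = "<app-client-id>"
# Least privilege: this script only reads the signed-in user's own profile.
$Scopes   = @("User.Read")

# Device code flow: MSAL prints a code and a URL; the user finishes sign-in
# (including any MFA / Conditional Access challenge) in a browser.
$Token = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes -DeviceCode

# Sanity checks before the token is used anywhere.
if (-not $Token.AccessToken) { throw "No access token returned by MSAL." }
Write-Host "Signed in as $($Token.Account.Username); token expires $($Token.ExpiresOn.LocalDateTime)"
Write-Host "Scopes granted: $($Token.Scopes -join ', ')"

# Helper (name chosen for this example) that builds the header Graph expects.
function Get-GraphHeader {
    param([Parameter(Mandatory)] $AuthResult)
    return @{
        Authorization  = "Bearer $($AuthResult.AccessToken)"
        "Content-Type" = "application/json"
    }
}

# Delegated call: Graph evaluates this request with the user's own permissions,
# so it is audited as that user, not as the application.
$Me = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/v1.0/me" -Headers (Get-GraphHeader $Token)
Write-Host "Graph /me returned $($Me.userPrincipalName)"

# Later in the script: renew from the MSAL cache without prompting again.
# MSAL uses its cached refresh token, so no password is ever stored or handled here.
$Token = Get-MsalToken -TenantId $TenantId -ClientId $ClientId -Scopes $Scopes -Silent -LoginHint $Token.Account.Username
```

If the silent renewal fails (for example after the refresh token is revoked or a Conditional Access policy changes), fall back to the device code call above rather than to a username/password request.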
Best practices
- prefer MSAL over custom username/password token requests
- request only the scopes you really need
- do not store user passwords in scripts
- expect MFA and Conditional Access challenges in enterprise tenants
- use app-only access only when there is no real user context
Summary
For modern Microsoft Graph delegated access, use MSAL plus interactive or device-based sign-in methods. Avoid ROPC unless you have a specific legacy exception and fully understand the risk.