Authenticate with Microsoft Entra ID apps
Some Nintex Forms endpoints such as those for the SharePoint Framework (SPFx) support Microsoft Entra ID authentication via Microsoft Entra ID apps, rather than a SharePoint digest value.
To generate access tokens using Microsoft Entra ID apps, you must register an app for a single tenant in the Microsoft Entra admin center. Then, use one of the available OAuth grant flows to request a token using the app's credentials.
Register a Microsoft Entra ID app
To register a Microsoft Entra ID app:
- Follow the registration instructions in the Microsoft help documentation to register a single tenant app.
- Make sure the app has the following delegated permissions:
  - Microsoft Graph: User.Read
  - Office 365 SharePoint Online: User.Read.All
  - Office 365 SharePoint Online: AllSites.Manage
- Make sure the app has been trusted by the tenant administrator.
Request an access token using a Microsoft Entra ID app
Request a token using your Microsoft Entra ID app's client credentials and an OAuth 2.0 flow.
Note: There are several ways to request a token. You should select the method most appropriate for your tenant. For more information, see the Microsoft Entra ID help documentation.
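The following example retrieves an access token using PowerShell. Although it sends the app's client ID and secret, the request uses the OAuth 2.0 password grant (grant_type=password) with a user's login, not the client_credentials grant. This example is not suitable for organizations using multi-factor authentication (also known as MFA or 2FA) with Microsoft Entra ID.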
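# Token requests are sent as a URL-encoded form
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Content-Type", "application/x-www-form-urlencoded")
# Replace each <placeholder>; values must be URL-encoded (for example, & or + in a password)
$body = "client_id=<Entra ID app client ID>&grant_type=password&username=<user login email>&password=<user password>&scope=https%3A%2f%2f<tenant name>.sharepoint.com%2f.default&client_secret=<Entra ID app secret>"
# POST to the tenant's v2.0 token endpoint
$response = Invoke-RestMethod 'https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token' -Method 'POST' -Headers $headers -Body $body
# Prints the full response, including the access token; treat the output as a secret
$response | ConvertTo-Json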
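To confirm that a token issued to the app carries the SharePoint delegated permissions listed above, you can decode its payload and inspect the claims. The following PowerShell is an added example, not Nintex or Microsoft code: the function names, the contoso tenant and the sample token are constructed for illustration, and it assumes the access token is a JWT with the Entra ID aud, tid and scp claims.

```powershell
# Added example: decode a JWT access token's payload for inspection only.
# This does NOT verify the signature; the API that receives the token does that.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWT: expected 3 dot-separated parts." }

    # base64url -> base64: swap the URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url length in JWT payload." }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Returns the required delegated permissions that are absent from the 'scp' claim.
# Defaults are the SharePoint permissions from the registration steps; the Graph
# User.Read permission is not expected here because a token targets one resource.
function Get-MissingScope {
    param(
        [Parameter(Mandatory)]$Claims,
        [string[]]$Required = @('User.Read.All', 'AllSites.Manage')
    )
    $granted = @()
    if ($Claims.scp) { $granted = $Claims.scp -split ' ' }
    return @($Required | Where-Object { $granted -notcontains $_ })
}

# Constructed sample token so the example runs offline (all values are made up).
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$samplePayload = '{"aud":"https://contoso.sharepoint.com","tid":"00000000-0000-0000-0000-000000000000","scp":"AllSites.Manage User.Read"}'
$sampleToken = (ConvertTo-Base64Url '{"typ":"JWT"}'), (ConvertTo-Base64Url $samplePayload), 'sig' -join '.'

# With a real response, pass $response.access_token instead of $sampleToken.
$claims = ConvertFrom-JwtPayload -Token $sampleToken
Write-Output "aud: $($claims.aud)  tid: $($claims.tid)"
$missing = @(Get-MissingScope -Claims $claims)
if ($missing.Count -gt 0) {
    Write-Warning "Token is missing delegated permissions: $($missing -join ', ')"
}
```

With the constructed sample, the warning reports User.Read.All as missing, which is the symptom to look for when a permission was added to the app but not yet consented to by the tenant administrator.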