# Retrieve access token from Microsoft Entra ID

This guide describes how to retrieve and store an application access token with a shared secret from Microsoft Entra ID. Access tokens are required to build integrations with Microsoft APIs like Microsoft Graph.

For more information about the configuration required on the Microsoft side, read about the [client credentials flow](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow) in the Microsoft Documentation.

In Appfarm, this process requires setting up a [service](https://docs.appfarm.io/reference/services) that updates a [secret](https://docs.appfarm.io/reference/security/secrets). The service can be configured to update the secret at regular intervals using [schedules](https://docs.appfarm.io/reference/operations/schedules).

{% hint style="info" %}
**Example**

An [example service](https://create.appfarm.io/showroom/services/CJKUWW/endpoints/j6sBbr/) based on Microsoft SharePoint integration is available in our [Showroom](https://docs.appfarm.io/getting-started/appfarm-showroom).
{% endhint %}

### Step 1

Sign in to the Microsoft Azure [portal](https://portal.azure.com/) using an account with administrator permission.

### Step 2

Register an application.

* Go to **Microsoft Entra ID**.
* Click **Add** -> **App registration**.
* In the **Name** field, enter a display name, for example `appfarm`.
* Click **Register**.

### Step 3

Generate and record credentials.

* Go to **Certificates & secrets**.
* Click **New client secret**.
* Enter the required details and click **Add**.
* Note down the generated client secret **Value**. This value is required later in this process.
* Go to **Overview**.
* Note down the **Application (client) ID** and **Directory (tenant) ID** values.

### Step 4

You can now start configuring the integration in Appfarm Create. First, add the credentials gathered in step 3 as [secrets](https://docs.appfarm.io/reference/security/secrets).

* In [Appfarm Create](https://create.appfarm.io), go to **Secrets**.
* Click **Create Secret**.
* In the **Name** field, enter a name for the client secret credential, for example `Microsoft Client Secret`.
* In the **Value** field, enter the client secret you noted down in Step 3.
* Click **Create**.
* Repeat this process, adding the application (client) ID and directory (tenant) ID values as secrets.

### Step 5

Create another secret to store the access token that will be used to authenticate individual requests to the Microsoft API.

* Click **Create Secret**.
* In the **Name** field, enter a name for the access token, for example `Microsoft Access Token`.
* Click **Create**.

The value of this access token secret will be updated using a service.

### Step 6

Create a [service](https://docs.appfarm.io/reference/services). You can also choose to use an existing service.

* Go to **Services**.
* Click **New Service**.
* Enter a name for the service, for example `Microsoft Entra ID`.
* Click **Create Service**.

The service is then created along with a default endpoint.

### Step 7

Create a service variable. The service variable will be used to temporarily store a new access token before it is updated in the secret.

* Go to **Data** using the top navigation.
* Go to **Service Variables**.
* Click **Add Runtime Property**.
* In the **Name** field, enter a name for the service variable, for example `Access Token`.

### Step 8

Create an action to retrieve an access token and update the secret.

* Go to **Actions** using the top navigation.
* Click **Add Action**.
* Enter a name for the action, for example `Get access token`.
* Add a [Web request action node](https://docs.appfarm.io/library/action-nodes/web-request). The web request will request a new access token and store it in the service variable.
  * Configure the web request with the following properties:

<table><thead><tr><th width="131">Property</th><th width="659">Value</th></tr></thead><tbody><tr><td><strong>URL</strong></td><td><ul><li>Select <strong>Function</strong>.</li><li>Add the directory (tenant) ID secret created in step 4 as a function param.</li><li>Enter the following code where <em>tenantId</em> must match the name of the function param you just added: <code>return `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`</code></li><li>Click <strong>OK</strong>.</li></ul></td></tr><tr><td><strong>Method</strong></td><td><code>POST</code></td></tr><tr><td><strong>Body Type</strong></td><td><code>URL-encoded</code></td></tr><tr><td><strong>Body Content</strong></td><td><ul><li><p>Click <strong>Add Form Data</strong> and add the following key-value pairs.</p><ul><li><strong>Key</strong>: <code>grant_type</code>, <strong>Value</strong>: <code>client_credentials</code></li><li><strong>Key</strong>: <code>client_id</code>, <strong>Value</strong>: Use the function editor to return the secret storing the application (client) ID created in step 4.</li><li><strong>Key</strong>: <code>client_secret</code>, <strong>Value</strong>: Use the function editor to return the secret storing the client secret created in step 4.</li><li><strong>Key</strong>: <code>scope</code>, <strong>Value</strong>: See the <a href="https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#first-case-access-token-request-with-a-shared-secret">Microsoft documentation</a>. For Microsoft Graph integration, you might set <code>https://graph.microsoft.com/.default</code>.</li></ul></li></ul></td></tr><tr><td><strong>Response Type</strong></td><td><code>JSON (default)</code></td></tr><tr><td><strong>Result Mapping</strong></td><td><ul><li>Click <strong>Add Result Mapping</strong>.</li><li>For the <strong>Data Source</strong> property, select <code>Service Variables</code>.</li><li>Under <strong>Property Mapping</strong>, for the service variable created in step 7, enter <code>access_token</code>.</li></ul></td></tr></tbody></table>

* Add an [If action node](https://docs.appfarm.io/library/action-nodes/if).
  * Configure the condition to check if the service variable created in [step 7](#step-7) has a value.

<figure><img src="https://29237295-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MiLU-xcHu0eLZiTxcmZ%2Fuploads%2FvobXeJDSOqJDde3SY7HM%2Fmicrosoft_retrieve_access_token_action_if.png?alt=media&#x26;token=b1fd4c12-dc1a-4cc0-a604-64c8fa6abe4f" alt="" width="563"><figcaption><p>Example condition configuration</p></figcaption></figure>

* Add an [Update secret action node](https://docs.appfarm.io/library/action-nodes/update-secret) inside the If action node you just added.
  * For the **Secret** property, select the access token secret created in [step 5](#step-5).
  * For the **Value** property, select the service variable created in [step 7](#step-7).

<figure><img src="https://29237295-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MiLU-xcHu0eLZiTxcmZ%2Fuploads%2FOCSt8cs5tAF3KYWtJN5s%2Fmicrosoft_retrieve_access_token_action_update_secret.png?alt=media&#x26;token=764e40f9-3a4c-451f-bc62-cecdf5a2062b" alt="" width="346"><figcaption><p>Example update secret configuration</p></figcaption></figure>

### Step 9

Configure the [service endpoint](https://docs.appfarm.io/reference/services/service-endpoints).

* Go to **Endpoints** using the top navigation.
* Click the default endpoint.
* In the **Name** field, enter a new name for the endpoint, for example `Get access token`. When you set a name, the **Readable ID** field will be automatically populated.
* In the **Process Action** field, select the action created in step 8.

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MiLU-xcHu0eLZiTxcmZ%2Fuploads%2FhUz3bldSGPtV7gr18NC5%2Fmicrosoft_retrieve_access_token_endpoint.png?alt=media&#x26;token=d62ff703-9826-41c6-95d6-ac44a5dca98a" alt="" width="563"><figcaption><p>Example service endpoint configuration</p></figcaption></figure>

You can now trigger this endpoint to refresh the access token. We recommend [creating a schedule](https://docs.appfarm.io/appcademy/appfarm-fundamentals/services-fundamentals/scheduling-a-service) to call the endpoint and refresh the token automatically at a given interval.

The secret can then be used as the bearer token value for authentication when you make API calls using the [web request action node](https://docs.appfarm.io/library/action-nodes/web-request).
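
The request configured in step 8 and the has-value check made before the secret is updated, written as plain JavaScript. This is an added example, not Appfarm's or Microsoft's code. The helper names are hypothetical, all IDs, secrets and responses are constructed, and it assumes the tenant ID is the GUID shown on the **Overview** page.

```javascript
// Added example. Helper names are hypothetical; all sample values are constructed.
const GUID_RE = /^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

const SAMPLE = {
  tenantId: "00000000-0000-0000-0000-000000000000",
  clientId: "11111111-1111-1111-1111-111111111111",
  clientSecret: "constructed+secret/with&reserved=chars",
  scope: "https://graph.microsoft.com/.default",
};
const SAMPLE_OK = { token_type: "Bearer", expires_in: 3599, access_token: "constructed.token.value" };
const SAMPLE_ERR = { error: "invalid_client", error_description: "constructed error text" };

// Build the POST from step 8. Nothing is sent; the caller performs the request.
function buildTokenRequest({ tenantId, clientId, clientSecret, scope }) {
  // The tenant ID becomes part of the URL path, so accept only a GUID.
  if (!GUID_RE.test(tenantId)) throw new Error("tenantId is not a GUID");
  // URLSearchParams percent-encodes reserved characters in the secret.
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope,
  }).toString();
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  };
}

// Same decision as the If node: a value to store only when access_token is
// a non-empty string, so an error response never overwrites the secret.
function tokenToStore(response) {
  const token = response ? response.access_token : undefined;
  return typeof token === "string" && token.length > 0 ? token : null;
}

// Log-safe summary of a response: reports the outcome without the token itself.
function describeResponse(response) {
  const token = tokenToStore(response);
  if (token) return `token received, expires_in=${response.expires_in}`;
  return `no token, error=${(response && response.error) || "unknown"}`;
}

console.log(buildTokenRequest(SAMPLE).url);
console.log(describeResponse(SAMPLE_OK));
console.log(describeResponse(SAMPLE_ERR));
```

The `expires_in` value in a successful response is the token lifetime in seconds, which is the figure to compare against the schedule interval.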
