
EPISODE · Aug 9, 2025 · 23 MIN

Using Microsoft Graph for Custom App Integrations: Why Delegated Permissions Break Automation and How App‑Only Access Fixes It

from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net

You’ve automated a workflow with Microsoft 365, only to hit a wall with constant permission prompts, broken background jobs and security warnings you don’t fully trust. Why do custom app integrations feel so fragile when they touch the Graph? In this episode, we unpack the hidden security and reliability traps of delegated permissions—and walk you through the smarter, more scalable path almost nobody starts with: app‑only permissions in Microsoft Graph, backed by proper app registrations and service principals.

We start with why delegated permissions are so tempting and so dangerous for automation. Using a user’s identity makes your first prototype easy: you log in once, consent to a few scopes, and the app instantly “just works” with whatever that person can access. But under the hood, every background job is now tied to a human session that expires, a password that changes and a license that might be removed when someone leaves. You’ll hear familiar failure modes—flows that die at 2 AM, bots that stop working after MFA changes, critical jobs silently failing after an admin account is cleaned up—and why this isn’t just annoying, but a structural security risk when those delegated accounts quietly accumulate broad privileges.

Then we show how app‑only Graph access changes the game. Instead of piggybacking on a user, your integration becomes a first‑class application identity in Entra ID, with its own service principal and carefully scoped application permissions. That identity doesn’t sleep, change roles or get locked out; it does exactly what you allow in SharePoint, Exchange, Teams or Entra ID, and nothing more. We walk through the practical steps: registering the app, choosing the right Graph scopes, handling secrets or certificates, going through admin consent and testing calls so they behave consistently in dev, test and production without babysitting logins.

Finally, we put it all together as a design pattern you can reuse. You’ll learn when to keep delegated access (interactive user scenarios), when to insist on app‑only (service jobs, compliance, integration hubs), and how to combine both in a hybrid model that keeps your security team happy and your automations stable. By the end of the episode, you’ll have a clear blueprint for moving fragile “it works on my account” scripts and flows to robust, auditable Graph integrations that survive password changes, staff turnover and stricter security policies.

WHAT YOU’LL LEARN

- Why delegated Graph permissions regularly break background jobs and increase risk.
- How app‑only Graph access with service principals creates stable, least‑privilege automations.
- The key setup steps: app registration, scopes, secrets/certs and admin consent.
- When to use delegated vs. app‑only—and how to migrate existing automations safely.

THE CORE INSIGHT

The core insight of this episode is that most Graph integrations are fragile not because the API is bad, but because they lean on human identities for machine work. Once you shift critical automations to app‑only Graph permissions with well‑scoped service principals, “please log in again” stops being a 2 AM incident and starts being a solved problem.

WHO THIS EPISODE IS FOR

- Power Automate and Power Platform makers integrating deeply with Microsoft 365.
- Developers building custom apps and services on Microsoft Graph.
- M365 and Entra ID admins who want safer, more predictable automation patterns.

ABOUT THE AUTHOR / HOST

Mirko Peters is a Microsoft 365, security and automation consultant and host of the M365.FM podcast, helping organizations replace fragile, user‑tied automations with well‑designed Graph integrations. He works with teams to design app registrations, permission models and service principals so their Microsoft 365 workflows run securely and reliably—without depending on someone staying logged in.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
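The shift the episode describes, from a user's delegated token to an app-only token obtained with the OAuth 2.0 client credentials grant, can be made concrete with a small helper. The Python below is an added example, not code from the episode or from the M365.FM host: it builds the token request an app registration sends to the Entra ID v2.0 token endpoint with the Graph /.default scope, and it inspects an access token's claims to tell a delegated token (permissions in the scp claim, tied to a user) from an app-only one (application permissions in the roles claim, tied to a service principal), then flags any permissions beyond the allow-list a job was designed for. The tenant ID, client ID, secret and the two sample tokens are constructed placeholders; the claim decoding deliberately skips signature verification, which is fine for local inspection and logging but not for a resource server accepting the token.

```python
"""Client-credentials (app-only) token request and token-claim inspection for
Microsoft Graph. Added illustration; not code from the podcast or from Microsoft.
All IDs, the secret and the sample tokens below are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client credentials grant.

    App-only access asks for the /.default scope: the token then carries exactly
    the application permissions an admin consented to, never a user's rights.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # or a certificate assertion in production
        "scope": GRAPH_DEFAULT_SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def _b64url_decode(segment):
    """Base64url decode with the padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Sufficient for local inspection of which identity model a token uses;
    anything that accepts the token must validate signature, issuer and audience.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(access_token):
    """Tell an app-only token from a delegated one by its claims.

    Delegated tokens list scopes in 'scp' and identify the signed-in user.
    App-only tokens list application permissions in 'roles' and carry no 'scp';
    their 'oid' is the service principal's object id.
    """
    claims = decode_claims(access_token)
    if "scp" in claims:
        return {"model": "delegated",
                "permissions": sorted(claims["scp"].split()),
                "identity": claims.get("upn") or claims.get("oid")}
    return {"model": "app-only",
            "permissions": sorted(claims.get("roles", [])),
            "identity": claims.get("oid")}


def excess_permissions(access_token, allowed):
    """Permissions in the token beyond the allow-list the job was designed for.

    A cheap least-privilege regression check to run before a scheduled job uses
    the token; a non-empty result means the grant has drifted wider than intended.
    """
    granted = set(classify_token(access_token)["permissions"])
    return sorted(granted - set(allowed))


def _make_unsigned_jwt(payload):
    """Build a constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (placeholder identities, no real tenant involved).
DELEGATED_SAMPLE = _make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "upn": "alice@contoso.example",
    "oid": "00000000-0000-0000-0000-000000000001",
    "scp": "Sites.ReadWrite.All Mail.Send User.Read",
})
APP_ONLY_SAMPLE = _make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "oid": "00000000-0000-0000-0000-0000000000aa",
    "roles": ["Sites.Selected"],
})

if __name__ == "__main__":
    url, body = build_client_credentials_request(
        "tenant-placeholder", "client-placeholder", "secret-placeholder")
    print("POST", url)
    print(body)
    for name, tok in (("delegated", DELEGATED_SAMPLE), ("app-only", APP_ONLY_SAMPLE)):
        print(name, classify_token(tok),
              "excess:", excess_permissions(tok, ["Sites.Selected"]))
```

The delegated sample carries whatever Alice's consent accumulated (mail, profile, all sites), which is exactly the quiet privilege growth the episode warns about; the app-only sample holds the single Sites.Selected role an admin consented to, so the excess check comes back empty. Wiring the returned URL and body into an HTTPS POST (or, in practice, using MSAL with a certificate) yields the real access token to pass to these checks.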
