OAuth2 Flows
Entra Token CLI supports four OAuth2 authentication flows. Each flow is designed for specific scenarios and security requirements, and they yield two kinds of token: an app-only token that carries the application's own identity, or a delegated token that carries a signed-in user's identity together with the application's.
Flow Overview
| Flow | Use Case | User Interaction | Token Type |
|---|---|---|---|
| Client Credentials | Service-to-service | None | Application (app-only) |
| Authorization Code | Web apps | Required | Delegated (user + application) |
| Device Code | Limited-input devices | Required (on another device) | Delegated (user + application) |
| Interactive Browser | Desktop apps | Required | Delegated (user + application) |
Client Credentials Flow
When to Use
- Automated services and daemons
- CI/CD pipelines
- Background jobs without user context
- Service-to-service authentication
How It Works
- Application authenticates to the token endpoint with its client ID plus a client secret or a certificate
- Entra ID validates the credential
- Entra ID returns an application-only access token; it carries no user identity, and the granted permissions appear as application roles rather than delegated scopes
Requirements
- App registration with Application permissions (not Delegated)
- Admin consent granted (Application permissions always require it)
- Client secret or certificate; prefer a certificate, since a secret is a reusable password that tends to end up in pipeline logs and config files
- Scopes in the form `https://<resource>/.default`; individual permission names are not valid for this grant

```bash
entratool get-token -p service-principal -f ClientCredentials
```
Full guide →
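The request behind that command, and a check on what comes back, as an added example (this is illustrative code for this page, not entratool's own implementation). It builds the client credentials POST for the Entra ID v2.0 token endpoint, enforces the `/.default` scope rule, and classifies a token as app-only or delegated from its claims, which is the distinction the Token Properties table further down relies on. Tenant, client ID, secret and both sample tokens are constructed placeholders; the tokens are decoded for claim inspection only and are never signature-verified.

```python
"""Client credentials against the Entra ID v2.0 token endpoint: build the
request, then classify the token that comes back.

Added example, not entratool's code. Tenant, client ID, secret and the two
tokens below are constructed; the tokens are decoded, never verified."""
import base64
import json
from typing import List, Tuple
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def is_app_only_scope(scope: str) -> bool:
    """Client credentials is app-only, so a scope is the resource identifier
    plus /.default; individual permission names such as User.Read are rejected."""
    return scope.endswith("/.default")


def client_credentials_request(tenant: str, client_id: str,
                               client_secret: str, scopes: List[str]) -> Tuple[str, str]:
    """Return (url, form_body) for the POST. The secret travels in the form
    body over TLS, never in the query string where proxies and logs would see it."""
    bad = [s for s in scopes if not is_app_only_scope(s)]
    if bad:
        raise ValueError(f"client credentials scopes must end with /.default: {bad}")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Acceptable for a client inspecting its own token; a resource server must
    validate signature, issuer, audience and expiry before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_kind(token: str) -> str:
    """'app-only' for a client-credentials token: permissions arrive in `roles`,
    there is no `scp`, and the optional `idtyp` claim is "app" when configured.
    'delegated' for any of the three user flows: permissions arrive in `scp`."""
    claims = jwt_claims(token)
    if "scp" in claims:
        return "delegated"
    if claims.get("idtyp") == "app" or "roles" in claims:
        return "app-only"
    return "unknown"


def _unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for the offline demo."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.x"


# Constructed sample tokens: what a service principal gets vs. a signed-in user.
APP_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com", "idtyp": "app",
                           "roles": ["Application.Read.All"],
                           "oid": "00000000-0000-0000-0000-000000000001"})
USER_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com",
                            "scp": "User.Read profile",
                            "preferred_username": "alice@contoso.example"})

if __name__ == "__main__":
    url, body = client_credentials_request("contoso.onmicrosoft.com",
                                           "11111111-2222-3333-4444-555555555555",
                                           "<client-secret>",
                                           ["https://graph.microsoft.com/.default"])
    print("POST", url)
    print(body)
    print("APP_TOKEN  ->", token_kind(APP_TOKEN))   # app-only
    print("USER_TOKEN ->", token_kind(USER_TOKEN))  # delegated
```

If `token_kind` reports `delegated` for a token you expected from a daemon, the profile is not actually using a secret or certificate and the tool fell back to a user flow (see Flow Selection below).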
Authorization Code Flow
When to Use
- Web applications with user sign-in
- Apps requiring user context
- Multi-user scenarios
- Confidential clients (server-side apps that can keep a client secret or certificate)
How It Works
- User is redirected to the Entra ID sign-in page
- User authenticates and consents to the requested permissions
- Entra ID redirects back to the registered redirect URI with a short-lived authorization code
- Application exchanges the code (plus its client credential) at the token endpoint for an access token
Requirements
- Redirect URI configured in the app registration; it must match the one sent in the request exactly
- Delegated permissions
- User account credentials

```bash
entratool get-token -p webapp -f AuthorizationCode
```
Full guide →
Device Code Flow
When to Use
- Headless devices (IoT, servers)
- Limited-input devices (smart TVs, printers)
- SSH sessions
- Scenarios without browser access
How It Works
- Application requests a device code and a user code from Entra ID
- User visits the verification URL on another device and enters the user code
- Application polls the token endpoint at the interval Entra ID specified
- Token is issued once the user completes authentication; until then each poll returns authorization_pending, and the code expires if the user never finishes
Requirements
- Public client flows allowed in the app registration (the "Allow public client flows" setting; device code is a public-client flow and uses no secret)
- User account credentials
- Access to another device with a browser

```bash
entratool get-token -p iot-device -f DeviceCode
```

Output:

```text
Device Code Authentication
To sign in, use a web browser to open https://microsoft.com/devicelogin
and enter the code: ABCD-1234
Code: ABCD-1234
URL: https://microsoft.com/devicelogin
```

Caveat: anyone can start a device code flow and hand the resulting code to a victim, so this flow is a known phishing vector. Treat it as the fallback for devices that genuinely lack a browser, not as a convenience.
Full guide →
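The four steps above as a single runnable exchange, added here as an example (illustrative code for this page, not entratool's own implementation). It requests the device and user codes, prints the message the user has to act on, then polls the token endpoint honouring the server's interval and the RFC 8628 error codes Entra ID returns, including the back-off on `slow_down` and the client-side expiry. The HTTPS transport is a stub fed with constructed responses so it runs offline; tenant and client ID are placeholders.

```python
"""Device code flow: start it, show the user the URL + code, then poll until
the user finishes or the code expires.

Added example, not entratool's code. The transport is a stub returning
constructed responses; tenant and client ID are placeholders."""
import time
from typing import Callable, Dict, List

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
Transport = Callable[[str, Dict[str, str]], dict]  # post(url, form) -> JSON body


class DeviceCodeError(Exception):
    """Terminal failure: expired_token, authorization_declined, bad_verification_code."""


def start_device_flow(post: Transport, tenant: str, client_id: str, scopes: List[str]) -> dict:
    """Step 1: ask /devicecode for a user_code + device_code. Public client, so no secret."""
    url = AUTHORITY.format(tenant=tenant) + "/devicecode"
    resp = post(url, {"client_id": client_id, "scope": " ".join(scopes)})
    # Entra ID returns a ready-made `message`; show it (or the two fields) to the user.
    print(resp.get("message") or
          f"To sign in, open {resp['verification_uri']} and enter {resp['user_code']}")
    return resp


def poll_for_token(post: Transport, tenant: str, client_id: str, device: dict,
                   sleep: Callable[[float], None] = time.sleep,
                   clock: Callable[[], float] = time.monotonic) -> dict:
    """Steps 3-4: poll /token every `interval` seconds. authorization_pending ->
    keep waiting; slow_down -> add 5 s to the interval (RFC 8628 3.5); anything
    else is terminal. Stop when expires_in has elapsed, whatever the server says."""
    url = AUTHORITY.format(tenant=tenant) + "/token"
    interval = int(device.get("interval", 5))
    deadline = clock() + int(device["expires_in"])
    while True:
        if clock() >= deadline:
            raise DeviceCodeError("expired_token: user did not sign in before the code expired")
        sleep(interval)
        resp = post(url, {"grant_type": DEVICE_CODE_GRANT, "client_id": client_id,
                          "device_code": device["device_code"]})
        if "access_token" in resp:
            return resp
        error = resp.get("error")
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5
            continue
        raise DeviceCodeError(f"{error}: {resp.get('error_description', '')}")


def scripted_transport(responses: List[dict]) -> Transport:
    """Offline stand-in for HTTPS: hands out the constructed responses in order."""
    queue = list(responses)
    def post(url: str, form: Dict[str, str]) -> dict:
        return queue.pop(0)
    return post


class FakeTime:
    """Deterministic sleep/clock so the demo does not actually wait."""
    def __init__(self) -> None:
        self.now = 0.0
        self.sleeps: List[float] = []
    def sleep(self, seconds: float) -> None:
        self.sleeps.append(seconds)
        self.now += seconds
    def clock(self) -> float:
        return self.now


# Constructed responses: the /devicecode reply, then a typical polling sequence.
DEVICE_RESPONSE = {"user_code": "ABCD-1234", "device_code": "constructed-device-code",
                   "verification_uri": "https://microsoft.com/devicelogin",
                   "expires_in": 900, "interval": 5,
                   "message": "To sign in, use a web browser to open https://microsoft.com/devicelogin "
                              "and enter the code ABCD-1234 to authenticate."}
POLL_SEQUENCE = [{"error": "authorization_pending"},
                 {"error": "slow_down"},
                 {"error": "authorization_pending"},
                 {"token_type": "Bearer", "scope": "User.Read", "expires_in": 3599,
                  "access_token": "constructed.access.token"}]


def demo(poll_sequence: List[dict] = POLL_SEQUENCE, expires_in: int = 900):
    """Run the flow against the stub. Returns (result, sleeps): result is the
    token dict, or the DeviceCodeError that ended the flow."""
    ft = FakeTime()
    post = scripted_transport([dict(DEVICE_RESPONSE, expires_in=expires_in)] + list(poll_sequence))
    device = start_device_flow(post, "contoso.onmicrosoft.com", "<public-client-id>", ["User.Read"])
    try:
        return poll_for_token(post, "contoso.onmicrosoft.com", "<public-client-id>", device,
                              sleep=ft.sleep, clock=ft.clock), ft.sleeps
    except DeviceCodeError as exc:
        return exc, ft.sleeps


if __name__ == "__main__":
    result, sleeps = demo()
    print("polled with intervals", sleeps, "->", result)  # [5, 5, 10, 10] -> token dict
```

The polling intervals come out as 5, 5, 10, 10 seconds: the `slow_down` answer permanently widens the interval. A client that ignores `slow_down` or keeps polling after `expires_in` is the usual cause of throttling against the token endpoint.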
Interactive Browser Flow
When to Use
- Desktop applications
- Command-line tools with user authentication
- Personal productivity apps
- Interactive sessions
How It Works
- Application starts listening on a localhost port and launches the system browser
- User authenticates in the browser
- Browser is redirected to the localhost listener with the authorization code
- Application exchanges the code for a token
Requirements
- Redirect URI `http://localhost:{port}` configured in the app registration
- Delegated permissions
- User account credentials
- Browser availability

```bash
entratool get-token -p desktop-app -f InteractiveBrowser
```
Full guide →
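The Interactive Browser steps above, and the Authorization Code section before it (the two differ only in the redirect URI), as an added example (illustrative code for this page, not entratool's own implementation). It generates a PKCE verifier and S256 challenge, builds the authorize URL handed to the browser, parses the loopback redirect with a `state` check, and builds the code-for-token exchange. PKCE (RFC 7636) is the standard hardening for public clients and is assumed here; the page does not say how entratool builds its requests. Tenant, client ID, redirect URI and the redirect request are constructed placeholders.

```python
"""Authorization code flow as a native/desktop client: PKCE, authorize URL,
loopback redirect with state check, token exchange body.

Added example, not entratool's code. PKCE is assumed; tenant, client ID and
redirect URI are placeholders."""
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """code_verifier (kept by the app) and its S256 code_challenge (sent in the
    authorize request). A stolen authorization code is useless without the
    verifier, which never leaves the client until the token exchange."""
    verifier = verifier or _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  scopes: List[str], state: str, code_challenge: str) -> str:
    """Step 1: the URL the tool opens in the system browser."""
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })


def redirect_code(request_target: str, expected_state: str) -> Optional[str]:
    """Step 3: the loopback listener receives e.g. '/?code=...&state=...'.
    Returns the code, or None if Entra ID reported an error or the state does
    not match ours: a mismatch means the redirect was not a response to our
    request, so the code is discarded rather than exchanged."""
    query = parse_qs(urlparse(request_target).query)
    if "error" in query:
        print(f"sign-in failed: {query['error'][0]}: {query.get('error_description', [''])[0]}")
        return None
    if query.get("state", [None])[0] != expected_state or "code" not in query:
        print("state mismatch or missing code: discarding redirect")
        return None
    return query["code"][0]


def token_exchange(tenant: str, client_id: str, redirect_uri: str,
                   code: str, code_verifier: str) -> Tuple[str, str]:
    """Step 4: (url, form_body) for the token POST. redirect_uri must equal the
    value used in the authorize request and a URI registered on the app, or
    the token endpoint answers with the redirect URI mismatch error described
    under Troubleshooting on this page."""
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    })
    return AUTHORITY.format(tenant=tenant) + "/token", body


if __name__ == "__main__":
    tenant, client_id = "contoso.onmicrosoft.com", "<public-client-id>"
    redirect = "http://localhost:8080"  # must match the registration exactly
    state = _b64url(secrets.token_bytes(16))
    verifier, challenge = pkce_pair()
    print("open:", authorize_url(tenant, client_id, redirect, ["User.Read"], state, challenge))
    # Constructed loopback request, as if the browser had just been redirected back:
    code = redirect_code(f"/?code=constructed-auth-code&state={state}", state)
    print("exchange:", token_exchange(tenant, client_id, redirect, code, verifier))
```

The `state` value is the only thing tying an incoming redirect to the request this process made; without the check, any local process that can reach the listener port could inject a code of its choosing.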
Flow Selection
Automatic Inference
If you don't specify a flow with -f, the tool infers one from the profile's authentication method:
- Client Secret or Certificate → Client Credentials
- Any other method → Interactive Browser
You can override this by setting a default flow in the profile or by passing -f.
Setting Default Flow
When creating or editing a profile:

```text
entratool config create
# ... other prompts ...
Set default OAuth2 flow? y
Default OAuth2 flow: ClientCredentials
```

Or specify at runtime:

```bash
entratool get-token -p myprofile -f DeviceCode
```
Comparison Matrix
User Experience
| Flow | User Action | Complexity |
|---|---|---|
| Client Credentials | None | Simple |
| Authorization Code | Sign in + consent | Moderate |
| Device Code | Sign in on another device | Moderate |
| Interactive Browser | Sign in in browser | Simple |
Security
| Flow | Security Level | Best For |
|---|---|---|
| Client Credentials | High (with certificate) | Automation |
| Authorization Code | High | Web apps |
| Device Code | Medium (phishable: an attacker can start the flow and send the victim the code) | Constrained devices |
| Interactive Browser | Medium-High | User apps |
Token Properties
| Flow | Token Scope | User Context |
|---|---|---|
| Client Credentials | Application (permissions in the `roles` claim) | No |
| Authorization Code | Delegated: user + application (permissions in the `scp` claim) | Yes |
| Device Code | Delegated: user + application (permissions in the `scp` claim) | Yes |
| Interactive Browser | Delegated: user + application (permissions in the `scp` claim) | Yes |
Common Scenarios
Scenario: Automated Azure Resource Management
Flow: Client Credentials
Auth: Certificate (recommended)
Scopes: https://management.azure.com/.default

```bash
entratool get-token -p azure-automation -f ClientCredentials
```

Scenario: Personal Microsoft Graph Access
Flow: Interactive Browser or Device Code
Auth: No client secret needed (public client)
Scopes: https://graph.microsoft.com/User.Read

```bash
entratool get-token -p personal-graph -f InteractiveBrowser
```

Scenario: CI/CD Pipeline
Flow: Client Credentials
Auth: Client Secret (held in the CI/CD system's secret store, never in the repository)
Scopes: the target API's `/.default` scope

```bash
entratool get-token -p cicd-deployer -f ClientCredentials
```
Troubleshooting
“This application requires user consent”
- Flow: Use Authorization Code or Interactive Browser (a user has to sign in)
- Permissions: Configure Delegated permissions, not Application permissions
“Client credentials flow not supported”
- Fix: Add Application permissions to the registration and grant admin consent
- Alternative: Use a user-interactive flow instead
“Redirect URI mismatch”
- Fix: Add the exact redirect URI the tool sends to the app registration; a different scheme, host or path (a trailing slash counts) is a mismatch
- Format: http://localhost:8080 (include the port)
Next Steps