** NOTE ** - This is a legacy article and is no longer necessary: product updates mean a service account is no longer needed. For updated instructions, see here.
Morbit studio utilises the Microsoft Graph API to access your MS Teams data using ‘Modern Authentication’ methods. The MS Graph API is a powerful tool that lets you access and manipulate data across Microsoft 365 services such as Outlook, OneDrive, Teams and SharePoint. For us to use the Microsoft Graph API, we need to authenticate your app (the one you created in Entra) with the Microsoft identity platform and obtain an access token that grants our solution the permissions it needs to access your data.
There are different ways to authenticate your app with the Microsoft identity platform, depending on how you want your app to access the data. The solution we recommend is using a service account, which is an account that represents your app’s own identity, rather than a user’s identity. A service account is useful when you want your app to perform background tasks or access data that is not tied to a specific user.
However, using a service account also poses some security challenges. How do you ensure that your service account is secure and authorized to access the data? How do you prevent unauthorized access or misuse of your service account? How do you comply with the security policies and regulations of your organization and industry?
One of the possible solutions is to use multi-factor authentication (MFA) for your service account. MFA is a method of authentication that requires more than one factor to verify a user’s identity, such as something that the user knows (e.g., a password or PIN), something that the user has (e.g., a security token or smartphone), or something that the user is (e.g., a fingerprint or iris scan). MFA can enhance the security of your service account by adding an extra layer of protection against password breaches, phishing attacks, or compromised devices.
However, using MFA for your service account also has some drawbacks. MFA can introduce complexity and friction in your app’s authentication flow, as it requires user intervention and interaction. MFA can also cause compatibility issues with some legacy protocols and applications that do not support MFA. Moreover, MFA does not address some of the other security aspects of using a service account, such as managing the lifecycle of the service account, enforcing the principle of least privilege, and auditing the activities of the service account.
This is where modern authentication comes in. Modern authentication is an umbrella term for a multi-functional authorization method that ensures proper user identity and access controls in the cloud. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0 protocols, which enable features like MFA, smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.
Modern authentication is designed to provide a more secure and convenient way of authenticating users and apps in the cloud era. Like MFA, it can require multiple factors to verify a user’s or app’s identity, but it also adds three capabilities that MFA alone does not give you. Conditional access policies can dynamically adjust the level of authentication required based on the context of the request, such as the device, location, network, app or risk level. Application permissions can limit the scope and duration of the access token granted to an app based on its role and function, which is how you enforce least privilege for a service account. Audit logs and reports let you monitor and track what the service account actually does.
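As an added illustration of the application-permission point above (not code from morbit studio or from Microsoft), the script below builds the app-only token request an Entra app sends to the Microsoft identity platform and then audits the claims of the access token it gets back: correct Graph audience, no delegated `scp` claim, token lifetime, and any `roles` beyond the list the app is supposed to need. The tenant id, client secret, the `NEEDED_ROLES` list and the sample token are all constructed for this example; the audit parses claims only and does not verify the token signature.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Microsoft Graph appears as the token audience either by URI or by its well-known app id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def client_credentials_request(tenant_id, client_id, client_secret):
    """Build the app-only token request (OAuth 2.0 client credentials grant).
    Returns (url, form-encoded body); nothing is sent, so it runs offline."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials"}
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_app_token(token, allowed_roles, now=None):
    """Parse the claims of an access token and report whether it is scoped the way
    least privilege requires. This does NOT verify the signature: use it to audit a
    token your own app received, never to decide whether to trust one."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    now = time.time() if now is None else now
    roles = set(claims.get("roles", []))   # application permissions live in 'roles'
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "app_only": "scp" not in claims,     # delegated (user) tokens carry 'scp' instead
        "expired": claims.get("exp", 0) <= now,
        "lifetime_s": claims.get("exp", 0) - claims.get("iat", 0),
        "excess_roles": sorted(roles - set(allowed_roles)),
    }


def _unsigned_sample_token(claims):
    """Constructed, unsigned JWT-shaped string for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the app was granted one more permission than it needs.
SAMPLE_TOKEN = _unsigned_sample_token({
    "aud": "https://graph.microsoft.com", "iat": 1_700_000_000, "exp": 1_700_003_600,
    "roles": ["Team.ReadBasic.All", "ChannelMessage.Read.All", "User.ReadWrite.All"],
})
NEEDED_ROLES = {"Team.ReadBasic.All", "ChannelMessage.Read.All"}
```

Running `inspect_app_token(SAMPLE_TOKEN, NEEDED_ROLES)` flags `User.ReadWrite.All` as an excess role, which is the signal to trim the app registration's granted permissions in Entra.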
In conclusion, modern authentication is better than MFA alone for Microsoft service accounts because it offers more security features and benefits than simply requiring multiple factors to authenticate. Modern authentication can help you protect your service account from unauthorized access or misuse, comply with the security policies and regulations of your organization and industry, and simplify your app’s authentication flow. To learn more about modern authentication for the Microsoft Graph API, refer to these articles:
- Authentication and authorization basics - Microsoft Graph
- Get started with the Microsoft Graph authentication methods API
Finally, morbit studio supports very long and complex passwords for service accounts. We recommend a complex password of at least 20 characters.