Authentication via Delegated Permissions (requires an interactive login by an admin)
- Create an App Registration with "Allow public client flows" enabled (needed so the interactive sign-in works without a client secret)
Permissions to ENABLE the hardwareOath method (run once, tenant-wide)
- Policy.ReadWrite.AuthenticationMethod
- Delegating user needs one of: Global Administrator, Security Administrator, or Authentication Policy Administrator
- enable for all users or for targeted group(s)
Permissions to READ TOKENS
- app permission (Graph API, delegated): AuthenticationMethod.Read.All
- user role: Global Administrator, Privileged Authentication Administrator, or Authentication Administrator
Permissions to CREATE / ASSIGN / ACTIVATE tokens
- Policy.ReadWrite.AuthenticationMethod
- UserAuthenticationMethod.ReadWrite.All
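Worked example for the three steps above (enable the method, read tokens, create/assign/activate a token), written here as an added illustration; it is not from the original notes or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest, Get-MgUser) with exactly the delegated scopes listed above. The Graph beta endpoints and request bodies for hardwareOath (the authenticationMethodConfigurations/hardwareOath policy, the directory/authenticationMethodDevices/hardwareOathDevices collection, and the per-user hardwareOathMethods/{id}/activate action) are assumptions from the beta API as I know it and are not stated on the page; the app id, tenant, user, serial number and seed are placeholders.

```powershell
# Added example (not from the page): enable the hardware OATH method, inventory
# tokens, then create/assign/activate one for a user via delegated permissions.
# Assumes: Microsoft.Graph PowerShell SDK installed; Graph beta hardwareOath
# endpoints as written below; placeholder values replaced with real ones.

$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: App Registration with public client flows enabled
$TenantId = 'contoso.onmicrosoft.com'                # placeholder tenant
$UserUpn  = 'alice@contoso.onmicrosoft.com'          # placeholder: token recipient
$Beta     = 'https://graph.microsoft.com/beta'

# Interactive (delegated) sign-in with the scopes from the notes. The signed-in
# admin must also hold one of the directory roles named above, or calls 403.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId -Scopes @(
    'Policy.ReadWrite.AuthenticationMethod',
    'AuthenticationMethod.Read.All',
    'UserAuthenticationMethod.ReadWrite.All'
)

# --- 1. ENABLE (one-time, tenant-wide) -------------------------------------
# 'all_users' is the built-in target; swap in a group object id to pilot it.
$policyBody = @{
    '@odata.type'  = '#microsoft.graph.hardwareOathAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}
$policyUri = "$Beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/hardwareOath"
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri `
    -Body ($policyBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read it back so the change is verified, not assumed
$cfg = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"hardwareOath policy state: $($cfg.state)"

# --- 2. READ TOKENS ---------------------------------------------------------
# Tenant-wide inventory of hardware OATH devices (id, serial, status, owner)
$devices = Invoke-MgGraphRequest -Method GET -Uri "$Beta/directory/authenticationMethodDevices/hardwareOathDevices"
$devices.value |
    Select-Object id, serialNumber, status, @{ n = 'assignedTo'; e = { $_.assignedTo.userPrincipalName } } |
    Format-Table -AutoSize

# --- 3. CREATE / ASSIGN / ACTIVATE -----------------------------------------
$user = Get-MgUser -UserId $UserUpn          # resolve UPN to object id for assignTo

$newDevice = @{
    serialNumber          = 'SN-PLACEHOLDER-0001'    # placeholder: printed on the token
    manufacturer          = 'ExampleVendor'          # placeholder
    model                 = 'ExampleModel'           # placeholder
    secretKey             = 'BASE32SEEDPLACEHOLDER'  # placeholder: vendor seed; treat as a credential, never log it
    timeIntervalInSeconds = 30
    hashFunction          = 'hmacsha1'
    assignTo              = @{ id = $user.Id }       # create and assign in one call
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$Beta/directory/authenticationMethodDevices/hardwareOathDevices" `
    -Body ($newDevice | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"created device $($created.id) (status: $($created.status))"

# Find the user's method record that points at this device (assumed: the
# per-user hardwareOathMethods entry exposes the device via $expand=device).
$methods = Invoke-MgGraphRequest -Method GET `
    -Uri ("$Beta/users/$($user.Id)/authentication/hardwareOathMethods?" + '$expand=device')
$method = $methods.value | Where-Object { $_.device.id -eq $created.id } | Select-Object -First 1
if (-not $method) { throw "No hardwareOath method found on $UserUpn for device $($created.id)" }

# Activation proves possession: the current code from the physical token.
$code = Read-Host -Prompt 'Enter the 6-digit code currently shown on the token'
Invoke-MgGraphRequest -Method POST `
    -Uri "$Beta/users/$($user.Id)/authentication/hardwareOathMethods/$($method.id)/activate" `
    -Body (@{ verificationCode = $code } | ConvertTo-Json) -ContentType 'application/json'
"token activated for $UserUpn"

Disconnect-MgGraph
```

The script requests only the three scopes the notes list and reads the policy back after the PATCH, so a missing role or a consent prompt surfaces at the step that needs it rather than at activation time. The seed in secretKey is the long-term credential for the token; keep it out of transcripts and shell history and load it from a secure store in real use.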