I have a multi-tenant Blazor Server application in which users can log in with their company emails and work on their projects. The same application also needs to get the list of users from Microsoft Entra and update the application's local users table as an automatically running periodic background task. I read "Get access without a user" and checked other sample code from Microsoft. I have also assigned application permissions to my application, as seen here:
Following is my code:
```csharp
using Azure.Identity;
using Microsoft.Graph;

// App-only (client credentials) access to Microsoft Graph: no signed-in user.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var clientId = "12345-1234-1234-1234-123456";
var tenantId = "common";
var clientSecret = "somesecret";

var options = new ClientSecretCredentialOptions
{
    AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
    AdditionallyAllowedTenants = { "*" }
};

var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
var graphServiceClient = new GraphServiceClient(clientSecretCredential, scopes);

// Fetch the user list with only the properties the local users table needs.
var users = (await graphServiceClient.Users.GetAsync(x =>
{
    x.QueryParameters.Select =
    [
        "Id", "AccountEnabled", "GivenName", "Surname", "Mail",
        "StreetAddress", "City", "State", "DisplayName", "MobilePhone"
    ];
}))?.Value;
```

When the code runs I get an exception:
```
{"ClientSecretCredential authentication failed: AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance. The returned error contains a claims challenge. For additional info on how to handle claims related to multifactor authentication, Conditional Access, and incremental consent, see https://aka.ms/msal-conditional-access-claims. If you are using the On-Behalf-Of flow, see https://aka.ms/msal-conditional-access-claims-obo for details."}
```
When I try to create a Conditional Access policy, as the exception message suggests, Microsoft requires a paid Entra ID+ subscription.

I want to make sure this is the correct way to access Entra using Graph without a logged-in user, and that I need to buy this subscription. It seems to me there should be another way. Any help would be welcome.
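For comparison, here is an added example of the same app-only Graph client structured for a background sync job; it is not code from the question or from Microsoft. It assumes the tenant-specific tenant ID or verified domain is used as the authority (the client credentials flow is documented as requiring a specific tenant rather than `common`), reads the secret from configuration rather than source, drops the `AdditionallyAllowedTenants = { "*" }` wildcard since a single-tenant sync does not need it, pages through all users with `PageIterator`, and surfaces the AADSTS error code from `AuthenticationFailedException` so a failed run is logged instead of silently returning nothing. `YOUR_TENANT_ID`, `YOUR_CLIENT_ID` and the configuration key names are placeholders.

```csharp
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

// Added example (not the question's code): app-only Graph user sync for a background task.
public sealed class EntraUserSync
{
    private readonly GraphServiceClient _graph;

    public EntraUserSync(string tenantId, string clientId, string clientSecret)
    {
        // Assumption: a tenant-specific authority (GUID or verified domain), not "common".
        var options = new ClientSecretCredentialOptions
        {
            AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
            // No AdditionallyAllowedTenants wildcard: the sync targets one tenant only.
        };
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);

        // ".default" requests every application permission already consented for this app.
        _graph = new GraphServiceClient(credential, new[] { "https://graph.microsoft.com/.default" });
    }

    // Returns every user in the tenant, following @odata.nextLink pages.
    public async Task<List<User>> FetchAllUsersAsync(CancellationToken ct = default)
    {
        var collected = new List<User>();
        try
        {
            var firstPage = await _graph.Users.GetAsync(req =>
            {
                req.QueryParameters.Select =
                [
                    "id", "accountEnabled", "givenName", "surname", "mail",
                    "streetAddress", "city", "state", "displayName", "mobilePhone"
                ];
                req.QueryParameters.Top = 999; // largest page size Graph allows for /users
            }, ct);

            if (firstPage is null)
                return collected;

            var iterator = PageIterator<User, UserCollectionResponse>.CreatePageIterator(
                _graph,
                firstPage,
                user =>
                {
                    collected.Add(user);
                    return true; // keep iterating
                });

            await iterator.IterateAsync(ct);
        }
        catch (AuthenticationFailedException ex)
        {
            // Token acquisition failed (e.g. AADSTS53003 from a Conditional Access policy).
            // The AADSTS code in ex.Message is what to look up; log it and let the
            // scheduler retry on the next run rather than mutating the local table.
            Console.Error.WriteLine($"Graph token acquisition failed: {ex.Message}");
            throw;
        }
        catch (ODataError ex)
        {
            // Graph rejected the request itself (for example a missing application permission).
            Console.Error.WriteLine($"Graph request failed: {ex.Error?.Code} {ex.Error?.Message}");
            throw;
        }

        return collected;
    }
}

// Usage from a hosted background service (placeholders; secret comes from configuration):
//   var sync = new EntraUserSync(
//       tenantId: "YOUR_TENANT_ID",
//       clientId: "YOUR_CLIENT_ID",
//       clientSecret: Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET")!);
//   var users = await sync.FetchAllUsersAsync();
```

Keeping the secret out of source and scoping the app to a single tenant are the two least-privilege changes a reviewer would ask for; the pagination is what turns a first page of users into the full directory listing the local table is meant to mirror.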
