Documentation/Security

OAuth2 app registration

How the OAuth2 connection works: app registration, admin consent, PKCE, and how tokens are handled.

The model

ServiceChanger uses a multi-tenant Microsoft app registration. When you grant admin consent, an enterprise application (service principal) is created in your tenant that carries the approved application permissions. All Graph access then runs through that service principal in your tenant.

So you are not giving ServiceChanger blanket access; you authorize an app in your own tenant with exactly the scopes you approved. You can revoke it at any time.

The consent flow

  1. You start the connection and are redirected to Microsoft.
  2. The request uses the OAuth2 Authorization Code flow with PKCE (S256). No secrets or certificates are handled in your browser.
  3. Microsoft shows the requested application permissions. You approve them as an admin.
  4. Microsoft creates the service principal and returns an authorization code.
  5. ServiceChanger exchanges that code for tokens through a confidential client (the client secret stays server-side).

The scope request uses .default, which means: grant exactly the permissions declared on the app registration that you approved, nothing more.
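The following Go program is an added illustration of the flow above, not ServiceChanger's own code. It derives a PKCE verifier and S256 challenge, builds the authorization redirect with the .default scope, and assembles the form the confidential client posts to redeem the code. The client ID, redirect URI, tenant and secret values are placeholders; the endpoint paths and parameter names are the standard Microsoft identity platform v2.0 ones.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Placeholder registration values; assumed for this example, not ServiceChanger's real ones.
const (
	exampleClientID    = "00000000-0000-0000-0000-000000000000"
	exampleRedirectURI = "https://example.invalid/oauth2/callback"
	graphDefaultScope  = "https://graph.microsoft.com/.default"
)

// NewCodeVerifier returns a fresh PKCE code_verifier: 32 random bytes, base64url
// without padding (43 characters, inside the 43..128 range RFC 7636 allows).
func NewCodeVerifier() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// CodeChallengeS256 derives the S256 code_challenge: BASE64URL(SHA256(verifier)).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the browser redirect to the Microsoft identity platform for the
// given tenant. Only the challenge travels with it; the verifier stays server-side.
func AuthorizeURL(tenant, clientID, redirectURI, challenge, state string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", graphDefaultScope) // .default: exactly the permissions declared on the registration
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	q.Set("state", state) // CSRF binding, checked when the code comes back
	return "https://login.microsoftonline.com/" + url.PathEscape(tenant) + "/oauth2/v2.0/authorize?" + q.Encode()
}

// TokenRequestForm is the body the confidential client POSTs to /oauth2/v2.0/token to
// redeem the authorization code. client_secret and code_verifier never reach the browser.
func TokenRequestForm(clientID, clientSecret, code, redirectURI, verifier string) url.Values {
	f := url.Values{}
	f.Set("client_id", clientID)
	f.Set("client_secret", clientSecret)
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("redirect_uri", redirectURI)
	f.Set("code_verifier", verifier)
	f.Set("scope", graphDefaultScope)
	return f
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println("authorize:", AuthorizeURL("common", exampleClientID, exampleRedirectURI, challenge, "opaque-state"))
	// After the redirect back: verify state, then redeem the code server-side.
	form := TokenRequestForm(exampleClientID, "<client secret, server-side only>", "<code from redirect>", exampleRedirectURI, verifier)
	fmt.Println("token form:", form.Encode())
}
```

The point the page makes is visible in the split: the browser only ever carries the challenge and the code, while the verifier and the client secret are used in the server-side token request, so an intercepted code cannot be redeemed without them.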

Tokens

  • Tokens are managed server-side, not in the browser.
  • The token cache is stored encrypted (AES-256) and not kept as plain text.
  • Refresh runs through standard Microsoft identity mechanisms; no passwords or certificates of your administrators are stored.
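As an added example (not ServiceChanger's code), this Go program shows one way a server-side token cache can be kept encrypted with AES-256 as the bullets describe. The page does not name the mode; GCM is assumed here so that tampering is detected, and the tenant ID is bound as associated data so a blob saved for one tenant cannot be presented as another's. The key source and token values are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// TokenCache is the per-tenant record kept server-side; the browser never sees it.
type TokenCache struct {
	TenantID     string `json:"tenant_id"`
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	ExpiresAt    int64  `json:"expires_at"`
}

// newGCM wraps a 32-byte key (AES-256) in an AEAD; any other key length is refused.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTokenCache serializes the cache and encrypts it with AES-256-GCM (assumed mode).
// The tenant ID is additional authenticated data. Output layout: nonce || ciphertext || tag.
func SealTokenCache(key []byte, cache TokenCache) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(cache)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, []byte(cache.TenantID)), nil
}

// OpenTokenCache decrypts a blob written by SealTokenCache for the given tenant.
// A modified blob or a mismatched tenant fails authentication and yields no plaintext.
func OpenTokenCache(key []byte, tenantID string, blob []byte) (TokenCache, error) {
	var cache TokenCache
	gcm, err := newGCM(key)
	if err != nil {
		return cache, err
	}
	if len(blob) < gcm.NonceSize() {
		return cache, errors.New("token cache blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(tenantID))
	if err != nil {
		return cache, fmt.Errorf("token cache authentication failed: %w", err)
	}
	if err := json.Unmarshal(plain, &cache); err != nil {
		return cache, err
	}
	return cache, nil
}

func main() {
	// Constructed demo key; in a deployment it comes from a KMS or secret store, never from source.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	cache := TokenCache{TenantID: "tenant-a", AccessToken: "constructed-access-token", RefreshToken: "constructed-refresh-token", ExpiresAt: 1700000000}
	blob, err := SealTokenCache(key, cache)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; no plaintext token reaches disk\n", len(blob))
	back, err := OpenTokenCache(key, "tenant-a", blob)
	fmt.Println("same tenant:", back.AccessToken == cache.AccessToken, err)
	_, err = OpenTokenCache(key, "tenant-b", blob) // wrong tenant: authentication fails
	fmt.Println("other tenant:", err)
}
```

Because the nonce is random per write, two saves of the same cache produce different blobs, and because the tenant ID is authenticated rather than encrypted, a lookup for the wrong tenant fails closed instead of returning someone else's tokens.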

Multiple tenants

You connect each tenant separately, and each gets its own service principal and its own rules. Useful for holdings or managed-service environments. Tenants do not share rules or data with each other.

What you can audit as an admin

In Azure Portal > Microsoft Entra ID > Enterprise Applications > ServiceChanger you can see:

  • The exact granted permissions.
  • Which user granted consent and when.
  • Sign-in and audit activity of the service principal.

Revoking

Delete the enterprise application in Azure Portal, or use Disconnect in ServiceChanger. After that, access is fully revoked. Existing group memberships stay as they are at that point.

Related