When you have a code module that will interact with the Microsoft Graph API, you need to register an application in Microsoft Azure AD, set permissions, and choose whether the integration should be "on behalf of a user" or by the end user logged in to Pims (this requires that the end user in Pims is authenticated as an Office 365/Azure AD user).

Register application in Azure AD

To be able to authenticate against Azure AD, the code module must be registered as an application in Azure AD. Details on how to do this can be found here.

After the application is registered, you need to set which permissions the application needs. In this example we will use our Pims OneDrive integration permissions:

  1. In the API permissions pane, click Add - Microsoft Graph - Delegated permissions and then choose these permissions: Files.ReadWrite, Files.ReadWrite.All, Sites.ReadWrite.All, User.Read
  2. The permissions that have now been added to the application need consent. Click the Grant consent button above the permissions.
  3. Go to the Certificates & Secrets pane and Create a new secret; give it a name and copy the value.

Once the application is registered and configured in Azure AD you need to copy the Application (client) ID, Directory (tenant) ID and Client Secret. You can find the Client ID and Tenant ID from the Overview.


To be able to use the Graph API as this application, you need to add the URL and set the grant and client type. In the Authentication pane:

  1. Click Add URI and add the Pims URI for the Code Module and Web App, e.g.: "" and " "
  2. Select Access Tokens and ID Tokens under Implicit grant
  3. Select Public Client under Client Type
  4. Click save at the top of the page

Pims example App

In Pims R4 Dev we have created an example Web App: msgraphapi. This app uses the Microsoft MSAL library to authenticate the user, and it can also access and use the Graph API. If you need to use a Code Module to do the operation against the Graph API instead of the Web App, we have created an example Code Module: api/graphapiauthentication. This Code Module requires the user access token as a parameter and uses it to access the Graph API. In the Pims OneDrive and SharePoint integration we use the MSAL library in the Web App to authenticate and retrieve the access token for the user, and pass this to the Code Module, which does the file operation (update, create, delete etc.).

Consent / Permission update

If the application was registered with Files.ReadWrite, Files.ReadWrite.All, Sites.ReadWrite.All and User.Read, and you want to use the Mail API in the Graph API, you need to add this permission to the application through Microsoft Azure AD and provide consent before using the API.
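
The sketch below is an added example, not the code of api/graphapiauthentication, showing how a Code Module that receives the user access token as a parameter can call the Graph API without forwarding that token to any other host, and how a missing permission or consent surfaces. JavaScript is assumed, and the names `buildGraphRequest`, `explainGraphStatus` and `callGraph` are hypothetical.

```javascript
// Added example: all function names here are hypothetical.
const GRAPH_ORIGIN = "https://graph.microsoft.com";

// Build a delegated Graph request. The path is resolved against the Graph
// origin and rejected if it would send the user's token to another host.
function buildGraphRequest(accessToken, path, method = "GET") {
  if (typeof accessToken !== "string" || accessToken.trim() === "") {
    throw new Error("missing user access token");
  }
  const url = new URL(path, GRAPH_ORIGIN + "/v1.0/");
  if (url.origin !== GRAPH_ORIGIN) {
    // Error text names the host only; the token is never echoed.
    throw new Error("refusing to send token to " + url.origin);
  }
  return {
    url: url.href,
    options: { method, headers: { Authorization: "Bearer " + accessToken } },
  };
}

// Map a Graph HTTP status to the action the operator needs to take.
function explainGraphStatus(status) {
  if (status >= 200 && status < 300) return "ok";
  if (status === 401) {
    return "token missing, expired or invalid: re-authenticate in the Web App";
  }
  if (status === 403) {
    return "permission not granted: add it in Azure AD and grant consent";
  }
  return "graph error " + status;
}

// Perform the call. fetchImpl is injectable so the function can be
// exercised with a stub instead of the network.
async function callGraph(accessToken, path, fetchImpl = fetch) {
  const { url, options } = buildGraphRequest(accessToken, path);
  const res = await fetchImpl(url, options);
  const outcome = explainGraphStatus(res.status);
  if (outcome !== "ok") throw new Error(outcome);
  return res.json();
}
```

A call such as `callGraph(token, "me/drive/root/children")` lists the signed-in user's OneDrive root with the delegated Files permissions registered above.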
