Enable Graph Explorer with an access token or Service Principal integration #2970

Open
bretthacker opened this issue Jan 31, 2024 · 2 comments
bretthacker commented Jan 31, 2024

Is your feature request related to a problem? Please describe.
When testing API calls, it is often necessary to observe the results of application permissions, not just delegated. Logging into Graph Explorer using a user principal limits all API calls to delegated permissions.

Describe the solution you'd like
Either (a) allow us to obtain our own access token from a service principal, using whatever authentication mechanism has been set up (secret, cert, etc.), and add that to our Graph Explorer session, or (b) allow us to put in a service principal appid, secret, and tenantid.

With either of these, the option to obtain JIT consent would be obviated - the SP has permission to call the api, or not. If a permission is needed, it's up to the tester/developer to go add that permission to the registration and re-consent.

Describe alternatives you've considered
The only other way to test here is to use something like Postman, which is what I currently do. This isn't as convenient.

Additional context
Add any other context or screenshots about the feature request here.

@thewahome
Collaborator

Hello @bretthacker,

Graph Explorer was designed as a developer tool that allows users to explore and test the capabilities of the Microsoft Graph API. The consent process is made to use Delegated permissions to ensure that users are aware of the permissions they are granting to an application and to provide them with the ability to grant or deny access on a case-by-case basis. This is why Graph Explorer does not support application permissions.

However, your suggestions are sound and I am going to rope in a number of people in the team so that they can see what aspects we can integrate, if any. cc @adhiambovivian / @darrelmiller

@bretthacker
Author

Thanks. Fully aware of the current intentions of GE. I'm doing a lot of work with Graph and testing is extremely difficult when validating application flows and determining the correct consents to request. For example, I'm calling the invitation API and resetting consent with a new external email. It works in one app, not in another. I finally figured out through trial and error that it wasn't the consent but rather that the guest account had a tenant role assigned (this limitation isn't documented). The error was "insufficient permissions", which wasn't helpful for this edge case. I'd spent hours comparing the consent requests in the two manifests. I finally figured it out in prod.

Having the ability to easily iterate raw API test cases while architecting a solution involving app permissions is crucial.
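
An added example, not part of the thread and not Graph Explorer code: the service principal token request discussed above (OAuth 2.0 client credentials against the Microsoft identity platform v2.0 endpoint), plus a check of whether a token carries application permissions (`roles` claim) or delegated ones (`scp` claim). The function names, tenant and app values, and the sample tokens are constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Build (without sending) the client-credentials token request for Graph."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a vault or env var, never hard-code
        "scope": GRAPH_DEFAULT_SCOPE,    # .default = permissions already consented on the app
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")

def decode_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def permission_summary(jwt):
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles' and no 'scp'."""
    claims = decode_claims(jwt)
    if claims.get("scp"):
        return {"kind": "delegated", "permissions": sorted(claims["scp"].split())}
    if claims.get("roles"):
        return {"kind": "application", "permissions": sorted(claims["roles"])}
    return {"kind": "none", "permissions": []}

def constructed_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

APP_TOKEN = constructed_token({"roles": ["User.Invite.All", "Directory.Read.All"]})
USER_TOKEN = constructed_token({"scp": "User.Read openid"})

if __name__ == "__main__":
    print(build_token_request("<tenant-id>", "<app-id>", "<secret>").full_url)
    print(permission_summary(APP_TOKEN))
    print(permission_summary(USER_TOKEN))
```

Comparing the `roles` list of a real app-only token against the permissions an endpoint documents separates a missing consent from other causes of an "insufficient permissions" response.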
