This article will help guide you through utilizing Postman to call a Microsoft Graph Call using the authorization code flow. This is part of a 5 part blog on accessing the Microsoft Graph API utilizing grant types : authorization code, implicit flow, client credentials, password, and refresh token flow. We will be utilizing the same Microsoft Graph call to reduce extraneous details on having to include setting up and finding the correct permissions for every Microsoft Graph Calls while still maintaining the consistency of setting up for the entire Microsoft Graph Call from start to finish.


Setting Up the AAD Application

The first step to getting access to the Microsoft Graph REST API is to setup an AAD Application Registration.

First we are going to want to create the AAD Application registrations in the portal. For this we will need to configure the application to be able to work with Postman so that we can make the call to the Microsoft Graph API. First we go to the Azure Active Directory Blade, go to App Registrations, and then create a new application registration.

2018-03-31 19_16_00-Create - Microsoft Azure - Internet Explorer

From there we are going to want to create a web app with any name. Here I have set the name as web app and then we want to set the callback url to : and set the application type to web app/ API.

Note: that you can set whatever URLs you would like



You will have to click out of the sign-on URL to make it check whether or not if it’s correct.

After that we have created our web app, we will want to create a secret. Please keep track of the secret as you won’t be able to see the secret again. You will have to press save in order for the secret to generate.


With this information in hand, we will be able to move forward and connect to this AAD registration. But without the correct permissions we won’t be able to get an access token to make calls to the Microsoft Graph API.


Finding Which Permissions We Need for a Microsoft Graph Call Using Authorization Code Flow

Assuming we would like to have granular control on what the AAD Application registration has access to and what it doesn’t have access to. We are going to want to make sure that the AAD Application registration only has the permissions it needs to make the Microsoft Graph API calls that we are wanting to make.

There has been a separate blog post on finding the correct permissions for your graph API call listed below :


For this Authorization Code flow, we will want to set the required permission for Read all users’ full profiles under Delegated Permissions. You can utilize the Application Permission as well, however you won’t get the permissions based on the user logging in, instead you will receive the permission on behalf of the Application.




Retrieving an Access token Using Authorization Code Grant Type Flow

When using the Authorization Code flow to get the access token, the preview feature of postman when requesting for an HTML page doesn’t properly load the HTML page. In addition to that I’m not sure if the preview feature would even properly add the cookies to Postman, so you won’t be able to make requests to the authorization endpoint and get the authorization code back and send that to the token endpoint.


However, Postman does include a way to get an Access token via OAuth2’s Authorization Code Grant type by going to the authorization tab in Postman and then requesting a new access token.


After opening up Postman click on the authorization tab shown in the picture below. After that, click on the highlighted drop down menu.




After clicking on the menu, we will want to click on OAuth 2.0




This will now change the User Interface and there will be a “Get a New Access Token” button on the right side now. Click on the button on the right side and that will open a new pop up section.




You will now be able to choose your grant type, this article is meant to follow the grant type authorization code.


The callback URL will be your first reply URL for your AAD Application Registration, I have set mine to

The Auth URL will be the auth endpoint for the tenant that your AAD Application Registration is in. You can find this in the picture below in your AAD App Registration blade.

Note that you will need to add the resource you are asking access to as a query parameter in your auth url. For example: This auth url is asking for authorization to get access to the Microsoft Graph.



The Access token URL is highlighted in the picture above, the OAuth 2.0 token endpoint URL.

The client ID is the application ID/Client ID for your AAD Application Registration. This is found when you first enter the blade for your AAD Application.

The client secret can be found by following the directions described here :

Note: There are some issues with Postman and utilizing the “Get New Access Token feature” when the client secret has a # and +. So you will need to continue to get a new secret until it doesn’t have a + or # symbol in the client secret. This issue is described in the GitHub issue :

The Client Authentication will work using either option, here I’m using “Send Client Credentials in Body”




Now when you click on request token, an interactive pop up will show asking you to login. After you login with your username and password, it will then automatically go through the flow and send the authorization code to the token endpoint. After logging in you will receive the Access token, and it will look like the picture below.




Now that you have the access token you will want to add it to your headers. Postman will do this for you, but you have to remember to scroll down in the “Manage Access Tokens” frame and press “Use Token”.






We have gone through the steps to get an access token utilizing postman’s feature to request access tokens from the token endpoint by getting the authorization code from the authorization endpoint. If you would like to learn more about how the OAuth 2.0 flow works in terms of AAD Web Applications please take a look at this documentation that reviews how it works :


If you have anymore issues feel free to open a support ticket and one of our engineers will reach out to you to resolve the issue.

8 Thoughts to “Using Postman to call the Microsoft Graph API using Authorization Code Flow”

  1. Excellent article – added to the bookmarks

  2. Excellent article – added to the bookmarks

  3. Arun Manjila Purushothaman

    Thank you so much for sharing, very useful. Really struggled a lot to get through that.
    You should highlight the trouble of having the + or # in the token.

  4. Arun Manjila Purushothaman

    Thank you so much for sharing, very useful. Really struggled a lot to get through that.
    You should highlight the trouble of having the + or # in the token.

  5. Spencer York

    Helpful article, but it seems like the author’s thoughts were a bit rushed, and some things were not as clear as the author assumed.

    1. Frank Hu MSFT

      Hey Spencer,
      Can you please clarify on which parts aren’t very clear? And if there are any questions in regards to this please let me know and I will reply back to you as soon as possible.

  6. […] Postman’s Authorization Code flow to obtain an access token for the bhbackend app. For oauth2 applications, use the following […]

Leave a Comment