
Microsoft Graph authentication - delegated permissions

Updated: 2023-12-02 15:39:58

In order to use delegated permissions, the end user needs to sign in interactively through an OAuth 2.0 flow.

Now, you can use a user's creds with the Resource Owner Credentials Flow, which is simply posting the username/password to Azure AD and getting tokens back. This path is not recommended as it's brittle (for example, MFA will not work) and requires your app to manage the user's credentials.

Your best bet is to create some kind of sign-in experience for your users that allows them to sign in and consent to your application. Refresh tokens in Azure AD have a lifetime of until-revoked, meaning they can last as long as a year if not longer. The bottleneck you'll hit is the end user's password expiring, which would lead them to need to sign in again.

For some help with this, Azure AD has an ADAL4j library you can use. I've also written a small Spring MVC Java code sample for the Azure AD v2.0 endpoint (Microsoft Accounts + Azure AD Accounts) that uses a third-party library.
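As an added illustration of the recommended path (this is not the author's Spring MVC sample and does not use ADAL4j), the sketch below builds the Azure AD v2.0 authorize URL, the authorization-code exchange and the refresh-token request, and classifies the token endpoint's reply so the app knows when the user must sign in again. The client id, secret, redirect URI and the two token responses are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Azure AD v2.0 endpoint (common tenant: Microsoft Accounts + Azure AD accounts).
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: send the user here to sign in and consent to the delegated scopes.
    The v2.0 endpoint only returns a refresh token when offline_access is requested.
    `state` must be random per request and checked on the redirect back."""
    params = {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "response_mode": "query", "scope": " ".join(["offline_access", *scopes]),
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def build_code_exchange(client_id, client_secret, redirect_uri, scopes, code):
    """Step 2: form body POSTed to /token to trade the authorization code for tokens."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "scope": " ".join(scopes), "code": code}


def build_refresh_request(client_id, client_secret, scopes, refresh_token):
    """Step 3 (repeated silently): renew the access token with the stored refresh token."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "scope": " ".join(scopes),
            "refresh_token": refresh_token}


def handle_token_response(body):
    """Classify a /token JSON reply: ('ok', tokens) or ('reauth', reason).
    invalid_grant covers a revoked or expired refresh token and a changed or expired
    user password; the only recovery is an interactive sign-in, so persist nothing."""
    resp = json.loads(body)
    if "access_token" in resp:
        return "ok", {"access_token": resp["access_token"],
                      "refresh_token": resp.get("refresh_token"),
                      "expires_in": resp.get("expires_in")}
    if resp.get("error") == "invalid_grant":
        return "reauth", resp.get("error_description", "")
    raise RuntimeError(f"token endpoint error: {resp.get('error')}")


# Constructed sample replies (not captured from Azure AD).
SAMPLE_OK = ('{"token_type":"Bearer","scope":"User.Read","expires_in":3599,'
             '"access_token":"eyJ.sample","refresh_token":"0.Asample"}')
SAMPLE_REVOKED = ('{"error":"invalid_grant","error_description":'
                  '"The refresh token has expired or been revoked (constructed sample)."}')
```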