Authenticate a server application to Microsoft APIs using Azure Entra client credentials flow

Verified steps

1. Register an application in Azure Entra (Entra ID / Azure AD): go to App Registrations, create a new registration, note the Application (client) ID and Directory (tenant) ID
2. Create a client secret under Certificates & Secrets (or upload a certificate — preferred for production); store the secret value securely; it is only shown once
3. Grant the required API permissions to the application registration under API Permissions; for application permissions (daemon flows) click Grant admin consent — without this, token requests succeed but API calls return 403
4. Request an access token by POSTing to https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token with grant_type=client_credentials, client_id, client_secret (or client_assertion for certificate), and scope set to the target API's app URI followed by /.default (e.g., https://graph.microsoft.com/.default)
5. Parse the access_token from the JSON response and include it as a Bearer token in the Authorization header of downstream API calls; cache the token until the expires_in seconds have elapsed (typically 3600 s) and refresh proactively before expiry
6. For certificate-based auth, generate a signed JWT client assertion using your certificate private key and send it as client_assertion with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer