
We have an enterprise web application with a Web API 2 backend and other external backend processes. Both of these send mail with or without user interaction. I identified the client credential flow as the appropriate authorization flow for our application, but I discovered it is not supported for SMTP AUTH on Office 365.

Q: If we use the authorization code flow and have an admin user login to the Microsoft prompt, do consent, obtain an access token and refresh token, and store these (securely on the server or in our database), can we continually get new access tokens using the refresh tokens without user interaction again? Or will these expire at some point and require the user to interactively sign in again?

Our goal is a one-time system configuration, which is achieved with the client credentials flow via tenant, app id, and client secret, but going this route requires us to use Microsoft Graph for mail which has some limitations that SMTP AUTH does not. However, my concern is whether the authorization code flow might require an IT administrator of the system to continually log in on a periodic basis, which would not be acceptable.

Would the authorization code flow also fit our use case?

For context: we are migrating away from Basic Authentication, which is a one-time system configuration in most software.

David Anderson
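The refresh path the question describes, written up as an added Python example (not code from the question, and not Microsoft's own library): a refresh token obtained once through the authorization code flow is stored server-side and exchanged at the Microsoft identity platform v2.0 token endpoint for a fresh access token whenever the cached one is near expiry; a rotated refresh token in the response replaces the stored one; and the access token is framed as the SASL XOAUTH2 initial response that SMTP AUTH expects. Assumptions: the token endpoint URL and the `SMTP.Send` plus `offline_access` scopes are the standard Microsoft ones; the tenant, client id, secret, mailbox and token values in `demo()` are constructed; `fake_post` stands in for the network so the walk-through runs offline. An `error` response (typically `invalid_grant`) is treated as the signal that the refresh token was revoked or expired and an admin must consent interactively again, which is the condition to alert on rather than silently retry.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# v2.0 token endpoint; {tenant} is the directory id or domain the app was consented in.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# SMTP.Send is the delegated scope for SMTP AUTH with OAuth; offline_access is
# what makes the authorization code flow hand back a refresh token at all.
SMTP_SCOPE = "https://outlook.office365.com/SMTP.Send offline_access"


def build_refresh_request(tenant, client_id, client_secret, refresh_token):
    """Return (url, form-encoded body) for the refresh_token grant."""
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": SMTP_SCOPE,
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(body).encode()


def http_post(url, body):
    """Real transport (the offline demo below replaces it with a stub)."""
    req = Request(url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


class TokenStore:
    """Server-side record of the admin's tokens. The refresh token is the
    long-lived secret: persist it encrypted at rest and limit which service
    identity can read it (deployment assumption, not shown here)."""

    def __init__(self, refresh_token, access_token=None, expires_at=0.0):
        self.refresh_token = refresh_token
        self.access_token = access_token
        self.expires_at = expires_at

    def access_token_usable(self, now, skew=300):
        # Expire a few minutes early so a slow SMTP session does not start
        # with a token that dies mid-conversation.
        return self.access_token is not None and now + skew < self.expires_at


def get_access_token(store, tenant, client_id, client_secret, post=http_post, now=None):
    """Return a usable access token, refreshing silently when needed.

    No user interaction: the stored refresh token is exchanged for a new access
    token, and a new refresh token in the response replaces the stored one
    (rotation). An error response means the refresh token is gone and only an
    interactive re-consent by the admin can recover, so it is raised."""
    now = time.time() if now is None else now
    if store.access_token_usable(now):
        return store.access_token
    url, body = build_refresh_request(tenant, client_id, client_secret, store.refresh_token)
    resp = post(url, body)
    if "error" in resp:
        raise RuntimeError(f"refresh failed: {resp['error']}: {resp.get('error_description', '')}")
    store.access_token = resp["access_token"]
    store.expires_at = now + int(resp["expires_in"])
    store.refresh_token = resp.get("refresh_token", store.refresh_token)
    return store.access_token


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response for `AUTH XOAUTH2` on SMTP:
    base64("user=<mailbox>\\x01auth=Bearer <token>\\x01\\x01")."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def demo():
    """Offline walk-through against a constructed token-endpoint stub."""
    calls = []

    def fake_post(url, body):
        calls.append((url, body))
        # Constructed JSON shaped like the v2.0 token endpoint's reply,
        # including a rotated refresh token each time.
        n = len(calls)
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": f"AT-{n}", "refresh_token": f"RT-{n}"}

    store = TokenStore(refresh_token="RT-0")  # constructed, from a one-time admin consent
    t0 = 1_700_000_000.0
    fetch = lambda now: get_access_token(store, "contoso.onmicrosoft.com", "client-id",
                                         "client-secret", post=fake_post, now=now)
    first = fetch(t0)           # no cached token: one refresh call
    second = fetch(t0 + 600)    # still valid: served from cache, no network
    third = fetch(t0 + 4000)    # expired: refreshed again with the rotated RT-1
    return {"tokens": (first, second, third), "calls": len(calls),
            "refresh_token": store.refresh_token,
            "sasl": xoauth2_initial_response("mailer@contoso.com", third)}


if __name__ == "__main__":
    print(demo())
```

The result of `xoauth2_initial_response` is what goes after `AUTH XOAUTH2` in the SMTP dialogue (with `smtplib`, via `docmd`), so the mail-sending path never sees the refresh token; only the refresh routine does. Logging each refresh and each `RuntimeError` gives the operations team a clear record of when the silent renewal stopped working and an admin sign-in is actually needed.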

0 Answers