Use the OAuth 2.0 ROPC grant for highly trusted applications where the user enters their credentials directly into the client and the client can safely handle confidential credentials. Authorization Code + PKCE is preferred for public clients.

Key points

• Audience: Confidential clients owned by the same organization as the authorization server
• Sensitive: App directly handles end‑user credentials
• MFA: Some tenants may require MFA; see MFA endpoints below

Next steps

• Obtain your OAuth Client ID/Secret from OAuth Application
• Implement Get Token
• If MFA is required, continue with MFA Verify or MFA Bind

Previous pageCompute PKCE Code Challenge

Next pageGet Token