My website is using the GraphClient Library ( to query Azure AD. Its using its own credentials and authorization token to access and this works fine.
I'm trying to change it so that when users log into my website and authenitcate using their own Microsoft tenant account, my website then queries the using that users token and not its (the webserver) own.
I'm using OWIN middleware, OpenID against Microsoft for authentication and finally the GraphClient to query AzureAD.
Right now my process is in OWIN Notifications => AuthorizationCodeReceived I do a AcquireTokenByAuthorizationCode() to retrieve the users AccessToken, then I try connect to the GraphClient like so..
new ActiveDirectoryClient(
new Uri(graphResourceID + '/' + tenantID),
async () => userAccessToken
The GraphClient always returns a response saying 'insufficient privileges' to all the calls I checked. But if I create a simple HTTPClient request to the REST API and inject the "Bearer" authoriaztion header with userAccessToken from above then the Graph API gives me a valid response.
Why is the GraphClient library returning 'insufficient privileges' when a simple HTTPClient request works fine?