5
votes

I have searched for the error I found and did not find any matching questions, so I am posting one. I would appreciate it if someone could provide some pointers on how to proceed.

My goal is to access the Graph API from my desktop client. I have started using Fiddler to experiment.

  • I have followed the instructions provided at https://graph.microsoft.io/en-us/docs/authorization/app_only
  • Registered a Web App using the Application Registration portal with my Microsoft work account.
  • Granted "Read all users' full profiles" under Delegated permissions.
  • Requested a token and used it in the Authorization header to call the Graph API; I get the following error.

    https://graph.microsoft.com/v1.0/users
    119
    {
      "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
          "request-id": "4c3a7bc6-e3d8-453c-adc9-5a12fec3b0ee",
          "date": "2016-05-11T00:46:23"
        }
      }
    }
    
5
In one of the answers (stackoverflow.com/questions/33791463/…) it is said that app-only requires application permissions. Since I am using a Microsoft work account, Azure AD shows that you are only allowed to set delegated permissions. Is the above issue due to delegated permissions? - Manohar
Did you ever solve this? - joshcomley
Was this solved? - NBajanca
Yeah, check out my answer below - Irwin

5 Answers

10
votes

In my case, I got the same error after I used the Quickstart (step 1), then had the .NET sample configured automatically (step 2), then downloaded the code sample (step 3), as shown in the picture below.

[image]

All steps were done successfully except step 3. The Microsoft code generator generated the app id and app secret in the project successfully, but the tenant was set to common in appsetting.json, as seen in the image below.

[image]

I thought it was a valid thing, but later found out that this caused the issue.

Solution: I copied the Directory (tenant) ID, then replaced common with the tenant ID, and it worked. I am not sure if this is a bug in the Azure Quickstart code generation.

[image]

8
votes

This sample helped me understand the flows around app-only permissions. https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/

Key takeaways for me:

  • Ensure you set up the app and specify the Application Permissions needed
  • Do have an admin grant the app permission to run against the relevant directory.
  • Get the relevant token:

    Notice the scope in the request below is https://graph.microsoft.com/.default

    POST https://login.microsoftonline.com/{tenantname}.onmicrosoft.com/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=client_credentials&client_id=6abf3364-0a60-4603-8276-e9abb0d843d6&client_secret=JfgrNM9CcW...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
    
  • Use the token to request the relevant Graph resource, e.g.:

    GET https://graph.microsoft.com/v1.0/users/demouser01@[tenant-name].onmicrosoft.com/drive/root/children
    
    Accept: application/json
    Authorization: Bearer eyJ0eXAiOi
    
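The two fixes in the answers above (use the real tenant instead of `common`, and make sure the token carries application permissions that an admin has consented to) can be checked locally before calling Graph. The following script is an added example, not code from the question or from any answer: it builds the `client_credentials` request for a tenant-specific v2.0 endpoint, rejects the multi-tenant aliases, and decodes a received token's claims (without signature verification, for inspection only) to tell a delegated token (`scp` claim) from an app-only token (`roles` claim). The tenant ID, the function names and the two tokens are constructed placeholders; `request_token` only runs if you supply real credentials through environment variables.

```python
"""Diagnostics for the Microsoft Graph client-credentials (app-only) flow.

Added example, not from the question or any answer on this page. It shows
the two checks behind Authorization_IdentityNotFound as discussed above:
  1. the token endpoint must name the tenant (ID or *.onmicrosoft.com),
     never the multi-tenant "common" alias, for client_credentials;
  2. the issued token must carry a "roles" claim (Application permissions
     granted by an admin), not only "scp" (Delegated permissions).
All tokens and IDs below are constructed placeholders, not real values.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"
# Microsoft Graph's own application ID; v2.0 app tokens use it or the URL as "aud".
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def is_multi_tenant_alias(tenant: str) -> bool:
    """True for the aliases that cannot be used with client_credentials."""
    return tenant.strip().lower() in MULTI_TENANT_ALIASES


def token_endpoint(tenant: str) -> str:
    """Return the v2.0 token endpoint for a specific tenant.

    client_credentials has no signed-in user from which to resolve the
    tenant, so "common" cannot work here; that is what "The identity of the
    calling application could not be established" reports.
    """
    if is_multi_tenant_alias(tenant):
        raise ValueError(f"client_credentials needs a tenant ID or domain, not '{tenant}'")
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def client_credentials_body(client_id: str, client_secret: str) -> dict:
    """Form fields for the client_credentials grant with the .default scope."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    }


def request_token(tenant: str, client_id: str, client_secret: str) -> dict:
    """POST the token request; returns the parsed JSON response."""
    data = urllib.parse.urlencode(client_credentials_body(client_id, client_secret)).encode()
    req = urllib.request.Request(token_endpoint(tenant), data=data,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (local inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(jwt: str, expected_tenant: str) -> list:
    """List the reasons Graph would reject this token for an app-only call."""
    claims = decode_claims(jwt)
    problems = []
    if claims.get("tid") != expected_tenant:
        problems.append(f"tid={claims.get('tid')!r} does not match the expected tenant")
    if "roles" not in claims:
        if "scp" in claims:
            problems.append("token carries delegated scopes (scp) but no application roles; "
                            "add Application permissions and have an admin grant consent")
        else:
            problems.append("token has no roles claim: admin consent for the Application permissions is missing")
    if claims.get("aud") not in ("https://graph.microsoft.com", GRAPH_APP_ID):
        problems.append(f"aud={claims.get('aud')!r} is not Microsoft Graph")
    return problems


def _sample_jwt(payload: dict) -> str:
    """Build an UNSIGNED sample JWT for the demonstration (constructed, not a real token)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
# Constructed: what an admin-consented Application permission produces.
APP_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com", "tid": TENANT, "roles": ["User.Read.All"]})
# Constructed: a delegated-style token (scp, no roles), like the question's setup.
DELEGATED_TOKEN = _sample_jwt({"aud": "https://graph.microsoft.com", "tid": TENANT, "scp": "User.Read.All"})

if __name__ == "__main__":
    print("app token problems:", diagnose(APP_TOKEN, TENANT))
    print("delegated token problems:", diagnose(DELEGATED_TOKEN, TENANT))
    env = {k: os.environ.get(k) for k in ("GRAPH_TENANT", "GRAPH_CLIENT_ID", "GRAPH_CLIENT_SECRET")}
    if all(env.values()):  # only reach the network when real credentials are supplied
        tok = request_token(env["GRAPH_TENANT"], env["GRAPH_CLIENT_ID"], env["GRAPH_CLIENT_SECRET"])
        print("live token problems:", diagnose(tok["access_token"], env["GRAPH_TENANT"]))
```

Run it as-is to see the two constructed tokens diagnosed; set `GRAPH_TENANT`, `GRAPH_CLIENT_ID` and `GRAPH_CLIENT_SECRET` to diagnose a token from your own registration. The claim check is deliberately unverified decoding: it tells you what the token says, while Graph remains the party that validates the signature.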
6
votes

For me, I had not given admin consent. This is a critical step. My mistake was in thinking that by granting the app permissions, this was giving admin consent, but it's not the same thing.

From step 3 on this site: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

I just pasted their call into a browser after filling in the tenant and client id, then signed in, and everything worked.

    GET https://login.microsoftonline.com/{tenant}/adminconsent
    ?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &state=12345
    &redirect_uri=http://localhost/myapp/permissions

0
votes

You'll find that this document is a better set of instructions for app-only apps.

There are two issues from your description that stand out.

  1. You'll need to make the call with an X509 certificate for app-only flows.
  2. You need to set up app scopes, rather than delegated scopes on your app - delegated scopes are for delegate flows rather than app-only flows.
0
votes

While generating a new access token, make sure to replace {tenant_id} with the actual tenant ID: https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token