4
votes

I want to access both the Azure AD Graph API and the Microsoft Graph API using the same OAuth2 token (in a Swift 3 application for iOS) - is this possible?

I want to access the following APIs:

I have created a Native application in the Azure Portal and added permissions for both Microsoft Graph and Microsoft.Azure.ActiveDirectory (with the above permission scopes).

I can access both APIs by only changing the resource property when authenticating (on login) - the Azure configuration seems correct. But I get an "Unauthorized" error when trying to use the same token to access the other API after authenticating using the first resource. I have tried to add both URLs to the resource property, but then I get an error ("AADSTS50001: The application name was not found in the tenant."). What am I doing wrong or what am I missing...?

If it's not possible - why is it then possible to add multiple APIs in the Azure Portal?

Reason for accessing both APIs: Microsoft Graph doesn't give me all properties (but supports delta changes) and Azure AD Graph gives me the full profile - both without the admin consent (using delegated permissions).

2
Which workflow are you using here (code grant, implicit grant, client credentials, etc.)? Note that for class code grant, the resource parameter is optional. - Marc LaFleur

2 Answers

4
votes

You cannot literally call both APIs using the same Access Token, because the access token has a specific audience, and one of the APIs will reject the token when the audience claim does not match its own app id URI.

It seems like what you really want to accomplish is getting two tokens using a single login experience, and you can do this.

Using the Authorization Code Grant Flow, you can have the user sign in without ever specifying the resource. The user will be presented with consent for both AAD and MS Graph API permissions, and your application will get the authentication code back when the sign in is complete.

At that point, your application can call the token endpoint two times with the same authorization code to get two access tokens for the two endpoints. From there, you can manage the two tokens and maintain access to both APIs at the same time.

I do this in one of my Python samples here, except my two endpoints are AAD Graph API and Azure Resource Manager.

0
votes

There is another option besides Authorization Code Grant Flow. If you have an existing access token which is addressed to one audience and want to use it for another audience (while keeping both the identity of the client and the user which is contained in the token), you can use the On-Behalf-Of Grant to exchange the token with a new one, only this time addressed for the resource you need.

You can read about it in the formal docs or in my post Getting Access Token for Microsoft Graph Using OAuth REST API.
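The following is an added example, not code from either answer or from the linked samples. It models the two points the answers make against the Azure AD v1 token endpoint the question is using: the audience (`aud`) check that makes one token unusable at the other API, the two token requests built from the same authorization code but different `resource` values (first answer), and the on-behalf-of exchange that swaps an existing token for one with a new audience (second answer). Tenant, client id, redirect URI, authorization code and the sample JWT are constructed placeholders; the JWT is unsigned and is only inspected, never trusted. Note that the on-behalf-of request authenticates with a `client_secret`, so it belongs in a backend service rather than in the iOS app.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Azure AD v1 endpoint, as used in the question: one "resource" per token
# rather than v2-style scopes.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"
AAD_GRAPH = "https://graph.windows.net"      # Azure AD Graph app ID URI
MS_GRAPH = "https://graph.microsoft.com"     # Microsoft Graph app ID URI


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment
    ])


def jwt_claims(token: str) -> dict:
    """Read the claims of a compact JWT without verifying the signature.
    This is for seeing which audience a token was issued for, not for
    deciding whether to trust it; the API does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def api_accepts_token(token: str, resource_uri: str) -> bool:
    """Model the check each API performs: aud must equal the API's own app ID
    URI. A token minted for AAD Graph therefore gets 401 at MS Graph."""
    return jwt_claims(token).get("aud") == resource_uri


def auth_code_token_request(tenant, client_id, code, redirect_uri, resource):
    """Form body for redeeming an authorization code for ONE resource.
    A native (public) client sends no secret. The first answer's approach is
    to call this once per resource with the same code."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant),
        "body": urlencode({
            "grant_type": "authorization_code",
            "client_id": client_id,
            "code": code,
            "redirect_uri": redirect_uri,
            "resource": resource,
        }),
    }


def obo_token_request(tenant, client_id, client_secret, existing_token, resource):
    """Form body for the on-behalf-of exchange from the second answer: trade a
    token with one audience for a token with another while keeping the user
    identity. The caller is a confidential client (it presents a secret), so
    run this from a backend, never from the mobile app."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant),
        "body": urlencode({
            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "client_id": client_id,
            "client_secret": client_secret,
            "assertion": existing_token,
            "resource": resource,
            "requested_token_use": "on_behalf_of",
        }),
    }


def request_params(req: dict) -> dict:
    """Decode a built form body back into a flat dict for inspection."""
    return {k: v[0] for k, v in parse_qs(req["body"]).items()}


if __name__ == "__main__":
    # Constructed sample: a token issued for Azure AD Graph only.
    aad_token = make_unsigned_jwt({"aud": AAD_GRAPH, "upn": "user@contoso.example"})
    print("AAD Graph accepts it:", api_accepts_token(aad_token, AAD_GRAPH))
    print("MS Graph accepts it: ", api_accepts_token(aad_token, MS_GRAPH))

    # Same authorization code, two token requests, two audiences (placeholders).
    code = "AUTH_CODE_FROM_REDIRECT"
    for res in (AAD_GRAPH, MS_GRAPH):
        req = auth_code_token_request("contoso.onmicrosoft.com", "CLIENT_ID",
                                      code, "myapp://auth", res)
        print(req["url"], "resource =", request_params(req)["resource"])
```

Each request dict is ready to be POSTed as `application/x-www-form-urlencoded`; the code stops short of the network call so it runs offline. Keep the two resulting access tokens (and their refresh tokens) separately, since each is only valid at the API named in its `aud` claim.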