0
votes

Is it possible to get app only token for Azure AD where the resource or scope is https://graph.microsoft.com/?

I read the article Service to service calls using client credentials (shared secret or certificate), but I can't get an access token; the error is "fail to find resource https://graph.microsoft.com/ in tenant xxx".

If I change resource to scope, I can get an access token, but this token can't be used to call the web API: I get a 401 Unauthorized error. But I have granted all permissions, including app and delegated permissions, for the Graph API.

POST /contoso.com/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=625bc9f6-3bf6-4b6d-94ba-e97cf07a22de&client_secret=qkDwDJlDfig2IpeuUZYKH1Wb8q1V0ju6sILxQQqhJ+s=&resource=https%3A%2F%2Fservice.contoso.com%2F
1
Your call seems to be correct, but the client secret needs to be URL-encoded (like the resource URI is). - juunas

Thanks, I found out why. I use a library to handle this; it encodes the parameters, but I encoded them one more time. I deleted mine, and it works. - albertxavier

1 Answer

0
votes

If you register the Azure AD application in the Azure Portal and want to acquire a token for the Microsoft Graph API using the client credential flow, you should use https%3A%2F%2Fgraph.microsoft.com%2F (URL-encoded) as the resource, and don't forget to URL-encode the client secret as suggested by @juunas.

If you are acquiring a token for your own web API protected by Azure AD, you can use the App ID URI registered for the API application as the resource. Code sample here is for your reference.
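The two failure modes on this page (a secret that is percent-encoded twice, and a token minted for the wrong resource that the API then rejects with 401) can both be reproduced offline. The following is an added example, not code from the question, the answer, or Microsoft's sample; the tenant, client id, secret and the unsigned demo token are constructed placeholders, and `jwt_audience` only reads the standard `aud` claim without any signature check.

```python
"""Client-credentials token request against the Azure AD v1 token endpoint:
encode the form body exactly once, then inspect the audience of a token.

Added example, not code from the page. All credentials and tokens below are
constructed placeholders.
"""
import base64
import json
from urllib.parse import parse_qs, quote, urlencode

TOKEN_URL = "https://login.microsoftonline.com/contoso.com/oauth2/token"  # v1 endpoint from the question
GRAPH_RESOURCE = "https://graph.microsoft.com/"  # raw resource URI; encoded once by urlencode()

# Constructed placeholders. '+', '/' and '=' are exactly the characters that
# break when a secret is sent unencoded or encoded twice.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "abc+def/ghi="


def build_token_request_body(client_id: str, client_secret: str, resource: str) -> str:
    """Build the application/x-www-form-urlencoded body for the grant.

    urlencode() percent-encodes every value exactly once, so the *raw* secret
    and the *raw* resource URI must be passed in.
    """
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })


def build_double_encoded_body(client_id: str, client_secret: str, resource: str) -> str:
    """The mistake from the question: pre-encode the secret, then let the
    HTTP library encode it a second time."""
    return build_token_request_body(client_id, quote(client_secret, safe=""), resource)


def token_endpoint_view(body: str) -> dict:
    """What the token endpoint sees after decoding the form body once."""
    parsed = parse_qs(body, strict_parsing=True)
    return {key: values[0] for key, values in parsed.items()}


def jwt_audience(token: str) -> str:
    """Return the 'aud' claim by base64url-decoding the JWT payload segment.

    Reads claims only; it does NOT verify the signature. A resource server must
    validate signature, issuer, expiry and audience before trusting a token.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return claims["aud"]


def make_unsigned_demo_token(aud: str) -> str:
    """Constructed, unsigned JWT used only to illustrate the audience check offline."""
    def segment(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{segment({'alg': 'none', 'typ': 'JWT'})}.{segment({'aud': aud, 'appid': CLIENT_ID})}."


if __name__ == "__main__":
    good = build_token_request_body(CLIENT_ID, CLIENT_SECRET, GRAPH_RESOURCE)
    bad = build_double_encoded_body(CLIENT_ID, CLIENT_SECRET, GRAPH_RESOURCE)
    print("POST", TOKEN_URL)
    print("body:", good)
    print("server sees secret:", token_endpoint_view(good)["client_secret"])
    print("double-encoded, server sees:", token_endpoint_view(bad)["client_secret"])
    print("demo token audience:", jwt_audience(make_unsigned_demo_token(GRAPH_RESOURCE)))
```

With the correct body the endpoint decodes the secret back to `abc+def/ghi=`; with the double-encoded body it decodes to `abc%2Bdef%2Fghi%3D`, which no longer matches the registered secret. Comparing the `aud` claim of a received token with the resource the API expects is the same check a resource server performs before returning 401, so it is the first thing to look at when a token is issued but rejected.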