3
votes

Is it possible to access the Microsoft Graph API using an access token obtained through the Azure Active Directory 1.0 Endpoint with the Client Credentials OAuth 2 flow?

For example:

POST https://login.microsoftonline.com/{mytenant}.onmicrosoft.com/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id={app id registered in azure portal}
&client_secret={registered app key}
&resource=https://graph.microsoft.com

When I use the token returned from this request, I get the following error trying to call https://graph.microsoft.com/v1.0/groups.

Decoded JWT

Header

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "HHByKU-0DqAqMZh6ZFPd2VWaOtg",
  "kid": "HHByKU-0DqAqMZh6ZFPd2VWaOtg"
}

Payload

{
  "aud": "00000002-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenant id}/",
  "iat": 1504804880,
  "nbf": 1504804880,
  "exp": 1504808780,
  "aio": "Y2FgYDiiO8/s3smXRdxLg87zBPRNAwA=",
  "appid": "{client id}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{tenant id}/",
  "oid": "{enterprise app object id}",
  "sub": "{enterprise app object id}",
  "tenant_region_scope": "NA",
  "tid": "{tenant id}",
  "uti": "uIzrJNpHcEGXoQ4ZKZgqAA",
  "ver": "1.0"
}

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "3537d28e-a061-4430-aef5-4a75bf791d90",
      "date": "2017-09-07T16:38:26"
    }
  }
}

I've ensured the application has the correct permissions assigned through the portal. Under Required Permissions > Application Permissions, "Read and write all groups" is selected.

Azure Portal Permissions

Is there anything I'm missing or is this not possible?

juunas: Can you check the JWT in a service like jwt.io and make sure it contains the roles claim with the necessary permission?
dallasg: There doesn't appear to be any roles listed in the JWT. In that case is there something I need to add to my request?
juunas: Have you pressed the Grant permissions button in the place where you set up the permission requirements for the app? And also, make sure it was Microsoft Graph API that you requested the permissions for.
dallasg: Yes, I tried it before and after clicking Grant permissions. I also verified the API was Microsoft Graph. I added a link to a screenshot of my permissions settings.
Shawn Tabrizi: Could you share the JWT token? (removing any sensitive properties) If it was a problem with missing Role Claims, I would expect the error to be "Insufficient Privileges". This error implies something is wrong with the token itself.

1 Answer

7
votes

In your JWT token, the Audience Value (aud) is wrong.

If you are trying to call https://graph.microsoft.com or any of its APIs, you need a token with the aud claim of https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000.

The token you have is for the AAD Graph API, https://graph.windows.net a.k.a. 00000002-0000-0000-c000-000000000000.

While these two resources look similar in both URL and GUID form, they are completely separate identities. You should confirm throughout your code that you are specifying the correct resource value when retrieving your access token. Your small sample above implies that you are doing it correctly, but the token shows that you are not.
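The check the answer recommends, as an added Python example (not code from the asker or the answerer): it builds the v1.0 client-credentials form body with the right `resource` value, then decodes the access token's payload and reports whether the `aud` claim names Microsoft Graph or Azure AD Graph, and whether a `roles` claim is present. The decode is inspection only (no signature verification). The sample tokens are constructed inline with `alg=none` to run offline, and the role name `Group.ReadWrite.All` is assumed as the value that the "Read and write all groups" application permission would appear as.

```python
import base64
import json
from urllib.parse import urlencode

# Resource identifiers quoted in the answer above: the URL and GUID forms name the
# same resource, and the two resources are distinct identities.
MS_GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}
AAD_GRAPH_AUDIENCES = {
    "https://graph.windows.net",
    "00000002-0000-0000-c000-000000000000",
}


def build_token_request(tenant, client_id, client_secret,
                        resource="https://graph.microsoft.com"):
    """Return (url, form_body) for a v1.0 endpoint client_credentials request.

    Nothing is sent here; the caller POSTs the body with
    Content-Type: application/x-www-form-urlencoded.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Parse the payload of a compact JWT. Inspection only: the signature is
    NOT verified, so never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_ms_graph_token(token):
    """Explain why a token will or will not work for app-only Microsoft Graph
    calls: wrong aud -> InvalidAuthenticationToken (the error in the question);
    missing roles -> insufficient privileges once the aud is right."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    roles = claims.get("roles", [])
    problems = []
    if aud not in MS_GRAPH_AUDIENCES:
        issued_for = "Azure AD Graph" if aud in AAD_GRAPH_AUDIENCES else "an unknown resource"
        problems.append(f"aud={aud!r} was issued for {issued_for}, not Microsoft Graph; "
                        "re-request the token with resource=https://graph.microsoft.com")
    if not roles:
        problems.append("no 'roles' claim: no application permission was granted "
                        "(admin-consented) for this resource")
    return {"aud": aud, "roles": roles, "ok": not problems, "problems": problems}


def make_unsigned_test_token(claims):
    """Constructed sample token for offline testing: real header/claims shape,
    but alg=none and an empty signature. Not something Azure AD would issue."""
    return ".".join([_b64url_encode({"typ": "JWT", "alg": "none"}),
                     _b64url_encode(claims), ""])


# Constructed sample mirroring the payload in the question (AAD Graph aud, no roles).
QUESTION_CLAIMS = {
    "aud": "00000002-0000-0000-c000-000000000000",
    "iss": "https://sts.windows.net/{tenant id}/",
    "appid": "{client id}",
    "appidacr": "1",
    "ver": "1.0",
}

# Constructed sample of a working app-only Graph token; role name is assumed.
GOOD_CLAIMS = dict(QUESTION_CLAIMS, aud="00000003-0000-0000-c000-000000000000",
                   roles=["Group.ReadWrite.All"])


if __name__ == "__main__":
    url, body = build_token_request("{mytenant}.onmicrosoft.com", "{app id}", "{app key}")
    print("POST", url)
    print(body)
    for claims in (QUESTION_CLAIMS, GOOD_CLAIMS):
        print(json.dumps(check_ms_graph_token(make_unsigned_test_token(claims)), indent=2))
```

Run it against a real token by passing the `access_token` string from the token response to `check_ms_graph_token`; if it reports an Azure AD Graph audience, the `resource` parameter in the code path that actually issued the request is not what the question's sample shows.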