2 votes

We have set up a v1 Azure AD application, and align closely with this setup guide.

We have successfully made client-credential based OAuth calls to the Azure AD Graph API. Also, with v2 apps we have successfully made client-credential based calls to the Microsoft Graph API.

However, we are hoping to make a multi-tenant application which uses both Azure AD Graph and Microsoft Graph, and so we need to call Microsoft Graph with a v1 application. We also feel that client-credential based authorization is the cleanest approach.

When calling the Microsoft Graph with a v1 application we see the following error in the response to our call:

InvalidAuthenticationToken.  Access token validation failure.

Here is a sample token payload:

{
  "aud": "00000002-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/a0482499-f164-4e2f-8564-909dabfc74cb/",
  "iat": 1509393647,
  "nbf": 1509393647,
  "exp": 1509397547,
  "aio": "Y2NgYNhb5ao7R09dJ+qAWf/tDcEnAA==",
  "appid": "eb7e150b-8a01-4c63-8e6c-31acbf1f0730",
  "appidacr": "1",
  "idp": "https://sts.windows.net/a0482499-f164-4e2f-8564-909dabfc74cb/",
  "oid": "16dd4917-534c-4633-88fc-dcb84e9b9a99",
  "roles": [
    "Directory.Read.All",
    "Directory.ReadWrite.All"
  ],
  "sub": "16dd4917-534c-4633-88fc-dcb84e9b9a99",
  "tenant_region_scope": "NA",
  "tid": "a0482499-f164-4e2f-8564-909dabfc74cb",
  "uti": "Zm-DzqIyX0u8RsXaO9kcAA",
  "ver": "1.0"
}

Our token was generated from the following endpoint, with our domain as {tenant}:

https://login.microsoftonline.com/{tenant}/oauth2/token

In our application we added the following permissions for Microsoft Graph. (Basically we just grabbed a lot to see something work)

Application Permissions:

  • Read and write all users' full profiles
  • Read all users' full profiles
  • Read and write directory data
  • Read directory data
  • Read and write all groups
  • Read all groups

Delegated Permissions:

  • Read and write directory data
  • Read directory data
  • Read and write all groups
  • Read all groups
  • Read and write all users' full profiles
  • Read all users' full profiles
  • Read all users' basic profiles
  • Read and write access to user profile

2 Answers

0 votes

The audience of your token is: 00000002-0000-0000-c000-000000000000.

The audience of the Microsoft Graph is: 00000003-0000-0000-c000-000000000000

This is the resource ID for the Azure AD Graph API, not the Microsoft Graph API. You didn't state if you were using an auth library, but in the case you're using ADAL, you'll need to do a new AcquireTokenSilent(...) requesting access to https://graph.microsoft.com in addition to your Azure AD Graph API request.

Make sure in the Azure Portal you have also configured permissions for your app to call the Microsoft Graph.

0 votes

We found the full solution in this other post: Call Microsoft Graph API Using Azure AD 1.0 Endpoint Client Credentials Flow

We needed to use the API variable 'resource' instead of 'scope'.
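Both answers come down to the same diagnosis: the token's `aud` claim names the Azure AD Graph resource, so Microsoft Graph rejects it, and on the v1 endpoint the fix is to request the token with the `resource` parameter. The script below is an added example, not code from the question or either answer. It decodes a token's payload locally to flag an audience mismatch before the call is made, and builds the v1 client-credentials request body with `resource` instead of `scope`. The sample JWT is constructed from the claims shown in the question with a dummy header and an empty signature; the set of accepted Microsoft Graph audience values (the well-known app ID and the `https://graph.microsoft.com` URI) and the helper names are assumptions of this example.

```python
"""Added example (not from the original question or answers): check the `aud`
claim of an Azure AD v1 access token before calling Microsoft Graph, and build
the v1 client-credentials request with `resource` rather than `scope`."""
import base64
import json
from urllib.parse import urlencode

# Well-known resource identifiers quoted in the answers on this page.
AAD_GRAPH_AUD = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph
MS_GRAPH_AUD = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph
MS_GRAPH_RESOURCE = "https://graph.microsoft.com"

# Assumption of this example: a v1 token for Microsoft Graph carries either the
# app ID GUID or the resource URI (with or without a trailing slash) as `aud`.
MS_GRAPH_ACCEPTED_AUD = frozenset(
    {MS_GRAPH_AUD, MS_GRAPH_RESOURCE, MS_GRAPH_RESOURCE + "/"}
)

# Token claims copied from the question, used here only as sample input.
SAMPLE_CLAIMS = {
    "aud": AAD_GRAPH_AUD,
    "iss": "https://sts.windows.net/a0482499-f164-4e2f-8564-909dabfc74cb/",
    "appid": "eb7e150b-8a01-4c63-8e6c-31acbf1f0730",
    "roles": ["Directory.Read.All", "Directory.ReadWrite.All"],
    "tid": "a0482499-f164-4e2f-8564-909dabfc74cb",
    "ver": "1.0",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in compact JWS."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for local testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."   # empty signature segment


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    This is a diagnostic aid for the caller that owns the token; it is not
    an authorization check and must never be used as one on the resource side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token: str, accepted=MS_GRAPH_ACCEPTED_AUD) -> tuple:
    """Report whether the token's `aud` matches the API about to be called.
    Returns (ok, reason) so a caller can fail fast with a useful message
    instead of a bare 'InvalidAuthenticationToken' from the service."""
    aud = decode_claims(token).get("aud")
    if aud in accepted:
        return True, f"audience {aud!r} is valid for Microsoft Graph"
    if aud == AAD_GRAPH_AUD:
        return False, ("token was issued for Azure AD Graph; request it with "
                       f"resource={MS_GRAPH_RESOURCE} on the v1 endpoint")
    return False, f"unexpected audience {aud!r}"


def v1_token_endpoint(tenant: str) -> str:
    """The v1 token endpoint named in the question, parameterised by tenant."""
    return f"https://login.microsoftonline.com/{tenant}/oauth2/token"


def v1_client_credentials_body(client_id: str, client_secret: str,
                               resource: str = MS_GRAPH_RESOURCE) -> str:
    """Form body for a v1 client-credentials grant. The v1 endpoint takes
    `resource`; `scope` is the v2 endpoint's parameter and is not used here."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })


if __name__ == "__main__":
    bad = make_unsigned_token(SAMPLE_CLAIMS)
    print(check_audience(bad))
    good = make_unsigned_token({**SAMPLE_CLAIMS, "aud": MS_GRAPH_AUD})
    print(check_audience(good))
    print(v1_token_endpoint("contoso.onmicrosoft.com"))
    print(v1_client_credentials_body("<client-id>", "<client-secret>"))
```

`decode_claims` deliberately skips signature verification: the point is to let the client that just received a token see which resource it was minted for, not to accept tokens. The resource server (Microsoft Graph here) still validates signature, issuer, expiry and audience itself, which is exactly the check that produced the error in the question.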