2
votes

We've implemented authentication in a .NET Core 2.0 app using Microsoft Graph to authenticate against Azure AD.

That works fine and we were aiming to use Microsoft Graph for accessing Office 365 data.

Unfortunately, on deeper review, we've found that Tasks are currently unsupported via Microsoft Graph and must be instead accessed via the Outlook REST API.

Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.

I tried passing the Bearer Token retrieved via Microsoft Graph in the Outlook REST API headers but I get back an invalid token error.

I'm hoping that I'm simply doing something wrong and this is a valid approach.

Since MS Graph is the "unified" replacement for the Outlook REST API and others, can a Microsoft Graph token be used to access the Outlook REST API?

2
That's a good point, unfortunately it also has this warning at the top: "Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported." Thank you for pointing this out, I'll add it to the question as prior research. – user310988
One note for future reference, the token you're getting isn't coming from Microsoft Graph but from Azure AD directly. Microsoft Graph is simply the audience/resource that you've requested the token for. Minor detail but understanding the separation of concerns between the Token and the API will help when it comes to debugging down the road. – Marc LaFleur

2 Answers

4
votes

Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.

If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.

  1. Use the tasks APIs in Graph even though they are in beta.
  2. Make sure that you obtain a refresh token when you request your Graph token (by including the offline_access scope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.

You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.

1
votes

Just want to share how you can exchange a Graph RefreshToken for an Outlook AccessToken using Postman. (You can do this in whatever code language you wish.)

First let's show how you use a RefreshToken to get a new Graph AccessToken:
[image]

Then use the Graph RefreshToken to get the new Outlook AccessToken:
[image]

Hope this might help some other people :)
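
The refresh-token exchange both answers describe, as an added example that is not part of either answer: it decodes a token's aud claim to show why the Outlook endpoint rejects a Graph token, then builds the refresh request with resource-qualified scopes. The v2.0 token endpoint URL, the sample API URL and all function names are assumptions, and the token is constructed for the demo.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

# Assumption: Azure AD v2.0 token endpoint; the answers do not name the endpoint.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# OpenID Connect scopes are not tied to a resource and stay unqualified.
UNQUALIFIED = {"openid", "profile", "email", "offline_access"}

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (debugging only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(token, api_url):
    """True when the token's aud claim names the origin of the API being called."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    parts = urlsplit(api_url)
    return f"{parts.scheme}://{parts.netloc}" in [str(a).rstrip("/") for a in auds]

def qualify_scopes(scopes, resource):
    """Prefix resource scopes: Tasks.Read -> https://outlook.office.com/Tasks.Read."""
    base = resource.rstrip("/")
    return " ".join(s if s in UNQUALIFIED else f"{base}/{s}" for s in scopes)

def build_refresh_request(tenant, client_id, refresh_token, scopes, resource):
    """Return (url, form body) for a refresh_token grant targeting another audience."""
    body = urlencode({
        "client_id": client_id,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": qualify_scopes(scopes, resource),
    })  # a confidential client would also send client_secret
    return TOKEN_URL.format(tenant=tenant), body

def make_unsigned_token(claims):
    """Constructed sample token for the demo; not a real Azure AD token."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    graph_token = make_unsigned_token({"aud": "https://graph.microsoft.com"})
    print(audience_matches(graph_token, "https://outlook.office.com/api/v2.0/me/tasks"))
    print(build_refresh_request("common", "CLIENT_ID", "REFRESH_TOKEN",
                                ["Tasks.Read", "offline_access"], "https://outlook.office.com"))
```

POST the returned body to the returned URL as application/x-www-form-urlencoded; the access token in the response should then carry the Outlook audience instead of the Graph one.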