When I try to access Azure AD using the Graph API:

POST URL: "https://login.microsoftonline.com//oauth2/token"

Header "Content-Type":"application/x-www-form-urlencoded"

Body : client_id=&resource=https://graph.windows.net/&client_secret=&grant_type=password&username=&password=

I am getting the error below:

"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: ea6bb39d-dc99-43ca-b8a0-850ba0041d00\r\nCorrelation ID: 690b7972-2322-462c-9821-c828242d9718\r\nTimestamp: 2018-03-14 10:05:42Z",

When I try to access portal.azure.com using the same credentials, it's working. While accessing portal.azure.com, it redirects to the ADFS page; I then provide the same credentials and it redirects to the Azure portal.

Does the Graph API support this kind of Azure AD? If it is not possible, what is the alternate way to access Azure AD?

2 Answers

"error_description": "AADSTS70002: Error validating credentials. AADSTS50056: Password does not exist in store for this user\r\nTrace ID: 8811d45e-3617-4b2b-807d-5deda7ac1700\r\nCorrelation ID: 5c0891c7-507f-4206-869b-f83a704773f6\r\nTimestamp: 2018-03-15 11:03:08Z",

I am getting the above error when I try to authenticate users synced from the on-premises AD. https://login.microsoftonline.com//oauth2/token

Is there any way to authenticate based on username and password and get the token from ADFS?

According to your description, you are using the OAuth 2 Resource Owner Password Credentials grant in Azure AD. I have tested it on my side, and it could work as expected:

"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: ea6bb39d-dc99-43ca-b8a0-850ba0041d00\r\nCorrelation ID: 690b7972-2322-462c-9821-c828242d9718\r\nTimestamp: 2018-03-14 10:05:42Z",

AFAIK, the member users under Azure AD could successfully retrieve the token, you could log into Azure Portal and check the user under your AAD tenant. Based on the error you provided, I assumed that your password is incorrect when sending the request for acquiring the token. You need to check your request and use postman or fiddler to simulate the request to narrow down this issue. Moreover, you could follow Resource Owner Password Credentials Grant in Azure AD OAuth.

UPDATE:

As the Password synchronization documentation states:

Also, if you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password synchronization as a backup in case your AD FS infrastructure fails.

Since you have selected the user sign-in option Federation with AD FS, I assumed that you could enable the Password synchronization option under the "Sync > Optional Features" page in Azure AD Connect. For details, you could follow the Optional Features section under Pages under the Sync section. And you could use the username {username}@{your-domain}.onmicrosoft.com and the relevant on-premises password to acquire the token for accessing the Azure AD Graph API.
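The token request and error response discussed in this thread, as an added example that is not from either poster: it builds the ROPC form body with the tenant segment filled in (the thread's URL has an empty segment between the two slashes) and parses the AADSTS codes, trace ID, correlation ID and timestamp out of an `error_description` so a failed request can be matched against the tenant's sign-in logs. The tenant, client and user values are placeholders; the `"error"` field in the sample response is constructed, since the thread only shows `error_description`.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Meanings of the AADSTS codes that appear in this thread, as quoted there.
AADSTS_MEANINGS = {
    "70002": "Error validating credentials",
    "50126": "Invalid username or password",
    "50056": "Password does not exist in store for this user",
}

# Constructed sample response; the IDs are the ones quoted in the question.
SAMPLE_ERROR = ('{"error": "invalid_grant", "error_description": '
                '"AADSTS70002: Error validating credentials. '
                'AADSTS50126: Invalid username or password\\r\\n'
                'Trace ID: ea6bb39d-dc99-43ca-b8a0-850ba0041d00\\r\\n'
                'Correlation ID: 690b7972-2322-462c-9821-c828242d9718\\r\\n'
                'Timestamp: 2018-03-14 10:05:42Z"}')


def build_ropc_request(tenant, client_id, client_secret, username, password,
                       resource="https://graph.windows.net/"):
    """Return (url, headers, body) for the v1 endpoint ROPC request shown in
    the question, with the tenant (ID or domain) placed in the URL path."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "client_id": client_id, "resource": resource,
        "client_secret": client_secret, "grant_type": "password",
        "username": username, "password": password})
    return url, headers, body


def parse_aadsts_error(error_json):
    """Pull AADSTS codes and the IDs needed for log correlation out of a
    token endpoint error body; codes are mapped to the meanings above."""
    data = json.loads(error_json)
    desc = data.get("error_description", "")
    result = {"error": data.get("error"),
              "codes": re.findall(r"AADSTS(\d+)", desc)}
    result["meanings"] = [AADSTS_MEANINGS.get(c, "unknown") for c in result["codes"]]
    for key, label in (("trace_id", "Trace ID"),
                       ("correlation_id", "Correlation ID"),
                       ("timestamp", "Timestamp")):
        match = re.search(rf"{label}: ([^\r\n]+)", desc)
        if match:
            result[key] = match.group(1)
    return result


def request_token(url, headers, body):
    """Send the request (network call); return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())
```

A 50056 result for a federated user points at the password hash sync setting discussed above rather than at a wrong password.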