
I have an account on Azure where we run various applications in docker containers.

I would like to connect to Active Directory on this account and be able to manage various aspects such as creating new users, etc.

I found the following API browser: https://docs.microsoft.com/en-us/rest/api/graphrbac/users/list

Unfortunately, when I log in as a user with admin rights (Global Administrator) and provide the tenant ID, calling the users/list endpoint returns a 401 status with the following error:

    {
      "odata.error": {
        "code": "Authentication_MissingOrMalformed",
        "message": {
          "lang": "en",
          "value": "Access Token missing or malformed."
        },
        "date": "2018-07-20T14:01:24",
        "requestId": "9f070c46-a949-41bf-85c9-f1ccf97975db",
        "values": null
      }
    }

What is interesting: if I use any other random endpoint, for example https://docs.microsoft.com/en-us/rest/api/servermanagement/node/list, it works fine. In this case it returns an empty set, but at least it doesn't fail with a strange authentication error.


1 Answer


I can also reproduce the issue that you mentioned if I test the Users - List REST API directly from the site.

https://docs.microsoft.com/en-us/rest/api/graphrbac/Users/List

According to the exception, the root cause of the issue is the token audience. You could check the actual access token in JWT.io.

You will see that the audience is https://management.core.windows.net/. The token that is acquired will work for other Azure services like Web Apps, Compute, Resource Manager, etc., but not for Graph.

You could test it with the Azure AD Graph Explorer, and then it will work for you.

The audience should be https://graph.windows.net

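The audience check the answer describes, as an added example (not code from the question or the answer): it decodes the payload of a constructed, unsigned sample token the same way JWT.io does and compares the `aud` claim with the resource the Azure AD Graph endpoint expects. The helper names, the placeholder tenant value and the placeholder signature are assumptions; a real token would additionally need its signature verified before any claim is trusted.

```python
import base64
import json

# Resource identifiers named in the answer: a token minted for the first
# one is accepted by Azure Resource Manager but rejected by Azure AD Graph.
ARM_AUDIENCE = "https://management.core.windows.net/"
GRAPH_AUDIENCE = "https://graph.windows.net"


def _b64url(data: bytes) -> str:
    # JWT segments use base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments drop before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for illustration only (assumption:
    the third segment is a placeholder, not a real RS256 signature)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_audience(token: str, expected: str = GRAPH_AUDIENCE) -> str:
    """Explain why a token will or will not be accepted by the target resource."""
    try:
        aud = jwt_claims(token).get("aud")
    except (ValueError, json.JSONDecodeError):
        return "malformed token"
    auds = aud if isinstance(aud, list) else [aud]
    if expected in auds:
        return "ok"
    return f"wrong audience: token is for {aud!r}, endpoint expects {expected!r}"
```

Running `diagnose_audience` on a token obtained for Resource Manager reports the audience mismatch that shows up as the 401 in the question, while a token requested for the Graph resource reports "ok".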