2
votes

We have a large microservice architecture. All services work with JwtBearer against the Azure AD 1.0 endpoint.

Now we want to access user schema extensions of Azure AD. The recommended way in this case is Microsoft Graph. But we don't want to move all services and auth endpoints to 2.0 right now.

But the problem is that the token of Azure AD 1.0 is not valid to get an on-behalf-of token for Azure AD 2.0:

Microsoft.Identity.Client.MsalUiRequiredException: AADSTS70002: Error validating credentials. AADSTS50013: The token issuer doesn't match the api version: A version 1 token cannot be used with the v2 endpoint

We use this code right now:

using Microsoft.Identity.Client;

// ...

// create a confidential client (MSAL 1.x) backed by a per-user token cache;
// _azureOptions holds the v1 app registration, _graphOptions the v2 authority/scopes
ConfidentialClientApplication cca =
    new ConfidentialClientApplication(_azureOptions.ClientId, _azureOptions.RedirectUri,
        new ClientCredential(_azureOptions.ClientSecret),
        userTokenCache, null);

// try to get an on-behalf-of token for Graph, using the incoming (v1) access token
// as the user assertion; accessToken is the JwtSecurityToken validated by JwtBearer
AuthenticationResult result;
try
{
    result = await cca.AcquireTokenOnBehalfOfAsync(
        _graphOptions.GetScopesCollection(),
        new UserAssertion(accessToken.RawData), _graphOptions.Authority);
}
catch (Exception exc)
{
    // ... (log exc; this is where the AADSTS50013 error surfaces)
    throw;
}

In this case _azureOptions works against Azure AD 1.0 and _graphOptions against 2.0 (the /v2.0 endpoint).

The exception happens on AcquireTokenOnBehalfOfAsync.

Thanks, Ben

1
Why do you need to use v2.0? Can't you use v1.0 to access MS Graph?juunas
@juunas I get the same exception if I change _graphOptions.Authority from 2.0 to 1.0Benjamin Abt
@juunas it looks like this kind of code (MSAL libs) only supports Azure AD 2.0. The problem is that Graph 1.0 with ADAL does not support user extensions. But are we able to access v1 APIs with a v2 token? Or how to communicate with applications we do not operate but which use v1?Benjamin Abt
Ahh.. You might need to do the HTTP requests manually with v1juunas
@juunas I removed all dependencies on MSAL and reverted back to ADAL. A pity there is no valid migration strategy right now :-( Thanks for your help!Benjamin Abt

1 Answer

1
votes

The answer is: there is no mix between ADAL and MSAL.

We have rewritten our code to use ADAL. Here is our test code:

using Microsoft.Graph;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// ...

// ADAL 3.x: the authority is the v1 endpoint, https://login.microsoftonline.com/{tenant}
AuthenticationContext authContext =
    new AuthenticationContext(_azureOptions.Authority);

// client credential of the (v1) app registration that calls Graph on the user's behalf
ClientCredential clientCredential =
    new ClientCredential(_azureOptions.ClientId, _azureOptions.ClientSecret);

// try to get an on-behalf-of token: the incoming v1 access token (validated by
// JwtBearer) is the user assertion, the resource is Graph's v1 resource URI
AuthenticationResult result;
try
{
    result = await authContext.AcquireTokenAsync(
        "https://graph.microsoft.com/",
        clientCredential,
        new UserAssertion(accessToken.RawData));
}
catch (Exception exc)
{
    // ...
    throw;
}

// Access the graph: attach the OBO access token as a bearer header on every request.
// (DelegateAuthenticationProvider ships with the Microsoft.Graph SDK; our original test
// code used an equivalent custom IAuthenticationProvider, AccessTokenAuthenticationProvider.)
GraphServiceClient graphServiceClient =
    new GraphServiceClient(new DelegateAuthenticationProvider(request =>
    {
        request.Headers.Authorization =
            new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
        return System.Threading.Tasks.Task.CompletedTask;
    }));