4
votes

I need help with this error. I am getting: "message": "Access token validation failure. Invalid audience."

I am using the Authorisation code grant type in OAuth. I have mapped custom claims to the app using an Azure AD policy. So if I use scope = AppId/.default, then I get the custom claim in the token and the scopes the app has API permission for on Azure AD, such as user.read and directory.read. But with this token, when I call the Graph API for a user profile to see what they are a member of ("https://graph.microsoft.com/v1.0/me/memberOf"), I get the error "Invalid audience".

However, if I use scope = https://graph.microsoft.com/.default, then I am able to query, though the custom claim which is mapped to the app does not come up.

Any help would be appreciated.

1
You probably need 2 tokens. One for Graph API and one for your API. (juunas)
Thanks for your reply. (Suuny)

1 Answer

1
votes

Tokens can only have one audience, which controls which API they grant access to. The token for your app/API cannot be used for Graph. It isn't clear what your exact scenario is here, but if you're calling Graph from your app/API, you may want to look at the on-behalf-of flow to exchange your first token for a Graph token.
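As an added illustration (not part of the answer above), the Python below shows the audience check a resource server such as Graph performs on a bearer token, and the form parameters of the on-behalf-of exchange the answer refers to. The sample tokens are constructed and unsigned, the app id is a placeholder, and the claim names mirror the question; a real API must verify the signature before trusting any claim.

```python
import base64
import json

# Audiences Microsoft Graph accepts: v1.0 tokens carry the resource URL,
# v2.0 tokens carry the well-known Graph application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
APP_ID = "11111111-2222-3333-4444-555555555555"  # placeholder for "AppId" in the question


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Construct an UNSIGNED sample token (demo only; never accept such a token)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


def payload_claims(token: str) -> dict:
    """Decode the claims segment only; this does NOT verify the signature."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audience_accepted(token: str, accepted: set) -> bool:
    """First check every resource server makes: was this token minted for me?"""
    aud = payload_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in accepted for a in auds)


def obo_request(client_id: str, client_secret: str, user_token: str, scope: str) -> dict:
    """Form fields for the on-behalf-of grant: exchange the API's own token for a Graph token."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_token,       # the token your API received, aud = your API
        "scope": scope,                # e.g. https://graph.microsoft.com/.default
        "requested_token_use": "on_behalf_of",
    }


# Constructed tokens mirroring the question: one for the app (has the custom claim),
# one for Graph (has Graph scopes but no custom claim). Graph rejects the first.
app_token = make_sample_jwt({"aud": APP_ID, "scp": "user_impersonation", "custom_claim": "x"})
graph_token = make_sample_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
```

Posting `obo_request(...)` to the tenant's v2.0 token endpoint is what turns the rejected app token into one Graph will accept.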