Authorization_IdentityNotFound Error while accessing graph API

Question

I have searched with the error which I found, Did not find any matching questions. So posting a question. Appreciate it if someone provides some pointers to proceed.

My goal is to access graph API in my desktop client. I have started using fiddler to experiment.

• I have followed the instructions provided at https://graph.microsoft.io/en-us/docs/authorization/app_only

• registered Web APP using the Application Registration portal using my Microsoft work account.

• Provided 'Read all users' full profiles in Delegated permissions

• Requested token and Used the token in the Authorization header to call the graph API, Getting the following error.

   https://graph.microsoft.com/v1.0/users
   119
   {
     "error": {
       "code": "Authorization_IdentityNotFound",
       "message": "The identity of the calling application could not be established.",
       "innerError": {
         "request-id": "4c3a7bc6-e3d8-453c-adc9-5a12fec3b0ee",
         "date": "2016-05-11T00:46:23"
       }
     }
   }
  

Answer 1

In my case, I got the same error after I used Quickstart (step 1), then configured automatically .net sample (step 2), then download the code sample (step 3) as shown in the picture below.

All steps were done successfully except step 3. Microsoft code generates, generates app id, and app secret in the project successfully but the tenant was set to common in appsetting.json as seen in the image below.

I thought it was a valid thing but later found out that this caused the issue.

Solution: I copied the Directory (tenant) ID, then replace common with tenant Id, and it worked. I am not sure if this is a bug in Azure Quickstart code generation.

Update As I was reading recently, the reason for common.

• For Multi-tenant apps can use "common".
• For single-tenant apps must use the tenant ID from the Azure portal

Answer 2

This sample helped me understand the flows around app-only permissions. https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/

Key takeaways for me:

• Ensure you set up the app and specify the Application Permissions needed
• Do have an admin grant the app permission to run against the relevant directory.

• Get the relevant token:

  Notice the scope in the request below is https://graph.microsoft.com/.default

  POST https://login.microsoftonline.com/{tenantname}.onmicrosoft.com/oauth2/v2.0/token
  Content-Type: application/x-www-form-urlencoded
  
  grant_type=client_credentials&client_id=6abf3364-0a60-4603-8276-e9abb0d843d6&client_secret=JfgrNM9CcW...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
  

• Use the token to request the relevant graph resource, eg:

  GET https://graph.microsoft.com/v1.0/users/demouser01@[tenant-name].onmicrosoft.com/drive/root/children
  
  Accept: application/json
  Authorization: Bearer eyJ0eXAiOi
  

Answer 3

For me, I had not given admin consent. This is a critical step. My mistake was in thinking that by granting the app permissions, this was giving admin consent, but its not the same thing.

From step 3 on this site: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

I just pasted their call into a browser after filling in the tenant and client id, then signed in, and everything worked.

GET https://login.microsoftonline.com/{tenant}/adminconsent
?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions

Answer 4

while generating new access token, make sure to replace tenant_id with the actual tenant id https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

Answer 5

You'll find that this document is a better set of instructions for app-only apps.

There are two issues from your description that stand out.

1. You'll need to make the call with an X509 certificate for app-only flows.
2. You need to set up app scopes, rather than delegated scopes on your app - delegated scopes are for delegate flows rather than app-only flows.