
I am trying to make an API call to 'https://graph.windows.net/{{tenantId}}/accounts?api-version=1.6'

I first use a client_credentials token call to get an access token. Here is the call:

  POST /{{tenantId}}/oauth2/token HTTP/1.1
  Host: login.microsoftonline.com
  Content-Type: application/x-www-form-urlencoded
  User-Agent: PostmanRuntime/7.19.0

  grant_type=client_credentials&client_id={{client_id}}&client_secret={{client_secret}}&\
  resource=https%3A%2F%2Fgraph.windows.net

This returns a JWT (I removed elements not relevant to this issue):

{
  "aud": "https://graph.windows.net",
  "iss": "https://sts.windows.net/e1642542-781d-481e-a194-1c271a68a5f1/",
  "roles": [
     "Application.ReadWrite.OwnedBy",
     "Application.ReadWrite.All"
  ]
}

You can see that the aud is set to https://graph.windows.net and that the appropriate application roles are indicated.

Yet when I make the accounts call to the graph.windows.net endpoint, I get an error:

{
  "odata.error": {
    "code": "Authentication_MissingOrMalformed",
    "message": {
        "lang": "en",
        "value": "Access Token missing or malformed."
    }
  }
}

For the /accounts call, I added an Authorization header with the value set to Bearer: (the access token). This same token is decoded perfectly in jwt.io, so I know the token itself is fine.

Any ideas?

Kevin Kohut

2 Answers


Azure has stopped updating Azure AD Graph APIs. From this doc it is recommended to use Graph API instead of Azure AD Graph API.

From the data payload set the scope parameter accordingly.

Prashant
  • Yes, but the graph API does not offer app registration functionality (not in v1; it is present in v2, but that is still in beta, and we need something that is suitable for production) – Kevin Kohut Nov 02 '19 at 16:08

For the /accounts call, I added an Authorization header with the value set to Bearer:(the access token).

Bearer: ey.... is not a correct bearer value; you must not include the colon in the value.

  GET /resource HTTP/1.1
  Host: server.example.com
  Authorization: Bearer mF_9.B5f-4.1JqM
Alex AIT
  • Glad I could help! If you feel my answer solved the problem, please mark it as 'accepted' by clicking the green check mark. This helps keep the focus on older SO which still don't have answers. – Alex AIT Nov 02 '19 at 16:15
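The header-format point in this answer, as an added example that is not from the question or the answers: a small Python module that builds the client-side header the way RFC 6750 specifies and a server-side parser that maps the colon form to the same error code the question shows. The sample token builder, the `odata_error_code` mapping and the payload-only `token_audience` helper are constructed for illustration and do no signature verification.

```python
import base64
import json
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token. The scheme name
# is case-insensitive (RFC 7235) and is followed by whitespace, never a colon.
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def bearer_header(access_token: str) -> dict:
    """Authorization header a client should send: scheme, one space, token."""
    return {"Authorization": f"Bearer {access_token}"}


def extract_bearer_token(authorization):
    """Return the token from an Authorization header value, or None when the
    header is absent or malformed ("Bearer: ey...", "Basic ...", bad chars)."""
    if not authorization:
        return None
    match = _BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


def odata_error_code(authorization):
    """Constructed mapping to the question's error code; None when the header parses."""
    if extract_bearer_token(authorization) is None:
        return "Authentication_MissingOrMalformed"
    return None


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Constructed token for offline demonstration only; the third segment
    is a placeholder string, not a real signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def token_audience(token: str):
    """Decode the payload segment (as jwt.io does, no signature check) and
    return its 'aud' claim; a decodable token can still be sent wrongly."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")
```

A token whose `aud` decodes correctly still fails the header check when sent as `Bearer: <token>`, which is exactly the gap between "decodes fine in jwt.io" and "rejected by the resource server".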