Access Token With Azure AD API Scopes and Graph Scops does not authenticate on Microsoft Graph

Question

I have a UWP Application that uses Microsoft Graph for Authentication. I have defined the scopes on the UWP App as follows

private readonly string[] _scopes = {"api://*******-***-****-***-********/access_as_user", "user.read"};

This successfully gets the token and signs in successfully and successfully authenticates with my API. The problem is that when I try using the same token to get user info from Microsoft Graph (using a GET Request to https://graph.microsoft.com/v1.0/me/), I get the error,

{
    "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure. Invalid audience.",
        "innerError": {
            "date": "2020-08-27T08:07:04",
            "request-id": "c9a729a0-d566-428a-a715-8d179af1fa8a"
        }
    }
}

Is there no way I can use the same token for my backend and to Microsoft Graph?

score 0 · Accepted Answer · answered Aug 27 '20 at 08:25

0

No. An access token is only valid for one API as indicated by its audience (aud claim).

You need to acquire two tokens, one with your API scopes and another with Graph API scopes.

answered Aug 27 '20 at 08:25

juunas

54,244
13
113
149

If I do this, this makes the user sign in twice. – Josh Aug 31 '20 at 07:58
1

Hmm, it shouldn't. The app should be able to use a refresh token to get the second token. – juunas Aug 31 '20 at 07:59

Access Token With Azure AD API Scopes and Graph Scops does not authenticate on Microsoft Graph

1 Answers1

Linked