
I am trying to migrate my app from Office 365 REST v2.0 to Microsoft Graph (v1.0). The token exchange seems to be working, but as soon as I try to call an API, I get the following error:

    (
    [errorNumber] => 401
    [error] => Request returned HTTP error 401
    [message] => {
      "error": {
        "code": "InvalidAuthenticationToken",
        "message": "Access token validation failure. Invalid audience.",
        "innerError": {
          "date": "2021-03-16T15:36:21",
          "request-id": "dda1e33a-2774-4986-8c45-1487404fbb72",
          "client-request-id": "e842d9a8-d71b-0563-f1ce-e58052e5bdb9"
        }
      }
    }
    )

The access_token has the following audience:

"aud": "https://outlook.office.com"

Here is the endpoint that I am using:

https://login.microsoftonline.com/common/oauth2/v2.0/token

Payload:

grant_type=authorization_code
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=https%3A%2F%2Fxxx.com%2Fproxy%2Foffice365authorize
&client_id=e2147faf-87f0-4e7f-xxxx-xxxxxxxxxxx
&client_secret=xxxxxxxxxxxx

Any hint would be greatly appreciated, thanks!


1 Answer


This means your token has the wrong audience. To call the Microsoft Graph API, you need to get a token for Microsoft Graph, i.e. the access token needs "aud": "https://graph.microsoft.com".

It looks like you are using the AAD auth code flow to get the token, so when you request an authorization code, use the scope https://graph.microsoft.com/.default.

https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=xxxxxx
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345

Also use scope=https://graph.microsoft.com/.default when requesting the token.

POST https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id=xxxxxx
&scope=https://graph.microsoft.com/.default
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=xxxxxx
&grant_type=authorization_code
&client_secret=xxxxx

To call the API successfully, also make sure you have granted the correct Delegated Microsoft Graph API permissions to your client app, depending on the API you want to call, e.g. if you want to call List users, you need the permissions here.


  • Thanks for your answer. If I add your suggestion, then the API throws this exception: `Message: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid offline_access Calendars.ReadWrite https://graph.microsoft.com/.default is not valid. .default scope can't be combined with resource-specific scopes.` – nimrod Mar 18 '21 at 09:52
  • @nimrod Remove `openid offline_access Calendars.ReadWrite` from `scope`, just `https://graph.microsoft.com/.default` is enough as shown in my answer, it will get the token for all the MS Graph permissions added to the AD App by default. – Joy Wang Mar 18 '21 at 10:41
  • I just found out that the app used another login url than I had configured, that caused the problem: scope=openid+offline_access+https://outlook.office.com/Calendars.ReadWrite Thanks for your help! – nimrod Mar 18 '21 at 12:18
  • @JoyWang It works but the refresh token isn't returned once the `offline_access` scope is removed. Any idea how to go about this? – Paschal Oct 27 '22 at 01:39
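An added example in Python (not code from the question or the answer): it decodes the `aud` claim of an access token so a token minted for `https://outlook.office.com` is caught before Graph answers 401, and builds the v2.0 `scope` so that `/.default` is never mixed with a resource-specific scope like `Calendars.ReadWrite` (the AADSTS70011 case in the comments). All helper names and the sample token are constructed; treating the reserved OpenID Connect scopes (`openid`, `offline_access`, ...) as combinable with `/.default` is an assumption.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com"
# Reserved OpenID Connect scopes assumed to be allowed next to /.default
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying the signature.

    Graph access tokens are for Graph to validate, not the client; this only
    inspects 'aud' so a token for the wrong resource is caught locally.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def audience_is_graph(token: str) -> bool:
    """True when the token was minted for Graph; aud=https://outlook.office.com
    is exactly what Graph rejects as InvalidAuthenticationToken."""
    return jwt_claims(token).get("aud", "").rstrip("/") == GRAPH


def graph_scope(*oidc: str) -> str:
    """Scope for a Graph token: /.default plus optional OIDC scopes.

    Resource-specific scopes such as Calendars.ReadWrite are refused here
    because the token endpoint answers AADSTS70011 when they are mixed in.
    """
    bad = [s for s in oidc if s not in OIDC_SCOPES]
    if bad:
        raise ValueError(f"cannot combine {bad} with {GRAPH}/.default")
    return " ".join([*oidc, f"{GRAPH}/.default"])


def token_request(client_id, client_secret, code, redirect_uri, scope):
    """Form fields for the authorization_code grant at /oauth2/v2.0/token."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri, "scope": scope}


def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Run `audience_is_graph` on the token you receive before the first Graph call; if it is false, the fix is in the `scope` of the authorize and token requests, not in the API call.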