I am using the msal-react example to authenticate and consume SharePoint services through the Graph API, and I created an application on AAD with delegated permissions.

I am assigning the scopes "https://mytenant.sharepoint.com/.default" and I get the following error code: "InvalidAuthenticationToken", message: "Access token validation failure. Invalid audience." I checked the token I get on the JWT.io page. Thank you very much for your support.

2 Answers

You are using the graph API to perform CRUD operations for SharePoint sites, so you should get an access token for the graph API instead of the SharePoint REST API.

So please change your scope to: https://graph.microsoft.com/.default.

Carl Zhao
  • I am using the Graph API and the endpoint that I use is the following: "https://graph.microsoft.com/v1.0/sites/{{IdSite}}/lists/List Contact/items?$Select=Id&$expand=fields". When I log in with a SharePoint administrator user and I get the access token, I can consume the SharePoint Graph API services without problem; this error happens when I log in with a user who does not have permissions in the SharePoint, but I am interested in being able to consume the services without it being able to access the SharePoint. – shadowsa7x07 Feb 02 '23 at 18:01
  • You must grant the user the appropriate graph API permissions to call this API endpoint. – Carl Zhao Feb 08 '23 at 08:12
  • I am checking to see if this issue is resolved or not. If you have any concerns, please feel free to reply. – Carl Zhao Feb 08 '23 at 08:13
  • These permissions must be given in the online sharepoint, in the "site permissions" section, is this correct? – shadowsa7x07 Feb 09 '23 at 23:25
  • You need to give these API permissions in your Azure AD application like [this](https://i.imgur.com/xJve1r3.png). – Sridevi Feb 13 '23 at 09:35
I tried to reproduce the same in my environment via Postman and got below results:

I registered one SPA application and added SharePoint API permissions like below:

I generated access token via Postman with below parameters:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:authorization_code
scope: https://mytenant.sharepoint.com/.default 
code:code
redirect_uri: https://jwt.ms
code_verifier:S256

Response:

When I decoded the token, it has SharePoint as audience and scp claim as below:

I got the same error as you when I used above token to call SharePoint from below graph API call:

GET https://graph.microsoft.com/v1.0/sites/<siteID>/lists

Response:

To resolve the error, assign Microsoft Graph API permissions for SharePoint like below:

Now, generate the access token again by changing the scope to https://graph.microsoft.com/.default as suggested by @Carl Zhao like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:authorization_code
scope: https://graph.microsoft.com/.default 
code:code
redirect_uri: https://jwt.ms
code_verifier:S256

Response:

When I decoded the above token, I got Microsoft Graph as audience and scp claims are as below:

When I used above token to call SharePoint site lists from below graph API call, I got the results successfully like below:

GET https://graph.microsoft.com/v1.0/sites/<siteID>/lists

Response:

Note that, your token audience should be https://graph.microsoft.com while making graph calls and scp claim should contain Microsoft graph permissions.

Sridevi
  • Thanks for your reply. I am currently getting "aud": "https://graph.microsoft.com" as the audience when decoding the token; however, I did the steps you mentioned again and still got the same error. What happens is that I can access the Graph API services when I authenticate with a user who has permissions to see the SharePoint; what I want is to be able to consume the services without first giving the user permissions to access the SharePoint. – shadowsa7x07 Feb 02 '23 at 18:29
  • Without giving the permissions, you cannot access SharePoint. Make sure to **grant** required permissions before accessing SharePoint. – Sridevi Feb 02 '23 at 18:44
  • 1
    Thank you very much for your support, I am going to resort to assigning minimum privileges in sharepoint – shadowsa7x07 Feb 03 '23 at 20:28
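As an added example (not code from either answer or from the msal-react sample), a small Node.js preflight that does in code what the answer above did by pasting the token into jwt.ms: it decodes the token payload and checks that aud is Microsoft Graph and that scp carries the Graph permissions the call needs, so a wrong-scope token is caught before the 401 "Invalid audience" response. The two sample tokens are constructed and unsigned, and the function and constant names are my own.

```javascript
// Added example, not code from either answer: decode an access token's payload
// and confirm the audience (aud) and delegated scopes (scp) target Microsoft
// Graph before the token is sent to graph.microsoft.com. No signature check is
// done here; the resource validates the signature. Names are assumptions.
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000", // Microsoft Graph's well-known app ID
]);

function base64UrlToString(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  return JSON.parse(base64UrlToString(parts[1]));
}

// Returns { ok, reason, aud, scp } so the app can log a precise diagnostic
// instead of discovering the mismatch as an InvalidAuthenticationToken response.
function checkGraphToken(token, requiredScopes = []) {
  const claims = decodeJwtPayload(token);
  const aud = claims.aud;
  const scp = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  if (!GRAPH_AUDIENCES.has(aud)) {
    return { ok: false, reason: `aud "${aud}" is not Microsoft Graph`, aud, scp };
  }
  const missing = requiredScopes.filter((s) => !scp.includes(s));
  if (missing.length > 0) {
    return { ok: false, reason: `scp lacks ${missing.join(", ")}`, aud, scp };
  }
  return { ok: true, reason: "", aud, scp };
}

// Constructed, unsigned sample tokens carrying only the claims used above
// (a real token has many more claims and a genuine signature).
function constructedToken(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}
const SHAREPOINT_TOKEN = constructedToken({
  aud: "https://mytenant.sharepoint.com", scp: "AllSites.Read" });
const GRAPH_TOKEN = constructedToken({
  aud: "https://graph.microsoft.com", scp: "Sites.Read.All User.Read" });
```

Run checkGraphToken on the token MSAL hands back after acquireTokenSilent and log the reason field when ok is false; with the SharePoint scope from the question it reports the audience mismatch that Graph otherwise returns as "Invalid audience".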