azure, oauth-2.0, client-credential

How do I get an access token for Microsoft Graph -- Azure docs are incorrect


I'm trying to get an access token using the OAuth 2.0 client credentials grant flow following Step 4. Here's my curl

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d '{"grant_type":"client_credentials","client_id":"my_client_id", "client_secret":"my_client_secret", "scope":"https://graph.windows.com/.default"}' https://login.microsoftonline.com/my_tenant_id/oauth2/v2.0/token

It gives this error message which is clearly wrong because my request body includes grant_type:

{"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'grant_type'.\r\nTrace ID: a95260ff-63b6-405f-880b-738bfda33b00\r\nCorrelation ID: d606ab93-59c7-4d7d-ac45-643074e23a75\r\nTimestamp: 2023-02-24 02:29:25Z","error_codes":[900144],"timestamp":"2023-02-24 02:29:25Z","trace_id":"a95260ff-63b6-405f-880b-738bfda33b00","correlation_id":"d606ab93-59c7-4d7d-ac45-643074e23a75","error_uri":"https://login.microsoftonline.com/error?code=900144"}

How can I get an access token to use http://graph.windows.net to find out about a registered application?


Solution

  • I tried to reproduce the same in my environment and got the results below:

    I registered one Azure AD application and added API permissions as shown below:

    [screenshot]

    To run the same curl command via Postman, I clicked on Import and pasted code like this:

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d '{"grant_type":"client_credentials","client_id":"678b1771-0703-401e-8056-xxxxxxxxxx", "client_secret":"xxxxxxxxxxxxxxxx", "scope":"https://graph.windows.com/.default"}' https://login.microsoftonline.com/58e70374-11f2-4e91-af40-xxxxxxxxxxx/oauth2/v2.0/token
    

    [screenshot]

    After selecting Continue, it took me to the next screen, like this:

    [screenshot]

    When I clicked on Import, I got the screen with the parameters below, where I got the same error after selecting Send, like this:

    [screenshot]

    You are getting that error because you are not passing the parameters in the correct format.

    To resolve the error, try changing your curl command by passing the parameters separated by & in the format below:

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<apID>&client_secret=<secret>&scope=https%3A%2F%2Fgraph.windows.com%2F.default' https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    

    I changed the curl command by passing the parameters in the above format and imported it again, like this:

    [screenshot]

    When I clicked on Import, the parameters were passed correctly in the Body section, but I got a different error, like this:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    grant_type:client_credentials
    client_id:<appID>
    client_secret: <secret>
    scope: https://graph.windows.com/.default
    

    Response:

    [screenshot]

    To resolve the above error, I changed the scope value to https://graph.microsoft.com/.default and got the access token successfully, like this:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    grant_type:client_credentials
    client_id:<appID>
    client_secret: <secret>
    scope: https://graph.microsoft.com/.default
    

    Response:

    [screenshot]

    In your case, you need to change your curl command by passing the parameters in the correct format, separated by &, and change the scope value too, like this:

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id=<appID>&client_secret=<secret>&scope=https://graph.microsoft.com/.default' https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
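Added example (not part of the question or the answer above): a small Python script that builds the form-encoded body the v2.0 token endpoint expects and, without making any network call, shows why the JSON-style body from the question produces AADSTS900144. The endpoint parses the body as application/x-www-form-urlencoded, i.e. key=value pairs joined by &, so a JSON blob yields no grant_type key at all. The function names, the placeholder tenant/app ids and secret, and the sample success response are constructed for this example; the sample error response is the one quoted in the question.

```python
"""Client-credentials token request helpers for the Microsoft identity platform.

Added example; no network access. All ids and secrets below are placeholders.
"""
import json
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
REQUIRED_PARAMS = ("grant_type", "client_id", "client_secret", "scope")

# The body from the question: JSON text sent with a form-encoded content type.
JSON_STYLE_BODY = (
    '{"grant_type":"client_credentials","client_id":"my_client_id", '
    '"client_secret":"my_client_secret", "scope":"https://graph.windows.com/.default"}'
)

# Error response quoted in the question (trace/correlation ids as on the page).
SAMPLE_ERROR_RESPONSE = (
    '{"error":"invalid_request","error_description":"AADSTS900144: The request body '
    "must contain the following parameter: 'grant_type'.\\r\\nTrace ID: "
    'a95260ff-63b6-405f-880b-738bfda33b00\\r\\nCorrelation ID: '
    'd606ab93-59c7-4d7d-ac45-643074e23a75\\r\\nTimestamp: 2023-02-24 02:29:25Z",'
    '"error_codes":[900144],"timestamp":"2023-02-24 02:29:25Z",'
    '"trace_id":"a95260ff-63b6-405f-880b-738bfda33b00",'
    '"correlation_id":"d606ab93-59c7-4d7d-ac45-643074e23a75",'
    '"error_uri":"https://login.microsoftonline.com/error?code=900144"}'
)

# Constructed success response; the token value is a placeholder, not a real JWT.
SAMPLE_SUCCESS_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "<constructed-placeholder-token>",
})


def build_token_request(tenant_id, client_id, client_secret,
                        scope="https://graph.microsoft.com/.default"):
    """Return (url, headers, body) for a client-credentials grant.

    urlencode joins the parameters with '&' and percent-encodes reserved
    characters, so the scope becomes https%3A%2F%2Fgraph.microsoft.com%2F.default.
    The secret travels only in the POST body over HTTPS, never in the URL.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT.format(tenant=tenant_id), headers, body


def form_params(body):
    """Parse a body the way a form-encoded endpoint does (first value per key)."""
    return {key: values[0] for key, values in parse_qs(body).items()}


def missing_required(body):
    """Names of the required grant parameters that a form-encoded parser cannot find."""
    present = form_params(body)
    return [name for name in REQUIRED_PARAMS if name not in present]


def classify_token_response(response_text):
    """Summarise a token-endpoint JSON response as ('ok', ...) or ('error', ...)."""
    payload = json.loads(response_text)
    if "access_token" in payload:
        return ("ok", payload["token_type"], payload["expires_in"])
    return ("error", payload.get("error"), payload.get("error_codes", []))


if __name__ == "__main__":
    print("JSON-style body, parsed as form data, is missing:", missing_required(JSON_STYLE_BODY))
    url, headers, body = build_token_request("<tenantID>", "<appID>", "<secret>")
    print("Correct request:", url, headers, body, sep="\n  ")
    print("Still missing:", missing_required(body))
    print(classify_token_response(SAMPLE_ERROR_RESPONSE))
    print(classify_token_response(SAMPLE_SUCCESS_RESPONSE))
```

Running `missing_required(JSON_STYLE_BODY)` returns all four parameter names, which is exactly what the AADSTS900144 message reports (it stops at the first one it checks, grant_type). The body produced by `build_token_request` parses back to the four expected keys with the scope URL decoded intact, and it can be sent with any HTTP client (curl, Postman, requests) against the real endpoint once real ids and a secret are substituted.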