Azure AD token for accessing Graph token
I need to access Microsoft Graph API using my API Scope and Audience.
I need to be able to acquire a token on behalf of a user in my API, using the token I received in my client mobile application. I have used MSAL package in Android and iOS to get the token from my client app registration in Azure.
I need to access multiple Graph resources.
Using Android and iOS native SDKs
Audience
Scope
Whenever I try to hit the API (https://graph.microsoft.com/v1.0/me) I get message stating Access token validation failure. Invalid audience.
The error usually occurs if you are trying to access Microsoft Graph with token generated with exposed API Scope and Audience.
Initially, I too got same error when I tried to call Microsoft Graph with token generated with custom API scope as below:
GET https://graph.microsoft.com/v1.0/me
To resolve the error, generate token using on-behalf of flow by passing above API token as assertion value.
In my case, I used below .NET code to acquire token using on-behalf flow and called Microsoft Graph API successfully like this:
using Azure.Core;
using Azure.Identity;
class Program
{
static async Task Main(string[] args)
{
var scopes = new[] { "User.Read" };
var tenantId = "tenantId";
var clientId = "appId";
var clientSecret = "secret";
var apitoken = "token_with_api_scope";
var onBehalfOfCredential = new OnBehalfOfCredential(tenantId, clientId, clientSecret, apitoken);
var tokenRequestContext = new TokenRequestContext(scopes);
// Get the token
var token = await onBehalfOfCredential.GetTokenAsync(tokenRequestContext, new CancellationToken());
// Print the token to the console
Console.WriteLine($"Access Token: {token.Token}");
// Use HttpClient to call Graph API
using var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", tokenResult.Token);
var response = await httpClient.GetStringAsync("https://graph.microsoft.com/v1.0/me");
Console.WriteLine("\n API Response:");
Console.WriteLine(response);
}
}
Response:
Reference:
.net - Azure AD AcquireTokenOnBehalfOf - Stack Overflow by me
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- How to get user's attributes from Identity in Blazor Server with organization authentication
- Correlation failed in net.core / asp.net identity / openid connect
- I'm unable to Login to VM with Azure AD user credentials
- I need to add co-organizer in teams meeting through graph api
- MSAL for non-SPA? Server side authentication?
- Entra ID - Adding actor claim to the token via client credential flow
- Roles for a SPA and API setup in Microsoft Intra ID
- Getting a token from Microsoft Intra ID with PostMan using MFA
- Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation
- Add Azure Active Directory User to Azure SQL Database
- How to create dynamic groups in AzureAD/EntraID from a csv import?
- Creating a user in Azure AD B2C through Microsoft SSO
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- How do I connect locally to Azure SQL database with Microsoft Entra ID registered app in C#?
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Error OrganizationFromTenantGuidNotFound and 401 Unauthorized when Sending Email via Microsoft Graph API in React App
- Fetch employee id from from job description properties .NET 8
- How to check if a device is AD joined or Azure AD joined/registered?