Azure AD token for accessing Graph token
I need to access Microsoft Graph API using my API Scope and Audience.
I need to be able to acquire a token on behalf of a user in my API, using the token I received in my client mobile application. I have used MSAL package in Android and iOS to get the token from my client app registration in Azure.
I need to access multiple Graph resources.
Using Android and iOS native SDKs
Audience
Scope
Whenever I try to hit the API (https://graph.microsoft.com/v1.0/me) I get message stating Access token validation failure. Invalid audience.
The error usually occurs if you are trying to access Microsoft Graph with token generated with exposed API Scope and Audience.
Initially, I too got same error when I tried to call Microsoft Graph with token generated with custom API scope as below:
GET https://graph.microsoft.com/v1.0/me
To resolve the error, generate token using on-behalf of flow by passing above API token as assertion value.
In my case, I used below .NET code to acquire token using on-behalf flow and called Microsoft Graph API successfully like this:
using Azure.Core;
using Azure.Identity;
class Program
{
static async Task Main(string[] args)
{
var scopes = new[] { "User.Read" };
var tenantId = "tenantId";
var clientId = "appId";
var clientSecret = "secret";
var apitoken = "token_with_api_scope";
var onBehalfOfCredential = new OnBehalfOfCredential(tenantId, clientId, clientSecret, apitoken);
var tokenRequestContext = new TokenRequestContext(scopes);
// Get the token
var token = await onBehalfOfCredential.GetTokenAsync(tokenRequestContext, new CancellationToken());
// Print the token to the console
Console.WriteLine($"Access Token: {token.Token}");
// Use HttpClient to call Graph API
using var httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", tokenResult.Token);
var response = await httpClient.GetStringAsync("https://graph.microsoft.com/v1.0/me");
Console.WriteLine("\n API Response:");
Console.WriteLine(response);
}
}
Response:
Reference:
.net - Azure AD AcquireTokenOnBehalfOf - Stack Overflow by me
- Azure Remove User Consent to API
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- How to bulk create/import users in Azure AD so that all of them can have single sign on to my SF sandbox?
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API