Search code examples
azureauthenticationoauth-2.0microsoft-graph-apioffice365

Access token validation failure. Invalid audience, office 365 Graph API

Sorry I am at a bit of a loss trying to set up the graph API. My end goal is app only access. When I try to auth I get the error 'access token validation fail. Invalid audience.

My code

import requests
tenant = 'widgetsinc'
token_request_url = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(tenant)
auth_payload = {
                    'client_id': 'deaf-beef-cafe',
                    'scope': 'api://deaf-beef-cafe/.default',
                    'client_secret': 'hunter2',
                    'grant_type': 'client_credentials'
                }


x = requests.post(token_request_url, data=auth_payload)
token = x.json()
print(token)

url = "https://graph.microsoft.com/v1.0/users"
payload={'Authorization':token['access_token']}

x = requests.post(url, headers=payload)

print(x.json())
exit()```

The result of print(token)

{ 'token_type': 'Bearer', 'expires_in': 3599, 'ext_expires_in': 3599, 'access_token': 'REMOVED' }


the result of print(x.json())

{ 'error': { 'code': 'InvalidAuthenticationToken', 'message': 'Access token validation failure. Invalid audience.', 'innerError': { 'date': '2023-01-25T00:38:48', 'request-id': 'removed', 'client-request-id': 'this also removed' } } }```

my permissions for my app in the web ui permissions

Solution

  • { 'error': { 'code': 'InvalidAuthenticationToken', 'message': 'Access token validation failure. Invalid audience.', 'innerError': { 'date':'2023-01-25T00:38:48', 'request-id': 'removed', 'client-request-id': 'this also removed' } } }

    The above error occurs when you pass the incorrect scope, or your token has the wrong audience, to call the Microsoft Graph API in your environment. According to MS-Document, to get an access token you need pass https://graph.microsoft.com/.default in scope.

    I tried with same code using scope https://graph.microsoft.com/.default with same api permission to get all user got an error:

    Api permission:

    enter image description here

    Code:

    import requests
tenant = '<tenant-id>'
token_request_url = 'https://login.microsoftonline.com/{}/oauth2/v2.0/token'.format(tenant)
auth_payload = {
                    'client_id': '<client-id>',
                    'scope': 'https://graph.microsoft.com/.default',
                    'client_secret': '<client secret>',
                    'grant_type': 'client_credentials'
                }


x = requests.post(token_request_url, data=auth_payload)
token = x.json()
print(token)

url = "https://graph.microsoft.com/v1.0/users"
payload={'Authorization':token['access_token']}

x1 = requests.get(url, headers=payload)

token1=x1.json()
print(token1)

    Console:

    enter image description here

    To get all user you need to use User.read.all with application API permisson.

    API permission:

    enter image description here

    Console:

    After adding API permission to the application, the code executed successfully with all user.

    enter image description here

    Reference: List users - Microsoft Graph v1.0 | Microsoft Learn