Calling Microsoft Graph API through Flutter app returns 401

Sumesh Chandran 41 Reputation points

I am calling the Graph API with the token returned from the app to create a user in the tenant. This API works totally fine when called through Postman, but not when called through the mobile app, which is created using Flutter.
Here is my request to get the access token through my mobile app. The below code works as expected and returns an access token.

final response = await  
                            headers: {  
                            body: {  
                              "grant_type": "client_credentials",  
                              "resource": ""  

Now I use the access token to create a user, this returns 401 and does not create a user.

String url = "";  
                        Map<String, String> headers = {  
                          'Content-Type': 'application/json',  
                          'Accept': 'application/json',  
                              'Bearer $token'  
                        final body = jsonEncode({  
                          "accountEnabled": true,  
                          "city": "Seattle",  
                          "country": "United States",  
                          "department": "Sales & Marketing",  
                          "displayName": "Melissa Darrow",  
                          "givenName": "Melissa",  
                          "jobTitle": "Marketing Director",  
                          "mailNickname": "MelissaD",  
                          "passwordPolicies": "DisablePasswordExpiration",  
                          "passwordProfile": {  
                            "password": "82510f31-1c89-d103-73c8-9fbedda45dcc",  
                            "forceChangePasswordNextSignIn": false  
                          "officeLocation": "131/1105",  
                          "postalCode": "98052",  
                          "preferredLanguage": "en-US",  
                          "state": "WA",  
                          "streetAddress": "9256 Towne Center Dr., Suite 400",  
                          "surname": "Darrow",  
                          "mobilePhone": "+1 206 555 0110",  
                          "usageLocation": "US",  
                          "userPrincipalName": ""  
                          final response = await,  
                              headers: headers, body: body);  

Please advise!

Azure Active Directory External Identities

Accepted answer
  1. Shweta Mathur 15,066 Reputation points Microsoft Employee

    Hi @Sumesh Chandran ,

    Thanks for reaching out.

    The error you are getting is 401 which is an Unauthorized error. The access token you are getting does not have valid permissions to create the user.

    Did you try to decode the token using to check the valid claims?

    As mentioned in your code, you are using client credential flow to get the access token which is usually called for daemon applications.

    Make sure you are passing application permissions User.ReadWrite.All, Directory.ReadWrite.All while registering the application and getting roles claim in your JWT token.

    Also, you need to make sure you have a token with the aud claim of or 00000003-0000-0000-c000-000000000000. If you are getting a.k.a. 00000002-0000-0000-c000-000000000000, that means the token is for AAD Graph API and not for Microsoft Graph.

    Hope this will help.



    Please remember to "Accept Answer" if answer helped you.
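
The `aud` and `roles` checks from the accepted answer can be run inside the app before calling Graph. The following Dart sketch is an added example, not code from the original posters; the function names, the sample tokens built in `main`, and the URL form of the Graph audience are assumptions of this example.

```dart
import 'dart:convert';

// GUIDs are from the answer above; the URL form is the public Graph resource URI.
const graphAppId = '00000003-0000-0000-c000-000000000000';
const aadGraphAppId = '00000002-0000-0000-c000-000000000000';
const graphAudiences = {'https://graph.microsoft.com', graphAppId};
// Permissions named in the answer; either one sufficing is an assumption.
const wantedRoles = {'User.ReadWrite.All', 'Directory.ReadWrite.All'};

/// Decodes the JWT payload WITHOUT verifying the signature. Diagnostic only:
/// never base an authorization decision on an unverified token.
Map<String, dynamic> decodeClaims(String token) {
  final parts = token.split('.');
  if (parts.length != 3) throw FormatException('not a JWT: need 3 segments');
  // JWT segments are unpadded base64url; normalize() restores the padding.
  final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  return jsonDecode(payload) as Map<String, dynamic>;
}

/// Lists the claim problems the accepted answer says to look for.
List<String> graphTokenProblems(String token) {
  final claims = decodeClaims(token);
  final problems = <String>[];
  final aud = (claims['aud'] ?? '').toString().replaceAll(RegExp(r'/+$'), '');
  if (aud == aadGraphAppId) {
    problems.add('aud is the AAD Graph API, not Microsoft Graph');
  } else if (!graphAudiences.contains(aud)) {
    problems.add('aud "$aud" is not Microsoft Graph');
  }
  final roles = (claims['roles'] as List?)?.cast<String>().toSet() ?? <String>{};
  if (roles.isEmpty) {
    problems.add('no roles claim: no application permission in the token');
  } else if (roles.intersection(wantedRoles).isEmpty) {
    problems.add('roles $roles lack ${wantedRoles.join(" or ")}');
  }
  return problems;
}

// Builds an unsigned token for the demo (constructed sample, not a real token).
String fakeToken(Map<String, dynamic> claims) {
  String seg(Object o) =>
      base64Url.encode(utf8.encode(jsonEncode(o))).replaceAll('=', '');
  return '${seg(<String, String>{})}.${seg(claims)}.sig';
}
void main() {
  print(graphTokenProblems(fakeToken({'aud': aadGraphAppId})));
  print(graphTokenProblems(
      fakeToken({'aud': graphAppId, 'roles': ['User.ReadWrite.All']})));
}
```

Because `graphTokenProblems` takes a `String`, passing an unawaited `Future<String>` fails at compile time, which also covers the check suggested in the additional answer below.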

1 additional answer

  1. Corjan Bos 1 Reputation point
    1. If Postman works but Flutter fails with 401, I am sure your Postman request contains other data than your request. You should thoroughly check the Postman header data and add any lacking header info to your command.
    2. Also make sure your $token is not a future and is 'available' at the time you invoke the command (you can check by simply putting a print($token); just before the command). Make sure it is a String and not a Future<String>, for example.
    3. Try to make use of the HttpHeaders class to eliminate typos and make your code future-proof. In your case, for example, use

    HttpHeaders.authorizationHeader: 'Bearer $token',
