Graph API returns Authorization_IdentityNotFound error

Question

We are using GET /v1.0/users/${email} API to fetch the user details in a tenant and getting the following error in the response.

{
   "error":{
      "code":"Authorization_IdentityNotFound",
      "innerError":{
         "client-request-id":"a1fdaeb3-775d-47ba-8be3-27ce3a134a77",
         "date":"2023-03-15T12:53:29",
         "request-id":"a1fdaeb3-775d-47ba-8be3-27ce3a134a77"
      },
      "message":"The identity of the calling application could not be established."
   }
}

The app asks for User.Read.All Application type scope and using https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token endpoint to get the token after admin consent. All this was setup using this doc.

We have checked that the app has given scope permission successfully in Azure portal by an admin of tenant

Permission given to App

Went throught existing questions on Stackoverflow and Microsoft support page. All answer point to app not given permission successfully but that is not the case for us.

We were thinking if it is possible to check more error details for request-id: a1fdaeb3-775d-47ba-8be3-27ce3a134a77 on Microsoft side? Or some other steps that can help us in debugging and finding the cause for the error.

Answer 1

Hi @Shubham Betterworks,

Thanks for reaching out.

From your query I understood that you are getting error when trying to acquire the token using console app.

This error generally occurs when scopes are not defined correctly, or admin consent has not been granted for the defined permissions.

Can you please check the below details:

• • If your App type is Multi-tenant apps, set Tenant to "common": https://login.microsoftoneline.com/common, For single-tenant apps must use the tenant ID from the Azure portal: https://login.microsoftoneline.com/TenantID
• Is your app provisioned in the target tenant? If no, I am guessing you are calling in application-only context. For this, the admin of the tenant must consent to your application using the url: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=YOURAPPIDHERE&prompt=admin_consent. Once the consent is granted, a service principal for your application will be provisioned and you should be able to get a token with the right roles and information on it.

After by checking all the above provided details, if you are still facing the same issue, I would recommend you to raise a support case with Microsoft Graph, a Support Engineer will be able to assist you better. You can raise support ticket from [http://aad.portal.azure.com]/ or https://admin.microsoft.com/#/support/requests.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.

Answer 2

Hi @Shubham Betterworks

I can reproduce your issue locally, you are using the /common endpoint to get the access token and that is what is causing the issue. Please change common to the tenant id of the target tenant to get the access token of the target tenant.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Answer 3

Hi Shubham Betterworks
We are also facing the same issue can you please help us with the solution
we are not able to fetch the user info even we got the access to it