Application addKey results in "Authentication_MissingOrMalformed"

Aaron 5 Reputation points
2023-07-17T18:04:44.9566667+00:00

I've been attempting for days to test using the addKey to rotate a key. But regardless of how I do it, I always end up with
"Authentication_MissingOrMalformed" and Error code 401. Is there something else I need to do?

I first created an Azure AD App Registration with the following permissions:

https://user-images.githubusercontent.com/22307415/253676379-1f620a2a-e993-4dcf-b6fe-d073d92b3093.png

I then created a Self-Signed certificate and uploaded it to use as a Client Certificate, following this guide.

I then followed the guide as specified here to generate the proof.

using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

string pfxFilePath = "certandkey.pfx";
string password = "password";
string objectId = "{objectId}"; // object ID of the app registration (not the application/client ID)

// Get signing certificate (the one already uploaded to the app registration)
X509Certificate2 signingCert = new X509Certificate2(pfxFilePath, password);

// audience
string aud = "00000003-0000-0000-c000-000000000000";

// aud and iss are the only required claims.
var claims = new Dictionary<string, object>()
{
    { "aud", aud },
    { "iss", objectId }
};

// token validity should not be more than 10 minutes
var now = DateTime.UtcNow;
var securityTokenDescriptor = new SecurityTokenDescriptor
{
    Claims = claims,
    NotBefore = now,
    Expires = now.AddMinutes(10),
    SigningCredentials = new X509SigningCredentials(signingCert)
};

// Serialised, signed proof-of-possession JWT
var handler = new JsonWebTokenHandler();
var x = handler.CreateToken(securityTokenDescriptor);

Then I generated a new self-signed certificate that I'd like to add, and exported it to another file. I then attempt to call the API as follows, but I cannot get past the exception that I see.

using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

string tenantId = "{tenantId}";
string clientId = "{clientId}";
string newCertPath = "newcert.pfx";
X509Certificate2 newCert = new X509Certificate2(newCertPath);

// Authenticate as the app with the existing certificate; signingCert, objectId and x come from the snippet above
var credential = new ClientCertificateCredential(tenantId, clientId, signingCert);
var graphClient = new GraphServiceClient(credential);

var requestBody = new Microsoft.Graph.Applications.Item.AddKey.AddKeyPostRequestBody
{
    KeyCredential = new KeyCredential
    {
        Type = "AsymmetricX509Cert",
        Usage = "Verify",
        Key = newCert.GetRawCertData() // DER-encoded public certificate to add
    },
    PasswordCredential = null,
    Proof = x, // JWT signed with the existing certificate
};
var result = await graphClient.Applications[objectId].AddKey.PostAsync(requestBody);

I would really appreciate some help in figuring out what I'm doing wrong here. I've tried this using both C# and Java, and both resulted in the same error.

I should not need to give my app registration any additional permissions, because in the documentation, it specifically says I do not need to do so.


I would appreciate any help in troubleshooting this situation.

Thanks!

Microsoft Graph

1 answer

  1. Julian Sperling 451 Reputation points
    2024-03-29T15:22:23.3133333+00:00

    The audience has to be "00000002-0000-0000-c000-000000000000". The documentation was incorrectly updated to use the client ID of the new Microsoft Graph endpoint, while this one specifically needs Azure AD Graph; it has since been fixed: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/commit/03bf982d8b96b400f2d178b195fee8af9f93521b

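The following is an added example, not code from the question, the answer or Microsoft's SDK: it builds the same proof-of-possession JWT and runs a local preflight over it before anything is sent to Graph. It is written in Go with the standard library only so that it runs offline (the page's own code is C#). The preflight encodes the rule the answer gives (aud must be the Azure AD Graph id 00000002-0000-0000-c000-000000000000, not Microsoft Graph's 00000003-...) together with the conditions already visible in the question's code comments (iss is the app's object id; nbf/exp window of at most 10 minutes) and one more that a 401 gives no hint about: the proof must be signed by a certificate that is already on the app registration, identified by the x5t thumbprint header that X509SigningCredentials also emits. The app object id, the self-signed certificate and the "registered" list are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The audience an addKey proof must carry is the Azure AD Graph app id, not Microsoft Graph's 00000003-...
const AddKeyProofAudience = "00000002-0000-0000-c000-000000000000"
const MaxProofLifetime = 10 * time.Minute // addKey rejects proofs valid for longer than this
type header struct {
	Alg string `json:"alg"`
	X5t string `json:"x5t"` // base64url(SHA-1 of the signing certificate's DER): how the signing key is identified
}
type claims struct {
	Aud string `json:"aud"`
	Iss string `json:"iss"` // the application's object id, not its appId / client id
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// BuildProof signs {aud, iss, nbf, exp} as RS256 with a certificate already registered on the
// app and names it in x5t. aud is a parameter only so the wrong value can be demonstrated.
func BuildProof(aud, appObjectID string, cert *x509.Certificate, key *rsa.PrivateKey, now time.Time) (string, error) {
	thumb := sha1.Sum(cert.Raw)
	h, _ := json.Marshal(header{Alg: "RS256", X5t: b64url(thumb[:])})
	c, _ := json.Marshal(claims{Aud: aud, Iss: appObjectID, Nbf: now.Unix(), Exp: now.Add(MaxProofLifetime).Unix()})
	input := b64url(h) + "." + b64url(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64url(sig), err
}

// CheckProof is a local preflight: Azure AD Graph audience, iss equal to the app's object id, a
// window of at most 10 minutes containing now, and an RSA signature by a registered certificate.
func CheckProof(token, appObjectID string, now time.Time, registered ...*x509.Certificate) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("proof is not a three-part compact JWT")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return fmt.Errorf("part %d is not base64url: %w", i, err)
		}
		raw[i] = b
	}
	h, c := header{}, claims{}
	if json.Unmarshal(raw[0], &h) != nil || json.Unmarshal(raw[1], &c) != nil {
		return fmt.Errorf("header or claims are not JSON objects")
	}
	switch {
	case c.Aud != AddKeyProofAudience:
		return fmt.Errorf("aud %q: must be %s (Azure AD Graph, not Microsoft Graph)", c.Aud, AddKeyProofAudience)
	case c.Iss != appObjectID:
		return fmt.Errorf("iss %q: must be the application object id %s", c.Iss, appObjectID)
	case c.Exp-c.Nbf > int64(MaxProofLifetime.Seconds()):
		return fmt.Errorf("exp - nbf is %ds, the limit is %ds", c.Exp-c.Nbf, int64(MaxProofLifetime.Seconds()))
	case now.Unix() < c.Nbf || now.Unix() > c.Exp:
		return fmt.Errorf("proof is outside its nbf/exp window (check clock skew)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, cert := range registered {
		if thumb := sha1.Sum(cert.Raw); b64url(thumb[:]) != h.X5t {
			continue
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2])
		}
	}
	return fmt.Errorf("x5t matches no registered RSA certificate: sign with a key already on the app, not the new one")
}

// SelfSignedCert stands in for a certificate already uploaded to the app registration (constructed test data; errors ignored).
func SelfSignedCert() (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	cert, key := SelfSignedCert() // assumption: this is the certificate already on the app registration
	proof, _ := BuildProof(AddKeyProofAudience, "<app object id>", cert, key, time.Now())
	fmt.Println(CheckProof(proof, "<app object id>", time.Now(), cert))
}
```

Running CheckProof on a proof built with the Microsoft Graph audience from the question's code returns the aud error, which is the same token Graph answers with a bare Authentication_MissingOrMalformed 401. The preflight is deliberately stricter than necessary on the window (it requires nbf <= now <= exp at check time) because a client clock running ahead puts nbf in the future and is indistinguishable from a bad audience once the request leaves the machine. In .NET the same decoding can be done with JsonWebTokenHandler.ReadJsonWebToken on the string the question calls x before passing it as Proof.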
