
Microsoft Graph API client_credential docs are outdated. Getting Authorization_IdentityNotFound

Parth P 40 Reputation points
2023-11-03T19:26:54.82+00:00

Hi There,

I'm currently focusing on the authentication component of an application. Our primary objective is to gain access to the resources within Azure Active Directory, which is now known as Entra ID. Upon examining the documentation, it appears that I should use the Graph API's "Get access without a user" documentation. [official doc link].

I want to use a special login method (client credential grant type) so that my app doesn't depend on a specific user to access certain data.

I have set up my app with the necessary auth URLs and params as mentioned in the official doc. The app has permission to access all Microsoft Graph data as an application (not as a Delegated Permission), and it's configured to work with multiple organizations. But when I try to get a list of users or information about organizations, I'm encountering an error.

I've also noticed that the links in the official documentation about admin consent access are outdated or incorrect. The document suggests calling the URL "https://login.microsoftonline.com/{tenant}/adminconsent," but the error message advises using the "v.2" endpoint instead. After switching to "v.2," the authentication server complains that the "common" account cannot be passed with the admin consent endpoint, so use "organizations" instead. This part might be incorrect due to insufficient documentation.

Config:

site:          'https://login.microsoftonline.com',
authorize_url: '/organizations/v2.0/adminconsent'
token_url:     '/common/oauth2/v.2.0/token'

Initial Auth Request params

client_id:    '<<REDACTED>>'
redirect_uri: '<<REDACTED>>'
state:        '<<REDACTED>>'
tenant:        <==== I am not passing this since this is org in my case. Look at the auth url
adminConsent:  True

Params for the Call to get the token

tenant:          <===== This value is set to tenant id that I get from the auth req
client_id:       '<<REDACTED>>'
client_secret:   '<<REDACTED>>'
grant_type:      'client_credential'
scope:           'https://graph.microsoft.com/.default'

Error:

{
    "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
            "date": "2023-11-03T19:02:21",
            "request-id": "e71e7646-c150-4fb7-a3ec-7b882a5dfb99",
            "client-request-id": "<<redacted>>"
        }
    }
}
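The v2.0 client-credentials exchange the post is attempting, as an added example that is not the poster's code: it builds the token request (OAuth 2.0 defines the grant_type value as `client_credentials`, and the v2.0 token path is `/{tenant}/oauth2/v2.0/token`) and inspects the returned token's claims before calling Graph, since an app-only token must carry `roles` (application permissions) for the target tenant. Tenant, client id and secret are placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Both audiences are issued for Graph depending on how the scope was requested.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form body) for the v2.0 client_credentials grant (RFC 6749 s4.4)."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": GRAPH_SCOPE,  # .default = every application permission an admin consented to
    }
    return url, urllib.parse.urlencode(body).encode()


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the POST and return the access token (needs network; not used by the tests)."""
    url, data = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def decode_claims(jwt: str) -> dict:
    """Decode the payload only; no signature check (Graph validates it, we just inspect)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def app_token_is_usable(jwt: str, expected_tenant: str) -> bool:
    """App-only token: right tenant, Graph audience, and 'roles' rather than a delegated 'scp'."""
    claims = decode_claims(jwt)
    return (claims.get("tid") == expected_tenant
            and claims.get("aud") in GRAPH_AUDIENCES
            and bool(claims.get("roles")))


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline inspection; real tokens are RS256-signed."""
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}."
```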
