This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 49%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBK%3C/text%3E%3C/svg%3E)
Hi Team,
When I'm creating an application through Graph API and then trying to access the user access url it is giving the below error.
{"StatusCode":500,"StatusDescription":"InternalServerError","Message":"IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'."}
But when I'm trying to create the same application manually with same configuration it is working fine.
Here are some steps to troubleshoot and resolve this issue:
Check Token Audience: Ensure that the audience (aud) claim in your access token matches the application's identifier (the Application ID or the Application ID URI). When you create an application via the Graph API, double-check that the audience is correctly set.
Application Registration: Compare the application registration details between the application created via the Graph API and the one created manually. Pay close attention to details like the Application ID URI and any other identifiers.
Token Endpoint: Verify that you're obtaining the token from the correct token endpoint and with the correct scopes. Sometimes, using a wrong endpoint or scope can lead to such issues.
Manifest File: If you have access to the application's manifest file in Azure AD, compare the manifest of the manually created application with the one created via the Graph API. There might be subtle differences that could lead to this issue.
Permissions and Consent: Make sure that the required permissions are correctly set and consented to for the application, especially if different permissions are needed for API-created applications compared to manually created ones.
Graph API Request Details: Review the exact request you're sending via the Graph API. There might be an issue with how the request is formulated, such as missing or incorrect parameters.
Logging and Debugging: Implement detailed logging and debugging around the point where you make the Graph API call and where you try to use the token. This can provide more insights into what might be going wrong.
Microsoft Documentation and Support: Consult the Microsoft Graph API documentation for any specific requirements or known issues related to creating applications. If the issue persists, consider reaching out to Microsoft Support for more in-depth analysis.
hope this helps!
Using above link we created the application through Graph API and certificate also created using API call. Apart from App roles and Claims and attributes we did everything through Graph API only.
I compared both payloads and found no difference expect appid and some other unique values.
Using SAML tracer found difference <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_ewdVHabLu3DZXQ-xq82w0boInB28YhlGQKNiexEyx8</NameID> - API created one
SAML 1.1 and nameid-format: emailaddress in manually created one.
Hi @Bharat Kumar Hazar Hazar (iCORE-CRS)
Use jwt.ms to decode your access token and check the aud claim to make sure it matches the target API URL.
We are using certificate x509 in this case