get an access_token from an authorized code granted by a user from another Microsoft account

Eric Blanquer​ 0 Reputation points
2024-03-08T00:26:07.11+00:00

Hi,
I'm trying to get access to the MS Graph API from my application for users of another Microsoft account, to avoid asking our customers to create the application themselves.

I'm able to get an authorization code from the user's consent with this request:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=<clientId>&response_type=code&redirect_uri=<redirectURI>&response_mode=query&scope=User.Read.All&state=12345

I'm able to read users from this other account, but only once. If I try to get users a second time, I get this error message:

OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.

And if I try to get a token from https://login.microsoftonline.com/<tenantId>/oauth2/v2.0/token, I get this error message:

Provided Authorization Code is intended to use against other tenant, thus rejected.

I only know my own clientId, tenantId and secret. I don't know what the customer's tenantId is.

How can I solve my issue? Thanks.

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

Microsoft Graph

2 answers

  1. CarlZhao-MSFT 36,811 Reputation points
    2024-03-08T06:52:24.65+00:00

    Hi @Eric Blanquer​

    The maximum lifetime of the authorization code is 10 minutes. But in reality, most services set the expiration time to be shorter, around 30-60 seconds. This is to ensure that the authorization code is a one-time use to avoid misuse.

    Therefore, you can only redeem an access token once using an authorization code, after which it will expire immediately. If you are trying to apply your multi-tenant application to other tenants, then I recommend that you use refresh tokens to renew new access tokens to avoid frequent login authentication.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. Eric Blanquer​ 0 Reputation points
    2024-03-08T11:04:53.9166667+00:00

    Found: I'm able to obtain the accessToken with "common" instead of my tenantId: https://login.microsoftonline.com/common/oauth2/v2.0/token

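The approach the two answers arrive at, as an added example that is not code from the thread: redeem the authorization code once at the `/common` token endpoint, add `offline_access` to the scope so a refresh token is returned, and renew from that instead of reusing the code. The class name, the injected `post` transport and the fake endpoint are constructed for illustration so the example runs offline.

```python
import time
from urllib.parse import parse_qsl, urlencode

# /common accepts codes issued for any tenant, so the customer's tenantId is not needed.
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
SCOPE = "User.Read.All offline_access"  # offline_access asks for a refresh token

class GraphTokenCache:
    def __init__(self, client_id, client_secret, redirect_uri, post):
        self.client = {"client_id": client_id, "client_secret": client_secret}
        # post is a hypothetical transport: post(url, form_body) -> parsed JSON dict
        self.redirect_uri, self.post = redirect_uri, post
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _request(self, grant):
        body = urlencode({**self.client, "scope": SCOPE, **grant})
        reply = self.post(TOKEN_URL, body)
        if "error" in reply:
            raise RuntimeError(f"{reply['error']}: {reply.get('error_description', '')}")
        self.access_token = reply["access_token"]
        # The refresh token may be rotated on each response; keep the newest one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.expires_at = time.time() + int(reply["expires_in"]) - 60
        return self.access_token

    def redeem_code(self, code):  # call exactly once per authorization code
        return self._request({"grant_type": "authorization_code", "code": code,
                              "redirect_uri": self.redirect_uri})

    def get_token(self):  # call before every Graph request
        if self.access_token and time.time() < self.expires_at:
            return self.access_token
        if not self.refresh_token:
            raise RuntimeError("no refresh token: request offline_access and sign in again")
        return self._request({"grant_type": "refresh_token",
                              "refresh_token": self.refresh_token})

def fake_token_endpoint():
    """Constructed stand-in for the token endpoint: each code is single-use."""
    used, count = set(), [0]
    def post(url, body):
        form = dict(parse_qsl(body))
        if form["grant_type"] == "authorization_code":
            if form["code"] in used:
                return {"error": "invalid_grant", "error_description": "code already redeemed"}
            used.add(form["code"])
        count[0] += 1
        return {"access_token": f"at-{count[0]}", "refresh_token": f"rt-{count[0]}", "expires_in": 3600}
    return post
```

In a real deployment `post` would send the form body over HTTPS, and the refresh token should be stored per customer with the same care as the client secret.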