Authentication Token Issues with Azure Data Factory When Accessing Microsoft Graph API

Xavier Ibanez-Padron 0 Reputation points
2024-05-29T19:46:22.4333333+00:00

I am currently facing challenges with an Azure Data Factory pipeline that's configured to access data from the Microsoft Graph in a production environment. While I can successfully fetch authentication tokens using a POST request (https://login.microsoftonline.com/{tenant}/oauth2/token), these tokens are deemed invalid when used in a GET request to the Microsoft Graph API. Curiously, when I replicate the process manually in POSTMAN with the same token, it works flawlessly. I initially encountered an issue using the OAuth v2.0 endpoint, where I could only fetch access tokens for half of my customers. Interestingly, for those customers whose tokens were successfully fetched, the tokens worked perfectly in the subsequent Microsoft Graph API GET requests. To address the fetching issue, I switched to the OAuth v1.0 endpoint, which allowed all customers to obtain their tokens. However, this led to a new problem where all the tokens, though successfully obtained, were deemed invalid when used in the Azure Data Factory pipeline to make GET requests to the Microsoft Graph API. Any insights or recommendations to resolve this issue would be greatly appreciated.

Error Message:
Request URL: https://graph.microsoft.com/v1.0/[endpoint]
Response:

  • Code: InvalidAuthenticationToken
  • Message: Access token validation failure. Invalid audience.

1 answer

  1. Amira Bedhiafi 20,176 Reputation points
    2024-06-01T17:36:37.5266667+00:00

    Have you tried adding v2.0 in /oauth2/v2.0/token?

    It appears that your token is intended for the wrong audience. To call the Microsoft Graph API, you need to obtain a token specifically for Microsoft Graph, meaning the access token should include "aud": "https://graph.microsoft.com".

    It seems you're using the [AAD auth code flow][1] to get the token. When requesting an authorization code, use the scope https://graph.microsoft.com/.default.

    Here's the authorization request URL:

        https://login.microsoftonline.com/common/oauth2/authorize?
        client_id=xxxxx
        &response_type=code
        &redirect_uri=xxxxxx
        &response_mode=query
        &scope=https://graph.microsoft.com/.default
        &state=12345


    When requesting the token, also use scope=https://graph.microsoft.com/.default.

        POST https://login.microsoftonline.com/common/oauth2/v2.0/token

        client_id=xxxxxx
        &scope=https://graph.microsoft.com/.default
        &code=0.AR8A3XwQy0FAmkSxxxx
        &redirect_uri=xxxxxx
        &grant_type=authorization_code
        &client_secret=xxxxx


    To successfully call the API, ensure that your client app has been granted the appropriate [Delegated Microsoft Graph API permissions][2] based on the API you intend to use. For example, if you want to call the [List users][3] API, you need the correct permissions.

    More links:

    https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

    https://docs.microsoft.com/en-us/graph/permissions-reference

    https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0

    https://learn.microsoft.com/en-us/answers/questions/993291/microsoft-graph-api-error-access-token-validation

    https://stackoverflow.com/questions/66658966/microsoft-graph-api-access-token-validation-failure-invalid-audience

    https://learn.microsoft.com/en-us/answers/questions/1634009/access-token-validation-failure-invalid-audience-e

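As an added illustration of the audience problem discussed above (example code, not from the question, the answer or Microsoft), the following builds the token-request bodies for both endpoints and decodes a token's `aud` claim before it is sent to Graph. It assumes the client-credentials grant that a Data Factory pipeline would normally use; `GRAPH_APP_ID` is the well-known application ID of Microsoft Graph, and the demo token is a constructed, unsigned sample for local checking only.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"
# Well-known application ID of Microsoft Graph; Graph tokens may carry it as "aud".
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
ACCEPTED_AUDIENCES = {GRAPH_RESOURCE, GRAPH_RESOURCE + "/", GRAPH_APP_ID}


def v2_client_credentials_body(client_id: str, client_secret: str) -> str:
    """Form body for POST /{tenant}/oauth2/v2.0/token.
    The v2.0 endpoint takes a scope; '/.default' requests the Graph permissions
    already consented for the app, so the token is minted with a Graph audience."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_RESOURCE + "/.default",
        "grant_type": "client_credentials",
    })


def v1_client_credentials_body(client_id: str, client_secret: str) -> str:
    """Form body for the v1.0 endpoint /{tenant}/oauth2/token used in the question.
    It takes 'resource' instead of 'scope'; leaving it out or pointing it elsewhere
    yields a token whose audience Graph rejects with 'Invalid audience'."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": GRAPH_RESOURCE,
        "grant_type": "client_credentials",
    })


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (diagnostics only;
    Graph verifies the signature itself, this only inspects what was issued)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches_graph(token: str) -> bool:
    """True when the token's aud claim is one Microsoft Graph accepts."""
    return jwt_claims(token).get("aud") in ACCEPTED_AUDIENCES


def _demo_token(aud: str) -> str:
    """Constructed, unsigned JWT carrying the given aud claim (sample data)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'scp': 'User.Read.All'})}."
```

Run `audience_matches_graph()` on the token the pipeline actually receives; if it returns False, the request body (scope or resource) is the first thing to fix, not the Graph call.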