I am working on integrating ADFS-issued tokens with Azure AD to allow access to Microsoft Graph API using the Resource Owner Password Credentials (ROPC) flow (grant_type=password). I have set up ADFS as the identity provider, and I can successfully obtain tokens from ADFS. However, when I try to use these tokens to access Microsoft Graph API, I encounter issues with token validation, such as InvalidAuthenticationToken or Invalid audience.
My goal is to have Azure AD trust the tokens issued by ADFS so that they can be used to authenticate against Microsoft Graph API. Specifically, I am using the ROPC flow to directly obtain a token on behalf of the user, but I am facing challenges with the token being accepted by Azure AD.
Could you provide guidance on how to properly configure federation between ADFS and Azure AD for this purpose? Specifically, I would like to know:
- What are the necessary steps to establish a federation trust between ADFS and Azure AD when using the ROPC flow?
- How can I ensure that tokens issued by ADFS using grant_type=password are recognized and accepted by Azure AD?
- Are there any specific configurations required in Azure AD or ADFS to enable this scenario?
- Can ADFS-issued tokens be directly converted or exchanged for Azure AD tokens to be used with Microsoft Graph API?
Any detailed instructions, documentation, or best practices would be greatly appreciated.
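The two errors in the question both come from Microsoft Graph's token validation: Graph checks that the bearer token was issued by Azure AD (issuer https://sts.windows.net/{tenant}/ or https://login.microsoftonline.com/{tenant}/...) and that its audience is Graph itself (https://graph.microsoft.com or the Graph application ID 00000003-0000-0000-c000-000000000000). A token minted by ADFS carries the ADFS issuer and the audience of whatever ADFS relying party it was requested for, so it fails both checks; there is no direct conversion of such a token into a Graph token. The following is an added example, not code from the original post: it decodes a JWT's payload locally (without signature verification, for inspection only) and reports why Graph would reject it, and it builds the ROPC request that is sent to Azure AD's own v2.0 token endpoint, which is where a Graph-audience token has to come from. The tenant name, client ID and the two sample tokens are constructed placeholders. One caveat worth checking against current documentation: Microsoft's ROPC documentation for the identity platform lists accounts federated to an on-premises provider such as AD FS as an unsupported scenario for ROPC, so even a correctly targeted request may be refused for a federated user.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values for illustration; replace with your own tenant and app registration.
TENANT = "contoso.onmicrosoft.com"                   # assumed tenant
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # assumed public client app ID
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"

# Audiences Microsoft Graph accepts in an access token.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
AZURE_AD_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Use this only to look at a token you hold; never base an authorization decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token):
    """Report whether a token has the issuer and audience Microsoft Graph requires."""
    claims = decode_jwt_claims(token)
    iss = claims.get("iss", "")
    aud = claims.get("aud", "")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not iss.startswith(AZURE_AD_ISSUER_PREFIXES):
        return False, f"issuer {iss!r} is not Azure AD; Graph only accepts Azure AD-issued tokens"
    if not GRAPH_AUDIENCES.intersection(aud_list):
        return False, f"audience {aud!r} is not Microsoft Graph"
    return True, "issuer and audience are acceptable to Microsoft Graph"


def ropc_request_body(username, password, scope="https://graph.microsoft.com/.default"):
    """Form fields for an ROPC (grant_type=password) request to Azure AD's v2.0 token endpoint."""
    return {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "username": username,
        "password": password,
        "scope": scope,  # asking for Graph is what makes the returned token's aud = Graph
    }


def request_graph_token(username, password):
    """POST the ROPC request to Azure AD (network call; not exercised offline)."""
    data = urllib.parse.urlencode(ropc_request_body(username, password)).encode()
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_jwt(claims):
    """Build a JWT-shaped string (alg none, empty signature) for the constructed samples below."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens (not real tokens): one as ADFS would issue for its own relying
# party, one as Azure AD issues for Graph, and one Azure AD token aimed at the client app.
ADFS_TOKEN = make_unsigned_jwt({
    "iss": "https://adfs.contoso.com/adfs", "aud": "urn:microsoft:userinfo",
    "upn": "alice@contoso.com",
})
AAD_GRAPH_TOKEN = make_unsigned_jwt({
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "aud": "https://graph.microsoft.com", "upn": "alice@contoso.com",
})
AAD_WRONG_AUD_TOKEN = make_unsigned_jwt({
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "aud": CLIENT_ID, "upn": "alice@contoso.com",
})

if __name__ == "__main__":
    for name, tok in [("ADFS", ADFS_TOKEN), ("AAD/Graph", AAD_GRAPH_TOKEN), ("AAD/app", AAD_WRONG_AUD_TOKEN)]:
        ok, why = check_graph_token(tok)
        print(f"{name}: {'OK' if ok else 'REJECT'} - {why}")
```

Run check_graph_token against the token you are currently presenting to Graph; if it reports an ADFS issuer, the token was obtained from the wrong token endpoint and no Azure AD configuration will make Graph accept it. The request that can yield a Graph token is the one ropc_request_body builds against the Azure AD endpoint, with the scope naming Graph.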