How to Federate ADFS Issued Tokens with Azure AD for Microsoft Graph API Access Using ROPC Flow

DongJin Son 0 Reputation points
2024-09-02T07:20:37.59+00:00

I am working on integrating ADFS-issued tokens with Azure AD to allow access to Microsoft Graph API using the Resource Owner Password Credentials (ROPC) flow (grant_type=password). I have set up ADFS as the identity provider, and I can successfully obtain tokens from ADFS. However, when I try to use these tokens to access Microsoft Graph API, I encounter issues with token validation, such as InvalidAuthenticationToken or Invalid audience.

My goal is to have Azure AD trust the tokens issued by ADFS so that they can be used to authenticate against Microsoft Graph API. Specifically, I am using the ROPC flow to directly obtain a token on behalf of the user, but I am facing challenges with the token being accepted by Azure AD.

Could you provide guidance on how to properly configure federation between ADFS and Azure AD for this purpose? Specifically, I would like to know:

  1. What are the necessary steps to establish a federation trust between ADFS and Azure AD when using the ROPC flow?
  2. How can I ensure that tokens issued by ADFS using grant_type=password are recognized and accepted by Azure AD?
  3. Are there any specific configurations required in Azure AD or ADFS to enable this scenario?
  4. Can ADFS-issued tokens be directly converted or exchanged for Azure AD tokens to be used with Microsoft Graph API?

Any detailed instructions, documentation, or best practices would be greatly appreciated.


2 answers

  1. Yakun Huang-MSFT 4,160 Reputation points Microsoft Vendor
    2024-09-02T09:32:29.0833333+00:00

    Hi @DongJin Son

    When accessing the Graph API, you need to exchange SAML tokens issued by ADFS for Microsoft Graph access tokens, and before exchanging tokens, you need to set up ADFS and enable single sign-on to Office365.

    For details, refer to this document.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.


  2. DongJin Son 0 Reputation points
    2024-09-03T07:02:16.8466667+00:00

    Here is the body of the token I obtained from ADFS

    {
      "aud": "https://graph.microsoft.com",
      "iss": "http://{adfs-domain}/adfs/services/trust",
      "iat": 1725346694,
      "nbf": 1725346694,
      "exp": 1725350294,
      "apptype": "Confidential",
      "appid": "{app-id}",
      "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
      "auth_time": "2024-09-03T06:58:14.661Z",
      "ver": "1.0"
    }

    When using the Graph API, the following error occurs when using the token:
    [screenshot of the error, not reproduced on the page]

    What should I do?
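The claims in the post above explain the rejection: Microsoft Graph validates the issuer as well as the audience, and it only trusts access tokens issued by the Microsoft Entra (Azure AD) tenant. A token whose `iss` points at an AD FS farm fails that check even though its `aud` is https://graph.microsoft.com, which is why Graph returns InvalidAuthenticationToken. The script below is an added example, not code from this thread, from Microsoft or from any SDK: it decodes a JWT payload without verifying the signature (for diagnosis only, never for authorization) and reports why Graph would reject it. The Entra issuer prefixes and Graph audience values are assumptions based on the documented v1/v2 token formats, and the two sample tokens are constructed, with placeholders for the post's `{adfs-domain}` and `{app-id}`.

```python
import base64
import json
import time
from typing import List, Optional

# Assumption: issuer prefixes Microsoft Graph accepts.
# v1 tokens: https://sts.windows.net/<tenant-id>/
# v2 tokens: https://login.microsoftonline.com/<tenant-id>/v2.0
ENTRA_ISSUER_PREFIXES = ("https://sts.windows.net/", "https://login.microsoftonline.com/")
# Assumption: audience values Graph accepts (resource URI or Graph's app id).
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified;
    this is only for inspecting why a token is rejected, never for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_graph_token(token: str, now: Optional[int] = None) -> List[str]:
    """Return the reasons Microsoft Graph would reject this token.
    An empty list means these pre-flight checks found nothing wrong."""
    claims = decode_jwt_payload(token)
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    iss = str(claims.get("iss", ""))
    if "/adfs/services/trust" in iss:
        problems.append(f"issuer {iss!r} is an AD FS farm, not the Microsoft Entra tenant")
    elif not iss.startswith(ENTRA_ISSUER_PREFIXES):
        problems.append(f"issuer {iss!r} is not a Microsoft Entra issuer")

    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"audience {aud!r} is not Microsoft Graph")

    exp = claims.get("exp")
    if isinstance(exp, int) and exp <= now:
        problems.append(f"token expired at {exp} (now {now})")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        problems.append(f"token not valid before {nbf} (now {now})")
    return problems


def make_sample_jwt(claims: dict) -> str:
    """Build a sample compact JWT for test input. The signature segment is a
    placeholder because this tool never verifies signatures."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: the claims from the post, with placeholders filled in.
ADFS_TOKEN = make_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "iss": "http://adfs.example.test/adfs/services/trust",  # stands in for {adfs-domain}
    "iat": 1725346694, "nbf": 1725346694, "exp": 1725350294,
    "apptype": "Confidential",
    "appid": "00000000-0000-0000-0000-000000000000",  # stands in for {app-id}
    "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "auth_time": "2024-09-03T06:58:14.661Z", "ver": "1.0",
})

# Constructed sample of what a Graph-acceptable v1 token's issuer looks like.
ENTRA_TOKEN = make_sample_jwt({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",  # sample tenant id
    "iat": 1725346694, "nbf": 1725346694, "exp": 1725350294, "ver": "1.0",
})

if __name__ == "__main__":
    for name, tok in (("ADFS token", ADFS_TOKEN), ("Entra token", ENTRA_TOKEN)):
        print(name, "->", diagnose_graph_token(tok, now=1725347000) or "no problems found")
```

Running the script shows the AD FS token flagged on its issuer while the Entra-issued sample passes. In practice the access token for Graph therefore has to come from the Entra token endpoint, either through the SAML assertion exchange the first answer refers to or by sending the ROPC request to Entra rather than to AD FS, so that Entra, not the AD FS farm, is the issuer in `iss`.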

