Is their any change/rollback for audience in access token, which was expected to be "https://graph.microsoft.com"?

Question

I am writing to seek clarification regarding an issue I encountered with the access token obtained through the following request:

Request Path: /sites/SITE_NAME/_api/Microsoft.SharePoint.Internal.ClientSideComponent.Token.AcquireOBOToken?resource=%27https://graph.microsoft.com%27&clientId=<client_id>

Until last week, the expected audience for the access token was 'https://graph.microsoft.com'. However, I received a token with the value '00000003-0000-0000-c000-000000000000' instead. As of October 8th, the request has started returning the expected audience 'https://graph.microsoft.com' again, despite no changes made to my configurations or code on my end.

Could you please confirm if there were any changes or rollbacks made by Microsoft that could explain this inconsistency? This issue is critical for my application, and I would appreciate your prompt response.

Answer 1

Hello M. R. Chaturvedi,

Thank you for reaching out to Microsoft Support!

As far as I know, Graph hasn't made any changes to the audience in the access token.

The request path for you to get access tokens is not the Graph recommended way, and it is recommended that you use Graph recommended requests instead, if possible.

If you are using delegated permissions, it is recommended that you use Auth code flow.

If you are using application permissions, Client Credentials flow is recommended.

In the meantime, you can refer to this case, which also occurs if the scope is miswritten.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.