I have found the solution to the issue: Qualify the scope of the second call with https://graph.microsoft.com/
The problem was that the unqualified scope gave me a token for the outlook.office.com endpoint, not for the graph.microsoft.com endpoint.
As both endpoints offer the same functionality (unless they don't, see link above) this had me quite confused for some time.
Access both EWS and Graph

Hello,
we have an application that utilizes Exchange Web Services (EWS). For accounts on O365 we use OAuth2/ModernAuth via MSAL.
I would like to add functionality that is only available via the Graph API, for example creating an online meeting.
According to https://learn.microsoft.com/en-us/outlook/rest/compare-graph#moving-from-outlook-endpoint-to-microsoft-graph
you cannot mix permissions for one endpoint with permissions for the other in a single request
My default authorization is EWS.AccessAsUser.All, and for the calendar operation I need Calendars.ReadWrite.
I have tried the following scenarios:
- Use both scopes (prior to reading the article linked above). Results in a token that can be used for Graph, but gets a 401 on EWS
- Acquire a token with EWS permission. Then use MSAL acquireTokenSilent with the graph scope. Gives me the same token for both, resulting in an "Invalid Audience" error on the Graph API
- Use interactive authorization (MSAL acquireToken). This gives me a second token with the correct scope, but now I have to present the user with two authentication flows and would probably have to retain two separate IMultipleAccountPublicClientApplication instances (which I have not tried yet, maybe not even possible)
Any tips on how I can use both EWS and Graph API?
Simon Hain 96 Reputation points
2021-03-16T09:02:07.003+00:00
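As an added example (not code from the post or from MSAL), the following Python shows the two points the thread turns on: qualifying a bare permission name with the resource URI, and reading a token's `aud` claim before reusing it against a different endpoint. The tokens are constructed and unsigned for illustration; the audience values are the well-known ones for Graph and Exchange Online.

```python
import base64
import json

# Audience values a token minted for each resource may carry: either the
# resource URI or the resource's well-known application ID.
RESOURCE_AUDIENCES = {
    "https://graph.microsoft.com": {
        "https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"},
    "https://outlook.office.com": {
        "https://outlook.office.com", "00000002-0000-0ff1-ce00-000000000000"},
}

def qualify_scopes(scopes, resource):
    """Prefix bare permission names (e.g. Calendars.ReadWrite) with the resource
    URI so the token is minted for that resource and not a default one."""
    return [s if s.startswith("https://") else f"{resource.rstrip('/')}/{s}"
            for s in scopes]

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_audience(jwt):
    """Return the 'aud' claim of a compact JWT. Inspection only: no signature
    check, so this is a client-side sanity check, not validation."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1])).get("aud")

def token_fits_resource(jwt, resource):
    """True when the token was issued for `resource`; sending it to another
    endpoint yields 401 / 'Invalid Audience' as described in the post."""
    return token_audience(jwt) in RESOURCE_AUDIENCES[resource]

def _fake_jwt(claims):
    # Constructed, unsigned token for the demo (alg=none, empty signature).
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

EWS_TOKEN = _fake_jwt({"aud": "https://outlook.office.com",
                       "scp": "EWS.AccessAsUser.All"})
GRAPH_TOKEN = _fake_jwt({"aud": "00000003-0000-0000-c000-000000000000",
                         "scp": "Calendars.ReadWrite"})

if __name__ == "__main__":
    print(qualify_scopes(["Calendars.ReadWrite"], "https://graph.microsoft.com"))
    print(token_fits_resource(EWS_TOKEN, "https://graph.microsoft.com"))
    print(token_fits_resource(GRAPH_TOKEN, "https://graph.microsoft.com"))
```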