Hi @SumitA • Thank you for reaching out.
This error occurs when the access token is acquired for a given resource/API but is being consumed by a different resource/API.
For example, if you acquire a token with audience https://vault.azure.net (Azure Key Vault) and you pass it as a bearer token while making a Graph call, you will get an Invalid audience error. You can check the audience by decoding your access token at https://jwt.ms
To resolve this error, you need to make sure the audience in the token is https://graph.microsoft.com by using the scope https://graph.microsoft.com/.default during your token acquisition call, and make sure the permissions below are consented under the application whose client ID you are using during the token acquisition call:
- User.Invite.All
- User.ReadWrite.All
- Directory.ReadWrite.All
To provide consent, you need to navigate to:
Azure Portal > Azure Active Directory > App Registration > search for the application using its client ID > API Permissions > Add Permission > select Microsoft Graph API > Delegated Permissions (if you are using user context) or Application Permission (if you are using Application/servicePrincipal context) and select the above permissions > once the permissions are added, click the grant admin consent button.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
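
The audience and permission check described in the answer above can also be done locally. This is an added example, not part of the original answer: it decodes the token payload without verifying the signature (diagnostics only) and reports the `aud` claim and which of the three listed permissions are missing. Assumptions: the Microsoft Graph application ID GUID is accepted as an alternative audience, permissions are read from the `roles` (application) and `scp` (delegated) claims, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Audience values that identify Microsoft Graph: the resource URI and Graph's app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
# Permissions listed in the answer above.
REQUIRED = {"User.Invite.All", "User.ReadWrite.All", "Directory.ReadWrite.All"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token):
    """Report the audience and any of the REQUIRED permissions absent from the token."""
    claims = decode_claims(token)
    aud = str(claims.get("aud", "")).rstrip("/")
    # Application permissions are in "roles" (list); delegated ones in "scp" (space separated).
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return {"aud": aud, "aud_ok": aud in GRAPH_AUDIENCES,
            "missing": sorted(REQUIRED - granted)}

def make_sample(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed samples: a Key Vault token (wrong audience for Graph) and a
# Graph token that lacks one of the consented permissions.
KEYVAULT_TOKEN = make_sample({"aud": "https://vault.azure.net"})
GRAPH_TOKEN = make_sample({"aud": "https://graph.microsoft.com",
                           "roles": ["User.Invite.All", "User.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("keyvault", KEYVAULT_TOKEN), ("graph", GRAPH_TOKEN)):
        print(name, diagnose(tok))
```

Access tokens are credentials, so a local check like this avoids pasting a live token into a web page.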