Access Token For Using Graph API To Pull Azure AD Group Members

Mohit Nayar 1 Reputation point
2021-11-12T21:53:09.013+00:00

I would like to list all users that are part of an Azure AD Group. I am trying to do this with a Service Principal which has Directory.ReadAll permissions. Would anyone know what values to use for requesting an authorization token body call?

For the auth token I am using the GET call to the url https://login.microsoftonline.com/<tenant-id>/oauth2/token:

scope: https://graph.microsoft.com/.default
resource: ???
grant_type: client_credentials
response_mode: query

For the GET call for getting the members of group_id I am using the url https://graph.microsoft.com/v1.0/groups/<group-id>/members?$count=true and the bearer auth token from the first call. I get the below error.

{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": "2021-11-12T10:57:02",
"request-id": "6e2db164-ba04-4d33........",
"client-request-id": "6e2db164....."
}
}
}


1 answer

  1. Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator
    2021-11-17T16:56:16.89+00:00

    Hi @Anonymous, to get the access token you are using the V1 endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/token, which, it seems, is not picking the right audience here. Your API must validate this value and reject the token if the value doesn't match.

    If you are trying to call any https://graph.microsoft.com API, you need a token with the aud claim of https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000.

    You can specify the resource value https://graph.microsoft.com in the request to get the desired audience to call the Microsoft Graph API.

    You can check the value of aud in the bearer token at jwt.ms.

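The audience mismatch above, worked through as an added example (not code from the question or the answer): it builds the client-credentials request body for the v1 endpoint (`resource`) versus the v2 endpoint (`scope=.../.default`), decodes a token's `aud` claim locally the way jwt.ms does, and prepares the group-members call. Tenant, client and group ids are placeholders, and `sample_unsigned_jwt` produces a constructed token only so the audience check can be exercised offline.

```python
import base64
import json
from urllib.parse import urlencode

# Both audiences Microsoft Graph accepts in the token's `aud` claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def token_request(tenant_id, client_id, client_secret, v2=False):
    """Build (url, urlencoded body) for a client-credentials token request.
    The v1 endpoint takes `resource`; the v2 endpoint takes `scope=.../.default`.
    Sending `scope` to the v1 endpoint is what yields the wrong audience."""
    creds = {"grant_type": "client_credentials",
             "client_id": client_id, "client_secret": client_secret}
    if v2:
        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        creds["scope"] = "https://graph.microsoft.com/.default"
    else:
        url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
        creds["resource"] = "https://graph.microsoft.com"
    return url, urlencode(creds)


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Decode a JWT payload for inspection only: no signature check, so this
    tells you what a token says, never whether it can be trusted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def graph_audience_ok(token):
    """True if the token's `aud` is one Microsoft Graph will accept."""
    return jwt_claims(token).get("aud") in GRAPH_AUDIENCES


def members_request(group_id, access_token):
    """URL and headers for listing group members; `$count=true` on directory
    objects additionally requires the ConsistencyLevel header."""
    url = f"https://graph.microsoft.com/v1.0/groups/{group_id}/members?$count=true"
    return url, {"Authorization": f"Bearer {access_token}",
                 "ConsistencyLevel": "eventual"}


def sample_unsigned_jwt(claims):
    """Constructed, unsigned token used only to exercise graph_audience_ok."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `graph_audience_ok` on the real token from the first call before the Graph request; an `aud` of anything other than the two Graph values reproduces the InvalidAuthenticationToken error in the question.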
