Hi @T Giri • Thank you for reaching out.
Yes, the audience claim in the token must match the API that is consuming the token. You can use https://jwt.ms to decode the token that you are passing in the Authorization header of your first call and confirm whether it is https://graph.microsoft.com
For the error AADSTS50056: Invalid or missing password: password does not exist in the directory for this user, there can be two reasons:
- The password that you have provided in the body of your token acquisition call is a temporary password. A temp password is marked as expired, and Postman doesn't provide an option for you to reset it. If it is a temp password, please try to sign in to portal.azure.com or portal.office.com and set a permanent password for the user account you are using.
- The user account you are using is a federated account and is not synced to Azure AD. In that case, please follow the instructions I have provided in my blog post here: https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d
Feel free to tag me in your reply if you have any further questions.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
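As an added example that is not part of the answer above, the following script does the same inspection as https://jwt.ms offline: it base64url-decodes the JWT you pass in the Authorization header (without verifying the signature, so the output is for debugging only, never for authorization decisions) and checks that the `aud` claim matches the API you are calling and that the token has not expired. The `make_unsigned_token` helper, the `alg: none` header it uses and the sample claims are constructed here for the example; the second accepted audience value (the Microsoft Graph application ID) is an assumption added for convenience and is not mentioned in the answer.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Return (header, claims) of a compact JWT WITHOUT checking the signature.

    This mirrors what jwt.ms shows you. Because nothing is verified, only use
    the result to debug which token you are sending, never to grant access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 dot-separated segments)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def audience_matches(claims: dict, accepted_auds) -> bool:
    # Per RFC 7519 'aud' may be a single string or a list of strings.
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud in accepted_auds
    if isinstance(aud, list):
        return any(a in accepted_auds for a in aud)
    return False


def check_token_for_api(token: str, accepted_auds, now=None):
    """Return a list of problems (empty list means the token looks usable for the API)."""
    _header, claims = decode_jwt_unverified(token)
    problems = []
    if not audience_matches(claims, accepted_auds):
        problems.append(
            f"aud is {claims.get('aud')!r}, expected one of {sorted(accepted_auds)!r}"
        )
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        problems.append("token is expired")
    return problems


def make_unsigned_token(claims: dict) -> str:
    # Constructed test token with alg 'none' and an empty signature segment.
    # Real Azure AD tokens are RS256-signed; this helper exists only so the
    # example can run offline without a tenant.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Audiences under which Microsoft Graph tokens are issued (the GUID form is an
# assumption added for this example; the answer above only names the URL form).
GRAPH_AUDS = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

if __name__ == "__main__":
    # Constructed sample: a token minted for a different API, as in the question.
    wrong_api_token = make_unsigned_token({"aud": "api://my-own-api", "exp": 4102444800})
    print(check_token_for_api(wrong_api_token, GRAPH_AUDS))
    graph_token = make_unsigned_token({"aud": "https://graph.microsoft.com", "exp": 4102444800})
    print(check_token_for_api(graph_token, GRAPH_AUDS))
```

Paste the real bearer token from your Postman call in place of the constructed one; an `aud` of anything other than the Graph values is exactly the mismatch the answer describes, and calling Graph with such a token fails regardless of how the token was acquired.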