This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 5%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
i'm trying to use this guide to get a token with a web app managed identity to send Mail as a user with Microsoft Graph
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app?tabs=azure-powershell#prerequisites
var credential = new DefaultAzureCredential();
var token = credential.GetToken(
new Azure.Core.TokenRequestContext(
new[] { "https://graph.microsoft.com/.default" }));
var accessToken = token.Token;
var graphServiceClient = new GraphServiceClient(
new DelegateAuthenticationProvider((requestMessage) =>
{
requestMessage
.Headers
.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
return Task.CompletedTask;
I run the powershell and i can see the permission in the enterprise application as shown in the link, but when i decode the token i can't see any role in it.
What could I done wrong? Is there something else i could check?
Thanks
@Stefano Parse your token and provide a screenshot.
Here it is
Can you go to App registrations>your app>API permissions and see if your app is granted application permissions and has admin consent been granted?
Hi, there is no permission under "App registration", but only under "Enterprise applications." as shown in the guide, because it's a permission for the managed identity
In that section, there is no "grant admin" because of this
"The ability to consent to this application is disabled as the app does not require consent. Granting consent only applies to applications requiring permissions to access your resources." (the screenshot in the first )
Is your application a multi-tenant application? As far as I know, permissions cannot be granted under enterprise application, only grant admin consent.
No, my app is not multi tenant.
In this example, it shows how to do it (in fact, it's not possibile through UI, only with powershell)
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app?tabs=azure-powershell#prerequisites
The problem is that i need that the WebJob running Web App has to authenticate to the Graph Api, so i need that type of configuration
Hi @Stefano
Indeed! This is a problem caused by a delay, I can reproduce your problem locally and it seems to have a long delay.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 57.00000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVK%3C/text%3E%3C/svg%3E)
Hi ,
As far as what I understood you want to config to authenticate graph API through your app , if i am correct , you can follow the docs , Hope it will help you to fix your issue .
Thanks.
The guide shows how to "add access to Microsoft Graph from your web app and perform some action as the signed-in user. This section describes how to grant delegated permissions to the web app and get the signed-in user's profile information from Azure Active Directory (Azure AD)."
But i need to call Graph without a signed in user, using the app identity, as shown in the link in the post.
To be precise, i need to call Graph within a Web job in a Azure Web app.
I had the same configuration in a different tenant (but it's a develop tenant, with a lot of configurations)., so I think i'm missing something this time.
Thanks
Hi ,
could you please check the token in https://jwt.ms/ and provide us the screenshot of token's audience and scope as well , we would also like to confirm if are you using OBO authentication flow?
It seems that after a few days, it started to working without any edit.
I don't know why it takes so long to have the permission in the tenant, but it seems the first guide is correct, but need time to have the permission available.
Thanks anyway
Good to know that it has been solved now , If the 1st guide was helpful, please click "Accept Answer" and kindly upvote it , it will help others .
Thanks.
It seems that the guide is correct, but takes time to the permissions to be available