Exchange Calendar API to Microsoft Graph

43233777 21 Reputation points
2022-06-16T11:04:29.907+00:00

Issue:
We have a feature in our application which reads free_busy data of the users (Instructors in this case) who share the calendar with their Exchange server. To get this done, we first get “consent” from the Admin of the organizations (Universities in our case).
For this we are using an Azure application (multi-tenant application) so that we can get the required consent, with which we create an OAuth token using the same application.

When we implemented this back in 2020, we used “Exchange API in Azure application” initially to get the admin consent. Now we are planning to migrate these applications. During the process of migration, we learnt that “Azure Exchange API” is deprecated and is no longer available as an option when we create a new Azure application. We also learnt that we have to use “Graph API” for getting the API permissions.

Therefore we created Azure applications using Microsoft Graph and added the required permissions to them. We are using “PublicClientApplication.class” from the MSAL library, and we are using the “acquireToken(UserNamePasswordParameters)” method to generate the OAuth token by passing the applicationId which we created.

When we decrypt the generated OAuth token, we see that the Aud is https://outlook.office365.com/ but app_displayname/appid is exactly the one which we newly created using the Graph API for API permission.

But from (Case #:310486860) we learnt that when we use an Azure application having API permissions created with Graph API, the “Aud” in the OAuth token should be https://graph.microsoft.com/.

Questions:

  • Is the “Aud” -> “https://outlook.office365.com” expected and correct in this case? If yes, do we not need to migrate that to reflect "https://graph.microsoft.com/"? If we need to migrate it, we would need some assistance with the same.

1 answer

  1. CarlZhao-MSFT 45,186 Reputation points
    2022-06-17T08:00:10.97+00:00

    Hi @JainRajendraKumarHarshith-5881

    The Outlook API is obviously wrong as the token audience. If you call the Graph API with that token, you will get a 401 error.

    As you said, you need the Graph API as the audience for the token. The solution is to change the scope to the Graph API.

    I have written a piece of code for getting a token for the Graph API. It should help you; please refer to:

            using Azure.Core;      // TokenRequestContext
            using Azure.Identity;  // UsernamePasswordCredential, TokenCredentialOptions, AzureAuthorityHosts

            // Request the Microsoft Graph resource so that the token is issued for Graph
            var scopes = new[] { "https://graph.microsoft.com/.default" };

            // Multi-tenant apps can use "common",
            // single-tenant apps must use the tenant ID from the Azure portal
            var tenantId = "{tenant id}";

            // Value from app registration
            var clientId = "{client id}";

            var options = new TokenCredentialOptions
            {
                AuthorityHost = AzureAuthorityHosts.AzurePublicCloud
            };

            var userName = "{user name}";
            var password = "{password}";

            // https://learn.microsoft.com/dotnet/api/azure.identity.usernamepasswordcredential
            var userNamePasswordCredential = new UsernamePasswordCredential(
                userName, password, tenantId, clientId, options);

            // Acquire the access token for the requested scopes and print it
            var accessToken = await userNamePasswordCredential.GetTokenAsync(new TokenRequestContext(scopes));
            Console.WriteLine(accessToken.Token);
    


    Parse the token.




    1 person found this answer helpful.
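
A check for the audience problem discussed in this thread, as an added example (not code from the question or the answer): it decodes an access token's payload without verifying the signature and reports whether `aud` names Microsoft Graph. The function names and sample tokens are constructed for illustration; the GUID is Microsoft Graph's well-known application ID, which can appear as `aud` in place of the URI.

```python
import base64
import json

# Audiences that identify Microsoft Graph: the resource URI from this thread,
# plus Graph's well-known application ID (assumption: accepted as equivalent).
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def audience_is_graph(token: str) -> bool:
    """True if the token's aud claim names Microsoft Graph."""
    aud = decode_claims(token).get("aud")
    values = aud if isinstance(aud, list) else [aud]
    # Ignore a trailing slash and letter case so both URI spellings match.
    return any(
        isinstance(v, str) and v.rstrip("/").lower() in GRAPH_AUDIENCES
        for v in values
    )

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    # Constructed samples: the audience from the question, then the expected one.
    for aud in ("https://outlook.office365.com/", "https://graph.microsoft.com/"):
        token = make_sample_token({"aud": aud, "appid": "{client id}"})
        verdict = "OK for Graph" if audience_is_graph(token) else "wrong audience"
        print(f"{aud} -> {verdict}")
```

Running this check on the token right after acquisition catches a wrong resource scope before the first Graph call returns 401.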
