Microsoft Graph Authorization - always redirected with an invalid code parameter

Marin Desnica 11 Reputation points

I implemented Microsoft Graph authentication and authorization, I used the auth code flow to get a refresh/access token and it works on my localhost and it worked up until yesterday online.

The problem is that now every time a user authenticates he get's redirected to the right redirect_uri, but with a code parameter that seems to be invalid, and I am unable to get an access/refresh token with it.

When I start the flow from my local machine, it still works, I get redirected to my local machine with a valid code and get a valid access/refresh token. It only fails when I start the flow from my online app, even though nothing changed from yesterday when it worked, it always redirects with an invalid code.

The code itself is huge, it is usually was 45 characters and now it is 876... also, previously it started with M.R3_ and now it starts with 0.AQ4AaN-.

Also, the code is always the same no matter who tries to login, tested with multiple accounts and with multiple machines/IP addresses.

Can you help me solve this issue? I will gladly provide more information!


It started working again without any changes on my end, no changes where made in code or azure app.

I still don't know what happened and I would like to know how to prevent this failure in the future.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,019 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,726 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Zehui Yao_MSFT 5,811 Reputation points

    Hi @Marin Desnica , Hopefully this can give you some references. When authenticating with a personal account (setting the tenant parameter to common), a code that begins with M.R3_ is returned. On the other hand, when you authenticate with a work account, it returns a code that starts with 0.AQ4AaN-.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.