Is it possible to access the Graph API with SAML 2 authentication? It is pretty straightforward with OAuth, as the user already has a token that can be used to access the Graph API, but what about SAML? I found a process of requesting an OAuth token with the existing SAML assertion at the oauth/v2.0/token endpoint, using the "openid https://graph.microsoft.com/.default" scope and the "urn:ietf:params:oauth:grant-type:saml2-bearer" grant_type, but I'm getting this error (code 50107): AADSTS50107: The requested federation realm object 'https://sts.windows.net/24c41f78-xxxx-xxxx-xxxx-xxxxxxxxxxx/' does not exist
Maybe I'm doing something completely stupid, but I'm sure there must be a way? I am completely new to Azure and pretty new to SAML 2 and OAuth.
According to some of the GitHub issues, this probably isn't possible without federation, i.e. when using SAML with AAD, it isn't possible to exchange an assertion for a token and access the Graph API? Here are some links:
https://github.com/MicrosoftDocs/azure-docs/issues/40210
https://github.com/MicrosoftDocs/azure-docs/issues/59746
but mainly this one:
https://github.com/MicrosoftDocs/azure-docs/issues/45071
Background: I'm trying to set up a web app (service provider) integration where Azure AD acts as the SSO identity provider, having signed up for the Microsoft 365 Developer Program Sandbox. We need to support both OAuth and SAML 2. For Azure AD users, the group information returned directly in the OAuth ID token or as a SAML attribute is always just a set of group OIDs (names are only returned for on-premises AD, depending on the claim setup), so we're using the Graph API to get additional group details with the OAuth integration, namely https://graph.microsoft.com/v1.0/me/memberOf. It would be helpful if we could do the same with SAML. The ultimate goal is to get group membership details for the authenticated user. I'm sorry if my terminology is not quite right.
Thanks for any ideas in advance!
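The question's stated goal is the group membership of the authenticated user via /me/memberOf. As an added example (not part of the original post, and not Microsoft's code), the following shows the part of that OAuth path that is easy to get wrong in practice: following Graph's @odata.nextLink paging so that no groups are silently dropped, and filtering on @odata.type so that directory roles returned from the same endpoint are not mistaken for groups. The `fetch_json` callable is a hypothetical stand-in for an authenticated GET with the Graph access token, and the two response pages are constructed sample data, not real tenant output.

```python
"""Added example (not from the original post): collect the authenticated
user's group memberships from Microsoft Graph's /me/memberOf endpoint,
following @odata.nextLink paging and keeping only group objects.

Assumptions: the caller already holds an OAuth access token for Graph (the
OAuth path the question already uses); `fetch_json` is a hypothetical
callable that performs an authenticated GET and returns the decoded JSON
body. SAMPLE_PAGES below is constructed sample data, not real output."""

from typing import Callable, Dict, Iterable, List

GRAPH_MEMBER_OF = "https://graph.microsoft.com/v1.0/me/memberOf"
GROUP_TYPE = "#microsoft.graph.group"


def iter_member_of(fetch_json: Callable[[str], dict],
                   url: str = GRAPH_MEMBER_OF) -> Iterable[dict]:
    """Yield every directoryObject in /me/memberOf, following paging links.

    Graph returns one page per request; the next page, if any, is reachable
    through the '@odata.nextLink' property. Stopping only when that property
    is absent avoids truncating a user's group list at the first page."""
    seen = set()  # guard against a malformed or looping nextLink chain
    while url:
        if url in seen:
            raise RuntimeError(f"paging loop detected at {url}")
        seen.add(url)
        page = fetch_json(url)
        for obj in page.get("value", []):
            yield obj
        url = page.get("@odata.nextLink")


def groups_from_member_of(fetch_json: Callable[[str], dict]) -> List[Dict[str, str]]:
    """Return [{'id': ..., 'displayName': ...}, ...] for group objects only.

    /me/memberOf is typed as directoryObject, so the same list can also
    contain directory roles ('#microsoft.graph.directoryRole'). Filtering on
    '@odata.type' keeps an authorization decision from treating a role as
    if it were a group."""
    groups = []
    for obj in iter_member_of(fetch_json):
        if obj.get("@odata.type") != GROUP_TYPE:
            continue
        groups.append({"id": obj["id"], "displayName": obj.get("displayName", "")})
    return groups


# --- constructed sample data: two pages shaped like Graph responses ----------
_PAGE2 = GRAPH_MEMBER_OF + "?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    GRAPH_MEMBER_OF: {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
        "@odata.nextLink": _PAGE2,
        "value": [
            {"@odata.type": "#microsoft.graph.group",
             "id": "11111111-1111-1111-1111-111111111111",
             "displayName": "Finance"},
            {"@odata.type": "#microsoft.graph.directoryRole",
             "id": "22222222-2222-2222-2222-222222222222",
             "displayName": "Global Reader"},
        ],
    },
    _PAGE2: {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
        "value": [
            {"@odata.type": "#microsoft.graph.group",
             "id": "33333333-3333-3333-3333-333333333333",
             "displayName": "Engineering"},
        ],
    },
}


def sample_fetch_json(url: str) -> dict:
    """Offline stand-in for an authenticated GET against Graph."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for g in groups_from_member_of(sample_fetch_json):
        print(g["id"], g["displayName"])
```

Run with the sample fetcher, the first page contributes only the Finance group (the directory role is skipped) and the second page adds Engineering; swapping `sample_fetch_json` for a real authenticated GET keeps the paging and type-filtering logic unchanged.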