I’m working on two ASP.NET Core 3.1 projects: a web API and an MVC app. Both are set up in Azure AD. The API is meant to create calendar events based on what the MVC app sends it. I’m following Microsoft’s guide, but when the API tries to use Microsoft Graph, I get this error:
I’ve tried adding “https://graph.microsoft.com” to the ValidAudiences in the API project, but it didn’t help. In the MVC project, I’m getting a token with the authority set to “api://client_id”.
Has anyone run into this before? What am I missing? I’ve been stuck on this for days and could really use some advice. Thanks!
I’ve encountered similar issues with Microsoft Graph API authorization. It sounds like your token’s audience doesn’t match what Graph expects. Instead of adding Graph’s URL to ValidAudiences, try requesting a token specifically for Graph.
In your MVC app, when acquiring the token, use the scope ‘https://graph.microsoft.com/.default’ instead of your API’s scope. This tells Azure AD to include all statically configured permissions for Graph in the token.
Also, ensure your app registration in Azure AD has the necessary Graph API permissions. You might need to grant admin consent for these permissions.
If you’re still stuck, double-check your app’s manifest in Azure AD. The ‘accessTokenAcceptedVersion’ should be set to 2 for v2.0 endpoints.
Hey, I've had this problem before. It's super annoying! Make sure you're requesting the right scopes in your token. Try using ‘https://graph.microsoft.com/.default’ as the scope when you get the token. That should fix it. Also check your app registration in Azure AD, sometimes the permissions there can mess things up. Good luck!
I’ve dealt with this exact issue before, and it can be incredibly frustrating. From my experience, the problem often lies in how you’re acquiring the token for Graph API. Instead of using ‘api://client_id’ as the authority, try using ‘https://login.microsoftonline.com/{tenant_id}/v2.0’ where {tenant_id} is your Azure AD tenant ID.
Also, make sure you’re requesting the correct scopes. For Graph API, you typically want to use ‘https://graph.microsoft.com/.default’ as your scope. This tells Azure AD to include all the statically configured permissions for Graph in the token.
Another thing to check is your app’s configuration in Azure AD. Ensure that you’ve added the Graph API application ID (00000003-0000-0000-c000-000000000000) to your app’s API permissions.
If none of these solve the issue, you might want to use a tool like JWT.ms to decode your token and check if the audience (‘aud’ claim) matches what Graph API expects. This can provide valuable insights into what might be going wrong.
Don’t give up - once you get past this hurdle, working with Graph API becomes much smoother!
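An added offline version of the check suggested in the answer above (example code, not the poster's): it decodes a token's payload the way JWT.ms does, without verifying the signature, and reports whether the `aud` claim belongs to the web API (`api://client_id`) or to Microsoft Graph. The client_id GUID and the two sample tokens are constructed placeholders, not real Azure AD tokens.

```python
import base64
import json

# Audiences Azure AD places in a Microsoft Graph access token: the resource
# URL, or the Graph application ID quoted in the answer above.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the
    signature. Diagnostic only, like pasting the token into JWT.ms."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token: str, api_audience: str) -> dict:
    """Report which resource a token was issued for, so an audience mismatch
    between the web API and Graph is visible. api_audience is the API's own
    identifier URI, e.g. 'api://<client_id>'."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if auds & GRAPH_AUDIENCES:
        resource = "graph"    # usable against Graph; the API's ValidAudiences rejects it
    elif api_audience in auds:
        resource = "api"      # accepted by the API; Graph rejects it
    else:
        resource = "unknown"
    return {
        "resource": resource,
        "ver": claims.get("ver"),                 # compare with accessTokenAcceptedVersion
        "scopes": claims.get("scp", "").split(),  # delegated scopes granted to the token
    }

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg 'none') JWT for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample tokens; the client_id GUID is a placeholder, not a real registration.
API_AUDIENCE = "api://11111111-2222-3333-4444-555555555555"
API_TOKEN = make_unsigned_token({"aud": API_AUDIENCE, "scp": "access_as_user", "ver": "2.0"})
GRAPH_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "Calendars.ReadWrite", "ver": "1.0"})
```

Run `diagnose(<token>, "api://<your client_id>")` on a real token copied from the MVC app's request; a result of `"api"` means the token was minted for your own API and will not be accepted by Graph.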