Calling to graph api after user authentication RRS feed

  • Question

  • Hi,

    After user is authenticated (using openID connect), can I use his JWT (id_token) to call to the Graph API (https://graph.windows.net/XYZ.onmicrosoft.com/users?api-version=1.0&...)?

    I want to get full user profile (including user groups).

    Currently, I'm getting the following error:

    Response body

      "odata.error": {
        "code": "Authentication_MissingOrMalformed",
        "message": {
          "lang": "en",
          "value": "Access Token missing or malformed."

    Response headers

    'request-id': '48c2e927-a746-42b9-8c59-49219ca5da48',
    'client-request-id': '323ff27a-e589-4cea-8060-5e5c6a419d2e',
    'x-ms-dirapi-data-contract-version': '1.0',
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
    'access-control-allow-origin': '*',
    'www-authenticate': 'Bearer realm="XYZ.onmicrosoft.com", error="invalid_token", error_description="Access Token missing or malformed.", authorization_uri="https://login.windows.net/XYZ.onmicrosoft.com/oauth2/authorize", client_id="00000002-0000-0000-c000-000000000000"'


    Monday, May 18, 2015 7:53 PM


All replies

  • Hi,

    No - I'm afraid that the id_token can only be used for authentication purposes and cannot be used as an access token to call the Graph API.  For this you'll need to redeem an authorization code for an access token (and refresh token) from the token endpoint which can then be used to call the Graph API.

    Hope this helps,

    Dan Kershaw [msft]

    Tuesday, May 19, 2015 12:54 AM
  • How about this http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/17/using-oauth-2-0-authorization-code-grant-for-delegated-access-of-directory-via-aad-graph.aspx ?
    Tuesday, May 19, 2015 1:14 PM
  • Solved! I need to specify "&resource=https://graph.windows.net":

    Request URL:



    Request Parameters:

    response_type code

    client_id               599cea60-a2ba-4f9b-8f06-9f92986560f1

    resource              https://graph.windows.net

    redirect_uri        https://localhost:9385/HandleAuthorizeResponse.php

    More info: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/17/using-oauth-2-0-authorization-code-grant-for-delegated-access-of-directory-via-aad-graph.aspx

    Tuesday, May 19, 2015 2:07 PM