How do I access Azure AD Graph and Microsoft Graph using the same OAuth2 token?

I want to access the Azure AD Graph API and the Microsoft Graph API using the same OAuth2 token (in a Swift 3 iOS app) - is this possible?

I want to access the following APIs:

I created my own app in the Azure portal and added permissions for Microsoft Graph and Microsoft.Azure.ActiveDirectory (with specified permission scopes)

I can get access to both APIs just by changing the resource property of the authentication (for login), so the Azure configuration seems correct. But when I try to use the same token to access a different API than the resource I authenticated with, I get an "Unauthorized" error. I tried adding both URLs to the resource property, but then I get an error ("AADSTS50001: Application name was not found on tenant"). What am I doing wrong, or what am I missing...?

If this is not possible - why then can you add multiple APIs to the Azure Portal?

Reason for accessing both APIs: Microsoft Graph doesn't give me all properties (but does support delta changes) and Azure AD Graph gives me the full profile - both without admin consent (using delegated permissions).

+3




2 answers


You cannot literally call both APIs using the same access token. Since the access token has a specific audience, one of the APIs will reject the token if the audience claim does not match its own application ID URI.

It seems that what you really want to achieve is getting two tokens using one login experience, and you can do that.



By using the authorization code grant flow, you can log in without specifying a resource. The user will be presented with consent for both the AAD Graph and MS Graph API permissions, and your app will receive an auth code when login is complete. At this point, your application can call the token endpoint twice with the same authorization code to obtain two access tokens for the two endpoints. From there, you can manage the two tokens and maintain access to both APIs at the same time.

I do this in one of my Python examples here, except my two endpoints are the AAD Graph API and Azure Resource Manager.

+3


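The two-step procedure from the answer above, as an added example that is not the answerer's own code: one authorization request with no `resource`, then one token request per API using the same code, and a helper that routes each token by its `aud` claim so the wrong token is never sent to an API. The client ID and redirect URI are placeholders, and the sample tokens are constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode

# Azure AD v1 endpoint used by the question's app; client values are placeholders.
AUTHORITY = "https://login.microsoftonline.com/common/oauth2"
AAD_GRAPH = "https://graph.windows.net"       # Azure AD Graph resource identifier
MS_GRAPH = "https://graph.microsoft.com"      # Microsoft Graph resource identifier


def authorize_url(client_id, redirect_uri, state):
    """Step 1: one login with no 'resource' parameter, so the consent screen
    covers every API the app registration lists (AAD Graph and MS Graph)."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def token_request_body(code, client_id, redirect_uri, resource):
    """Step 2: POST this form to AUTHORITY/token once per resource, reusing the same code."""
    return {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "redirect_uri": redirect_uri, "resource": resource}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(access_token):
    """Read the 'aud' claim of a JWT access token. This is routing, not validation:
    the client does not check the signature; the API receiving the token does."""
    payload = access_token.split(".")[1]
    return json.loads(_b64url_decode(payload))["aud"]


def pick_token(tokens, resource):
    """Return the token issued for `resource`, or None. Sending a token whose
    audience is the other API is exactly what produces the 401 in the question."""
    return next((t for t in tokens if token_audience(t) == resource), None)


def constructed_token(aud):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'aud': aud, 'upn': 'user@example.com'})}."


if __name__ == "__main__":
    print(authorize_url("app-id-placeholder", "myapp://auth", "state-placeholder"))
    tokens = [constructed_token(AAD_GRAPH), constructed_token(MS_GRAPH)]
    print(token_audience(pick_token(tokens, MS_GRAPH)))  # https://graph.microsoft.com
```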


There is another option besides the authorization code flow. If you have an existing access token that is addressed to one audience and want to use it for another audience (keeping both the identity of the client and the user that is contained in the token), you can use the On-Behalf-Of grant to exchange the token for a new one, only this time for the resource you need.



You can read about it in the official docs or in my post Getting an Access Token for Microsoft Graph Using OAuth REST API.

0

