Authorization_IdentityNotFound Error while accessing graph API

I have searched for the error I found but did not find any matching questions, so I am posting one. I would appreciate it if someone could provide some pointers on how to proceed.

My goal is to access the Graph API from my desktop client. I have started using Fiddler to experiment.

  • I have followed the instructions provided at https://graph.microsoft.io/en-us/docs/authorization/app_only
  • Registered a web app using the Application Registration portal with my Microsoft work account.
  • Provided 'Read all users' full profiles' in Delegated permissions.
  • Requested a token and used it in the Authorization header to call the Graph API, and I get the following error.

    https://graph.microsoft.com/v1.0/users
    119
    {
      "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
          "request-id": "4c3a7bc6-e3d8-453c-adc9-5a12fec3b0ee",
          "date": "2016-05-11T00:46:23"
        }
      }
    }
    
Asked by Manohar, May 11 '16 00:05


3 Answers

In my case, I got the same error after I used Quickstart (step 1), then automatically configured the .NET sample (step 2), then downloaded the code sample (step 3) as shown in the picture below.

All steps were done successfully except step 3. The Microsoft code generation generated the app ID and app secret in the project successfully, but the tenant was set to common in appsetting.json, as seen in the image below.

I thought it was a valid thing, but later found out that this caused the issue.

Solution: I copied the Directory (tenant) ID, then replaced common with the tenant ID, and it worked. I am not sure if this is a bug in the Azure Quickstart code generation.

Answered by Maytham, Nov 15 '22 09:11


This sample helped me understand the flows around app-only permissions. https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/

Key takeaways for me:

  • Ensure you set up the app and specify the Application Permissions needed.
  • Have an admin grant the app permission to run against the relevant directory.
  • Get the relevant token:

    Notice the scope in the request below is https://graph.microsoft.com/.default

    POST https://login.microsoftonline.com/{tenantname}.onmicrosoft.com/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=client_credentials&client_id=6abf3364-0a60-4603-8276-e9abb0d843d6&client_secret=JfgrNM9CcW...&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
    
  • Use the token to request the relevant Graph resource, e.g.:

    GET https://graph.microsoft.com/v1.0/users/demouser01@[tenant-name].onmicrosoft.com/drive/root/children
    
    Accept: application/json
    Authorization: Bearer eyJ0eXAiOi
    
Answered by Irwin, Nov 15 '22 10:11


For me, I had not given admin consent. This is a critical step. My mistake was in thinking that by granting the app permissions, this was giving admin consent, but it's not the same thing.

From step 3 on this site: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

I just pasted their call into a browser after filling in the tenant and client id, then signed in, and everything worked.

    GET https://login.microsoftonline.com/{tenant}/adminconsent
    ?client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &state=12345
    &redirect_uri=http://localhost/myapp/permissions

Answered by TheJeff, Nov 15 '22 08:11
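The three answers point at the same two root causes for Authorization_IdentityNotFound: the app-only token was requested from the multi-tenant "common" authority (Maytham), or the application permissions were never admin-consented (Irwin, TheJeff). The following helper, an added example rather than code from the question or any answer, ties those together: it refuses multi-tenant aliases before building the client_credentials request, builds the adminconsent URL, and maps the Graph error body to the corrective action. The tenant, client ID, secret and redirect URI values are constructed placeholders, and the `request_token` live call is the only part that touches the network.

```python
"""App-only (client_credentials) helper for Microsoft Graph.

Added example, not code from the question or the answers above. Client id,
secret, tenant and redirect values are constructed placeholders.
"""
import json
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
LOGIN_BASE = "https://login.microsoftonline.com"

# Multi-tenant authority aliases: fine for delegated sign-in, but there is no
# user in the client_credentials grant to select a directory, so no app
# identity can be established from them.
NON_TENANT_ALIASES = {"common", "organizations", "consumers"}


def validate_tenant(tenant: str) -> str:
    """Return the tenant unchanged, or raise if it is a multi-tenant alias."""
    if tenant.strip().lower() in NON_TENANT_ALIASES:
        raise ValueError(
            f"tenant '{tenant}' cannot issue app-only tokens; use the "
            "Directory (tenant) ID or <name>.onmicrosoft.com instead"
        )
    return tenant


def build_token_request(tenant: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the v2.0 client_credentials token call."""
    url = f"{LOGIN_BASE}/{validate_tenant(tenant)}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default = every Application permission already consented for this app
        "scope": GRAPH_SCOPE,
    })
    return url, body


def build_admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """URL an administrator opens once to grant the app's Application permissions."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
    })
    return f"{LOGIN_BASE}/{validate_tenant(tenant)}/adminconsent?{query}"


def diagnose_graph_error(response_body: str) -> str:
    """Map a Graph error body (like the one in the question) to the fix."""
    try:
        code = json.loads(response_body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        return "unrecognised response body"
    hints = {
        "Authorization_IdentityNotFound": (
            "token carries no application identity: request it from a "
            "tenant-specific authority (not 'common') and confirm an admin "
            "has consented to the app's Application permissions"
        ),
        "Authorization_RequestDenied": (
            "token is valid but the required Application permission is "
            "missing or not admin-consented"
        ),
    }
    return hints.get(code, f"unhandled Graph error code: {code}")


def request_token(tenant: str, client_id: str, client_secret: str, timeout: int = 10) -> str:
    """Perform the live token call (needs network access and a real registration)."""
    url, body = build_token_request(tenant, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Constructed placeholder values; the request is built but not sent.
    url, body = build_token_request(
        "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000001", "PLACEHOLDER_SECRET")
    print(url)
    print(body)
    print(diagnose_graph_error('{"error": {"code": "Authorization_IdentityNotFound"}}'))
```

The secret is sent only in the POST body over TLS, never in a query string, and `validate_tenant` fails fast so a misgenerated `common` setting is caught before any credential leaves the machine.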