Azure AD returns Authentication_ExpiredToken on valid access token

I'm getting "Your access token has expired. Please renew it before submitting the request." when I call the https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5 endpoint.

To prevent any stupid questions - Yes, I know that using Microsoft Graph is recommended instead of Azure AD Graph. I'm aware of it and I'm using it. But for my current case I need to request exactly Azure AD Graph.

Test case:

  1. I successfully login on https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=.... and get code in the response.
  2. I successfully exchange code and get access_token on https://login.microsoftonline.com/common/oauth2/v2.0/token.
  3. I successfully make requests to any Microsoft Graph endpoint (i.e. https://graph.microsoft.com/education/me/classes).
  4. I call https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.5.
  5. I get the error Authentication_ExpiredToken: "Your access token has expired. Please renew it before submitting the request."
  6. I successfully make requests to any Microsoft Graph endpoint, so the access_token is valid.

Based on this article: https://docs.microsoft.com/azure/active-directory/develop/active-directory-appmodel-v2-overview, I can use this access token to access both Microsoft Graph API as well as Azure AD Graph API.

So, I'm using v2.0 which should work for those: https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code.

What am I doing wrong?

Thank you!

Kostiantyn asked Mar 09 '18 11:03

1 Answer

A token used to call the Microsoft Graph cannot be used to call the Azure AD Graph API.

When you look at the access token from Azure AD, there is a parameter called aud which stands for "audience". This property tells the API receiving the token the valid audience for that token.

If I own an API, "WebAPI1", and I get a token where the audience is something else, like "WebAPI2", I should reject that token, and not give the client access to my APIs. The reasons for this behavior should be obvious, but it causes major security issues if this check does not occur.

The aud value for the Microsoft Graph is https://graph.microsoft.com/ while the aud for Azure AD Graph API is https://graph.windows.net/.

When requesting an access token, you need to specify which specific resource you want a token for using the scopes parameter. This and more information can be found here.

The solution here is to get a different access token for the different API, and your issues should be resolved.

Let me know if this helps!

Shawn Tabrizi answered Oct 31 '22 19:10