Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Microsoft Graph API: Authorization_IdentityNotFound

Tags:

python

microsoft-graph-api

I'm following the Get access without a user guide to write a Python script that will call Microsoft Graph.

This script will be scheduled from cron so it cannot get admin consent (therefore authorize using Client Credentials). I am able to successfully obtain a token using this call:

request_url = "https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token"
data = { 
   'Host' : 'login.microsoftonline.com',
   'Content-Type' : 'application/x-www-form-urlencoded',
   'client_id' : 'my-client-id-1234',
   'scope' : 'https://graph.microsoft.com/.default',
   'client_secret' : client_secret,
   'grant_type' : 'client_credentials'
}
response = requests.post(url = request_url, data = data)

I then try to get a user listing with this call, using the valid token:

request_url = "https://graph.microsoft.com/v1.0/users"
headers = { 
   'Authorization' : 'Bearer ' + token,
   'Host' : 'graph.microsoft.com'
}
response = requests.get(url = request_url, headers = headers)

The problem is that I get an Authorization_IdentityNotFound error:

<Response [401]>
{
   "error": {
      "code": "Authorization_IdentityNotFound",
      "message": "The identity of the calling application could not be established.",
      "innerError": {
         "request-id": "2257f532-abc4-4465-b19f-f33541787e76",
         "date": "2018-03-27T19:11:07"
      }
   }
}

These are the permissions I've selected:

graphPermsScreenshot

Any idea how to fix this error?

like image 908
Ryan Avatar asked Sep 18 '25 07:09

Ryan

2 Answers

For others running into this issue, I was also getting this error until found out the documentation omits a very important caveat:

  • For client credentials, if the app belongs to a work or school (organization) context then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name

See Authorization_IdentityNotFound on Microsoft Graph API request

like image 50
mschwartz Avatar answered Sep 19 '25 20:09

mschwartz

First things first, you can go ahead an remove all those Delegated Permission scopes. If you're using the Client Credentials Grant, you will only be using Application Permission scopes.

Second, you need to execute the Admin Consent flow before you can use Client Credentials. This is done by having a Global Admin from the tenant authenticate and accept your scope request:

https://login.microsoftonline.com/common/adminconsent?client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

You can read more about Admin Consent here: v2 Endpoint and Admin Consent

like image 37
Marc LaFleur Avatar answered Sep 19 '25 19:09

Marc LaFleur
Sign in to Comment

Related questions

Why is negative (MSE or MAS) Scoring parameter like- neg_mean_absolute_error in SKLEARN is considered for regression model evaluation
Errror parsing data in python FastAPI
No module named 'watchdog.observers'; 'watchdog' is not a package

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!