
Obtain access token for both Microsoft Graph and individual service API endpoints (Outlook REST APIs etc.)

I spent some time playing around with Azure AD OAuth 2.0.

An access token obtained with scope https://outlook.office.com/mail.read throws 401 Unauthorized when used with Microsoft Graph.

Similarly, an access token obtained with scope https://graph.microsoft.com/mail.read throws 401 Unauthorized when used with Outlook REST API endpoints.

Also, I get an error if I mention both the scopes while authorizing a user.

Is it possible to have access tokens that allow access to both Microsoft Graph and Outlook REST API endpoints?

I am building an emailing app. Initially, I will build basic features like syncing/sending emails.

I will be using Microsoft Graph, since it supports all that I need presently and Microsoft recommends it over individual service API endpoints.

I am worried about the future. The OAuth access tokens that I will obtain at present will have scope https://graph.microsoft.com/mail.read. In the future, it may happen that a new feature I want to build is not supported by Microsoft Graph but is supported by Outlook REST API endpoints. At such a time I would want to use the Outlook REST API endpoints.

Do I have to maintain two sets of OAuth access tokens for every user? Also, asking every user to re-auth is not a good idea.

Varun asked Nov 23 '16 11:11

1 Answer

Yes, you can use the RefreshToken to get an AccessToken to the individual endpoints with the same scopes as authorized when you requested the graph access (scopes).

E.g., if you requested Mail.Read (short name for https://graph.microsoft.com/mail.read) you can go back to the token issuing endpoint with the refresh_token with scope="https://outlook.office.com/mail.read" and get an access_token for this endpoint.

Matthias Leibmann answered Sep 22 '22 15:09
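
The refresh-token exchange described in the answer, as an added example that is not part of the original post: one refresh token per user is redeemed for a separate access token per resource, and each API call gets only the token issued for its host. It assumes the Azure AD v2.0 token endpoint on the "common" tenant; `TokenBroker`, `resource_of` and `http_post_form` are hypothetical names, and the transport is injectable so the logic can be exercised offline.

```python
import json
import urllib.parse
import urllib.request

# Assumption: Azure AD v2.0 token endpoint for the "common" tenant.
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"

def resource_of(url_or_scope):
    """Return the resource (audience) part, e.g. https://graph.microsoft.com."""
    parts = urllib.parse.urlsplit(url_or_scope)
    return f"{parts.scheme}://{parts.netloc}".lower()

def http_post_form(url, form):
    """Default transport: POST a form body and return the decoded JSON reply."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)

class TokenBroker:
    """Hypothetical helper: one refresh token per user, one access token per resource."""

    def __init__(self, client_id, refresh_token, client_secret=None, post=http_post_form):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.post = refresh_token, post
        self.access = {}  # resource -> access token

    def redeem(self, scopes):
        """Trade the refresh token for an access token for exactly one resource."""
        resources = {resource_of(s) for s in scopes}
        if len(resources) != 1:  # mixing resources in one request is rejected
            raise ValueError("request scopes for one resource at a time")
        form = {"grant_type": "refresh_token", "client_id": self.client_id,
                "refresh_token": self.refresh_token, "scope": " ".join(scopes)}
        if self.client_secret:  # confidential (web) clients only
            form["client_secret"] = self.client_secret
        reply = self.post(TOKEN_URL, form)
        # The endpoint may rotate the refresh token; keep the newest one.
        self.refresh_token = reply.get("refresh_token", self.refresh_token)
        self.access[resources.pop()] = reply["access_token"]
        return reply["access_token"]

    def auth_header(self, api_url):
        """Pick the token whose resource matches the API host; never cross-send."""
        resource = resource_of(api_url)
        if resource not in self.access:
            raise KeyError(f"no access token for {resource}")
        return {"Authorization": "Bearer " + self.access[resource]}
```

Only the refresh token needs long-term storage; access tokens can be re-derived per resource on demand, so users are not asked to re-authorize when a second API is added.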