Reputation: 1371
I'm trying to understand what is expected to fail (if anything) when using different Microsoft Graph REST endpoints with an access token that was obtained against the Azure 1.0 OAuth endpoint (implicit flow). For example, I created a new app registration in an Azure AD tenant, added the Microsoft Graph service and selected every single permission available - 66 in total. What I find is that I can use the access token I get from the https://login.windows.net/common/oauth2/authorize endpoint to execute basic directory queries against the https://graph.windows.net/ REST endpoint. However, other things - like the "me" or OneNote REST endpoints - fail with a 401 unauthorized error. As a side note - I can get ALL of these scenarios to work with the Azure 2.0 OAuth endpoint and passing in SCOPES for my permission requirements.
So... based on all of that, I'm not sure if big parts of the Microsoft Graph endpoints are not expected to work in this scenario, or perhaps I'm passing in the wrong RESOURCE parameter when I redirect to the .../authorize endpoint to get my access code, or something else. So if there is any info that describes if this is not expected to be supported, or if there is other info we should know - for example, is there a different RESOURCE needed when using the 1.0 OAuth endpoint (the only variable I'm seeing right now), or whatever. Any sort of specific details here would be appreciated.
Thanks.
Upvotes: 1
Views: 309
Reputation: 27538
An access token is available for one endpoint; you could check the aud (audience) claim in the access token. That's why we suggest using the Microsoft Graph API, since you can use Microsoft Graph to build apps for organizations and consumers that connect to a wealth of resources, relationships, and intelligence, all through a single endpoint: https://graph.microsoft.com.
You said that you execute basic directory queries against the https://graph.windows.net/ REST endpoint, so the access token could be used to call the Azure AD Graph API (https://graph.windows.net/). If you use that token to make Microsoft Graph API calls (https://graph.microsoft.com), you can't do that, since the access token is not available for the Microsoft Graph API endpoint.
Upvotes: 1
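The `aud` check suggested in the answer above, as an added example that is not part of the original thread: it decodes a token's payload without verifying the signature (diagnostic use only) and compares the audience with the host of the API being called. The function names, the sample token and the request URLs are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Well-known application IDs that can appear in "aud" instead of the resource URI.
AUD_ALIASES = {
    "00000002-0000-0000-c000-000000000000": "graph.windows.net",    # Azure AD Graph
    "00000003-0000-0000-c000-000000000000": "graph.microsoft.com",  # Microsoft Graph
}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt):
    """Return the payload claims WITHOUT verifying the signature.
    For troubleshooting only; never authorize anything based on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def audience_host(aud):
    # Map an aud value (resource URI or application ID) to an API host name.
    aud = str(aud).strip().lower()
    if aud in AUD_ALIASES:
        return AUD_ALIASES[aud]
    return urlsplit(aud).hostname or aud.rstrip("/")

def token_matches_endpoint(jwt, request_url):
    """True when the token's aud claim names the API that request_url targets."""
    aud = token_claims(jwt).get("aud", "")
    return audience_host(aud) == urlsplit(request_url).hostname

def make_sample_token(aud):
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), "sig"])

if __name__ == "__main__":
    tok = make_sample_token("https://graph.windows.net")
    for url in ("https://graph.windows.net/myorganization/users",
                "https://graph.microsoft.com/v1.0/me"):
        ok = token_matches_endpoint(tok, url)
        print(url, "->", "aud matches" if ok else "aud mismatch, expect 401")
```

Running the same check on a real token before sending a request shows immediately whether a 401 comes from calling an API other than the one the token was issued for.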