Ryan

Microsoft Graph API: Authorization_IdentityNotFound

I'm following the Get access without a user guide to write a Python script that will call Microsoft Graph.

This script will be scheduled from cron, so it cannot get admin consent (and therefore authorizes using Client Credentials). I am able to successfully obtain a token using this call:

import requests

# placeholder: in practice the secret is read from a secure store, never hard-coded
client_secret = "<client secret from the app registration>"

request_url = "https://login.microsoftonline.com/mytenant.onmicrosoft.com/oauth2/v2.0/token"
data = { 
   # Host and Content-Type are HTTP headers, not form fields; requests sets them itself
   'client_id' : 'my-client-id-1234',
   'scope' : 'https://graph.microsoft.com/.default',
   'client_secret' : client_secret,
   'grant_type' : 'client_credentials'
}
response = requests.post(url = request_url, data = data)
response.raise_for_status()
token = response.json()['access_token']

I then try to get a user listing with this call, using the valid token:

request_url = "https://graph.microsoft.com/v1.0/users"
headers = { 
   'Authorization' : 'Bearer ' + token,
   'Host' : 'graph.microsoft.com'
}
response = requests.get(url = request_url, headers = headers)
print(response)         # status line shown below
print(response.json())  # error body shown below

The problem is that I get an Authorization_IdentityNotFound error:

<Response [401]>
{
   "error": {
      "code": "Authorization_IdentityNotFound",
      "message": "The identity of the calling application could not be established.",
      "innerError": {
         "request-id": "2257f532-abc4-4465-b19f-f33541787e76",
         "date": "2018-03-27T19:11:07"
      }
   }
}

These are the permissions I've selected:

[Screenshot: the Microsoft Graph permissions selected for the app registration]

Any idea how to fix this error?

Answers (2)

mschwartz

For others running into this issue, I was also getting this error until I found out the documentation omits a very important caveat:

  • For client credentials, if the app belongs to a work or school (organization) context, then for https://login.microsoftonline.com/common/oauth2/token replace common with a tenantId or domain name.

See Authorization_IdentityNotFound on Microsoft Graph API request

Marc LaFleur

First things first, you can go ahead and remove all those Delegated Permission scopes. If you're using the Client Credentials Grant, you will only be using Application Permission scopes.

Second, you need to execute the Admin Consent flow before you can use Client Credentials. This is done by having a Global Admin from the tenant authenticate and accept your scope request:

https://login.microsoftonline.com/common/adminconsent?client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]

You can read more about Admin Consent here: v2 Endpoint and Admin Consent

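Both answers describe the same two preconditions for an app-only Graph call: a tenant-specific token endpoint rather than /common, and Application Permissions that a Global Admin has consented to. The Python below is an added example, not code from the question or either answer: it builds the tenant-specific endpoint and the admin-consent URL, and inspects the issued token's claims (tid, aud, roles, scp) so a cron job can tell "consent never granted" from "wrong endpoint" before it calls /users. The tenant id and token contents are constructed samples; fake_jwt exists only so the check runs offline.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Graph tokens carry either the resource URI or Graph's well-known app id as audience
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def is_tenant_specific(tenant):
    # Client credentials need a tenant id or domain; "common" carries no tenant
    # context, which is what surfaces as Authorization_IdentityNotFound.
    return tenant.strip().lower() != "common"


def token_endpoint(tenant):
    if not is_tenant_specific(tenant):
        raise ValueError("use a tenant id or domain, not 'common', for client credentials")
    return "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant


def admin_consent_url(client_id, redirect_uri, tenant="common"):
    # One-time URL a Global Admin opens to grant the app's Application Permissions.
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri})
    return "https://login.microsoftonline.com/%s/adminconsent?%s" % (tenant, query)


def token_claims(token):
    # Decode the JWT payload WITHOUT verifying the signature: a local sanity check
    # of what was issued, not an authorization decision (Graph verifies the token).
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_token(token, expected_tid, required_roles):
    """Return the reasons a Graph call with this token would fail (empty list == OK)."""
    claims = token_claims(token)
    problems = []
    if claims.get("tid") != expected_tid:
        problems.append("tid %r is not the expected tenant" % claims.get("tid"))
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append("aud %r is not Microsoft Graph" % claims.get("aud"))
    if "scp" in claims:
        problems.append("delegated scopes present: this is a user token, not an app-only token")
    missing = sorted(set(required_roles) - set(claims.get("roles", [])))
    if missing:
        problems.append("roles missing %s (admin consent not granted?)" % ", ".join(missing))
    return problems


def fake_jwt(payload):
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."
```

A real token returned by the tenant-specific endpoint can be passed to check_app_token as-is; an empty result means the app was consented for the listed roles and the token is scoped to Graph in the expected tenant.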