Reputation: 113
In a hybrid setup, if the client credentials grant type is used to get a token and that token is used to get on-prem user messages (https://graph.microsoft.com/v1.0/users('[email protected]')/messages/) using the Graph API, it fails with UnknownError.
When debugged via the IIS logs, the error shown was "This token profile 'V1S2SAppOnly' is not applicable for the current protocol." error_category="invalid_token".
However, if the authorization code grant or the resource owner password credential (ROPC) grant is used to obtain the token, we were able to get messages of the on-prem user using the Graph API. Have attached screenshots of the token for both. How to make the client credentials grant work for on-prem user message access using the Graph API (in a hybrid setup)?
Update: I went and edited the web.config of Rest in the Exchange server to have V1S2SAppOnly in profiles. After that the previous error is gone and a new error is seen:
Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",+trusted_issuers="00000001-0000-0000-c000-000000000000@ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",+token_types="app_asserted_user_v1+service_asserted_app_v1",+error="invalid_token" 2000008;reason="The+token+should+have+valid+permissions+or+linked+account+associated+with+partner+application+'00000003-0000-0000-c000-000000000000'.";error_category="invalid_grant"
Upvotes: 2
Views: 748
Reputation: 2580
What you want is:
Application with client credentials => Graph API => Local Exchange
This scenario isn't supported out of the box, but you can, however, tell your local Exchange server to accept those tokens. See this answer: https://stackoverflow.com/a/56131954/639153
In a nutshell, you need to change the authentication config of your front-end Exchange servers to accept client credentials from the Graph API. By default only delegated credentials are supported, and these settings are not documented on the Exchange side.
Warning: we tested these settings and they work, but this is not supported by Microsoft.
This is the blog where I found the answer to your question: https://blog.thenetw.org/2019/05/13/using-client_credentials-with-microsoft-graph-in-hybrid-exchange-setup/
Upvotes: 0
Reputation: 9664
I think the problem is with the aud claim, i.e. the audience for the token.
For the first token that you have shared, the aud value is 00000002-0000-0000-c000-000000000000. This is the resource Id for Azure AD Graph API and not Microsoft Graph API. For Microsoft Graph API, you should be using https://graph.microsoft.com or Id 00000003-0000-0000-c000-000000000000.
For the second token that you have shared, the aud value is https://graph.microsoft.com, which is correct, so I guess this is the one which is working for you.
Upvotes: 1
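Two checks worth running against the material in this thread, as an added example that is not part of the question or of either answer: decode each token's claims (without verifying the signature) to see what its aud is and whether it is an app-only or a delegated token, and parse the WWW-Authenticate challenge the way it appears in the IIS log from the question, where '+' stands for a space. The resource Ids and the tenant Id come from the thread; the app id, the user principal name and the placeholder signature in the two sample tokens are constructed for illustration and are not real Azure AD tokens.

```python
import base64
import json
import re

# Resource identifiers cited in the answer above.
AAD_GRAPH_ID = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph (legacy)
MS_GRAPH_ID = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph
MS_GRAPH_URL = "https://graph.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying its signature.
    Inspection only: never use unverified claims for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> dict:
    """Report which resource the token is for and which kind of grant produced it."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    # Azure AD v1 tokens carry either the resource URL or its GUID in aud.
    if aud in (MS_GRAPH_ID, MS_GRAPH_URL):
        target = "Microsoft Graph"
    elif aud == AAD_GRAPH_ID:
        target = "Azure AD Graph (legacy)"
    else:
        target = "other"
    # Delegated tokens (auth code, ROPC) carry 'scp' and a user identity such as 'upn';
    # app-only tokens from the client credentials grant carry 'roles' and no user.
    flow = "delegated" if ("scp" in claims or "upn" in claims) else "app-only"
    return {"aud": aud, "target": target, "flow": flow, "roles": claims.get("roles", [])}


def parse_bearer_challenge(log_field: str) -> dict:
    """Split a WWW-Authenticate Bearer challenge as IIS logs it ('+' is a space)."""
    text = log_field.replace("+", " ")
    return dict(re.findall(r'(\w+)="([^"]*)"', text))


def make_sample_token(claims: dict) -> str:
    # Constructed sample: real Azure AD tokens are RS256-signed; this one carries a
    # placeholder signature so it can be decoded but never validated.
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed tokens mirroring the two cases in the question (app id and user are hypothetical).
TENANT = "ea6064aa-d6fc-48d3-abb8-1728e1f39e0b"   # tenant Id from the question's log line
APP_ONLY_TOKEN = make_sample_token({
    "aud": AAD_GRAPH_ID,  # wrong audience: Azure AD Graph, not Microsoft Graph
    "iss": f"https://sts.windows.net/{TENANT}/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "roles": ["Mail.Read"],
})
DELEGATED_TOKEN = make_sample_token({
    "aud": MS_GRAPH_URL,
    "iss": f"https://sts.windows.net/{TENANT}/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "scp": "Mail.Read",
    "upn": "[email protected]",
})

# The challenge from the question's IIS log, verbatim.
IIS_CHALLENGE = (
    'Bearer+client_id="00000002-0000-0ff1-ce00-000000000000",'
    '+trusted_issuers="00000001-0000-0000-c000-000000000000@ea6064aa-d6fc-48d3-abb8-1728e1f39e0b",'
    '+token_types="app_asserted_user_v1+service_asserted_app_v1",'
    '+error="invalid_token" 2000008;'
    'reason="The+token+should+have+valid+permissions+or+linked+account+associated'
    "+with+partner+application+'00000003-0000-0000-c000-000000000000'.\";"
    'error_category="invalid_grant"'
)

if __name__ == "__main__":
    for name, tok in (("client credentials", APP_ONLY_TOKEN), ("auth code / ROPC", DELEGATED_TOKEN)):
        print(name, classify_token(tok))
    print(parse_bearer_challenge(IIS_CHALLENGE))
```

Decoding the payload is enough to compare aud values and to tell an app-only token (roles, no user) from a delegated one (scp plus a user claim); signature validation is deliberately left out because the point is inspection, not acceptance. The challenge parser turns the logged field back into key/value pairs so error, error_category and reason can be read and alerted on directly.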