Get AccessToken to Microsoft Graph from Azure App Service Easy Auth

Question

I have a .NET core application hosted on Azure App Service. The application is secured with Azure App Service Authentication.

I need to get an access token to access Microsoft Graph.

Since I have Azure App Service Authentication turned on, and all the users that access the web application should already be authenticated, I was wondering if it is possible to get the access token from /.auth/me or Request.Headers["x-ms-token-aad-access-token"].

I tried to follow the example posted on here , where I configured my additionalLoginParams /config/authsettings to ["resource=https://graph.windows.net"] (or ["resource=https://graph.microsoft.com"] as per Rohit suggestion), which in turn should give me an access token to MS Graph either via /.auth/me on client side or Request.Headers["x-ms-token-aad-access-token"] on C#.

However I checked both server side and client side, and there were no access token found. Any idea what went wrong?

Answer 1

since this was tagged azure-gov I presume the App Service is running in Azure Government? If so, what AAD authority are you specifying in the authentication context or /config/authsettings when calling Graph? If it's in Azure Gov, and you're planning to authenticate Azure Gov users, the AAD authority should be login.microsoftonline.us. What was the HTTP response to the request?

Also, as others have mentioned there are two "Graph" APIs (Azure AD Graph and Microsoft Graph) available at the moment. Microsoft Graph will ultimately replace Azure AD Graph but for now either can be used.

The resource uri for AAD Graph in Azure Gov, for now, is the same as Azure Public: graph.windows.net.

The resource uri for Microsoft Graph in Azure Gov, however, is graph.microsoft.us compared to graph.microsoft.com in Azure Public.