Microsoft Graph API error: Access token validation failure. Invalid audience.

MelData 51 Reputation points
2022-09-04T13:01:51.96+00:00

We have registered the app in AAD and granted the following permission to Microsoft Graph under API permissions in the Azure portal:
237642-image.png

After passing in the tenant ID, client ID, and client secret,
237632-image.png

we generated an access token
237651-image.png

When I called the users API endpoint, I got an Invalid audience error as below:
237530-image.png

Can anyone please point me to where the issue is? Thank you. I am not sure about resource: "00000002-0000-0000-c000-000000000000"


3 answers

  1. MelData 51 Reputation points
    2022-09-05T09:23:43.423+00:00

    It works after adding V2.0 in /oauth2/v2.0/token

    10 people found this answer helpful.

  2. Vasil Michev 111.4K Reputation points MVP
    2022-09-04T14:02:33.483+00:00

    First of all, you are using the client credentials flow - this requires Application permissions, not Delegate ones. To understand the difference between the two types and decide which one is more appropriate for your scenario, read here: https://learn.microsoft.com/en-us/graph/auth/auth-concepts#delegated-and-application-permissions
    Moreover, the method you seem to be using corresponds to the old Azure AD Graph API, not the Microsoft Graph one (audience/resource should be "00000003-0000-0000-c000-000000000000").


  3. arash ramez 0 Reputation points
    2025-01-08T12:36:51.59+00:00

    You should get the access token from version 2 of the token endpoint, as in the example below:

    curl --location 'https://login.microsoftonline.com/xxxxxxx-xxxxx-xxxxx-xxxxx/oauth2/v2.0/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id={Client-ID-HERE}' \
    --data-urlencode 'client_secret={CLIENT-SECRET_HERE}' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=https://graph.microsoft.com/.default'

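Added example, not part of any answer above and not Microsoft's code: a small Python check that decodes the `aud` and `roles`/`scp` claims of an access token (without verifying the signature, for diagnosis only) to show why Microsoft Graph answers "Invalid audience". The function names and the two sample tokens are constructed for illustration; the audience values are the ones quoted in the question and in the second answer, plus the corresponding resource URIs.

```python
import base64
import json

# Well-known identifiers: Microsoft Graph vs. the legacy Azure AD Graph.
MS_GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
AAD_GRAPH_AUDIENCES = {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"}


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature (diagnosis only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(jwt: str) -> list[str]:
    """Return findings explaining why Microsoft Graph would reject the token."""
    claims = decode_claims(jwt)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/").lower()
    if aud in AAD_GRAPH_AUDIENCES:
        findings.append("aud is the legacy Azure AD Graph; request scope "
                        "https://graph.microsoft.com/.default from /oauth2/v2.0/token")
    elif aud not in MS_GRAPH_AUDIENCES:
        findings.append(f"aud {aud!r} is not Microsoft Graph")
    # App-only (client credentials) tokens carry Application permissions in 'roles';
    # delegated tokens carry 'scp' instead.
    if not claims.get("roles") and not claims.get("scp"):
        findings.append("no roles/scp claim: client credentials needs a granted Application permission")
    return findings


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (hypothetical helper for the demo)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: the question's resource value, then a token shaped like the v2.0 result.
BAD = _make_token({"aud": "00000002-0000-0000-c000-000000000000"})
GOOD = _make_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("bad", BAD), ("good", GOOD)):
        print(name, diagnose(tok) or "looks usable for Microsoft Graph")
```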
