
azure active directory - Authorization_IdentityNotFound on Microsoft Graph API request first time,

It is now 2021, but I am running into this issue again....

When I call the /users MS Graph API, it returns:

{
    "error": {
        "code": "Authorization_IdentityNotFound",
        "message": "The identity of the calling application could not be established.",
        "innerError": {
            "request-id": "b2d9ec62-0b65-44eb-9e0f-4aec52b45750",
            "date": "2021-01-22T10:19:48"
        }
    }
}

I use the 'client credentials' flow, and I've already configured the app to obtain admin consent in order to get the tenant id. Then I use it to call https://login.microsoftonline.com/{tenantId}/oauth2/token to get a token.

And I configured the permissions/scopes as:

- Directory.Read.All
- User.Read.All
- Calendars.ReadWrite

Or even:

- Directory.Read.All
- Calendars.ReadWrite

The strange thing is that this error only happens with the token obtained by authorizing the app with a global admin account the first time. It works if I use a second token that comes back after a few seconds. And by comparing the two tokens, I found the difference is that the non-working one doesn't have a `roles: string[]` value in the JWT, while the working one has it (see attached images).

[image: token not working] [image: token working]

Can anyone help me out? It would be very much appreciated!

Thanks

question from: https://stackoverflow.com/questions/65846011/authorization-identitynotfound-on-microsoft-graph-api-request-first-time

1 Answer


The reason for the error is not that you lack permissions, it is caused by the delay.

Your idea is correct. The reason why your first token call is unsuccessful is the lack of a roles claim in the token, which means that the permissions were not injected into the first token. When you grant admin consent to the application, there will be a delay. If you get the token right away, the token may lack the permissions. So, please wait a few minutes after you grant admin consent before trying to obtain the token.
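The check the answer implies, as an added example that is not part of the question or the answer: decode the app-only token locally, look for the application permissions in its `roles` claim before calling Graph, and retry the token request until consent has propagated. The sample tokens below are constructed, unsigned JWTs; `fetch_token` stands in for whatever client the app uses to call the token endpoint, and the inspection here does not replace signature verification.

```python
import base64
import json
import time


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token):
    """Return a JWT's claims without verifying it (local inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token, required):
    """App-only tokens list granted application permissions in 'roles';
    return the required permissions the token does not carry."""
    return set(required) - set(jwt_payload(token).get("roles", []))


def acquire_token_with_roles(fetch_token, required, attempts=5, delay=30.0):
    """Call fetch_token() until the token carries every required role.
    Returns (token, tries); raises once the attempts are exhausted."""
    for n in range(1, attempts + 1):
        token = fetch_token()
        if not missing_app_roles(token, required):
            return token, n
        time.sleep(delay)  # wait out the consent propagation delay
    raise RuntimeError("token still lacks roles after %d tries" % attempts)


# Constructed sample tokens: header and payload only, dummy signature.
_HEADER = _b64url_encode(b'{"alg":"none","typ":"JWT"}')


def make_token(claims):
    return _HEADER + "." + _b64url_encode(json.dumps(claims).encode()) + ".sig"


REQUIRED = {"Directory.Read.All", "Calendars.ReadWrite"}
TOKEN_NO_ROLES = make_token({"aud": "https://graph.microsoft.com"})
TOKEN_WITH_ROLES = make_token({"aud": "https://graph.microsoft.com",
                               "roles": sorted(REQUIRED)})
```

Logging which permissions are missing before the Graph call turns a bare Authorization_IdentityNotFound into an actionable message.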
