The identity of the calling application could not be established

You are getting the following error from Microsoft Graph or from downstream services that use Microsoft Graph… The identity of the calling application could not be established This error is thrown because the “oid” and “sub” claims are missing from the access token. That happens when the servicePrincipal does not exist in the tenant, i.e. the tenant is not aware of the application. Partner Scenario If this is a Partner application,…

How to sign in as a guest user in Graph Explorer

Besides tenant members, it is also possible to use Graph Explorer signed in as a tenant’s guest user. In Graph Explorer, append ?tenant={tenantname.onmicrosoft.com} to the URL in the address bar (e.g. https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=contoso.onmicrosoft.com) and press Enter. This explicitly makes Graph Explorer consider only that tenant when signing in. Now sign in to Graph Explorer as usual, with the guest user’s credentials. Afterwards, try making this GET request: https://graph.microsoft.com/v1.0/me. In the…

Using the Application.ReadWrite.OwnedBy API permission

You have an application that, once authenticated, needs to update its own properties, such as its client secret or certificate. The Application.ReadWrite.OwnedBy permission allows an application to manage only those applications of which it is an owner. In other words, for the application to update its own properties, it has to be an owner of itself. You can do this using the Microsoft Graph API: For more information…

Azure Active Directory: How to get the signed-in user’s groups when there is a groups overage claim in an access token

Azure AD has a maximum number of groups that can be returned in an access token when you have chosen to include the groups claim in your access token. This post will show you how to reproduce the scenario and then how to get the user’s groups using Microsoft Graph when a groups overage claim is present in the token instead of the actual groups. For a JWT token, Azure has…

Why the /memberOf Microsoft Graph API returns null fields for some attributes

What do the API calls below do?

https://graph.microsoft.com/v1.0/me/memberOf
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf

These API calls give us the list of groups and directory roles that the user is a direct member of.

API call: GET

JSON response:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "b0a133d4-3f3d-4990-be22-879151155f19",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": null,
            "creationOptions": [],
            "description": null,
            "displayName": null,
            "expirationDateTime": null,
            "groupTypes": [],
            "isAssignableToRole": null,
            "mail": null,
            "mailEnabled": null,
            "mailNickname": null,
            "membershipRule": null,
            "membershipRuleProcessingState": null
        }
    ]
}

What is the reason behind seeing null values? When we make a call…

Receiving Error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”

Problem: This blog provides more information about the error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”. This error typically occurs when a user uses a public cloud endpoint to sign in to an application registered in the Azure Government sovereign cloud. It is a known fact that the official Azure Active Directory (AAD) authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applied to Microsoft 365 GCC High and DoD, which Azure Government…

Segment Users in Azure AD

If you have been using Microsoft Graph API to add or modify users in Azure Active Directory (Azure AD) you may have noticed that when you create a new user it lives with all the other users, some of which may have nothing to do with your application. Ideally, you may want a sub-directory or business unit of sorts. Fortunately, there are ways to segment these users in a more…

How to Use the ADAL .NET Library to Call the Microsoft Graph API in a Console Application (Using Authorization Code Flow)

Introduction This post shows how to use the ADAL .NET library to acquire a token interactively in a console application. It will go through setting up an Azure Active Directory application, setting up the .NET console application, acquiring an access token, and then making an HTTP request with the token acquired from the ADAL .NET library to get 5 users using the Microsoft Graph API. Setting up your…

Unable to Modify User Email, Phone Number, Password or Other Personal Information for Azure Active Directory Users

Introduction This post addresses the issues users have been having modifying Azure Active Directory user attributes such as mail, phone number, resetting passwords, or other personal attributes in user accounts. It will review the reason behind these changes and how to resolve the issue. For many users this was something that was working before and only recently stopped working properly. Reason Behind Change There…

Using Postman to call the Microsoft Graph API using Authorization Code Flow

Introduction This article will guide you through using Postman to make a Microsoft Graph call using the authorization code flow. It is part of a five-part series on accessing the Microsoft Graph API using the following grant types: authorization code, implicit flow, client credentials, password, and refresh token. We will use the same Microsoft Graph call throughout to reduce extraneous details on having to include setting up and…
