Can an MS Graph Bearer Token be used to access the Office REST API?

We've implemented Authentication in a .Net Core 2.0 app using Microsoft Graph to authenticate against Azure AD.

That works fine and we were aiming to use Microsoft Graph for accessing Office 365 data.

Unfortunately, on deeper review, we've found that Tasks are currently unsupported via Microsoft Graph and must be instead accessed via the Outlook REST API.

Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.

I tried passing the Bearer Token retrieved via Microsoft Graph in the Outlook REST API headers but I get back an invalid token error.

I'm hoping that I'm simply doing something wrong and this is a valid approach.

Since MS Graph is the "unified" replacement for the Outlook REST API and others, can a Microsoft Graph token be used to access the Outlook REST API?

Pastoralist answered 30/1, 2018 at 16:2
Outlook tasks are on Graph: developer.microsoft.com/en-us/graph/docs/api-reference/beta/…Aguste
That's a good point, unfortunately it also has this warning at the top: "Important: APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.". Thank you for pointing this out, I'll add it to the question as prior research.Pastoralist
One note for future reference, the token you're getting isn't coming from Microsoft Graph but from Azure AD directly. Microsoft Graph is simply the audience/resource that you've requested the token for. Minor detail but understanding the separation of concerns between the Token and the API will help when it comes to debugging down the road.Wartow

Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.

If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.

  1. Use the tasks APIs in Graph even though they are in beta.
  2. Make sure that you obtain a refresh token when you request your Graph token (by including the offline_access scope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.

You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.

Feudality answered 30/1, 2018 at 16:49
Thank you very much for this answer. That is a lot of very useful detail about what's going on and I now have a much better understanding of it. Since this will be going in to a production app I don't feel comfortable using the Tasks API due to the warning. But requesting a second token at the same time seems like a very promising option! I shall attempt to implement this tomorrow and accept if successful.Pastoralist
That seems to be working great, thanks. I'm now retrieving two tokens after the initial auth and have them cached for use elsewhere.
    var outlookResult = await outlookCCA.AcquireTokenByAuthorizationCodeAsync(code, outlookScopes);
    var graphResult = await graphCCA.AcquireTokenByAuthorizationCodeAsync(code, graphScopes);
Pastoralist

Just want to share how you can exchange a Graph RefreshToken for an Outlook AccessToken using Postman. (You can do this in whatever code language you wish.)

First, let's show how you use a RefreshToken to get a new Graph AccessToken:
[screenshot of the Postman refresh-token request for a Graph AccessToken; image not reproduced]

Then use the Graph RefreshToken to get the new Outlook AccessToken:
[screenshot of the Postman refresh-token request for an Outlook AccessToken; image not reproduced]

Hope this might help some other people :)

Calysta answered 30/11, 2018 at 9:48
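Feudality's answer explains why the Graph token is rejected (the aud claim names a different resource) and how to get a second token via the refresh_token grant; Calysta's answer shows that same exchange in Postman. The script below is an added example written for this page, not code from either answer, from the asker's app or from Microsoft. It runs offline: it parses the aud claim out of a constructed, unsigned token (illustrative only, so no signature is verified) to show the mismatch, handles aud given as either a string or a list, and builds the form body for the refresh_token grant against the Azure AD v2.0 token endpoint with resource-qualified scopes such as https://outlook.office.com/Tasks.Read. The tenant, client ID, client secret and refresh-token values are placeholders; the endpoint path, grant parameters and scope format are the documented Azure AD v2.0 ones.

```python
import base64
import json
from urllib.parse import urlencode

# Audiences as they appear in the aud claim of the tokens discussed above.
GRAPH_RESOURCE = "https://graph.microsoft.com"
OUTLOOK_RESOURCE = "https://outlook.office.com"

# Azure AD v2.0 token endpoint; the tenant value is a placeholder (assumption).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This only parses the token so the caller can inspect 'aud'. It does NOT
    verify the signature, so it must never be used as an authorization
    decision; the resource server does the real validation (which is what
    produced the 'invalid token' error in the question).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, resource: str) -> bool:
    """True if the token's aud claim names `resource`.

    RFC 7519 allows aud to be a single string or a list, so accept both.
    """
    aud = jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return resource in audiences


def refresh_for_resource(refresh_token: str, client_id: str, resource: str,
                         permissions: list, client_secret: str = None) -> dict:
    """Form body for the refresh_token grant that asks for an access token
    scoped to `resource`, e.g. https://outlook.office.com/Tasks.Read.
    offline_access is kept so the reply contains a refresh token again.
    """
    scope = " ".join(f"{resource}/{p}" for p in permissions) + " offline_access"
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    if client_secret:  # confidential client (a server-side web app), as in the question
        body["client_secret"] = client_secret
    return body


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED token with a dummy signature, for offline illustration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     "signature-placeholder"])


if __name__ == "__main__":
    # A token issued for Graph, as in the question (constructed sample).
    graph_token = make_sample_token({"aud": GRAPH_RESOURCE,
                                     "scp": "Tasks.Read User.Read offline_access"})
    print("aud claim:", jwt_claims(graph_token)["aud"])
    print("accepted by Graph?  ", audience_matches(graph_token, GRAPH_RESOURCE))
    print("accepted by Outlook?", audience_matches(graph_token, OUTLOOK_RESOURCE))

    # Second leg: trade the refresh token for an Outlook-audience access token.
    body = refresh_for_resource("<refresh-token-from-first-auth>",   # placeholder
                                "00000000-0000-0000-0000-000000000000",  # placeholder client id
                                OUTLOOK_RESOURCE, ["Tasks.Read"],
                                client_secret="<client-secret>")     # placeholder
    print("POST", TOKEN_ENDPOINT.format(tenant="common"))
    print("Content-Type: application/x-www-form-urlencoded")
    print(urlencode(body))
```

The refresh request is the same one Calysta performs in Postman; the only thing that differs between the Graph leg and the Outlook leg is the `scope` value, which is what steers Azure AD to a different `aud`. Keep the two access tokens in separate cache entries keyed by audience, as the asker ended up doing, and treat a client-side aud check as a debugging aid rather than a security control.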
