0 Votes
SumitA-6867 asked diberry answered

Error calling User Invitation api : https://graph.microsoft.com/v1.0/invitations

The following error is returned:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure. Invalid audience.",
    "innerError": {
      "date": "2021-08-13T13:25:00",
      "request-id": "7ec55005-d218-490b-b053-f3ca58f1e0f2",
      "client-request-id": "7ec55005-d218-490b-b053-f3ca58f1e0f2"
    }
  }
}

azure-active-directory

4 Votes
amanpreetsingh-msft answered

Hi @SumitA-6867 • Thank you for reaching out.

This error occurs when the access token is acquired for a given resource/API but is being consumed by a different resource/API.

For example, if you acquire a token with audience https://vault.azure.net (Azure Key Vault) and you pass it as a bearer token while making a Graph call, you will get an Invalid audience error. You can check the audience by decoding your access token at https://jwt.ms

To resolve this error, you need to make sure the audience in the token is https://graph.microsoft.com by using scope: https://graph.microsoft.com/.default during your token acquisition call, and make sure the permissions below are consented under the application whose client ID you are using during the token acquisition call.

  • User.Invite.All

  • User.ReadWrite.All

  • Directory.ReadWrite.All

To provide consent, you need to navigate to:
Azure Portal > Azure Active Directory > App Registration > search for the application using its client ID > API Permissions > Add Permission > select Microsoft Graph API > Delegated Permissions (if you are using user context) or Application Permission (if you are using Application/servicePrincipal context) and select the above permissions > once the permissions are added, click the grant admin consent button.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
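
The audience and permission check described in the answer above can also be done locally. The following Python is an added example, not part of the original answer and not Microsoft's code: it decodes a token's claims, compares `aud` against Microsoft Graph, and reports which of the listed permissions appear in `roles` or `scp`. The function names are hypothetical, the sample tokens are constructed, and accepting Graph's application ID and the trailing-slash URI as audiences goes beyond the single URL the answer names.

```python
import base64
import json

# Audience values that identify Microsoft Graph: the resource URI from the
# answer above (with and without trailing slash) and Graph's application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                   "00000003-0000-0000-c000-000000000000"}
# Permissions listed in the answer above.
LISTED_PERMISSIONS = {"User.Invite.All", "User.ReadWrite.All", "Directory.ReadWrite.All"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real Azure AD token)."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment only; this inspects claims, it does not validate the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_graph_token(token: str) -> dict:
    claims = decode_claims(token)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Application tokens carry permissions in "roles" (a list); delegated
    # tokens carry them in "scp" (a space-separated string).
    granted = set(claims.get("roles") or []) | set((claims.get("scp") or "").split())
    return {
        "aud": aud,
        "aud_ok": any(a in GRAPH_AUDIENCES for a in audiences),
        "granted": sorted(granted & LISTED_PERMISSIONS),
        "missing": sorted(LISTED_PERMISSIONS - granted),
    }


if __name__ == "__main__":
    vault = make_sample_token({"aud": "https://vault.azure.net", "roles": []})
    graph = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.Invite.All"]})
    for name, tok in (("vault", vault), ("graph", graph)):
        print(name, check_graph_token(tok))
```

A token that fails `aud_ok` here is the case that produces the `Invalid audience` response from the question; an empty `granted` list points at the consent step instead.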


0 Votes
diberry answered

@amanpreetsingh-msft Can you please be more clear on which needs to happen for which app?

If the first app (client where the customer signs in) is called A, what does A's AD app permissions include? What are the loginParameters values for A?

What about the backend app (app B) for permissions and loginParameters?
