Can an MS Graph Bearer Token be used to access the Office REST API?

醉酒成梦 2021-01-14 23:14

We've implemented Authentication in a .NET Core 2.0 app using Microsoft Graph to authenticate against Azure AD.

That works fine and we were aiming to use Microsoft

2 Answers
  • 2021-01-14 23:53

    Just want to share how you can exchange a Graph RefreshToken for an Outlook AccessToken using Postman. (You can do this in whatever code language you wish.)

    First, let's show how you use a RefreshToken to get a new Graph AccessToken:

    Then use the Graph RefreshToken to get the new Outlook AccessToken:

    Hope this might help some other people :)

  • 2021-01-14 23:59

    Yes, this is correct behavior. Tokens are only valid for a particular "audience", which is indicated by the aud claim inside the token.

    If you obtained a token for the Microsoft Graph API, then the aud parameter would be set to https://graph.microsoft.com. This doesn't match the Office 365 API endpoint (https://outlook.office.com or https://outlook.office365.com), so the token validation fails. You have two options here.

    1. Use the tasks APIs in Graph even though they are in beta.
    2. Make sure that you obtain a refresh token when you request your Graph token (by including the offline_access scope in your auth/token requests). Then use that refresh token to obtain a second token with the proper audience.

    You can use the refresh token to request an Office 365 API-compatible token by qualifying your scopes in the refresh request. For example, if you requested a Graph token with Tasks.Read, you would qualify Tasks.Read in your refresh request as https://outlook.office.com/Tasks.Read.

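The audience check and the scope-qualified refresh request described in the second answer, as an added example that is not part of the original thread. It assumes the Azure AD v2.0 token endpoint with `common` as a placeholder tenant; the helper names are hypothetical and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

# Assumption: Azure AD v2.0 token endpoint; "common" stands in for a tenant.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def token_audience(jwt):
    """Read the aud claim(s) without verifying the signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def audience_matches(jwt, api_url):
    """True if a URL-form aud has the API's scheme and host (GUID auds never match)."""
    want = urlsplit(api_url)
    return any((urlsplit(a).scheme, urlsplit(a).hostname) == (want.scheme, want.hostname)
               for a in token_audience(jwt))

def qualify_scopes(scopes, resource):
    """Prefix bare resource scopes with the target API; OIDC scopes stay bare."""
    base = resource.rstrip("/")
    return " ".join(s if s in OIDC_SCOPES or "://" in s else f"{base}/{s}" for s in scopes)

def build_refresh_request(refresh_token, client_id, scopes, resource):
    """Form body to POST to TOKEN_ENDPOINT for a token aimed at `resource`."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token,
                      "scope": qualify_scopes(scopes, resource)})

def make_sample_jwt(aud):
    """Constructed, unsigned token carrying only an aud claim (demo input)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"aud": aud})}.'

if __name__ == "__main__":
    graph_jwt = make_sample_jwt("https://graph.microsoft.com")
    print(audience_matches(graph_jwt, "https://outlook.office.com/"))
    print(build_refresh_request("<refresh-token>", "<client-id>",
                                ["Tasks.Read", "offline_access"], "https://outlook.office.com"))
```

A confidential client would also send its `client_secret` in the same form body. The token returned for the qualified scopes should then pass `audience_matches` for the Outlook host.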