Access Graph API from OAuth protected website

I have a website in Azure that is protected by AAD (as "Enterprise App"). So logging in to the website uses the Azure Active Directory of my company to get a valid OAuth token for the website. The ID-token and AAD-token are stored by Azure in header variables X-MS-TOKEN-AAD-ID-TOKEN and X-MS-TOKEN-AAD-ACCESS-TOKEN.

From within my website, I want to access the Graph API for getting information of the currently logged in user. For accessing the Graph API I need a new OAuth token with probably the graph API scope https://graph.microsoft.com/.default.

As my website has the required delegated permissions (Microsoft Graph, User.Read, Granted for my company), the website should have the delegated permission to "sign in and read user profile", e.g. the /me graph endpoint.

How do I get a new OAuth token to call the Graph API on behalf of the logged in user from my website? Can I redeem the OAuth ACCESS or ID token to get a new token for accessing the Graph API or something like that? It shouldn't be necessary to involve the user I assume, because then it is not really SSO like and my website already has the permission to act on behalf of the user for accessing the user profile.

Alternatively for accessing the Graph API for the logged in user, I tried the website's ~/.auth/me endpoint, which works from the browser, but fails with an unauthorized when called from the website.

Thanks!
Solution 1:[1]

Azure AD supports the use of User Assertions (in OAuth standard terms) to swap the application access token for a new access token with a Graph scope. Microsoft call this the On Behalf Of Flow.

For some details on how this is coded and configured, see these resources of mine. I think you will need to Expose an API scope for the website:
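The exchange the answer describes, written out as an added example (not code from the question, the answer or any of the answerer's resources): read the user's access token that App Service placed in X-MS-TOKEN-AAD-ACCESS-TOKEN, present it as the assertion in an On-Behalf-Of request to the v2.0 token endpoint, and call Graph /me with the token that comes back. The tenant id, client id and client secret are placeholders, and the HTTP transport is injectable with a constructed fake so the flow runs offline; the assertion must be the access token (not the ID token), and it must have been issued for the website's own exposed API, which is why the "Expose an API" step the answer mentions is needed.

```python
"""On-Behalf-Of (OBO) exchange of the incoming user token for a Microsoft Graph token,
then a Graph /me call. Added example; not code from the original post or the answerer.
TENANT/CLIENT values are placeholders; the transport is injectable so demo() runs offline."""
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_ME = "https://graph.microsoft.com/v1.0/me"
# grant_type defined by the Microsoft identity platform for the OBO flow
OBO_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
INCOMING_HEADER = "x-ms-token-aad-access-token"  # injected by App Service authentication


def incoming_user_token(headers):
    """Return the user's access token from the App Service injected header (case-insensitive).
    The ACCESS token is the assertion for OBO; the ID token is not accepted."""
    for name, value in headers.items():
        if name.lower() == INCOMING_HEADER:
            return value
    raise LookupError("X-MS-TOKEN-AAD-ACCESS-TOKEN missing; token store not enabled or user not signed in")


def build_obo_request(tenant, client_id, client_secret, user_assertion,
                      scopes=("https://graph.microsoft.com/.default",)):
    """Token endpoint URL and form body for an OBO exchange (confidential client with secret)."""
    form = {
        "grant_type": OBO_GRANT_TYPE,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,          # the token the website received for its own API
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), form


def default_transport(url, data=None, headers=None):
    """Real HTTP transport: returns (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode())


def exchange_for_graph_token(tenant, client_id, client_secret, user_assertion, transport=default_transport):
    """Perform the OBO exchange and return the Graph access token, failing loudly on an error response."""
    url, form = build_obo_request(tenant, client_id, client_secret, user_assertion)
    status, body = transport(url, data=urllib.parse.urlencode(form).encode(),
                             headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"OBO exchange failed: {body.get('error')}: {body.get('error_description')}")
    return body["access_token"]


def graph_me(graph_token, transport=default_transport):
    """Call Graph /me with the delegated token (User.Read) and return the user profile."""
    status, body = transport(GRAPH_ME, headers={"Authorization": f"Bearer {graph_token}"})
    if status != 200:
        raise RuntimeError(f"Graph /me failed with HTTP {status}: {body}")
    return body


def constructed_fake_transport(url, data=None, headers=None):
    """Constructed stand-in for the network so the example runs offline.
    It checks the request shape and returns canned JSON; values are not real Azure AD responses."""
    headers = headers or {}
    if url.startswith("https://login.microsoftonline.com/"):
        form = urllib.parse.parse_qs(data.decode())
        if form.get("grant_type") != [OBO_GRANT_TYPE] or form.get("requested_token_use") != ["on_behalf_of"]:
            return 400, {"error": "invalid_grant", "error_description": "constructed: wrong OBO parameters"}
        return 200, {"token_type": "Bearer", "access_token": "graph-token-CONSTRUCTED", "expires_in": 3599}
    if url == GRAPH_ME:
        if headers.get("Authorization") != "Bearer graph-token-CONSTRUCTED":
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        return 200, {"displayName": "Constructed User", "userPrincipalName": "user@contoso.example"}
    return 404, {}


def demo(headers=None):
    """End-to-end run against the constructed transport; returns the /me profile."""
    headers = headers or {"X-MS-TOKEN-AAD-ACCESS-TOKEN": "incoming-user-token-CONSTRUCTED"}
    assertion = incoming_user_token(headers)
    token = exchange_for_graph_token("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                                     "CLIENT-SECRET-PLACEHOLDER", assertion,
                                     transport=constructed_fake_transport)
    return graph_me(token, transport=constructed_fake_transport)


if __name__ == "__main__":
    print(demo())
```

In the deployed website the call is the same with `default_transport` and the real tenant and app registration values; the secret belongs in app settings or Key Vault, never in code, and the incoming token's audience must match the API the website exposes or the token endpoint rejects the assertion.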

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Gary Archer