Office 365 REST API - Value Returning NULL (only specific users)

I'm pulling my hair out over this, maybe someone has an idea. We have a web application, registered with Azure, that is grabbing calendar and event data from the Office 365 API that pertains to the logged in user's account.

When a user logs on to our system, we get the refresh token and access + ID tokens from Office365 API. I can send the access token directly to the server and I can see the user's events, things are working properly. The "base" oauth code is lifted from the sample code here. We can also do this from within our application and it is also working properly.

This works properly for certain users, but not for other users. For those users, the system authenticates their token, but responds with a NULL value in the "value" key on the response.

  • The subscription types between working users and non-working users are identical (E1).
  • The code that handles the calls does not change, there is no additional process that "specific users" go through. They are all treated the same by our local system.
  • There are no environmental or variable differences. Some accounts will retrieve their events, other accounts get a NULL response. Even on the same computer.
  • There are valid calendar events or messages in every case.

The exact server response we get is this, which happens after the access token is authenticated:

(string(196) "{"@odata.context":"https : //outlook.office.com/api/v1.0/$metadata#Me/Events","value":[{"error":{"code":"ErrorInternalServerError","message":"Object reference not set to an instance of an object."}}")

(spaces added after https due to reputation)

If I log in as a user on the oauth sandbox (https://oauthplay.azurewebsites.net/) the system WILL return the proper results in every case. It leads me to believe that the access token Office365 passes us is not correct, but it only seems to fail in certain situations with no common link between those users.

I'm trying to come up with any possible reason this could happen. If anyone has any ideas I'm all ears.



Solution 1:[1]

Without having too many details, from what you've described, my guess would be that this is an issue with how you've registered your application to interact with Azure AD. In some cases, users that aren't from the same Azure AD Tenancy as is registered with the application (or registered to be able to use the application) will result in generated access tokens via the initial OAuth phase, but when used against other Azure AD APIs, those tokens don't work. For more information, take a look at this article (the documentation for what this means is somewhat sparse). Note that to turn multi-tenancy on in your Azure management console, you'll need to register a fully-qualified domain name (FQDN).

This might not be your problem at all, nonetheless - I'd recommend you provide any other details about the nature of the accounts on which authentication works, and the nature of those accounts on which it doesn't.
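One way to check the tenancy guess above is to decode the access token's payload for a working and a failing account and compare the Azure AD `tid` (tenant) and `aud` (resource) claims with what the app registration expects. This is an added example, not code from the original post; the tenant GUIDs, sample tokens and the expected audience (taken from the API host in the question) are constructed assumptions.

```python
import base64
import json

HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # constructed: tenant that registered the app
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed: some other tenant
AUDIENCE = "https://outlook.office.com"                # assumed resource, from the API host


def b64url_decode(segment):
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a compact JWT, signature NOT verified (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def tenancy_findings(token, home_tenant=HOME_TENANT, audience=AUDIENCE):
    """List mismatches between the token and what the app registration expects."""
    claims = jwt_claims(token)
    findings = []
    tid = str(claims.get("tid", ""))
    if tid.lower() != home_tenant.lower():
        findings.append("tid %r differs from registering tenant" % tid)
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud.lower() != audience.rstrip("/").lower():
        findings.append("aud %r is not the expected resource" % aud)
    return findings


def make_sample_token(claims):
    # Builds an unsigned, constructed token so the example runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    samples = {
        "working user": {"tid": HOME_TENANT, "aud": AUDIENCE, "upn": "a@example.com"},
        "failing user": {"tid": OTHER_TENANT, "aud": AUDIENCE, "upn": "b@example.org"},
    }
    for label, claims in samples.items():
        print(label, tenancy_findings(make_sample_token(claims)) or "no mismatch")
```

Because the signature is not checked, the decoded claims are only suitable for troubleshooting, never for an authorization decision.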

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 ilkahnate