Graph Api - 401 Unauthorised

Question

just started in the graph/office API and wow is it a minefield!

Just wondering if anyone can give me any advice? I am getting a 401 when I attempt to contact https://graph.microsoft.com/beta/me/files .

My JWT is as follows:

{
  "aud": "https://graph.windows.net/",
  "iss": "https://sts.windows.net/916970f4-e570-4036-a353-8ae647af1d3e/",
  "iat": 1444794383,
  "nbf": 1444794383,
  "exp": 1444798283,
  "ver": "1.0",
  "tid": "916970f4-e570-4036-a353-8ae647af1d3e",
  "oid": "c454b826-612f-4525-8995-87f1a24dc3df",
  "sub": "c454b826-612f-4525-8995-87f1a24dc3df",
  "idp": "https://sts.windows.net/916970f4-e570-4036-a353-8ae647af1d3e/",
  "appid": "568d0906-4131-4b97-8b08-9efdbe1636c4",
  "appidacr": "1"
}

My tokens are aquired in a rather odd way... I have a web project azure AD, who's token is used to aquire a web api Azure Ad token, then that Token is used to produce the graph api jwt as shown above.

Heres how it woks:

Answer 1

Sorry you are running in to issues here. Two things...

1. You are getting a 401 because the audience of the token is for Azure AD Graph API, but it needs to be for the Office 365 unified API, since these are 2 differently APIs. To get a token for the unified API, you need to specify the resource in your token acquisition request as https://graph.microsoft.com . Basically tokens cannot be interchangeably used against different services - tokens are audience/resource specific. We should have some extra information and samples for this here http://dev.office.com/unifiedapis .
2. The Office 365 unified API ONLY supports the code flows (aka app+user or delegated flows). Your token appears to be a client credentials flow token (ie app only - no user context). This kind of token/flow is not possible yet with the unified api, but it is something we are working on. Stay tuned.

Hope this helps,