Why am i getting an invalid access token from On-behalf-of-flow


When I use the On-Behalf-Of flow and hit the /token endpoint with the "common" tenant, passing the middle-tier token as the assertion with the scopes "openid profile offline_access user.read", I get a malformed token. It works for the /me endpoint of Microsoft Graph, but it does not work for other Microsoft APIs such as the GetAllFolders API, etc.

{
  token_type: 'Bearer',
  scope: 'User.Read openid profile',
  expires_in: 2148,
  ext_expires_in: 2148,
  access_token: 'EwBoA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAcC8ou4ZlNy/KWYLLdVH0vH5mX0MiAuWOx+gxF.............................................................................................................................................................................................................................................9bsbChhpSgTqaDAn2/5e2ol0e+jVUfSFYGNfr45kqBZUoB32Q2HFI1p8wpIdQPOMXfQI=',
  refresh_token: 'M.C105_BAY.-CW5CZWj8ujA1gjI*WNj2u.........................................................................................................................................Ld5Mv40fbrVowHZdbrDkTPFTaKFidgiAN!qZhx472zJNxxnW0iVOFfQqNtU$',
  id_token: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJS.........................................................................................................................................................................................................................83ZPxcotsRG-wGV30ULbnXyI8PFg'
}

Normally an access token starts with "ey...". When we add more scopes we get different responses, such as:

{
  error: 'invalid_grant',
  error_description: "AADSTS500202: User account '{EmailHidden}' from external identity provider 'live.com' is not supported for API version '2.0'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint.\r\n"
}
Rukmini (best answer)

Note that the scenario you are trying to achieve doesn't work for personal Microsoft accounts. To resolve the issue, you have to use a work or school account.

I tried to generate the access token using a personal Microsoft account and got the error below:

https://graph.microsoft.com/v1.0/sites/6897a344-7c37-441b-aa3c-dcff235035c7/drive/root/children


To resolve the issue, I generated the token using the OBO flow as below, signing in with a work or school account:

https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:scope
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret


https://login.microsoftonline.com/common/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:Scope
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:
requested_token_use:on_behalf_of


Now, by using the above access token, I am able to list the items successfully, as below:

https://graph.microsoft.com/v1.0/sites/6897a344-7c37-441b-aa3c-dcff235035c7/drive/root/children


Reference:

https://learn.microsoft.com/en-us/graph/api/site-list?view=graph-rest-1.0&tabs=http
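The following is an added example (not code from the question or from Rukmini's answer) that puts the two checks from this thread into a script: it builds the OBO request body with exactly the parameters listed above, and it inspects what the /token endpoint hands back, distinguishing a signed JWT access token (three base64url segments, "ey...") from the opaque consumer-account token shown in the question, and recognising the AADSTS500202 error for personal accounts on the /common endpoint. The tenant ID for consumer accounts (9188040d-6c67-4c5b-b112-36a304b66dad) is the well-known Microsoft account tenant; the sample tokens and the error body are constructed inline so the script runs offline, and the sample JWTs are unsigned for that reason only. The live exchange function `exchange_on_behalf_of` is an assumed helper that performs the real network call and is not exercised here.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Tenant ID that Azure AD puts in the "tid" claim for personal (consumer) Microsoft accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"


def build_obo_request(client_id, client_secret, scope, assertion):
    """Form body for the on-behalf-of exchange (same parameters as in the answer)."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,            # the middle-tier's incoming access token (must be a JWT)
        "requested_token_use": "on_behalf_of",
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_access_token(token):
    """Read the token's header and claims WITHOUT verifying the signature.

    This is a diagnostic only; a resource server must still validate the signature,
    issuer, audience and expiry before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        # Opaque tokens (e.g. the 'EwB...' consumer-account token) are not JWTs at all.
        return {"is_jwt": False, "reason": "not three dot-separated segments (opaque token)"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers both bad base64 (binascii.Error) and bad JSON
        return {"is_jwt": False, "reason": "segments are not base64url-encoded JSON"}
    tid = claims.get("tid")
    return {
        "is_jwt": True,
        "alg": header.get("alg"),
        "aud": claims.get("aud"),
        "tid": tid,
        "scp": claims.get("scp"),
        "is_personal_account": tid == MSA_TENANT_ID,
    }


def classify_token_response(body):
    """Interpret the JSON body returned by the /token endpoint."""
    if "error" in body:
        desc = body.get("error_description", "")
        code = desc.split(":")[0] if desc.startswith("AADSTS") else None
        return {"ok": False, "error": body["error"], "aadsts": code,
                "personal_account_rejected": code == "AADSTS500202"}
    info = inspect_access_token(body["access_token"])
    # Only a JWT issued for a work/school tenant will be accepted by the Graph site/drive APIs.
    return {"ok": info["is_jwt"] and not info.get("is_personal_account", False), **info}


def exchange_on_behalf_of(tenant, client_id, client_secret, scope, assertion):
    """Assumed helper: performs the real OBO exchange (network call; not used offline)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    data = urllib.parse.urlencode(
        build_obo_request(client_id, client_secret, scope, assertion)).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_token_response(json.load(resp))
    except urllib.error.HTTPError as e:  # AAD returns errors with a 400 status and a JSON body
        return classify_token_response(json.load(e))


def make_unsigned_jwt(claims):
    """Constructed sample token for offline use only (alg 'none', empty signature)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed samples: a work/school token, a consumer-account token, the opaque token
# prefix from the question, and the AADSTS500202 error body from the question.
SAMPLE_WORK_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                       "tid": "00000000-0000-0000-0000-000000000001",
                                       "scp": "Sites.Read.All User.Read"})
SAMPLE_PERSONAL_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                           "tid": MSA_TENANT_ID, "scp": "User.Read"})
SAMPLE_OPAQUE_TOKEN = "EwBoA8l6BAAUAOyDv0l6PcCVu89kmzvqZmkWABkAAcC8ou4ZlNy"
SAMPLE_ERROR = {"error": "invalid_grant",
                "error_description": "AADSTS500202: User account '{EmailHidden}' from external "
                                     "identity provider 'live.com' is not supported for API version '2.0'."}

if __name__ == "__main__":
    for name, body in [("work", {"access_token": SAMPLE_WORK_TOKEN}),
                       ("personal", {"access_token": SAMPLE_PERSONAL_TOKEN}),
                       ("opaque", {"access_token": SAMPLE_OPAQUE_TOKEN}),
                       ("error", SAMPLE_ERROR)]:
        print(name, classify_token_response(body))
```

Run the script as-is to see the four classifications; to test against a real tenant, call `exchange_on_behalf_of("common", client_id, client_secret, scope, incoming_jwt)` from the middle-tier API. If `classify_token_response` reports `is_jwt: False` or `is_personal_account: True`, the caller was a personal Microsoft account and the downstream Graph site/drive calls will fail, exactly as the thread describes.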

yatin tripathi

According to the documentation, the list sites endpoint currently does not support delegated personal permissions, so maybe that's the cause of the problem.

I also tested it locally, and the same account returns different results under different {tenant} values.

This link might help if anyone faces the same issue:

https://learn.microsoft.com/en-us/answers/questions/1287189/why-am-i-getting-an-invalid-access-token-from-on-b?page=1&orderby=helpful&comment=answer-1255205#newest-answer-comment