You are getting the following error from Microsoft Graph or from downstream services that use Microsoft Graph…

The identity of the calling application could not be established

This error is thrown because the "oid" and "sub" claims are missing from the access token. That happens when the servicePrincipal for the application does not exist in the tenant, i.e. the tenant is not aware of the application.

Partner Scenario

If this is a Partner application, make sure you follow the Partner pre-consent process.

And do not forget to add your application/servicePrincipal to the AdminAgents group.

https://github.com/microsoft/Partner-Center-Explorer/blob/master/docs/Preconsent.md

Here is an updated script for using Microsoft Graph PowerShell (it needs permission to read service principals and to add group members):

# Sign in with scopes sufficient to look up the service principal and modify group membership.
Connect-MgGraph -Scopes 'Application.Read.All', 'GroupMember.ReadWrite.All'

$AppId = 'INSERT-APPLICATION-ID-HERE'

# Locate the AdminAgents group and the application's service principal in this tenant.
$g = Get-MgGroup -All -Filter "displayName eq 'AdminAgents'"
$s = Get-MgServicePrincipal -All -Filter "appId eq '$AppId'"

if (-not $g) { throw "AdminAgents group not found in this tenant" }
if (-not $s) { throw "No service principal for appId $AppId in this tenant (complete pre-consent first)" }

# Add the service principal to the group by directory object reference.
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($s.Id)"
}

New-MgGroupMemberByRef -GroupId $g.Id -BodyParameter $params

Non-Partner Scenario

Otherwise, the fastest way to resolve this is to add the servicePrincipal to the tenant. But you will still need to consent to the permissions the application may need to use.

You can build an admin consent URL; it will look something like this…

https://login.microsoftonline.com/common/adminconsent?client_id=INSERT-APPLICATION-ID-HERE

Sign in with a Global Administrator account of the tenant whose resources you are trying to access.
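The non-partner fix, written out with Microsoft Graph PowerShell, as an added example that is not part of the original post: it checks whether the service principal exists, creates it with New-MgServicePrincipal if it does not, and then prints the admin consent URL that still has to be opened by a Global Administrator. The application and tenant IDs are placeholders; the tenant-specific consent endpoint is used here instead of /common so that consent is granted in the intended tenant (the /common form from the post works as well).

```powershell
# Added example: create the missing service principal, then hand off to admin consent.
# Application.ReadWrite.All is needed to create a service principal.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$AppId    = 'INSERT-APPLICATION-ID-HERE'   # placeholder: the application's client ID
$TenantId = 'INSERT-TENANT-ID-HERE'        # placeholder: the tenant you need access to

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    # No service principal in this tenant: the state behind the "identity ... could not be established" error.
    $sp = New-MgServicePrincipal -AppId $AppId
    Write-Host "Created service principal $($sp.Id) for appId $AppId"
} else {
    Write-Host "Service principal already present: $($sp.Id)"
}

# Creating the service principal does not grant any permissions; consent is still required.
$consentUrl = "https://login.microsoftonline.com/$TenantId/adminconsent?client_id=$AppId"
Write-Host "Open this URL as a Global Administrator of the tenant: $consentUrl"
```

After consent has been granted, request a fresh access token; a token issued before the service principal existed will still lack the oid and sub claims.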
