{"id":9186,"date":"2022-11-16T20:18:10","date_gmt":"2022-11-16T20:18:10","guid":{"rendered":"https:\/\/blogs.aaddevsup.xyz\/?p=9186"},"modified":"2022-11-16T20:18:16","modified_gmt":"2022-11-16T20:18:16","slug":"the-identity-of-the-calling-application-could-not-be-established","status":"publish","type":"post","link":"https:\/\/blogs.aaddevsup.xyz\/2022\/11\/the-identity-of-the-calling-application-could-not-be-established\/","title":{"rendered":"The identity of the calling application could not be established"},"content":{"rendered":"\n<p>You are getting the following error from Microsoft Graph or downstream services that uses Microsoft Graph&#8230;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The identity of the calling application could not be established<\/p>\n<\/blockquote>\n\n\n\n<p>This error is thrown because the &#8220;oid&#8221; and &#8220;sub&#8221; claim is missing from the access token. This is because the servicePrincipal does not exist in the tenant or the tenant is not aware of the application.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Partner Scenario<\/h2>\n\n\n\n<p>If this is a Partner application, make sure you follow the Partner pre-consent process. <\/p>\n\n\n\n<p class=\"important-note\"><strong>And do not forget to add your application\/servicePrincipal to the AdminAgents group.<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/microsoft\/Partner-Center-Explorer\/blob\/master\/docs\/Preconsent.md\">https:\/\/github.com\/microsoft\/Partner-Center-Explorer\/blob\/master\/docs\/Preconsent.md<\/a><\/p>\n\n\n\n<p>Here is an updated script for using Microsoft Graph PowerShell<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">Connect-MgGraph\n\n$AppId = 'INSERT-APPLICATION-ID-HERE'\n\n$g = Get-MgGroup -All -Filter \"displayName eq 'AdminAgents'\"\n$s = Get-MgServicePrincipal -All -Filter \"appId eq '$AppId'\"\n\n$params = @{\n\t\"@odata.id\" = \"https:\/\/graph.microsoft.com\/v1.0\/directoryObjects\/$($s.id)\"\n}\n\nNew-MgGroupMemberByRef -GroupId $g.id -BodyParameter $params<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Non Partner Scenario<\/h2>\n\n\n\n<p>Otherwise, the fastest way to resolve this is to add the servicePrincipal to the tenant. But you will still need to consent to the permissions the application may need to use.<\/p>\n\n\n\n<p>You can build an <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/manage-apps\/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent\" target=\"_blank\" rel=\"noopener\" title=\"\">Admin consent URL <\/a>and will look something like this&#8230;<\/p>\n\n\n\n<p>https:\/\/login.microsoftonline.com\/common\/adminconsent?client_id=INSERT-APPLICATION-ID-HERE<\/p>\n\n\n\n<p>Sign in with a Global Administrator account of the tenant in which you are trying to access resources on.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You are getting the following error from Microsoft Graph or downstream services that uses Microsoft Graph&#8230; The identity of the calling application could not be established This error is thrown because the &#8220;oid&#8221; and &#8220;sub&#8221; claim is missing from the access token. This is because the servicePrincipal does not exist in the tenant or the tenant is not aware of the application. Partner Scenario If this is a Partner application,&hellip;<\/p>\n","protected":false},"author":12,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[185,10,1],"tags":[209,101,308],"class_list":["post-9186","post","type-post","status-publish","format-standard","hentry","category-consent","category-microsoftgraph","category-uncategorized","tag-consent","tag-microsoft-graph-api","tag-partner"],"_links":{"self":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/9186"}],"collection":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/comments?post=9186"}],"version-history":[{"count":4,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/9186\/revisions"}],"predecessor-version":[{"id":9197,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/9186\/revisions\/9197"}],"wp:attachment":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/media?parent=9186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/categories?post=9186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/tags?post=9186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}