I'm trying to write a simple Azure Function that calls the Microsoft Graph API. But I could not make the access_token work. Here is what I've done:

1. Created a new Azure Function App from the Azure Portal
2. Turned on the "App Service Authentication" setting and instructed it to sign in with AAD (management mode is Express).
3. Configured the app to have delegated permissions like "Sign in and read user profile" for Microsoft Graph.
4. Created a new JavaScript function HttpTriggerJS1
5. Changed the authorization level of this function to "Anonymous" (otherwise by default the "Function" level would not even allow me to run the function, always returning 401 Unauthorized)
6. Installed the necessary Node module (npm install request)

7. And the actual function:

   var request = require('request');
   module.exports = function (context, req) {
       var token = req.headers['x-ms-token-aad-access-token'];
       var reqUrl = 'https://graph.microsoft.com/v1.0/me/';
       request.get(reqUrl, {'auth': {'bearer': token}}, function (err, response, msg) {
           context.res = {
               body: msg
           };
           context.done();
       });
   };
   

8. Tested this function in a separate browser window. Signed me in to AAD correctly.

9. But the message returned from Graph was:

   "{
     "error": {
       "code": "InvalidAuthenticationToken",
       "message": "CompactToken parsing failed with error code: -2147184105",
       "innerError": {
         "request-id": "4c78551d-f0fe-4104-b1d3-e2d96fd3c02c",
         "date": "2017-05-16T19:11:14"
       }
     }
   }"
   

I looked into the token I got from req.headers['x-ms-token-aad-access-token']. It's something like "AQABAA....", which seems different from the regular access_token I've seen before that starts with "eyJ....".

What could be wrong here? When calling the Graph API, am I supposed to be using the access_token from the request headers?

Thanks!

Edit:

According to Chris Gillum's suggestion, I also looked into the "on-behalf-of" flow. And here is my updated function, which acquires an access_token for a particular resource (https://graph.microsoft.com in my case) by providing the id_token (retrieved from the request headers).:

var request = require('request');

module.exports = function (context, req) {
    var parameters = {
        grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
        client_id: process.env.WEBSITE_AUTH_CLIENT_ID,
        client_secret: process.env.WEBSITE_AUTH_CLIENT_SECRET,
        assertion: req.headers['x-ms-token-aad-id-token'],
        resource: 'https://graph.microsoft.com',
        requested_token_use: 'on_behalf_of'
    };
    request.post('https://login.microsoftonline.com/microsoft.com/oauth2/token', {form: parameters}, function (aadErr, aadResponse, aadMsg) {
        var msgJson = JSON.parse(aadMsg);
        request.get('https://graph.microsoft.com/v1.0/me/', {'auth': {'bearer': msgJson.access_token}}, function (err, response, msg) {
            context.res = {
                body: msg
            };
            context.done();
        });
    });
};

There are two ways you can make this work when using Azure App Service Authentication / Authorization:

1. Assign a default resource in your function app's AAD configuration.
2. Use the AAD on-behalf-of flow to exchange your ID token (x-ms-token-aad-id-token) for an MS Graph access token.

The simplest approach which doesn't require any code changes is to do #1. I outline the process in my App Service Auth and the Azure AD Graph API blog post (which needs some updates), but I'll give you the Functions-optimized version for the Microsoft Graph here.

The main things you need to do are:

1. Ensure your AAD settings include a client-secret (you already have this).
2. Ensure your AAD settings have the permissions to access the Microsoft Graph (you have already done this).
3. Open your function app in Resource Explorer (use the link in the portal under Platform Settings), navigate to config/authsettings on the left-hand panel, change "additionalLoginParams" from null to ["resource=https://graph.microsoft.com"], and save the changes.

After doing this and logging in again, the x-ms-token-aad-access-token request header will always give you an access token that works with the Microsoft Graph.

The disadvantage of the above approach is that it doesn't help you if you need to access more than one AAD-protected resource from your function app. If that's a problem for you, then you'll need to use approach #2 above.

The header should contain the proper access-token (more details here): https://docs.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication

Here's another post which runs into the same error and may be of help: How do I create an auth token with the new microsoft graph api?

One possible workaround is to use the service principal authentication flow, where you enable the function app to call Graph API via AAD.

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview#service-to-service-authentication

Azure Functions now supports native authentication for the Microsoft Graph. Docs are at https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-microsoft-graph

There's also a video at https://azure.microsoft.com/en-us/resources/videos/azure-friday-navigating-the-microsoft-graph-with-azure-functions-henderson/

For example, you can create an HttpTrigger function and add the following to function.json.

{
   "type": "token",
   "direction": "in",
   "name": "graphToken",
   "resource": "https://graph.microsoft.com",
   "identity": "userFromRequest"
}

Then, you can query the Graph API on behalf of the user making the request. The access token is passed in as a parameter that you can add as a header to an HttpClient

using System.Net; 
using System.Net.Http; 
using System.Net.Http.Headers; 

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, string graphToken, TraceWriter log)
{
    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", graphToken);
    return await client.GetAsync("https://graph.microsoft.com/v1.0/me/");
}

You can also run functions with the ClientCredentials authentication mode, which means it runs as an app instead of in the context of a particular user.