I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.

Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.

When trying to access https://login.microsoftonline.com/{mydomain}.net/oauth2/token using the following (yes, I know that grant_type is not recommended, but that's not the point)

grant_type: password
username: {user}@{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}

I get:

AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password

If I use an administrator like admin@{mydomain}.onmicrosoft.com it works fine.

In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.

It says in the management portal:

"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."

Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?