Use Microsoft Graph API with FusionAuth entra login
-
Hi,
Version: 1.61.1
I have implemented FusionAuth with Azure AD (Entra ID) in my application and I am able to successfully sign in to my app using my Microsoft account.
In this guide, it states that FusionAuth will have an Azure AD authorization code which can then be used to get an Azure AD access token:
https://fusionauth.io/docs/lifecycle/authenticate-users/identity-providers/enterprise/azure-ad-oidc
I haven't been able to find a way to get the Azure AD token for the logged-in user and then use it to access the Microsoft Graph API. I can only get the FusionAuth access and ID tokens, which don't work with Microsoft Graph.
How can I achieve this/is this possible?
-
@mark-robustelli Thanks, Mark! You were right.
I used an OpenID Connect Reconcile lambda and found that the Azure AD token was stored in tokens.access_token.
-
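As an added illustration of the approach described above (example code, not from the thread or from FusionAuth's own documentation): an OpenID Connect Reconcile lambda that copies the Entra ID access token out of tokens.access_token into user.data so the application can call Microsoft Graph with it later. It assumes FusionAuth's lambda signature reconcile(user, registration, jwt, id_token, tokens), that tokens carries access_token, id_token and, only when Entra issues one, refresh_token, and that console.info is available for lambda logging.

```javascript
// Copy the Entra tokens into user.data. Kept separate from reconcile() so it can
// be exercised with a fixed clock; nowMillis is the time the tokens were captured.
// user.data ends up in FusionAuth's database and is visible through the User API,
// so treat it as sensitive material and restrict API key access accordingly.
function captureEntraTokens(user, tokens, nowMillis) {
  if (!tokens || typeof tokens.access_token !== 'string' || tokens.access_token.length === 0) {
    return { stored: false, hasRefreshToken: false };
  }
  user.data = user.data || {};
  user.data.entra = {
    accessToken: tokens.access_token,
    obtainedAtMillis: nowMillis
  };
  // refresh_token is only present when Entra actually issues one (offline_access
  // scope plus the authorization code grant); its absence is the case raised later
  // in this thread, so the caller is told whether it was there.
  const hasRefreshToken = typeof tokens.refresh_token === 'string' && tokens.refresh_token.length > 0;
  if (hasRefreshToken) {
    user.data.entra.refreshToken = tokens.refresh_token;
  }
  return { stored: true, hasRefreshToken: hasRefreshToken };
}

// Application-side check before calling Graph: treat the stored token as usable
// only within lifetimeSeconds of capture. The Entra access token expires on its
// own schedule, independent of the FusionAuth JWT, which is the mismatch the
// thread describes; lifetimeSeconds is an assumed value the app must configure.
function entraTokenUsable(user, nowMillis, lifetimeSeconds) {
  const entra = user && user.data && user.data.entra;
  if (!entra || typeof entra.accessToken !== 'string') {
    return false;
  }
  return (nowMillis - entra.obtainedAtMillis) < lifetimeSeconds * 1000;
}

// FusionAuth lambda entry point (OpenID Connect Reconcile).
function reconcile(user, registration, jwt, id_token, tokens) {
  const result = captureEntraTokens(user, tokens, Date.now());
  if (result.stored && !result.hasRefreshToken) {
    // Makes the missing-refresh-token case visible in the FusionAuth event log.
    console.info('Entra ID returned no refresh_token; Graph access will lapse when the access token expires');
  }
}
```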
@oliver-muthusami Have you looked at what Entra ID returns in the reconcile lambda?
-
@oliver-muthusami Awesome that you got what you need. Thanks for reaching out and letting us know!
-
No worries! I have a new issue now. When the Entra token expires, I don't have a refresh_token available to refresh the token. It seems like the Entra token expires before the FusionAuth token does.
Within the OpenID Connect Reconcile lambda, the tokens parameter only has access_token and id_token in its properties.
I have "offline_access" included in my scope but the refresh token isn't provided.
Do you know how I can get the Entra ID refresh token?
-
@oliver-muthusami Hmmm. I did some poking around Microsoft's documentation and found this:
The inclusion of the refresh token in the response can depend on several factors, including the specific configuration of your application and the scopes requested during the authorization process. If you expect to receive a refresh token in the response but fail to, consider the following factors:
Scope requirements: Ensure that you're requesting the offline_access scope along with any other necessary scopes.
Authorization grant type: The refresh token is provided when using the authorization code grant type. If your flow differs, the response can be affected.
Client configuration: Check your application's settings in the identity platform. Certain configurations may restrict the issuance of refresh_tokens.
Are you sure you have Entra configured correctly?