Commit 1467274

authored
Update
1 parent 7f70dea commit 1467274

1 file changed

Lines changed: 9 additions & 28 deletions

@@ -1,7 +1,7 @@
11
---
22
title: The identity of the calling application could not be established
33
description: Provides solutions to the error "The identity of the calling application could not be established" when using Microsoft Graph.
4-
ms.date: 03/28/2025
4+
ms.date: 04/02/2025
55
ms.service: entra-id
66
ms.custom: sap:Getting access denied errors (Authorization)
77
ms.reviewer: willfid, v-weizhu
@@ -20,38 +20,19 @@ When using Microsoft Graph or some services that rely on it, you encounter the f
2020

2121
This error occurs because the `oid` and `sub` claims are missing from the access token. The root cause is that the service principal doesn't exist in the tenant or the tenant isn't aware of the application.
2222

23-
## Solution for Partner scenario
23+
## Solution
2424

25-
If the application is a Partner application, ensure that you complete the Partner pre-consent process and add your application or service principal to the AdminAgents group. For more information, see [Partner pre-consent](https://github.com/microsoft/Partner-Center-Explorer/blob/master/docs/Preconsent.md).
25+
To resolve this error, add the service principal to the tenant and consent to the permissions required by the application.
2626

27-
Here's an updated PowerShell script for using Microsoft Graph:
28-
29-
```powershell
30-
Connect-MgGraph
31-
32-
$AppId = '<Application ID>'
33-
34-
$g = Get-MgGroup -All -Filter "displayName eq 'AdminAgents'"
35-
36-
$s = Get-MgServicePrincipal -All -Filter "appId eq '$AppId'"
37-
38-
$params = @{
39-
"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($s.id)"
40-
}
41-
42-
New-MgGroupMemberByRef -GroupId $g.id -BodyParameter $params
43-
```
44-
45-
Ensure that you replace `<Application ID>` with your application's actual Application ID.
46-
47-
## Solution for Non-Partner scenario
48-
49-
If the application isn't a Partner application, add the service principal to the tenant and consent to the permissions required by the application.
50-
51-
You can [build an admin consent URL](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal#construct-the-url-for-granting-tenant-wide-admin-consent) like the following one:
27+
You can [build an admin consent URL](/entra/identity/enterprise-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent) like the following one:
5228

5329
`https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}`
5430

5531
Then, sign in with a Global Administrator account of the tenant where you are trying to access resources.
5632

33+
> [!NOTE]
34+
> - Replace `{organization}` with the tenant ID, for example "aaaaaaaaaaaa-bbbb-cccc-1111-22222222".
35+
> - Replace `{client-id}` with the Application ID of the application, for example "dddddddddddd-eeee-ffff-3333-44444444".
36+
37+
5738
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
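
Review bot: The example GUIDs in the added NOTE (new lines 34 and 35) are not in GUID format: "aaaaaaaaaaaa-bbbb-cccc-1111-22222222" and "dddddddddddd-eeee-ffff-3333-44444444" are grouped 12-4-4-4-8, the reverse of the 8-4-4-4-12 layout that a tenant ID or Application ID has, so a reader comparing their own value against the sample may conclude theirs is wrong. Suggest "aaaaaaaa-bbbb-cccc-1111-222222222222" and "dddddddd-eeee-ffff-3333-444444444444". The NOTE would also read better directly under the URL it explains rather than after the sign-in step. Separately, this hunk deletes the whole Partner section (pre-consent and AdminAgents group membership) while the commit message is only "Update"; if partner applications are now covered elsewhere, link to that page from the new Solution section, otherwise that scenario loses its documented fix. The two consecutive blank lines added at 36 and 37 can be collapsed to one.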
