Merge pull request #8596 from AmandaAZ/Branch-CI4675

Simonx Xu · web-flow · commit 597cf01387c3 · 2025-04-03T15:23:40.000+08:00
AB#4675: Convert blog post to article
diff --git a/support/entra/entra-id/toc.yml b/support/entra/entra-id/toc.yml
@@ -282,9 +282,12 @@
    - name: The memberOf API returns null values for properties
      href: users-groups-entra-apis/memberof-api-returns-null-properties.md
    - name: Getting access denied errors (Authorization)
-     items:
-       - name: Add an owner to an application
-         href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
+     items: 
+      - name: Error "The identity of the calling application could not be established"
+        href: users-groups-entra-apis/identity-of-calling-application-not-established.md
+      - name: Add an owner to an application
+        href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
+
 - name: Microsoft Entra User Provisioning and Synchronization
   items:
   - name: User Sign-in or password Problems
diff --git a/support/entra/entra-id/users-groups-entra-apis/identity-of-calling-application-not-established.md b/support/entra/entra-id/users-groups-entra-apis/identity-of-calling-application-not-established.md
@@ -0,0 +1,44 @@
+---
+title: The Identity of the Calling Application Could Not Be Established
+description: Provides solutions to the identity of the calling application could not be established error when using Microsoft Graph.
+ms.date: 04/03/2025
+ms.service: entra-id
+ms.custom: sap:Getting access denied errors (Authorization)
+ms.reviewer: willfid, v-weizhu
+---
+# Error "The identity of the calling application could not be established"
+
+This article provides solutions to the error message "The identity of the calling application could not be established" when using Microsoft Graph.
+
+## Symptoms
+
+When using Microsoft Graph or some services that rely on it, you encounter the following error message:
+
+> The identity of the calling application could not be established
+
+## Cause
+
+This error occurs because the `oid` and `sub` claims are missing from the access token. The root cause is that the service principal doesn't exist in the tenant or the tenant isn't aware of the application.
+
+## Solution
+
+To resolve this error, add the service principal to the tenant and consent to the permissions required by the application.
+
+You can [build an admin consent URL](/entra/identity/enterprise-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent) like the following one:
+
+`https://login.microsoftonline.com/{organization}/adminconsent?client_id={client-id}`
+
+Then, sign in with a Global Administrator account of the tenant where you are trying to access resources.
+
+> [!NOTE]
+> - Replace `{organization}` with the tenant ID, for example, aaaaaaaaaaaa-bbbb-cccc-1111-22222222.
+> - Replace `{client-id}` with the application ID, for example, dddddddddddd-eeee-ffff-3333-44444444.
+
+## References
+
+- [Understanding Microsoft Entra application consent experiences](/entra/identity-platform/application-consent-experience)
+- [Overview of permissions and consent in the Microsoft identity platform](/entra/identity-platform/permissions-consent-overview)
+- [Retire Service Principal-Less Authentication](/entra/identity-platform/retire-service-principal-less-authentication)
+
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
