I kept running into this problem. I was using the following code to get a bearer token for my native app:
var authContext = new AuthenticationContext("AUTHORITY");
string token;
try
{
var authresult = authContext.AcquireToken("MYAPP_ID","MYAPP_CLIENTID","MYAPP_REDIRECTURI");
token = authresult.AccessToken;
}
Using that token worked fine for authorizing actions within my own app, but I'd get the same error as the OP when trying to use the same token as authorization for the Graph API.
What I had to do was get a new token specifically for the Graph API - I used the same code as above but I used "https://graph.windows.net"
instead of "MYAPP_ID"
. So, to be clear, the following code gave me the correct OAuth token for the Graph API:
var authContext = new AuthenticationContext("AUTHORITY");
string token;
try
{
var authresult = authContext.AcquireToken("https://graph.windows.net","MYAPP_CLIENTID","MYAPP_REDIRECTURI");
token = authresult.AccessToken;
}
Just make sure that your application registered in Azure has the necessary permissions to access your Azure domain's directory.