MicrosoftDocs
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md‎
Lines changed: 64 additions & 0 deletions b/‎support/entra/entra-id/users-groups-entra-apis/error-call-me-endpoint-microsoft-graph.md‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-application-context.png‎
83.3 KB b/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-application-context.png‎
83.3 KB
diff --git a/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png‎
134 KB b/‎support/entra/entra-id/users-groups-entra-apis/media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png‎
134 KB
@@ -0,0 +1,64 @@
+---
+title: The Identity of the Calling Application Could Not Be Established
+description: Provides solutions to the identity of the calling application could not be established error when using Microsoft Graph.
+ms.date: 04/03/2025
+ms.service: entra-id
+ms.custom: sap:Getting access denied errors (Authorization)
+ms.reviewer: willfid, v-weizhu
+---
+# resolve issues with calling the “me” endpoint in Microsoft Graph
+
+Microsoft Graph provides various methods to retrieve user information from Azure Active Directory (Azure AD). This includes user attributes, group memberships, email access, and more. However, specific endpoints in Microsoft Graph require particular permissions and contexts to function correctly. This article explains the functionality of the “me” endpoint, restrictions associated with it, common errors when using it improperly, and how to resolve these issues.
+
+## Symptoms
+
+When you try to call the `/me` endpoint from your Microsoft Entra ID-based application that use [client credentials grant flow](/entra/identity-platform/v2-oauth2-client-creds-grant-flow), the following error may occur:
+
+json
+{
+"error": {
+"code": "NoPermissionsInAccessToken",
+"message": "The token contains no permissions, or permissions can not be understood.",
+"innerError": {
+"oAuthEventOperationId": "48f66de9-xxx-xxxx1-xxxx-399ea6608ec0",
+"oAuthEventcV": "MkVd0xxxxxvjGFVJkoA.1",
+"errorUrl": "https://aka.ms/autherrors#error-InvalidGrant",
+"requestId": "80f8a0e9-xxxx-xxxx-xxxx-88e5d4bb5bb2",
+"date": "2021-07-30T04:04:38"
+}
+}
+}
+
+## Cause
+
+The `/me` endpoint is designed to allow signed-in users to retrieve their own information. To call the `/me` endpoint, it requires a user context because it uses delegated permissions. This means that a token generated by using the client credentials grant flow cannot use the `/me` endpoint due to the absence of user context information.
+
+Tokens obtained using the client credentials grant flow represent application identities, not user identities. These tokens contain a **roles** claim for application permissions instead of a scp (scopes) claim for delegated permissions. The absence of user context makes it impossible for the `/me` endpoint to determine the user associated with the request.
+
+#### Example tokens
+
+**Token with user context (delegated flow with a user signed in)**
+
+This token is granted by using delegated flow with a user signed in. It contains user-specific information and a `scp` claim that contains current user's the permissions:
+
+:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png" alt-text="Delegated token example" lightbox="media/error-call-me-endpoint-microsoft-graph/token-sign-in-user-context.png":::
+
+**Token with application identity (client_credentials grant flow)**
+
+This token is generated by using the client credentials grant flow. It doesn't contain user-specific information, but contains a `roles` claim for application permissions:
+
+:::image type="content" source="media/error-call-me-endpoint-microsoft-graph/token-application-context.png" alt-text="Application token example" lightbox="media/error-call-me-endpoint-microsoft-graph/token-application-context.png":::
+
+## Solution
+
+When you use the client credentials grant flow in your application, you must use the `/users` endpoint instead of the `/me` endpoint. This allows you to retrieve user-specific information using application tokens.
+
+For example, if you want to call `GET https://graph.microsoft.com/v1.0/me/memberOf` to get a list of groups a user is a member of, use the following method:
+
+1. Obtain an application token using the client credentials grant flow.
+2. Ensure that the application has the **User.Read.All** permission to query user information.
+3. Use the **users** endpoint to query specific user details. Replace {upn} with the User Principal Name (UPN) or User Object ID of the user.
+    ```
+    GET https://graph.microsoft.com/v1.0/users/{upn or userID}/memberOf
+    ```
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]