Microsoft Graph - Invalid Audience / Missing Scope

@Freddy Are you trying to get it working from within Thinkwise or something like Insomnia/Postman at this stage?

If from within Thinkwise: we have it working for a while now, and while reviewing our IAM I happen to notice that the Scope and Prompt columns of the table gui_appl_oauth_server are no longer visible in IAM (2022.2). Normally you could set the Scope there. Alternatively you can set the Scope in the OAuth login connector input parameters. Most likely the Scope should at least contain offline_access and potentially openid. I presume you have the Microsoft documentation at hand: https://learn.microsoft.com/en-us/graph/auth-v2-user

@Dick van den Brink Is it on purpose that those fields are no longer visible in IAM?

@Arie V , I tried opening an old IAM 2021.2 and 2022.1 but in both cases the scope and prompt was not visibile in IAM on that screen. I don't know if anything changed in this area recently. 

@Freddy, did you see the documentation here about connecting to the graph api: link.

It would be good to know if you configured Delegated permissions or Application permissions on your App Registration.
The question from Arie is also very good (Thanks Arie!). 

I see where I might have gotten confused. We did set the Scope and Prompt setting in the SF (Project > Project versions > OAuth servers) and only touched IAM for the Client ID and Secret override so far.

Still interesting why those two options cannot be overridden in IAM though. @Mark Jongeling Would you happen to know why those fields are not available in the GUI?

@Freddy I see that the Thinkwise documentation on OAuth servers does not mention anything about Scope, so let's hope the simple solution for you is to indeed add a Scope value there.

@Dick van den Brink Might be worth updating the docs accordingly.

@Freddy This blog from Dick (and my various comments below it) might help you get the Delegate option working.

Are you using the Universal GUI or the Windows GUI? The OAuth Login connector with the Consent pop-up screen does not yet work in the Universal GUI. Instead we use Insomnia to perform the initial login and get the Authorization and Refresh token. We added those manually in our Application and use the Authorization token in a Process Flow with a regular HTTP Connector.

In addition we use a separate Refresh process flow to update the tokens every 29 minutes, instead of a combined process flow as used in the Blog.

I see that my reference to an Insomnia screenshot from Vincent in one of my comments no longer works. Herewith a screenshot from my Insomnia. We use the MS Graph API specifically for a scenario to send notifications to MS Teams, therefore the Chat.Create and ChatMessage.Send values are included in the Scope.

EDIT: the above solution works for us, as we only have a single ‘Automation’ user from which we send those Teams notifications. Due to the lack of support of the OAuth login connector in Universal GUI it is not yet very feasible to have regular end users grant permissions and work with the MS Graph API. According to the latest Universal GUI Release Notes support for this Process action is to be expected with the next Release.

Thanks @Arie V ! 

I'll first make it work with the direct access and then hopefully when Universal supports the oauth login connector I can change it to a self-service scenario.  

The upcoming Universal release will offer support for the OAuth connector, which hopefully make this a lot easier for you guys.

This release is expected to be released tomorrow as a beta release versioned as 2023.1.12-b1.