MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Missing example for the SAML token Graph API token exchange #108247

Closed gazben closed 11 months ago

gazben commented 1 year ago

Hi,

Is there a tutorial on how to do the SAML token, Graph API token exchange? Do I need to use the https://login.microsoftonline.com/<TENANTID>/oauth2/v2.0/token endpoint to do this?

Because when I do, I get the error message explained in this issue: https://github.com/MicrosoftDocs/azure-docs/issues/40210

Is there another method with cookies? (according to the docs I have to use the session cookie)

Use case: Our users log in to our application with SAML2. SAML2 does not have the profile picture, and we want to query that also. To query that, we need to access the Graph API: https://graph.microsoft.com/v1.0/me/photo/$value

Is there a way to handle the use case above?



AjayBathini-MSFT commented 1 year ago

@gazben Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 1 year ago

@gazben I'm going to assign this to the document author so they can take a look at it accordingly

@OwenRichards1 please review this.

gazben commented 1 year ago

@OwenRichards1 Do you have link/example for this?

OwenRichards1 commented 1 year ago

Hi @gazben, thanks for your feedback.

Can you take a look at this article and see if it suits your needs?

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion

Please let me know if it helps, otherwise I will investigate further.

Thanks!

gazben commented 1 year ago

I checked this previously, but this method only works for SAMLv1 tokens. I have a SAMLv2 token.

According to the warning: You cannot exchange a SAMLv2 token issued by Azure AD for a Microsoft Graph access token.

If you know another tip/suggestion on how to query the profile picture with a SAMLv2 token, that would be enough to solve my issue.
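As an added illustration of the distinction gazben runs into above (this is not code from the azure-docs project or from anyone in this thread): the SAML bearer assertion flow in the linked article accepts a SAML 1.1 assertion only, so a client can check the assertion version locally and fail with a clear message instead of learning it from the token endpoint's error. The grant type and form parameter names follow the linked article; the sample assertions, client id, secret and scope are constructed placeholders, and no request is actually sent.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml1_1-bearer"

# Constructed sample assertions (unsigned, minimal): one SAML 1.1, one SAML 2.0.
SAML11_SAMPLE = ('<saml:Assertion xmlns:saml="%s" MajorVersion="1" MinorVersion="1" '
                 'AssertionID="_placeholder1" Issuer="https://idp.example.test"/>' % SAML11_NS)
SAML20_SAMPLE = ('<saml:Assertion xmlns:saml="%s" Version="2.0" '
                 'ID="_placeholder2"/>' % SAML20_NS)


def saml_version(assertion_xml: str) -> str:
    """Return '1.1' or '2.0' from the root element's namespace and version attributes."""
    root = ET.fromstring(assertion_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns == SAML11_NS and root.get("MajorVersion") == "1" and root.get("MinorVersion") == "1":
        return "1.1"
    if ns == SAML20_NS and root.get("Version") == "2.0":
        return "2.0"
    raise ValueError("unrecognised SAML assertion (namespace %r)" % ns)


def accepted_by_bearer_flow(assertion_xml: str) -> bool:
    """True only for SAML 1.1; the v2.0 token endpoint rejects SAML 2.0 for this grant."""
    return saml_version(assertion_xml) == "1.1"


def build_bearer_assertion_request(assertion_xml, client_id, client_secret, scope):
    """Build the x-www-form-urlencoded body for the token endpoint, refusing SAML 2.0 up front.

    Signature and audience checks on the assertion are performed by the token endpoint,
    not here; this only stops a request that is known to fail before any secret leaves the app.
    """
    if not accepted_by_bearer_flow(assertion_xml):
        raise ValueError("only SAML 1.1 assertions can be exchanged with this grant type")
    # The article requires base64url encoding of the assertion; padding is stripped.
    assertion = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).rstrip(b"=").decode()
    return urlencode({
        "grant_type": GRANT_TYPE,
        "assertion": assertion,
        "client_id": client_id,          # placeholder app registration id
        "client_secret": client_secret,  # placeholder; keep real secrets out of source
        "scope": scope,
    })
```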

gazben commented 1 year ago

I've investigated further but I haven't found a solution.

@OwenRichards1 Can you check if there is an alternative way?

gazben commented 1 year ago

@OwenRichards1 Did you get a chance to investigate further? Should I provide more information on the issue?

gazben commented 1 year ago

@OwenRichards1 Is there any more info I should provide? Or is there an alternative way of getting the profile picture with the SAMLv2 integration?

gazben commented 1 year ago

@OwenRichards1 Are there any updates on this issue?

OwenRichards1 commented 11 months ago

@gazben Thanks for your feedback - this repo is currently undergoing a migration. I am required to close this issue, although it has been assigned in product backlog and will be addressed when migration is complete.

OwenRichards1 commented 11 months ago

please-close