"Access token validation failure. Invalid audience" error during Cloud Directory log collection

In this article:

  • Issue description

  • Prerequisites

  • Possible causes

  • Resolution

  • Related topics and articles

  • How to reach support

Issue description

When attempting to collect event log data from Cloud Directory in ManageEngine ADAudit Plus, the following error may be encountered:

Error: Access token validation failure. Invalid Audience
Affected Domain: <domain>.onmicrosoft.com

This error prevents ADAudit Plus from retrieving Azure event logs. It usually appears during the initial Entra ID (formerly Azure AD) configuration, or after the app registration's API permissions have been changed or misconfigured.

Prerequisites

Before proceeding, ensure:

  • You have configured an Entra ID integration in ADAudit Plus.

  • You are using an App Registration in Entra ID with Microsoft Graph API permissions.

  • The ADAudit Plus instance is running a version that supports Microsoft Graph API.

  • The Entra ID app has the required API permissions granted and admin consent provided.

Possible causes

  • The Entra ID app is still using Azure AD Graph API, which has been deprecated.

  • The audience claim (aud) of the access token presented to Microsoft Graph does not name the Microsoft Graph endpoint, so Graph rejects the token.

  • The required Microsoft Graph API permissions have not been granted or consented to.

Resolution

Step 1: Migrate from Azure AD Graph API to Microsoft Graph API

  1. Log in to the Entra ID portal.

  2. Go to Azure Active Directory > App registrations.

  3. Open the ADAudit Plus application registration.

  4. Navigate to API Permissions.

    • If you see permissions for Azure Active Directory Graph, remove them.

    • Click + Add a permission > Microsoft Graph > Application permissions.

    • Add the following as needed:

      • AuditLog.Read.All

      • Directory.Read.All

      • Any other permissions per ADAudit Plus documentation.

  5. Click Grant admin consent after assigning the new permissions.
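The following script is an added diagnostic example; it is not part of this article and is not ManageEngine code. It decodes an access token's claims without verifying the signature, classifies the aud claim as Microsoft Graph (https://graph.microsoft.com or its well-known application ID 00000003-0000-0000-c000-000000000000) or as the deprecated Azure AD Graph (https://graph.windows.net or 00000002-0000-0000-c000-000000000000), and reports which of the application permissions from Step 1 are missing from the token's roles claim. Both sample tokens are constructed in the script (unsigned, placeholder tenant ID) so it runs offline; on a real system you would capture the token ADAudit Plus obtains and pass it to check_token.

```python
import base64
import json

# Well-known Microsoft values: the aud claim must name Microsoft Graph, either by
# resource URI or by the Graph service principal's application ID.
GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}
# Audiences of the deprecated Azure AD Graph; tokens issued for it are rejected
# by Microsoft Graph with "Invalid audience".
LEGACY_AAD_GRAPH_AUDIENCES = {
    "https://graph.windows.net",
    "00000002-0000-0000-c000-000000000000",
}
# Application permissions the article assigns in Step 1.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Diagnostic use only: it shows what the token says about itself, which is
    enough to explain why Microsoft Graph rejected it as "Invalid audience".
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str) -> dict:
    """Classify the token's audience and list required Graph roles it lacks."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    roles = set(claims.get("roles", []))
    if aud in GRAPH_AUDIENCES:
        audience = "microsoft-graph"
    elif aud in LEGACY_AAD_GRAPH_AUDIENCES:
        audience = "legacy-azure-ad-graph"
    else:
        audience = "unexpected"
    return {
        "audience": audience,
        "aud": aud,
        "missing_roles": sorted(REQUIRED_ROLES - roles),
        "ok": audience == "microsoft-graph" and REQUIRED_ROLES <= roles,
    }


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for offline demonstration (placeholder signature)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample tokens; the tenant ID is a placeholder, not real data.
LEGACY_TOKEN = make_sample_token({
    "aud": "https://graph.windows.net",
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": ["Directory.Read.All"],
})
MIGRATED_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "tid": "00000000-0000-0000-0000-000000000000",
    "roles": ["AuditLog.Read.All", "Directory.Read.All"],
})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("migrated", MIGRATED_TOKEN)):
        print(name, check_token(tok))
```

If the report shows audience "legacy-azure-ad-graph", the app registration still requests Azure AD Graph permissions and Step 1 has not taken effect; a "microsoft-graph" audience with non-empty missing_roles means the permissions were added but not granted admin consent, or the token was issued before consent.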

Step 2: Update configuration in ADAudit Plus

  1. Open ADAudit Plus > Admin > Azure Configuration.

  2. Reconfigure the tenant using the same Client ID and Client Secret associated with the Entra ID app registration.

  3. Save the changes and test the configuration.

Why this migration is required

Microsoft has deprecated the Azure AD Graph API in favor of the Microsoft Graph API, which:

  • Offers a unified endpoint for accessing Microsoft 365 services.

  • Provides improved security, resilience, and feature coverage.

  • Has offered full feature parity with Azure AD Graph since June 30, 2020, and is Microsoft's recommended integration path.

Microsoft Graph API supports services such as:

  • Entra ID

  • Microsoft Teams

  • Exchange Online

  • Microsoft Intune

Related topics and articles

How to reach support

If the issue persists, contact our support team here.