i've spent hours researching without success.

We have an outlook addin that uses the on-behalf-of flow by using the getAccessToken() function. For this we used office.js, not the MSAL library.

Since legacy Tokens were disabled, we can't use EWS requests anymore.

Now we'd like to use the property forMSGraphAccess:true.

So we can make requests to the Micrososft Graph API.

When not sideloading we can use this property to get an AccessToken.

But when we try to use this Access Token for Graph Requests, the request is denied with "Invalid Audience"

The [aud] property in the Access Token, does not change if we use forMSGraphAccess:true.

But the [aud] should be "00000003-0000-0000-c000-000000000000" or "/.default" to be able to access MSGraph.

I cannot find a single example that makes use of forMSGraphAccess and then accesses the GraphAPI.

Can anyone give me a hint, on what i am missig ? Or do you know of examples ?