How to Fix Microsoft Graph 401 Unauthorized

What this error means

Microsoft Graph couldn't even authenticate the request. The bearer token is missing, expired, or doesn't validate against the tenant.

Why this happens

Common causes: expired access token, wrong tenant in the authority URL, invalid client secret/cert for app-only auth, or the token was acquired for a different audience.

Quick fix (for end users)

• Disconnect-MgGraph and run Connect-MgGraph again. Most 401s come from stale or expired sessions.
• Check that you're connecting to the right tenant.

Admin / engineer fix

• Force a fresh sign-in.

  commandCopy

  Disconnect-MgGraph
  Connect-MgGraph -Scopes 'User.Read.All'

• If using app-only auth with a certificate, verify it hasn't expired and is in the correct cert store.

  commandCopy

  Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -match 'MyApp'

• Confirm the system clock is within a few minutes of real time. Token validation fails on large clock skew.

Step-by-step fix

1. 1

   Disconnect any cached session.

2. 2

   Reconnect with the right tenant and credentials.

3. 3

   Retry the failing call.

Common variations of this error

People also see these phrasings of the same problem:

• 401 Unauthorized — Microsoft Graph
• InvalidAuthenticationToken

Still broken? Try these

• If using a federated identity, your IdP may be rejecting the sign-in upstream.
• App-only with secret? Check the secret hasn't been rotated.
• Try a known-good account in Graph Explorer to isolate whether the tenant is healthy.

Related errors

• Microsoft Graph PowerShell
  Authentication_MissingOrMalformed
• Entra ID
  AADSTS7000215: Invalid client secret provided
• Microsoft Graph PowerShell
  Microsoft Graph 403 Forbidden

Related searches

• microsoft graph 401 unauthorized
• graph token expired

Frequently asked questions