So, ***bash/curl*** and Perl fail where Node succeeds. I guess you need to watch the headers that Node sends and see how they compare to the other 2 methods. I have shown you how to check the headers with Perl. You need to do the same with Node. Or it may be easier via the browser if you have successfull access with that (developer tools, monitor the network request)

Please update your posts to the fact that curl does not work (if I understood correctly). That's an important point.

No, bash/curl nor Perl fails. The problem was between the keyboard and the chair, as allways.

After an "Oh shit" experience when I found out I had forgotten to define the scope for the token request it still did not work. After some (actually a lot) googling I found that I allso had to ad a resouce in the request. In the process learned about "jq" and came up with the following bash script:

#! /usr/bin/bash

token=`curl \
    -d grant_type=client_credentials \
    -d client_id=[client_id] \
    -d client_secret=[client_secret] \
    -d scope=https://graph.microsoft.com/.default \
    -d resource=https://graph.microsoft.com \
    https://login.microsoftonline.com/[tenant_id]/oauth2/token \
    | jq -j .access_token`

curl -X GET \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    https://graph.microsoft.com/v1.0/groups \
    | jq .
[download]

This does the job. Gets a token an uses that token to request a listing of groups.
Getting that I could use the curl2lwp site and came up with the following Perl script

#! /usr/bin/perl -W

use strict;
use Data::Dumper;
use JSON;
use Config::Simple;
use FindBin;
#use lib "$FindBin::Bin/../lib";
use LWP::UserAgent;

my %config;
Config::Simple->import_from("$FindBin::Bin/groups.cfg",\%config) or di
+e("No config: $!");

my $ua = LWP::UserAgent->new(
    'send_te' => '0',
);

sub login_app { #    {{{1
    my $url = "$config{'LOGIN_ENDPOINT'}/$config{'TENANT_ID'}/oauth2/t
+oken";
    my $r = HTTP::Request->new(
        'POST' => $url,
            [
                'Accept'        =>    '*/*',
                'User-Agent'    =>    'curl/7.55.1',
                'Content-Type'    =>    'application/x-www-form-urlenc
+oded'
            ],
            "grant_type=client_credentials&client_id=$config{'APP_ID'}
+&client_secret=$config{'APP_PASS'}&scope=$config{'GRAPH_ENDPOINT'}/.d
+efault&resource=$config{'GRAPH_ENDPOINT'}"
    );

    my $result = $ua->request($r);

    if ($result->is_success){
        return decode_json($result->decoded_content)
    }else{
        print Dumper $result;
        die $result->status_line;
    }
    
}#    }}}

sub fetch { #    {{{1
    my $token = shift;
    my $url = shift;
    my $r  = HTTP::Request->new(
        'GET' => $url,
            [
                'Accept'        => '*/*',
                'Authorization' => "Bearer $token",
                'User-Agent'    => 'curl/7.55.1',
                'Content-Type'  => 'application/json'
            ],
    );    
    my $result = $ua->request($r);
    if ($result->is_success){
        return decode_json($result->decoded_content)
    }else{
        print Dumper $result;
        die $result->status_line;
    }
    
}#    }}}

my $token_request = login_app();
print Dumper $token_request;

if ($$token_request{'access_token'}){
    my $url = "$config{'GRAPH_ENDPOINT'}/v1.0/groups";
    my $groups = fetch($$token_request{'access_token'}, $url);
    print Dumper $groups;
}
[download]

I think the data line in the request is kinda ugly. There is problably a better/neater way of doing that. But I'm satisfied for now

Thanks all for the help, appreciate it a lot!

$$token_request{'access_token'}

I write that as $token_request->{'access_token'}