We´re trying to get the token for Oauth using the official docs request:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id='my client id'
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&code='my auth code obtained in previous auth request'
&grant_type=authorization_code
&client_secret='my client secret'
But when we make the request it responds with this error:
AADSTS65001: The user or administrator has not consented to use the application with ID 'mya app id' named 'my app name'. Send an interactive authorization request for this user and resource"
Thing is, we already gave them this permissions on Azure portal AD and app registration even with the admin consent but still:
is there any permission missing there ?, any clue about this ?
I have tried in my environment and got the access token successfully.
Please check whether you followed the same steps as below:
1) Go to Azure portal -> Azure AD -> App registrations -> Your app -> Authentication -> check the below options -> Save.
2) To resolve the error, make sure to grant below Api permissions along with permissions you have given:
3) To get the token, I used postman by giving parameters like below:
4) I successfully got the token like below:
After every change, try refreshing your Azure Portal and Postman.
For more in detail, please refer below links:
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs
azure - AADSTS65001: The user or administrator has not consented to use the application with ID ' - Stack Overflow
Related
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I'm building a CLI app for provisioning Azure resources. Previously I was using the authorization code flow with the resource set to https://management.azure.com/. Now, I would like to switch to using the RFC 8628 device authorization grant type (Azure documentation). I can successfully login with scopes like openid profile. However, when I use a scope like https://management.azure.com I get an error:
{
"error": "invalid_scope",
"error_description": "AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope openid https://management.azure.com/ is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>.\r\n[..]",
"error_codes": [70011],
}
I'm sending a POST request with a body like client_id=<client-id>&scope=openid+https%3A%2F%2Fgraph.microsoft.com%2F.default to https://login.microsoftonline.com/<tenant>/oauth2/v2.0/devicecode. With these scopes, I can login just fine, but any subsequent requests to Azure resource management APIs (for example, to DELETE a resource group) will fail with 401 Unauthorized.
If you want to use the device code flow to access the azure resources, please follow the steps as below.
1.Navigate to your AD App in the Azure Active Directory in the portal -> API permissions -> Add a permission -> select Azure Service Management API -> select the user_impersonation.
2.Navigate to the subscription in the portal -> Access control (IAM), make sure your user account used to login has a role e.g. Contributor in the subscription. If not, please add the user as a role in the subscription, follow this doc.
3.In the postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/devicecode
Request Body:
client_id=<client-id>
scope=https://management.azure.com/user_impersonation
In the browser, navigate to the https://microsoft.com/devicelogin, input the code and login your user account, the app will let you consent the permission, click the Accept.
4.After login successfully, in the postman, use the request below.
Request URL:
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Request Body:
grant_type: urn:ietf:params:oauth:grant-type:device_code
client_id: <client-id>
device_code: <device_code in the screenshot of step 3>
5.Use the access_token in step 4 to call Azure REST API, e.g. Resource Groups - List, it works fine.
For more details, you could refer to - Microsoft identity platform and the OAuth 2.0 device authorization grant flow.
Besides, to consent the permission successfully in step 3, make sure the setting below( Azure AD -> Enterprise applications -> User settings -> Users can consent to apps accessing company data on their behalf) in your tenant is set to Yes, otherwise, you need to let your admin click the Grant admin consent for xxxx button in step 1.
We following the v2 of the OAuth2 of Microsoft Code grant flow as documented in the following,
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
After we created an application in App Register under Microsoft Azure, and try to get the code from the following url
https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=profile%20openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=skip_get_token2&prompt=consent
Then we got the following error
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'c4app2019'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 46424a2f-a3a2-45da-8902-888f5ca61c00\r\nCorrelation ID: 49d0a6ad-e158-4bc9-97b8-a6391c6470bb\r\nTimestamp: 2019-12-11 07:51:31Z","error_codes":[65001],"timestamp":"2019-12-11 07:51:31Z","trace_id":"46424a2f-a3a2-45da-8902-888f5ca61c00","correlation_id":"49d0a6ad-e158-4bc9-97b8-a6391c6470bb","suberror":"consent_required"}
Any idea what permission we need to grant to our application?
I can not reproduce your issue on my side. Here are my steps for your reference.
1.Create an application with User.Read and profile permissions.
2.Since the permissions I added don't need admin consent, so I can consent by the first time I login.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=59437d85-46f8-409c-8211-b3db91a8b0e5
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345
3.Get the token by using the code I got from step2
To locate your issue, please provide the screenshot like step2(App registrations->your application->API permissions). And the value of scope you used to get code/token.
In case it's helpful to anyone, I was running into the same problem using the magical AzureServiceTokenProvider class from the Microsoft.Azure.Services.AppAuthentication.1.3.1 package. Very simple code
var tokenProvider = new AzureServiceTokenProvider();
string token = tokenProvider.GetAccessTokenAsync("https://mytenant.onmicrosoft.com/8a0bec0f-x-x-x-x").GetAwaiter().GetResult(); // Application ID URI
My error message was
AADSTS65001: The user or administrator has not consented to use the application with ID 'd7813711-9094-4ad3-a062-cac3ec74ebe8'. Send an interactive authorization request for this user and resource.
I couldn't find this d7813711 guid anywhere in my Azure AD. After looking into how this class works in a decompiler, it turns out when you don't specify an app ID, the class defaults to this guid. Maybe this guid is valid across tenants in Azure? To fix the issue so you can get a token for your app, simply add this as an authorized client application.
[Additional test 1]
Step 1:
I have create another app the use less API permission, which has the same issue
Step 2:
Get code by the following url
https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=15bf7752-....-c51cd145174c&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=https://graph.microsoft.com/User.Read&state=skip_get_token2
and got
Step 3:
It seems working
It seems that the scope in Microsoft document for getting code and token is not correct or need some additional permission.
We also had this issue. We have updated our graph client to a newer version. We have done the following steps:
Revoke all admin consent
Remove all permissions
Add removed permissions back
Grant admin consent
I hope this will help someone with troubleshooting.
I had a similar problem, following this video step by step on how to set up your App Registration in AAD and test it with Postman solved my problem (I was missing some details in the configuration), I hope this help
I completely followed this link https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth and created a Azure AD app registration and used Azure Active Directory v1 for my web app bot.
After sign in, I view the token but with that token I cannot access the Azure API's, as it shows below response in Postman:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
I called the Azure API below:
https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Consumption/usageDetailsapi-version=2018-10-01
In my app registration in Azure AD, I have given these permission to access the Azure API:
In my Web App Bot -> Settings -> OAuth Connection Settings, I select:
ClientId -> My application client id
ClinetSecret -> My application client secret
GrantType -> I does not know what to give so I just typed "authorization_code" (If this wrong then Where I need to find my grantType)
LoginURL -> https://login.microsoftonline.com
TenantId -> common (To allow any user)
ResourceURL -> https://graph.microsoft.com/
Scopes -> I just left blank
Why am I not able to access the Azure API with that token?
Any Help. Thanks
An access token issued by Azure AD will always be for a specific resource. Which service a token is intended for is identified in the token's "audience" (in the aud claim). When using the v1 endpoint, the resource for which an app requests an access token is identified in the resource parameter of the authorization request. In the v2 endpoint, the resource is identified as part of the scope parameter.
In your case, the resource you've configured your bot to get a token for is Microsoft Graph (https://graph.microsoft.com), but then you're trying to use the resulting token to call the Azure Management API. The first thing the Azure Management API does is check if the access token it received is actually intended for it. If the audience does not match, it will immediately respond with an error.
Instead of trying to get a token for Microsoft Graph, you need to configure your bot to get a token for the Azure Management API. You should use https://management.azure.com, which is the resource URI for the Azure Management API, instead of https://graph.microsoft.com which is the resource URI for Microsoft Graph.
I want to make multi-tenant application on https://apps.dev.microsoft.com.
This work fine with single tenant but
My process for making multi-tenant app ----
LogIn with Other Tenant and appear consent window and got code successfully which code I passed for getting token
Token successfully generated:
Call graph API for office 365
But error genrate --
"We do not recognize this tenant ID 21f3be0a-xx-4b7f-ab05-xxxxx6. Please double-check the tenant ID and try again.
]2
When access data for office 365 report why this tenant id not recognized error raised?
Need to edit in manifest ?
My App on https://apps.dev.microsoft.com. Have Three 3 Microsoft Graph Permissions
Delegated Permissions - user.read , Reports.Read.All (Admin Only)
You can check whether a tenant is valid or invalid using the Well Known OpenId Configuration endpoint:
https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration
Doing this for your tenant id gives this result:
https://login.microsoftonline.com/21f3be0a-713c-4b7f-ab75-3cc5ca25846/.well-known/openid-configuration
error: "invalid_tenant"
error_description: "AADSTS90002: Tenant
21f3be0a-713c-4b7f-ab75-3cc5ca25846 not found. This may happen if
there are no active subscriptions for the tenant. Check with your
subscription administrator.\r\nTrace ID:
bdd561b1-bc36-44ce-b3ab-33e53fda0100\r\nCorrelation ID:
c6ce0c0d-6550-4f5f-a398-a82f085e28c1\r\nTimestamp: 2017-11-01
17:38:31Z"
So simply stated, the tenant id that you are using is not valid for the AAD Worldwide endpoint.
Is it possible you are getting a token for a different instance of AAD? Can you share the contents of your Access Token (removing any sensitive details)?
I did some mistakes thats why this Error raised then need not do anything becoz this Portal app by default Multitenant and send request to common platform ..
Login with other tenant get code
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=XXXXX-XXX
&response_type=code
&redirect_uri=http://localhost:49876
&response_mode=query
&scope=Reports.Read.All
&prompt=consent
&state=12345
then get token
https://login.microsoftonline.com/common/oauth2/token
client_id =XXX
scope =
code= which you get
grant_type=
client_secret=
after get token use for Graph API & get office365 data for -https://graph.microsoft.com/beta/reports/getMailboxUsageMailboxCounts(period='D7')