
Invalid Client ID generated through Azure Portal

Anonymous
2023-07-06T03:06:01.61+00:00

Hi Team,

We created an app registration using the Azure portal and got a client ID for that app. We used that client ID throughout our application services, but our services are failing in some places.

After tracing, we found that the client ID we were using is invalid.

Is there any chance of an invalid client ID being created from the Azure portal?

Please find below the steps we used for validating the client ID, from which we concluded that it is invalid. If this can happen, kindly let us know what preventive steps need to be taken after creating any app registration from the Azure portal.

I have not seen in the Azure documentation that, after creating an Azure app, we need to validate its client ID before using it. If this needs to be done, let us know where to refer for the steps to follow.

======================================

Details of the error response with the initially created app registration for the Stage environment:
Microsoft endpoint used for validating: https://login.microsoftonline.com/ccccccccccccccccccccccccc/oauth2/v2.0/token
client_id: ccccccccccccccccccc529e1e475f1
client_secret : nnnnnnnnnnnnnnnnnnnnnnnn
scope: api://ccccccccccccccccccc529e1e475f1/Roles.Read offline_access
grant_type: password
Response type: Bad Request
Response status code: 400
Response:
{
    "error": "invalid_client",
    "error_description": "AADSTS65005: The application 'ccccccccccccccccccc529e1e475f1' asked for scope 'Roles.Read' that doesn't exist.\r\nTrace ID: 44155b40-cd65-4da5-beaa-6dd695610b00\r\nCorrelation ID: 83924fd9-7d03-41ad-832e-2138c33577f3\r\nTimestamp: 2023-07-05 17:15:48Z",
    "error_codes": [
        65005
    ],
    "timestamp": "2023-07-05 17:15:48Z",
    "trace_id": "44155b40-cd65-4da5-beaa-6dd695610b00",
    "correlation_id": "83924fd9-7d03-41ad-832e-2138c33577f3"
}

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer
  1. Harpreet Singh Matharoo 8,421 Reputation points Microsoft Employee Moderator
    2023-07-06T10:16:25.45+00:00

    Hello @Anonymous,

    I reviewed the error, which is as below:

    error_description: "AADSTS65005: The application 'ccccccccccccccccccc529e1e475f1' asked for scope 'Roles.Read' that doesn't exist."
    Trace ID: 44155b40-cd65-4da5-beaa-6dd695610b00
    Correlation ID: 83924fd9-7d03-41ad-832e-2138c33577f3
    Timestamp: 2023-07-05 17:15:48Z
    

    There are no issues with the client ID generated on the Azure AD app. The error focuses on the scope that the specific app is requesting. As the error says, the 'Roles.Read' scope is not listed on your app registration. To get rid of this issue, you can try the following steps:

    • Go to the app registration blade in Azure AD and find the corresponding app registration whose App ID is mentioned in the error.
    • Once you find the app, go to its API permissions section and check whether the 'Roles.Read' permission is listed there.
    • If the permission is not present, select the "Add a permission" option, then select "Microsoft Graph API" or "Your own API" that has the scope 'Roles.Read', and add it.

    Once the permissions are added successfully to your app registration, give it a try; it should work, as the scopes mentioned in the request should now be available.

    A similar error has been discussed on the following two Q&A posts:

    I hope this helps to resolve your query. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

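A worked check of the request and response quoted in the question, added here as an example that is not part of the question or of the answer above. It parses the token endpoint error body and maps the AADSTS code in error_description to the request parameter that actually failed: the top-level "error": "invalid_client" is coarser than the AADSTS code, and AADSTS65005 names the application in its message, so the application (client) ID was resolved and the problem is the scope. The block also assembles the v2.0 token request so the scope string for a custom API (api://<app id>/Roles.Read) is built in one place, and it rejects a client_id that is not a GUID before any network call, which is the only cheap local "validation" a client ID admits. The tenant name, GUID and secret used below are placeholders, and the AADSTS-to-parameter table is this example's own, based on Microsoft's published error descriptions. The grant_type=password (ROPC) flow is used only because it is what the question used; Microsoft documents ROPC as not recommended, and a confidential client should normally use client_credentials or authorization_code instead.

```python
"""Triage a Microsoft identity platform (v2.0) token-endpoint error.

Added example, not from the original post. Offline: it parses the error
body quoted in the question instead of calling login.microsoftonline.com.
"""
import json
import re
import urllib.parse
import uuid
from typing import Optional

# Constructed sample: the response body from the question, with the
# identifiers left exactly as the poster masked them.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": (
        "AADSTS65005: The application 'ccccccccccccccccccc529e1e475f1' "
        "asked for scope 'Roles.Read' that doesn't exist.\r\n"
        "Trace ID: 44155b40-cd65-4da5-beaa-6dd695610b00\r\n"
        "Correlation ID: 83924fd9-7d03-41ad-832e-2138c33577f3\r\n"
        "Timestamp: 2023-07-05 17:15:48Z"
    ),
    "error_codes": [65005],
    "timestamp": "2023-07-05 17:15:48Z",
    "trace_id": "44155b40-cd65-4da5-beaa-6dd695610b00",
    "correlation_id": "83924fd9-7d03-41ad-832e-2138c33577f3",
})

# Which request parameter each AADSTS code points at. This table is the
# example's own summary of Microsoft's published error descriptions.
AADSTS_HINTS = {
    65005: ("scope", "requested scope is not exposed by the resource app or "
                     "not granted to the client; the client_id itself resolved"),
    65001: ("scope", "user or admin consent for the requested scope is missing"),
    700016: ("client_id", "application not found in this tenant: wrong tenant "
                          "in the URL or wrong application (client) ID"),
    7000215: ("client_secret", "secret is invalid or expired; client_id resolved"),
    50126: ("credentials", "username or password rejected (ROPC grant)"),
}


def is_guid(value: str) -> bool:
    """True only for a canonical hyphenated GUID, the shape every client_id has."""
    try:
        return str(uuid.UUID(value)).lower() == value.lower()
    except ValueError:
        return False


def aadsts_code(error_description: str) -> Optional[int]:
    """Extract the numeric AADSTS code that leads every error_description."""
    m = re.match(r"AADSTS(\d+):", error_description)
    return int(m.group(1)) if m else None


def diagnose(body: str) -> dict:
    """Classify a token-endpoint error body by its AADSTS code, not by 'error'."""
    err = json.loads(body)
    code = aadsts_code(err.get("error_description", ""))
    if code is None and err.get("error_codes"):
        code = int(err["error_codes"][0])
    component, hint = AADSTS_HINTS.get(
        code, ("unknown", "code not in this table; look it up by AADSTS number"))
    return {
        "error": err.get("error"),
        "aadsts": code,
        "component": component,
        "hint": hint,
        # Quote the correlation ID, never the secret, when raising a support case.
        "correlation_id": err.get("correlation_id"),
    }


def api_scope(api_app_id: str, scope_name: str) -> str:
    """Fully qualified scope for a custom API whose app ID URI is api://<app id>."""
    return f"api://{api_app_id}/{scope_name}"


def build_token_request(tenant: str, client_id: str, client_secret: str,
                        scopes: list, grant_type: str, **extra) -> tuple:
    """Return (url, form dict) for a v2.0 token request; rejects a malformed client_id."""
    if not is_guid(client_id):
        raise ValueError(f"client_id is not a GUID: {client_id!r}")
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {"client_id": client_id, "client_secret": client_secret,
            "scope": " ".join(scopes), "grant_type": grant_type, **extra}
    return url, form


if __name__ == "__main__":
    # Placeholder tenant, app ID and secret (assumptions, not real values).
    app = "d1f2c3b4-5a6b-4c7d-8e9f-0a1b2c3d4e5f"
    url, form = build_token_request(
        "contoso.onmicrosoft.com", app, "<secret>",
        [api_scope(app, "Roles.Read"), "offline_access"], "password",
        username="user@contoso.onmicrosoft.com", password="<password>")
    print(url, urllib.parse.urlencode(form), sep="\n")
    print(json.dumps(diagnose(SAMPLE_ERROR_BODY), indent=2))
```

The function to read first is diagnose: for the body in the question it reports component "scope", which is exactly the answer's point. If the client ID were genuinely wrong you would instead see AADSTS700016 (application not found in the tenant named in the URL), and a bad secret gives AADSTS7000215; the "error" field alone does not separate these cases.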
