This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 12%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESY%3C/text%3E%3C/svg%3E)
We have developed a web application using Azure AD authentication. It works perfectly in browser and provides REST APIs that return JSON data.
In Excel (Version 2401 Build 16.0.17231.20236), under the Tab "Data", click "From Web" and input a web URL (which is working in browser) and click OK:
Then there is a pop up window "Access Web content", where a few options are available for signing into the web application. I choose "Organizational account" and click the "Sign in" button, I get the message "You're currently signed in":
Then I click the "connect" button, I get an error message "We couldn't authenticate with the credentials provided. Please try again":
I have already added power query for excel (a672d62c-fc7b-4e81-a576-e60dc46e951d) as authorized client applications in App Registration in Azure:
I checked the log file in the server and found the following error messages:
Graph service exception Error code: InvalidAuthenticationToken
Error message: Access token validation failure. Invalid audience.
From the documentation here (https://learn.microsoft.com/en-us/power-query/connector-authentication), it reads "When you select Sign-in in Step 2 above, Power Query sends a request to the provided URL endpoint with an authorization header with an empty bearer token. The service is then expected to respond with a 401 response with a WWW-Authenticate header indicating the Microsoft Entra ID authorization URI to use. This response should include the tenant to sign into, or /common/ if the resource isn’t associated with a specific tenant. Power Query can then initiate the OAuth flow against the authorization_uri. Power Query requests a Microsoft Entra ID Resource or Audience value equal to the domain of the URL being requested. This value would be the value you use for your Azure Application ID URL value in your API/service registration."
As you can see here, the sign in step was completed successfully. The next step, where power query initiate the OAuth flow against the authorization_uri, should be executed automatically and implicitly, if I understand correctly. But I got the above error. It seams that power query for excel got an access token with a wrong audience value from the authorization_uri (https://login.microsoftonline.com/{tenant_id}/oauth2/authorize).
I have tried https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&response_type=code&redirect_uri={redirect_uri}&response_mode=query&resource={resource_id}&state={state} and still got the same error.
How to get the right audience then? Any help would be greatly appreciated. Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 2%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
Hi Shiping, I'm trying to connect from power bi/excel with power query to my APIs, however I keep getting stuck with:
invalid_resource: AADSTS500011: The resource principal named http://localhost:5000 was not found in the tenant named XXXXXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: cdf03909-9f20-4343-9434-f4a8aa6e6d00 Correlation ID: aeee1537-5f8c-49ad-a126-41ee14909c59 Timestamp: 2024-09-16 09:13:15Z.
I see that you're also using the localhost, may I ask you how you set up the app in azure? does the authentication happen at code level or at azure level?
The issue was caused by using MS Graph to verify the access token getting from the authorization_uri. It is solved now. Thanks anyway.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 15%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Can you elaborate how did you change? if not using MS graph to verify, what did you use?
As Power Query initiate the OAuth flow against the authorization_uri, we cannot use MS Graph to verify it (invalid audience) and it is not necessary to do so.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Thanks for reaching out.
Did you tried to decode the access token using jwt.ms? What are the values you are getting there in scope and audience?
It seems scopes you are passing is not correct. It should be Application ID URI along with scope name. As per screenshot you have passed localhost URL in place of Application ID URI which is not able to identify your API.
Thanks,
Shweta