Help needed to Bypass MFA for App-Only authentication with Project Online (CSOM): Encountering 'User Not Found in Active Directory or Project DB' Error

Question

Issue

We are attempting to access Project Online data in Project Permission mode using app-only authentication, specifically to bypass MFA for programmatic access, as we aim for continuous, automated access without any user-interaction. We are using CSOM, using Microsoft.ProjectServer.Client.ProjectContext in .NET 4.8 to connect to Project Online. Despite following several documented approaches with client certificates, client secrets, and OAuth configurations, we keep encountering errors like 401 Unauthorized and User not found in Active Directory or in project db. Below is a summary of our steps. Despite multiple attempts, we consistently receive errors blocking access. We have followed recommended documentation for client credentials, certificates, and permissions but still face access issues.

Technology

• Project Online
• CSOM in .NET 4.8
• Microsoft.ProjectServer.Client.ProjectContext
• Azure AD (Entra ID)

Solutions Attempted

• Client Certificate Authentication:
  • Configuration: Registered an app in Azure AD (Entra) with a client certificate and set permissions including Sites.FullControl.All. NOTE: we could not select Project permissions (Project.Read, etc.) in the Application Permissions screen, only within the delegated permissions screen.
  • Token Acquisition: We acquired an access token using az account get-access-token --resource=https://

Answer 1

It seems you're facing challenges with app-only authentication for Project Online, particularly in bypassing MFA and accessing Project-specific data. Here are some insights based on your questions:

1. App-Only Authentication in Project Online: Project Online does not natively support app-only authentication in Project Permission mode. The permissions required for Project Online (like Project.Read or Project.ReadWrite) are typically granted through delegated permissions, which necessitate user context and may not bypass MFA.
2. Success with App-Only Credentials: There are limited documented cases of successfully applying app-only credentials for Project Online access, especially in Project Permission mode. Most implementations require user interaction or delegated permissions, which complicates automation without MFA.
3. Alternative Permission Configurations:
   • Ensure that the app registration in Azure AD has the correct permissions set. While you mentioned using Sites.FullControl.All, Project-specific permissions are often not available for app-only scenarios.
   • Review Azure AD settings and conditional access policies that might restrict app access. Sometimes, policies may inadvertently block app-only access.
   • Consider using the Microsoft Graph API for broader access, but note that it may not cover Project-specific data as you've discovered.

For your specific implementation, it may be beneficial to explore other authentication flows or configurations that align with your automation goals while adhering to the security requirements of Project Online.

---

References:

• Error occurs when accessing Project Web App
• Troubleshooting server-based authentication
• Office 365 SharePoint Assessment Prerequisites and Configuration - Unified
• Granting access via Azure AD App-Only
• Troubleshoot common issues with Microsoft Entra B2B collaboration

Answer 2

Project Online is currently not supported in the Q&A forum.

Please start a new discussion via the Project Community so that you can get dedicated support on this issue.

Thank you for your understanding.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.