Creating custom app with OAuth2 Client Credentials flow

Andreas Häber 20 Reputation points
2025-03-18T11:47:19.03+00:00

We want to set up user provisioning with Entra ID with SCIM using OAuth2 for authentication. Due to the "Secure Future Initiative" it is currently not possible for us to get any new app added to the Entra ID app gallery (https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/v2-howto-app-gallery-listing).

At https://feedback.azure.com/d365community/idea/10a3a9e4-5803-ed11-a81b-6045bd8606d4 there is a request for adding support for OAuth2 to non-gallery applications too. 2 years ago it was answered by Microsoft that the work was in development.

I believe that based on that development a feature flag exists to be able to setup OAuth2 flows in custom apps - https://portal.azure.com/?feature.userProvisioningV2Authentication=true .

Currently, when creating a custom app with that flag in the portal, it is possible to select OAuth2 client credentials flow for authentication and supply the necessary details (client secret, client id, token endpoint, etc).

User's image

Unfortunately, when clicking "Test connection" it fails and we can see that it uses the Microsoft Entra bearer token instead (see https://learn.microsoft.com/en-us/entra/identity/app-provisioning/use-scim-to-provision-users-and-groups#handling-endpoint-authentication).

An error message is displayed, but Q&A restricts me from posting it in text form.

User's image

Most interesting in there is that the WWW-Authenticate header shows that the issuer is invalid and has the same format as the Microsoft Entra bearer token:

WWW-Authenticate: Bearer error="invalid_token", error_description="The issuer 'https://sts.windows.net/wwwwww-xxxx-yyyy-xxxx-zzzzzz/' is invalid"

Using browser dev tools we can see that the Azure Portal sends the parameters after clicking "Test connection":

User's image

Therefore, it appears to be an error in how the access token is obtained using those parameters, or that those parameters are ignored.

Would appreciate any help on how we can use OAuth2 when setting up user provisioning for non-gallery apps.

Best regards,

Andreas Häber

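To make the symptom in the question concrete, here is an added example (not code from Microsoft, the Azure Portal, or the question author) of the check a SCIM endpoint typically performs on an incoming bearer token: it reads the `iss` claim, rejects any issuer it was not configured to trust with the same `WWW-Authenticate` challenge shape shown above, and only then verifies the signature. The issuer URLs, the shared HS256 key and the minted tokens are constructed for the demo; a real endpoint would fetch the issuer's signing keys rather than use a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo. EXPECTED_ISSUER stands for the issuer behind
# the custom token endpoint configured in the portal; ENTRA_ISSUER mirrors the
# placeholder tenant issuer from the question's error message (not a real tenant).
EXPECTED_ISSUER = "https://idp.example.test/oauth2"
ENTRA_ISSUER = "https://sts.windows.net/wwwwww-xxxx-yyyy-xxxx-zzzzzz/"
DEMO_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _challenge(error: str, description: str) -> str:
    """Build an RFC 6750 style WWW-Authenticate value."""
    return f'Bearer error="{error}", error_description="{description}"'


def make_token(issuer: str, key: bytes = DEMO_KEY) -> str:
    """Mint a minimal HS256 JWT carrying the given issuer (demo helper, not an IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "aud": "scim"}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_bearer(authorization: str, expected_issuer: str = EXPECTED_ISSUER,
                 key: bytes = DEMO_KEY):
    """Validate an Authorization header the way a SCIM endpoint would.

    Returns (http_status, www_authenticate_value_or_None).
    """
    if not authorization.startswith("Bearer "):
        return 401, _challenge("invalid_request", "Missing bearer token")
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, _challenge("invalid_token", "Malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return 401, _challenge("invalid_token", "Malformed token")

    # Only accept the algorithm this endpoint was configured for (no 'alg' confusion).
    if header.get("alg") != "HS256":
        return 401, _challenge("invalid_token", "Unsupported signing algorithm")

    # The issuer decides which keys apply, so an unknown issuer is rejected before
    # any signature check. This is the branch an Entra-issued token hits when the
    # endpoint expects tokens from the custom OAuth2 token endpoint instead.
    iss = claims.get("iss")
    if iss != expected_issuer:
        return 401, _challenge("invalid_token", f"The issuer '{iss}' is invalid")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return 401, _challenge("invalid_token", "Signature verification failed")
    return 200, None


if __name__ == "__main__":
    for issuer in (EXPECTED_ISSUER, ENTRA_ISSUER):
        status, www_auth = check_bearer("Bearer " + make_token(issuer))
        print(status, www_auth)
```

Running the block shows the two outcomes side by side: a token from the configured issuer is accepted, while a token whose `iss` is the Entra tenant issuer produces exactly the `The issuer '...' is invalid` challenge quoted in the question, which is the fingerprint of the provisioning service presenting its own Entra token instead of one obtained from the supplied client credentials.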

Answer accepted by question author
  1. Gudivada Adi Navya Sri 21,075 Reputation points Moderator
    2025-03-21T03:56:48.0033333+00:00

    Hi @Andreas Häber

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    The issue you're experiencing seems to be related to how the OAuth2 flow is being handled during the user provisioning setup for your custom application in Microsoft Entra ID. Although you've enabled the feature flag (feature.userProvisioningV2Authentication=true) to allow the OAuth2 client credentials flow, when you attempt to "Test Connection," it fails and uses the Microsoft Entra bearer token instead of the OAuth2 token as expected.

    Solution:

    Issue resolved by @Andreas Häber

    User's image

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information. Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
