Attempts to get a token from Azure B2C With multi Tenant App Registration are failing with AADSTS7000229

Dave Barrett 0 Reputation points
2025-04-16T12:01:09.06+00:00

Background:
We have a system with hundreds of app registrations for client applications which need to authenticate and get a token in order to access our API.

We are using the client credentials flow.

In the last few days clients have started reporting that they are unable to retrieve a token and we are getting AADSTS7000229 returned when we try using their credentials.

I have tracked the problem down to the token URL that we are using, all of our documentation refers to
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
This is the URL that is shown in the "endpoints" page in B2C and the one that our clients have been using for 3 years.

However it seems to have stopped working and we have to use

https://login.microsoftonline.com/0bdad8b5-fe48-4ccd-b807-e6b2662a6d0c/oauth2/token

Instead. It's a subtle difference, but that /v2/ in the URL seems to cause the AADSTS7000229 error.

Nothing has changed our side as far as I can tell with regard to how we create the app registrations - they are all done via GraphAPI and that code hasn't changed in over a year.

What's the fix? I don't want to have to tell 1k customers to update the token URL in their code without first understanding what is going on.

EDIT:

I have identified 2 app registrations created on the same day around 1 hour apart.
Using the URL https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token one can get a token, the other can't.

I have compared the registrations side by side in Azure and diffed their manifests and everything is identical (other than the things you would expect to be different such as the IDs and Secrets).


2 answers

  1. Dave Barrett 0 Reputation points
    2025-04-16T16:38:38.3966667+00:00

    Found the issue.

    We have not been creating a service principal when creating the app registrations.

    I have updated the script now and have scripted a retrospective fix for the other affected applications.

    Still don't understand why some app registrations worked and some didn't (both using the /v2.0 endpoint)... But it seems to work.


  2. Navya 18,830 Reputation points Microsoft External Staff Moderator
    2025-04-18T18:23:49.31+00:00

    Hi @Dave Barrett

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    Experiencing issues with client applications failing to retrieve tokens using the v2.0 endpoint (/oauth2/v2.0/token), resulting in the AADSTS7000229 error, while the legacy v1.0 endpoint (/oauth2/token) still works. This seems inconsistent across app registrations, even when their configurations are identical, suggesting a potential backend change or issue in Microsoft Entra ID (Azure AD B2C) affecting the client credentials flow.

    Solution:

    Issue resolved by @Dave Barrett


    Still don't understand why some app registrations worked and some didn't (both using the /v2.0 endpoint)... But it seems to work.

    When configuring an identity provider for sign-up and sign-in in Azure Active Directory B2C (Azure AD B2C) applications, you must use the correct Azure AD B2C endpoints. Applications and APIs should no longer reference login.microsoftonline.com for user authentication with Azure AD B2C.

    Some customers leverage Microsoft Entra enterprise tenant capabilities, such as acquiring access tokens to call Microsoft Graph APIs for the B2C tenant.

    This change does not impact endpoints that do not include a policy parameter in the URL. These endpoints are exclusively accessed via login.microsoftonline.com and are not compatible with b2clogin.com or custom domains. For example, the following is a valid Microsoft identity platform token endpoint:

    https://login.microsoftonline.com/<tenant-name>.onmicrosoft.com/oauth2/v2.0/token

    For more information, refer to this document: redirect URLs to b2clogin.com for Azure Active Directory B2C

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

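The two answers above describe the same situation from two sides: app registrations created through Graph without a matching service principal, and a client-credentials call against the v2.0 token endpoint that then fails with AADSTS7000229. The following Python is an added example written for this thread, not code from the question author or from Microsoft. It audits a constructed snapshot of Graph `GET /applications` and `GET /servicePrincipals` results for registrations that have no service principal, builds the `POST /servicePrincipals` body that would create one, builds the v2.0 client-credentials request so the `scope` versus `resource` difference is visible, and pulls the numeric AADSTS codes out of a constructed token-endpoint error response. All tenant ids, app ids, secrets and names are placeholders, and nothing here talks to the network.

```python
"""Added example (not from the Q&A thread): triage helpers for the
AADSTS7000229 symptom described above.

Assumptions (all constructed, not real tenant data):
  * APPLICATIONS and SERVICE_PRINCIPALS mimic the 'value' arrays returned by
    Microsoft Graph GET /applications and GET /servicePrincipals.
  * Tenant id, app ids and the client secret are placeholders.
"""
from urllib.parse import urlencode

# Constructed sample of what a Graph query over a tenant might return.
APPLICATIONS = [
    {"displayName": "client-alpha", "appId": "11111111-1111-1111-1111-111111111111"},
    {"displayName": "client-beta",  "appId": "22222222-2222-2222-2222-222222222222"},
    {"displayName": "client-gamma", "appId": "33333333-3333-3333-3333-333333333333"},
]
# Only one of the three registrations has an enterprise-app object.
SERVICE_PRINCIPALS = [
    {"displayName": "client-alpha", "appId": "11111111-1111-1111-1111-111111111111"},
]

# Constructed token-endpoint error body in the shape Entra returns.
SAMPLE_ERROR_RESPONSE = {
    "error": "unauthorized_client",
    "error_description": "AADSTS7000229: (constructed placeholder description)",
    "error_codes": [7000229],
}


def find_apps_without_service_principal(applications, service_principals):
    """Return app registrations that have no service principal in the tenant.

    A registration that exists only as an /applications object has no
    enterprise-app identity, which is the condition the question author found.
    """
    sp_app_ids = {sp["appId"] for sp in service_principals}
    return [app for app in applications if app["appId"] not in sp_app_ids]


def service_principal_create_body(app_id):
    """Request body for POST https://graph.microsoft.com/v1.0/servicePrincipals."""
    return {"appId": app_id}


def client_credentials_request(tenant_id, client_id, client_secret, scope):
    """Build the v2.0 client-credentials token request.

    Returns (url, form_body). The v2.0 endpoint takes a 'scope' of the form
    api://<app-id-uri>/.default; the v1.0 /oauth2/token endpoint takes
    'resource' instead, which is the difference the question turns on.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def aadsts_codes(error_response):
    """Extract AADSTS codes from a token-endpoint error JSON document."""
    return [f"AADSTS{code}" for code in error_response.get("error_codes", [])]


if __name__ == "__main__":
    for app in find_apps_without_service_principal(APPLICATIONS, SERVICE_PRINCIPALS):
        print(f"{app['displayName']}: missing service principal; would POST",
              service_principal_create_body(app["appId"]))
    url, body = client_credentials_request(
        "00000000-0000-0000-0000-000000000000",   # placeholder tenant id
        "22222222-2222-2222-2222-222222222222",   # placeholder client id
        "placeholder-secret",
        "api://placeholder-api/.default",
    )
    print(url)
    print(body)
    print(aadsts_codes(SAMPLE_ERROR_RESPONSE))
```

Run as a script it lists the two registrations that would fail, the Graph body that repairs each, the v2.0 request it would send, and the `["AADSTS7000229"]` code list parsed from the sample error. Diffing manifests, as the author did, will not surface the gap because the service principal is a separate directory object; comparing `/applications` against `/servicePrincipals` by `appId` does.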
