Error when using Oauth flow with msads.manage scope (Bing Ads)

Question

The issue seems to be similar to https://learn.microsoft.com/en-us/answers/questions/409464/bing-ads-api-error-code-650052-1.html

We created an azure app as per https://learn.microsoft.com/en-us/advertising/guides/authentication-oauth-register?view=bingads-13

But when we initiate the OAuth dialog for the user, we get following back:

"AADSTS650052: The app needs access to a service ('https://ads.microsoft.com') that your organization 'c12f2bf2-....' has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.  
Trace ID: eeed7e17-d24c-48fd-bfae-db8297522400  
Correlation ID: 9fb30520-cca4-4894-987e-59bf6934e5e9  
Timestamp: 2021-08-26 16:01:19Z"  

Here's the sample code that produces above:

    private static oauthUrl = 'https://login.microsoftonline.com/c12f2bf2-.../oauth2/v2.0/authorize';  
  
    getOauthRequestUrl(envUrl: string): string {  
        const params: string = new HttpParams()  
            .append('redirect_uri', `http://localhost:4200/oauth-redirect`)  
            .append('client_id', 'c97f5f4f-....')  
            .append('response_type', 'code')  
            .append('response_mode', 'query')  
            .append('prompt', 'consent')  
            .append('scope', 'https://ads.microsoft.com/msads.manage')  
            .toString();  
        return `${MicrosoftOauthStrategy.oauthUrl}?${params}`;  
    }  

The error is the same if we use "common" fragment instead of tenant id in the url.

Also, we made sure that redirect_uri is in our azure application.

I should note that on the "Api Permissions page" on Azure, we have no option to choose "msads.manage" permission.

If I go "+ Add Permission",

• I can't see Microsoft Advertisiing api in the list of "Commonly used Microsoft APIs";
• I also don't see it on "API my organisation uses" page.

So I am not sure how my organisation can really subscribe to this Api?
And is this likely to cause the mentioned issue?

Thanks

Answer 1

As the error message suggests, the Bing Ads API (identified by "https://ads.microsoft.com") has not been provisioned in your organization's directory.

Different Microsoft services/APIs get provisioned for different reasons (e.g. Microsoft Graph API is always provisioned, but Azure APIs are provisioned when you first sign up for Azure or enable a specific Azure service). In the case of the Bing Ads API, it gets provisioned when you sign up for a Microsoft Advertising account using your Azure AD (work or school) account.

So, what you can do is go to https://ads.microsoft.com > "Sign up now". As soon as you complete the first step ("Create Account"), you'll notice that in the Azure portal, under Azure AD > Enterprise apps > All applications, a new service is listed: "Microsoft Advertising API service" (you may need to change the "Application type" filter to "Microsoft Applications", or "All applications"). You'll also find that it's now listed under Azure AD > App registrations > (app) > API permissions > Add a permission > APIs my organization uses. Most importantly, you'll find that you no longer get the error message above when attempting to sign in to an app which is requesting access to that service.

Note: Unrelated to your question, I notice you're using prompt=consent in your authorization request. There are very few scenarios where this is actually necessary, and yours doesn't seem to be one of them. If you want to force the account selection page, use prompt=select_account, but otherwise, just omit the prompt parameter entirely. Since you're explicitly stating that you require the msads.manage permission for the Bing Ads API (by including scope=https://ads.microsoft.com/msads.manage), the Microsoft Identity platform will automatically prompt the user for consent if necessary (and if the user is allowed to grant consent).

Answer 2

For folks who are not able to see the "Microsoft Advertising API Service" in 'APIs my organization uses' - here is a catch which we figure out after trying for a few days. 

"Microsoft Advertising API Service" gets added automatically on signing for a Microsoft Advertising account (https://ads.microsoft.com/). 

Your Azure account will be under a directory xxx.onmicrosoft.com. You will need a work account user eg: user1@xxx.onmicrosoft.com and will need to signup for Microsoft Advertising account using that user. This will ensure that your Azure direction gets the "Microsoft Advertising API Service" 

Then you can continue adding "Microsoft Advertising API Service" to your App Registration

In Azure, go to App Registrations:
- Select your app
- Click on API Permissions from the menu option
- Click Add a Permission
- Click Tab: APIs my organization uses
- Search for Microsoft Advertising API Service
- Select the App and the required msads.manage and ads.manage permissions

Answer 3

I also ran into the same problem that "Microsoft Advertising API Service" was not visible under Enterprise Applications / API Permissions. In addition to the steps from Akshay Surve it seems to be important that the account used for "Sign up now" on https://ads.microsoft.com/ has admin rights in the corresponding tenant like Global Admin. When trying with a standard AAD user, the registration is successful but no Enterprise App is provisioned.

Additional quick hint: When searching just for "Advertising" under your App registration > "API permissions" you won't get any results. Search value "Microsoft Advertising" will work 😉

Also, don't mix up private and work/school Microsoft accounts. An org in Microsoft Advertising might also be set up by a private Microsoft account, but with corporate mail domain...