Issue when trying to receive an Azure auth token for usage in Microsoft Graph

Chris T 71 Reputation points
2022-01-04T14:30:57.343+00:00

When making a POST request with the following details:

URL:
https://login.microsoftonline.com/{my tenant id}/oauth2/v2.0/token

Headers:
Content-Type: application/x-www-form-urlencoded
Content-Length: XXX
Host: login.microsoftonline.com

Body (x-www-form-urlencoded):
username: my Azure admin email address
password: {my_password}
grant_type: password
scope: api://xxxxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxxx/.default
client_id: {my_app_id}
response_type: token
client_secret: {my_app_secret}
tenant: {my_azure_tenant}

I'm receiving the Response:

{
"error": "invalid_grant",
"error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the {azure_tenant} directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 23e024ac-9edf-44c6-b697-1892d5300900\r\nCorrelation ID: fd944f28-fce6-4ea2-9a80-1e96f15e26c5\r\nTimestamp: 2022-01-04 14:07:09Z",
"error_codes": [
50034
],
"timestamp": "2022-01-04 14:07:09Z",
"trace_id": "23e024ac-9edf-44c6-b697-1892d5300900",
"correlation_id": "fd944f28-fce6-4ea2-9a80-1e96f15e26c5",
"error_uri": "https://login.microsoftonline.com/error?code=50034"
}

However, upon trying to query the API for my UPN, by using:
https://graph.microsoft.com/beta/users?$select=userPrincipalName,onPremisesSamAccountName

I am getting the same email address as the UPN.

Therefore, I cannot proceed to making a proper request for receiving an auth token.

This auth token needs to be generated for usage in the Graph Explorer and in Postman, for modeling the API requests for our application.

Perhaps the issue is that we don't yet have a verified domain in Azure. However, is this absolutely necessary in order to generate this auth token, so that we can use it to make app requests without requiring user login to our app?
What steps do we need to follow, in order to resolve this?

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,646 Reputation points
    2022-01-04T16:24:06.183+00:00

    Hello @Chris T ,

    Thanks for reaching out.

    This is an expected behavior as I could see that you had used a personal account (outlook.com) to get a token from Azure AD, which is not a supported scenario for the Resource Owner Password Credentials (ROPC) flow. Therefore, you need to use a native account that was created in the Azure AD tenant instead of a guest account. Hope this helps.


    Refer to Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials to learn more.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


4 additional answers

  1. Chris T 71 Reputation points
    2022-01-05T17:10:42.63+00:00

    UPDATE:

    When trying to add the scopes as exact parameters, eg
    scope=openid%20profile%20email%20User.Read%20User.ReadWrite%20offline_access%20OnlineMeetings.Read%20OnlineMeetings.ReadWrite%20OnlineMeetingArtifact.Read.All%20Calendars.ReadWrite

    I receive the error:

    AADSTS1002012: The provided value for scope openid%20profile%20email%20User.Read%20User.ReadWrite%20offline_access%20OnlineMeetings.Read%20OnlineMeetings.ReadWrite%20OnlineMeetingArtifact.Read.All%20Calendars.ReadWrite is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).\r\nTrace ID: 7160453b-6d76-4d4b-b7c1-58b23159ee01\r\nCorrelation ID: aa430782-b9c7-4904-a307-50f0924f0d69\r\nTimestamp: 2022-01-05 16:50:36Z

    It seems that the end-point will either accept one of:
    scope=api://b1b282f0-1c1e-46c6-b8f1-bf5aafc8c592/.default [the app having pre-configured scopes and granted by the Admin]
    OR
    scope=https://graph.microsoft.com/.default

    The problem with the 1st was that it did not return any scopes to the Bearer token, even though I have set up the required Application and Delegated permissions for the API.
    whereas the 2nd works ok, but only if it is sent NON-URLencoded (so far, I was sending it URL-encoded).

    Thus, the problem has been now solved (by using "https://graph.microsoft.com/.default" in non-URLencoded format), so you can close or ignore this Support Request.

    Thank you all for your support.

    Will check for other issues on the work-flow.


  2. Chris T 71 Reputation points
    2022-01-04T18:41:58.813+00:00

    Thank you for your prompt reply. We will investigate this; however, we are more inclined to use a more standard user login approach for the API.

    So, could you please also help us with the following:

    For the more standard flow of getting a Bearer token for a user who has signed in in our application, in case we need to use this Bearer token to perform actions on behalf of this user, we have used the Steps and procedure in this Documentation:
    https://learn.microsoft.com/en-us/graph/auth-v2-user
    and we successfully receive a Bearer token.

    However, this token is no good for any Graph action, producing (example when trying to create an Online Meeting):

    {
    "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Invalid x5t claim.",
    "innerError": {
    "date": "2022-01-04T18:07:21",
    "request-id": "925a85dd-d2a7-42fc-a38e-90560605b04c",
    "client-request-id": "925a85dd-d2a7-42fc-a38e-90560605b04c"
    }
    }
    }
    Not sure if this is an app setup issue (scopes / permissions) or it is again because this specific user is not a Microsoft work / school account.


  3. Chris T 71 Reputation points
    2022-01-05T11:15:33.687+00:00

    Thanks.

    I have gone ahead and configured the scopes correctly.
    Signed in a new user to the app per these scopes:

    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={my_app_id}&response_type=code&redirect_uri={my_redirect_uri}&response_mode=query&scope=openid%20profile%20email%20User.Read%20User.ReadWrite%20offline_access%20OnlineMeetings.Read%20OnlineMeetings.ReadWrite%20OnlineMeetingArtifact.Read.All%20Calendars.ReadWrite&state=someCustomInfo

    OnlineMeetingArtifact.Read.All cannot be added as delegated, as it is only on Graph / App level.

    Again, according to the Documentation on
    https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http
    https://learn.microsoft.com/en-us/graph/api/onlinemeeting-get?view=graph-rest-1.0&tabs=http
    https://learn.microsoft.com/en-us/graph/api/onlinemeeting-delete?view=graph-rest-1.0&tabs=http

    These should be all the scopes I require to make it work.
    These scopes are of course set up on the application, as delegated, and on the "API expose".

    Then, after getting the "code" on the callback, I used
    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
    to get the user's Bearer token
    The scope in this request is defined as
    api://{app_id}/.default
    Not sure if this is the issue.

    And finally I made the same API request to create an online Meeting, using this Bearer token, and still getting the same error.
    The error with the id of the request is:

    {
    "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Invalid x5t claim.",
    "innerError": {
    "date": "2022-01-05T11:11:21",
    "request-id": "003465d9-eba7-4478-990c-5d74d43c8365",
    "client-request-id": "003465d9-eba7-4478-990c-5d74d43c8365"
    }
    }
    }

    Also, the API Documentation mentions that a user needs to have a "Microsoft work or school account" in order to create a Meeting:
    https://learn.microsoft.com/en-us/azure/marketplace/company-work-accounts
    Not sure if this is the problem here, or the fact that I have used "api://{app_id}/.default" in the "scope" when getting the Bearer token, or something else.


  4. Chris T 71 Reputation points
    2022-01-05T14:20:40.1+00:00

    Finally, as a last resort, we have also tried the simpler CGF (Credential Grant Flow), which could also be an option for us for our integration:
    https://learn.microsoft.com/en-us/graph/auth-v2-service

    in order to use this Bearer token to create an Online Meeting.

    Again, I have made sure that all the necessary scopes / permissions are set up on Graph level and on App level, that Administrative Consent has been provided from the Azure Portal, and that, additionally, the User settings and the Enterprise application user settings are OK, and that the relevant permissions have been set under "Permission Classifications". I suppose that I'm missing something here in the setup, perhaps.

    However, even this request fails. Following is the failed result of that flow, including the request Id:

    {
    "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Invalid x5t claim.",
    "innerError": {
    "date": "2022-01-05T13:57:19",
    "request-id": "0cf35783-5e46-4ddb-a11d-3fad27747bd8",
    "client-request-id": "0cf35783-5e46-4ddb-a11d-3fad27747bd8"
    }
    }
    }

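The two recurring problems in this thread are (a) the scope value being form-encoded twice before it reaches the token endpoint, which is what the "works only if sent NON-URLencoded" observation in the update answer describes, and (b) Graph rejecting tokens that were minted for a different audience (the `api://{app_id}/.default` scope yields a token whose `aud` is the app's own API URI, not Graph). The following is an added example, not code from the original thread or from Microsoft: it builds a correctly encoded client-credentials request and inspects an access token's `aud`, `scp` and `roles` claims before the token is sent to Graph. The tenant and app identifiers are placeholders, and the JWTs in the demo are constructed, unsigned tokens for offline illustration only; the claim inspection deliberately skips signature verification and must not be used for any authorization decision.

```python
"""Added example (not from the original thread): build a Microsoft identity
platform v2.0 client-credentials request for Microsoft Graph and sanity-check
the returned access token's claims before calling Graph with it."""
import base64
import json
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app id
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_client_credentials_request(tenant, client_id, client_secret, resource=GRAPH_RESOURCE):
    """Return (url, form_body) for the v2.0 client_credentials grant.

    The scope is given as plain text and urlencode() applies the single round
    of application/x-www-form-urlencoded encoding the endpoint expects. If the
    scope is pre-encoded by hand and the HTTP client encodes it again, the
    server receives a literal '%2F' and rejects the scope as invalid.
    """
    scope = resource if resource.endswith("/.default") else resource.rstrip("/") + "/.default"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,   # prefer a certificate credential in production
        "grant_type": "client_credentials",
        "scope": scope,
    })
    return TOKEN_ENDPOINT.format(tenant=tenant), body


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWS/JWT WITHOUT verifying the
    signature. Inspection only: never trust these claims for access control."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def graph_token_problems(claims):
    """List reasons a token will be refused by Graph; an empty list means the
    audience and permission claims look usable."""
    problems = []
    aud = claims.get("aud")
    if aud not in (GRAPH_RESOURCE, GRAPH_APP_ID):
        problems.append(f"aud is {aud!r}, not Microsoft Graph: token was minted for another resource")
    if "scp" not in claims and "roles" not in claims:
        problems.append("neither scp (delegated) nor roles (application) claim present: nothing is permitted")
    return problems


def make_constructed_jwt(payload):
    """Build an UNSIGNED, constructed JWT for offline demonstration. This is not
    a real token and would never be accepted by Graph."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(json.dumps(header).encode())}.{_b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    url, body = build_client_credentials_request("contoso.onmicrosoft.com", "my-app-id", "my-app-secret")
    print(url)
    print(body)
    # Constructed tokens: one minted for Graph, one minted for the app's own API URI.
    for sample in (
        {"aud": GRAPH_RESOURCE, "roles": ["OnlineMeetings.ReadWrite.All"]},
        {"aud": "api://b1b282f0-1c1e-46c6-b8f1-bf5aafc8c592", "scp": "access_as_user"},
    ):
        print(sample["aud"], "->", graph_token_problems(decode_jwt_claims(make_constructed_jwt(sample))) or "ok")
```

A real response from the token endpoint is JSON with an `access_token` field; pass that string to `decode_jwt_claims` and, if `graph_token_problems` returns anything, fix the `scope` in the request rather than retrying against Graph. Tokens obtained with `api://{app_id}/.default` are correct for calling the app's own API, but only tokens whose `aud` is Graph will be accepted by `graph.microsoft.com`.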
