Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
Microsoft Graph Application AddPassword
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 91%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAF%3C/text%3E%3C/svg%3E)
Adrian Fiat
1
Reputation point
Hello,
I am trying to automate the creation of some Applications in a B2C tenant. I am using Microsoft.Graph.Beta and Azure.Identity libraries.
First I create an automation application and using AddPassword() method, I create a new ClientSecret for that application.
After application is created i am trying to create a new GraphServiceClient using ClientSecretCredential like this:
new GraphServiceClient(
new ClientSecretCredential(
tenantId,
automationAppId,
clientSecret));
When trying to use the newly created GraphServiceClient I always get this error:
MsalServiceException: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '0fa12801-f3c7-4a65-91d1-969ae65060dd'.
If I add this line of code "await System.Threading.Tasks.Task.Delay(20000)" before creating the GraphServiceClient, all is working.
Why is this happening? The client secret is correctly returned by the call.
Thank you.
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2022-02-03T23:40:34.677+00:00 Hmmmm very weird... I'm going to investigate this but I'm curious if it has to do with token validation somewhere? When you initially call it the token is invalid, but after you wait the token validates? Maybe wait until any tokens you're passing are valid before calling the API?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 27%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDO%3C/text%3E%3C/svg%3E)
Danstan Onyango 3,996 Reputation points Microsoft Employee2022-02-04T07:23:12.247+00:00 This can be related to replication within AAD as AAD has an internal distributed architecture. When you create new resources, it takes some short window for the resources to be replicated to all AAD nodes even though you get the resource created and returned in the request. This means the subsequent requests that depend on the new resource like the secret can potentially hit a node that does not have the update yet. You may have to implement some kind of retry to handle this. I will share resources that I can find if this is the case for you.
-
Adrian Fiat 1 Reputation point
2022-02-04T07:24:36.663+00:00 Trying to get the token using following code:
var credential = new ClientSecretCredential(
tenantConfiguration.TenantId,
automationAppId,
clientSecret);
var token = credential.GetToken(new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));
is throwing the same exception. -
Adrian Fiat 1 Reputation point
2022-02-04T09:45:55.693+00:00 I am not using any replication in the AAD B2C tenant when creating it(if this replication is done automatically by Azure ... I do not know).
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 53%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Tia 0 Reputation points2023-05-25T08:42:18.55+00:00 As a result of my testing, the same error occurs when issuing a token with an actual deleted key. (AADSTS7000215) I actually solved it by waiting a few seconds and then generating a token. It's a pity that Azure doesn't have a guide. In the case of GCP, it may take more than 60 seconds. (https://cloud.google.com/iam/docs/keys-create-delete)
Sign in to comment
Sign in to answer