Calling Actions from Copilot Studio
Unanswered

Authentication not working for Azure AD app with multiple resources

Posted on by

Hi,

I'm trying to authenticate to an Azure AD app with delegated permissions on both Graph API (openid) and Dynamics 365 (user_impersonation). I get the following error when I try to authenticate:

error=invalid_client
error_description=AADSTS650053%3a+The+application+%27PPUnitSandboxCDS%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+ee3bc53b-eb26-4972-a676-927649223c00%0d%0aCorrelation+ID%3a+c7aded2d-656e-43a0-81af-14844308ee92%0d%0aTimestamp%3a+2020-05-03+17%3a34%3a07Z&state=a89d884e30204443b2f32f08ae002826
Is there anything that is wrong in the authentication configuration? (I used the config from here: https://go.microsoft.com/fwlink/?linkid=2107230)

[screenshot: auth.png]

Or something in the Azure AD config?

[screenshot: permissions.png]

I also tried getting it to work with the same app registration in Power Automate with the HTTP action, and there it works.

Hope someone can help me 🙂

Cheers,

Daniel

  • AS133974 (6)
    Re: Authentication not working for Azure AD app with multiple resources

    Hi everyone

  • HimanathD
    Re: Authentication not working for Azure AD app with multiple resources

    Hi

    Here are a few things I would double check to make this flow work.

    1. When using multiple scopes in a connection, though the scopes delimiter is ",", please consider using a space for AAD in the Scopes field.
    2. Looking into the error description you provided, it looks like the user_impersonation scope is being considered for the Graph resource, which is not valid. If you look in the AAD application manifest you can find the resource appid and validate it against the error description.
    3. Also, if multiple scopes need to be in the connection, including the appid URI/resource URL like below might help to resolve the issue.

    https://graph.microsoft.com/User.Read https://admin.services.crm.dynamics.com/user_impersonation.

    By including resource URI details in the scope, you should be able to consent for multiple resources at a time on the consent screen.

    After passing through consent, you may see a bad request, and I believe it can happen when we are trying to fetch a token for different resources at a time. AAD might not issue an access token for multiple resources at a time.

    But it should work with either connection having a list of scopes related to a single resource, like either Graph or Dynamics.

    For example, you can give it a try by only including Graph resource specific scopes like "https://graph.microsoft.com/User.Read https://graph.microsoft.com/openid", which should work.

    Or you can give it a try by only including a scope like "https://admin.services.crm.dynamics.com/user_impersonation", and you should be able to fetch a token.

    If the above statement is true, then you need to create a respective connection for each resource and use them in your authoring content. This way every connection is limited to a resource, and a single token will not have permissions to all resources.

    But since we have a limitation with PVA, which only allows one connection for a bot, you may not be able to achieve it until PVA enables multiple connections, which should be done in future releases.

    Thanks

    HimanathD
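    The reply above makes three checks: decode the AADSTS error to see which resource the scope was resolved against, use spaces rather than commas, and split scopes so that each connection asks for a single resource. The script below is an added example written for this thread (it is not code from the original poster, from HimanathD, or from Power Virtual Agents): it decodes a constructed error string of the same shape as the one quoted in the question, groups a Scopes field by resource, and warns when a single token request would have to cover more than one resource. It assumes the v2.0 endpoint behaviour that a bare scope name (no resource prefix) is resolved against Microsoft Graph, whose well-known application id is the one quoted in the error; the app name and state value in the sample are made up.

```python
import re
from urllib.parse import parse_qs

# Well-known application id of Microsoft Graph; it is the resource id quoted in
# the AADSTS650053 error in the original post.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_RESOURCE = "https://graph.microsoft.com"

# OpenID Connect scopes are served by the identity platform itself, not by a
# particular API, so they can accompany any resource's scopes.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# Constructed sample of the URL-encoded error AAD appends to the redirect; same
# shape as the one in the question, but the app name and state are made up.
SAMPLE_ERROR = (
    "error=invalid_client"
    "&error_description=AADSTS650053%3a+The+application+%27ExampleApp%27+asked+for"
    "+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource"
    "+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor."
    "&state=constructed-state-value"
)


def parse_scopes_field(field):
    """Split a Scopes field on commas or whitespace; AAD itself expects spaces."""
    return [s for s in field.replace(",", " ").split() if s]


def resource_of(scope):
    """Return the resource a scope is resolved against (None for OIDC scopes).

    Fully qualified scopes ("https://host/scope", "api://app-id/scope") name their
    resource explicitly. A bare scope name is assumed to resolve against Microsoft
    Graph, which is how 'user_impersonation' ended up on the Graph resource.
    """
    if scope in OIDC_SCOPES:
        return None
    if "://" in scope:
        base, _, _ = scope.rpartition("/")
        return base
    return GRAPH_RESOURCE


def per_resource_scope_strings(field):
    """Group scopes by resource; return {resource: "space-delimited scopes"}.

    OIDC scopes are appended to every group so each connection still gets an
    id_token. Each value is what you would paste into a separate connection's
    Scopes field, since one access token only ever covers one resource.
    """
    groups, oidc = {}, []
    for s in parse_scopes_field(field):
        r = resource_of(s)
        (oidc if r is None else groups.setdefault(r, [])).append(s)
    return {r: " ".join(scopes + oidc) for r, scopes in groups.items()}


def diagnose_scopes(field):
    """Return human-readable warnings about a Scopes field before it reaches AAD."""
    warnings = []
    scopes = parse_scopes_field(field)
    if "," in field:
        warnings.append("comma delimiter found; AAD expects space-delimited scopes")
    for s in scopes:
        if resource_of(s) == GRAPH_RESOURCE and "://" not in s:
            warnings.append(f"bare scope '{s}' will be resolved against Microsoft Graph")
    if len(per_resource_scope_strings(field)) > 1:
        warnings.append("scopes span more than one resource; a single token cannot "
                        "cover them, use one connection per resource")
    return warnings


def explain_aad_error(encoded):
    """Decode an AADSTS650053 redirect error and name the offending scope/resource."""
    params = {k: v[0] for k, v in parse_qs(encoded).items()}
    desc = params.get("error_description", "")
    m = re.search(r"asked for scope '([^']+)' that doesn't exist on the resource '([^']+)'", desc)
    result = {"error": params.get("error"),
              "code": desc.split(":", 1)[0] if ":" in desc else None,
              "scope": None, "resource_id": None, "resource_name": None}
    if m:
        result["scope"], result["resource_id"] = m.group(1), m.group(2)
        if result["resource_id"] == GRAPH_APP_ID:
            result["resource_name"] = "Microsoft Graph"
    return result


if __name__ == "__main__":
    print(explain_aad_error(SAMPLE_ERROR))
    print(diagnose_scopes("openid,user_impersonation"))
    print(per_resource_scope_strings(
        "https://graph.microsoft.com/User.Read "
        "https://admin.services.crm.dynamics.com/user_impersonation openid"))
```

    Running it shows the two failure modes side by side: the original "openid, user_impersonation" field produces a comma warning and a bare-scope warning (user_impersonation lands on Graph, which is exactly what the decoded error says), while the fully qualified Graph plus Dynamics field parses cleanly but splits into two per-resource strings, one for each connection.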

  • renatoromao (6,762)
    Re: Authentication not working for Azure AD app with multiple resources

    Yes @Anonymous , but the idea is just to check if the issue persists.

    @ggupta / @Diganta, can you help him?

  • Re: Authentication not working for Azure AD app with multiple resources
    Why would I do that? Then I'm only requesting the openid scope. I want both scopes. That's the whole case...
  • renatoromao (6,762)
    Re: Authentication not working for Azure AD app with multiple resources

    @Anonymous ,

    Try removing the scope "user_impersonation" from the Scopes field and try again. I inserted this parameter inside my chatbot and I got the error.

    ---
    If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.

    Thanks!
    Renato Romão
    https://www.linkedin.com/in/renatoromao/

  • Re: Authentication not working for Azure AD app with multiple resources
    I did create the app registration as a multi-tenant app. I also tried the scopes with a space, but that gives the same error. The user.read.all permission doesn't make a difference either.
  • renatoromao (6,762)
    Re: Authentication not working for Azure AD app with multiple resources

    Hi @Anonymous ,

    Did you create your App Registration using the Multi-tenant option?

    And inside the Scopes field, you need to replace the comma with a space, like "openid user_...".

    And to finish, I recommend that you allow one more permission inside your App Registration, called "User.Read.All".
    Thanks!
    Renato Romão
    https://www.linkedin.com/in/renatoromao/
