Skip to main content

Notifications

Calling Actions from Copilot Studio
Unanswered

Authentication not working for Azure AD app with multiple resources

Posted on by

Hi,

 

I'm trying to authenticate to an Azure AD app with both delegated permissions on Graph API (openid) as on Dynamics 365 (user_impersonation). I get the following error when I try to authenticate: 

 

 

 

error=invalid_client
error_description=AADSTS650053%3a+The+application+%27PPUnitSandboxCDS%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+ee3bc53b-eb26-4972-a676-927649223c00%0d%0aCorrelation+ID%3a+c7aded2d-656e-43a0-81af-14844308ee92%0d%0aTimestamp%3a+2020-05-03+17%3a34%3a07Z&state=a89d884e30204443b2f32f08ae002826

 

 

 

Is there anything that is wrong in the authentication configuration? (I used the config from here: https://go.microsoft.com/fwlink/?linkid=2107230)

 

auth.png

Or something in the Azure AD config?

 

permissions.png

 

I also tried getting it to work with the same app registration in power automate with the HTTP action and there it works.

 

Hope someone can help me 🙂

 

Cheers,

Daniel

Categories:
  • AS133974 Profile Picture
    AS133974 6 on at
    Re: Authentication not working for Azure AD app with multiple resources

    everyone hi

     

  • HimanathD Profile Picture
    HimanathD on at
    Re: Authentication not working for Azure AD app with multiple resources

    Hi

     

    Here are  few things I would double check to make this flow work.

     

    1. when using multiple scopes in connection , though scopes delimiter is "," Please consider using space for AAD in scopes field.
    2. Looking in to the error description you provided, looks like user impersonation scope is being considered for graph resource which is not valid. If you look in AAD application manifest you can find the resource appid and validate it from the error description.
    3. Also if multiple scopes needs to be in connection including appid URI/resource URL like below might help to resolve the issue.

     

    https://graph.microsoft.com/User.Read https://admin.services.crm.dynamics.com/user_impersonation.

     

    By including resource URI  details in scope , you should be able to consent for multiple resources at a time on consent screen.

    After passing through consent, you may see bad request and I believe it can happen when we are trying fetch token for different resources at a time. AAD might not issue access token for multiple resources at a time.

     

    But it should work either connection having list of scopes related to single resource like either graph or dynamics.

    For example , You can give a try by only including graph resource specific scopes like "https://graph.microsoft.com/User.Read https://graph.microsoft.com/openid” which should work

    Or you can give a try by only including scope like "https://admin.services.crm.dynamics.com/user_impersonation" , and you should be able to fetch token.

     

    If above statement is true, then you need to create respective connection for each resource and use them in your authoring content. This way every connection is limited to a resource and a single token will not have permissions to all resources.

     

    But since we have a limitation with PVA which is only allowing one connection for a bot, you may not be able to achieve it until PVA enables multiple connections which should be done in future releases.

     

    Thanks

    HimanathD

  • renatoromao Profile Picture
    renatoromao 6,459 on at
    Re: Authentication not working for Azure AD app with multiple resources

    Yes @Anonymous , but the idea is just to check if the issue persists.

     

    @ggupta / @Diganta  can you help him?

  • Re: Authentication not working for Azure AD app with multiple resources
    Why would I do that? Then I'm only requesting the openid scope. I want both scopes. That's the whole case...
  • renatoromao Profile Picture
    renatoromao 6,459 on at
    Re: Authentication not working for Azure AD app with multiple resources

    @Anonymous ,

     

    Try to remove the Scope "user_impersonation" to the Scopes field and try again. I insert this parameter inside my chatbot and I got the error.

     

    ---
    If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.

    Thanks!
    Renato Romão
    https://www.linkedin.com/in/renatoromao/

  • Re: Authentication not working for Azure AD app with multiple resources
    I did create the app registration as a multi-tenant app. I also tried the scopes with space, but that gives the same error. The user.read.all permission doesn't make a difference as well.
  • renatoromao Profile Picture
    renatoromao 6,459 on at
    Re: Authentication not working for Azure AD app with multiple resources

    Hi @Anonymous ,

     

    Did you create your App Registration using the Multi-tenant?

    And inside the Scopes field, you need to replace the comma to space like "openid user_...".

    And to finish, I recommend that you allow more one permission inside your App Registration, that called "User.Read.All".

     

    ---
    If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.

    Thanks!
    Renato Romão
    https://www.linkedin.com/in/renatoromao/

Helpful resources

Quick Links

Exciting News for Copilot Studio Communi…

Get ready to experience a whole new level of engagement with the Copilot Studio…

Celebrating the May Super User of the…

LaurensM is an exceptional contributor to the Power Platform Community…

Check out the Copilot Studio Cookbook…

We are excited to announce our new Copilot Cookbook Gallery in the Community…

Leaderboard

#1
renatoromao Profile Picture

renatoromao 6,459

#2
Pstork1 Profile Picture

Pstork1 1,954

#3
Expiscornovus Profile Picture

Expiscornovus 1,667

Featured topics