Hi,
I'm trying to authenticate to an Azure AD app with delegated permissions on both the Graph API (openid) and Dynamics 365 (user_impersonation). I get the following error when I try to authenticate:
error=invalid_client
error_description=AADSTS650053%3a+The+application+%27PPUnitSandboxCDS%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+ee3bc53b-eb26-4972-a676-927649223c00%0d%0aCorrelation+ID%3a+c7aded2d-656e-43a0-81af-14844308ee92%0d%0aTimestamp%3a+2020-05-03+17%3a34%3a07Z&state=a89d884e30204443b2f32f08ae002826
Is there anything that is wrong in the authentication configuration? (I used the config from here: https://go.microsoft.com/fwlink/?linkid=2107230)
Or something in the Azure AD config?
I also tried getting it to work with the same app registration in power automate with the HTTP action and there it works.
Hope someone can help me 🙂
Cheers,
Daniel
Hi
Here are a few things I would double check to make this flow work.
https://graph.microsoft.com/User.Read https://admin.services.crm.dynamics.com/user_impersonation.
By including resource URI details in the scope, you should be able to consent for multiple resources at a time on the consent screen.
After passing through consent, you may see a bad request, and I believe it can happen when we are trying to fetch a token for different resources at a time. AAD might not issue an access token for multiple resources at a time.
But it should work with a connection having a list of scopes related to a single resource, either Graph or Dynamics.
For example, you can give it a try by only including Graph resource-specific scopes like "https://graph.microsoft.com/User.Read https://graph.microsoft.com/openid", which should work.
Or you can give it a try by only including a scope like "https://admin.services.crm.dynamics.com/user_impersonation", and you should be able to fetch a token.
If above statement is true, then you need to create respective connection for each resource and use them in your authoring content. This way every connection is limited to a resource and a single token will not have permissions to all resources.
But since we have a limitation with PVA which is only allowing one connection for a bot, you may not be able to achieve it until PVA enables multiple connections which should be done in future releases.
Thanks
HimanathD
@Anonymous ,
Try to remove the Scope "user_impersonation" from the Scopes field and try again. I inserted this parameter inside my chatbot and I got the error.
---
If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.
Thanks!
Renato Romão
https://www.linkedin.com/in/renatoromao/
Hi @Anonymous ,
Did you create your App Registration using the Multi-tenant?
And inside the Scopes field, you need to replace the comma with a space, like "openid user_...".
And to finish, I recommend that you allow one more permission inside your App Registration, called "User.Read.All".
---
If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.
Thanks!
Renato Romão
https://www.linkedin.com/in/renatoromao/
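The two points made in the replies above (HimanathD's advice that each connection should carry scopes for a single resource, and Renato's note that scopes are space-separated, not comma-separated) can be checked mechanically before a connection is saved. The following is an added example, not code from the thread or from Power Virtual Agents. It normalises a Scopes field, groups the scopes by the resource their URI prefix names, treats a bare scope such as `user_impersonation` as a request against Microsoft Graph (which is exactly what produced the AADSTS650053 error in the question, since the resource ID `00000003-0000-0000-c000-000000000000` in that error is Graph), and decodes the URL-encoded `error_description` from the question into its parts. The resource-grouping rule and the default-to-Graph rule are assumptions about how the v2 endpoint interprets a scope list, not something the thread states explicitly.

```python
"""Added example (not from the thread): scope hygiene for an Azure AD v2
authorization request, plus a decoder for an AADSTS error_description."""
import re
from urllib.parse import unquote_plus

# Microsoft Graph application ID, as it appears in the error in the question.
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_RESOURCE_URI = "https://graph.microsoft.com"

# OpenID Connect scopes are not tied to a resource and may accompany any resource's scopes.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

# The encoded error_description copied from the question (page value, not constructed).
SAMPLE_ERROR_DESCRIPTION = (
    "AADSTS650053%3a+The+application+%27PPUnitSandboxCDS%27+asked+for+scope+"
    "%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+"
    "%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor."
    "%0d%0aTrace+ID%3a+ee3bc53b-eb26-4972-a676-927649223c00"
    "%0d%0aCorrelation+ID%3a+c7aded2d-656e-43a0-81af-14844308ee92"
    "%0d%0aTimestamp%3a+2020-05-03+17%3a34%3a07Z"
)


def normalize_scopes(scope_field: str) -> list:
    """Accept a comma- or space-separated Scopes field and return a clean list.
    The v2 endpoint expects space separation; commas are tolerated here only so
    that a mistyped field is still analysed rather than rejected outright."""
    return [s for s in re.split(r"[\s,]+", scope_field.strip()) if s]


def resource_of(scope: str) -> str:
    """Resource URI a scope belongs to (assumption: the part before the last '/').
    A bare scope without a resource prefix is treated as a Graph scope, which is
    why a bare 'user_impersonation' is rejected with AADSTS650053: Graph has no
    such scope."""
    if "://" in scope:
        return scope.rsplit("/", 1)[0]
    return GRAPH_RESOURCE_URI


def group_by_resource(scope_field: str) -> dict:
    """Map each resource URI to the non-OIDC scopes requested against it."""
    groups = {}
    for scope in normalize_scopes(scope_field):
        if scope in OIDC_SCOPES:
            continue
        groups.setdefault(resource_of(scope), []).append(scope)
    return groups


def spans_multiple_resources(scope_field: str) -> bool:
    """True when one token request would need to cover more than one resource,
    the situation the replies above say a single connection cannot serve."""
    return len(group_by_resource(scope_field)) > 1


def connection_scope_strings(scope_field: str) -> dict:
    """One space-separated Scopes value per resource, each keeping the OIDC
    scopes, i.e. one connection per resource as recommended above."""
    oidc = [s for s in normalize_scopes(scope_field) if s in OIDC_SCOPES]
    return {
        resource: " ".join(oidc + scopes)
        for resource, scopes in group_by_resource(scope_field).items()
    }


def parse_aadsts_error(error_description: str) -> dict:
    """Decode a URL-encoded error_description and pull out the fields an
    operator needs when triaging: the AADSTS code, the offending scope, the
    resource it was requested against and the Trace ID for a support case."""
    text = unquote_plus(error_description)
    lines = text.replace("\r\n", "\n").split("\n")

    def grab(pattern: str) -> str:
        match = re.search(pattern, text)
        return match.group(1) if match else ""

    return {
        "code": grab(r"^(AADSTS\d+)"),
        "message": lines[0],
        "scope": grab(r"asked for scope '([^']+)'"),
        "resource_id": grab(r"on the resource '([^']+)'"),
        "resource_is_graph": grab(r"on the resource '([^']+)'") == GRAPH_RESOURCE_ID,
        "trace_id": grab(r"Trace ID: (\S+)"),
        "correlation_id": grab(r"Correlation ID: (\S+)"),
    }


if __name__ == "__main__":
    field = "openid https://graph.microsoft.com/User.Read https://admin.services.crm.dynamics.com/user_impersonation"
    print("spans multiple resources:", spans_multiple_resources(field))
    for resource, scopes in connection_scope_strings(field).items():
        print(f"connection for {resource}: {scopes}")
    print(parse_aadsts_error(SAMPLE_ERROR_DESCRIPTION))
```

Running the block on the question's own configuration shows why it failed: `group_by_resource("openid user_impersonation")` yields a single Graph group containing `user_impersonation`, matching the error's complaint that the scope does not exist on resource `00000003-0000-0000-c000-000000000000`, while the fully-qualified pair of scopes from HimanathD's reply is split into two connections.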