
Authentication not working for Azure AD app with multiple resources


Hi,

 

I'm trying to authenticate to an Azure AD app with delegated permissions on both Graph API (openid) and Dynamics 365 (user_impersonation). I get the following error when I try to authenticate:

 

 

 

error=invalid_client
error_description=AADSTS650053%3a+The+application+%27PPUnitSandboxCDS%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+ee3bc53b-eb26-4972-a676-927649223c00%0d%0aCorrelation+ID%3a+c7aded2d-656e-43a0-81af-14844308ee92%0d%0aTimestamp%3a+2020-05-03+17%3a34%3a07Z&state=a89d884e30204443b2f32f08ae002826

 

 

 

Is there anything that is wrong in the authentication configuration? (I used the config from here: https://go.microsoft.com/fwlink/?linkid=2107230)

 

auth.png

Or something in the Azure AD config?

 

permissions.png

 

I also tried getting it to work with the same app registration in Power Automate with the HTTP action, and there it works.

 

Hope someone can help me 🙂

 

Cheers,

Daniel

  • CU22081450-0 Profile Picture
    Most Valuable Professional on at

    Hi @Anonymous ,

     

    Did you create your App Registration using the Multi-tenant?

    And inside the Scopes field, you need to replace the comma with a space, like "openid user_...".

    And to finish, I recommend that you allow one more permission inside your App Registration, called "User.Read.All".

     

    ---
    If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.

    Thanks!
    Renato Romão
    https://www.linkedin.com/in/renatoromao/

  • Community Power Platform Member Profile Picture
    on at
    I did create the app registration as a multi-tenant app. I also tried the scopes with a space, but that gives the same error. The User.Read.All permission doesn't make a difference either.
  • CU22081450-0 Profile Picture
    Most Valuable Professional on at

    @Anonymous ,

     

    Try to remove the scope "user_impersonation" from the Scopes field and try again. I inserted this parameter inside my chatbot and I got the error.

     


    Thanks!
    Renato Romão
    https://www.linkedin.com/in/renatoromao/

  • Community Power Platform Member Profile Picture
    on at
    Why would I do that? Then I'm only requesting the openid scope. I want both scopes. That's the whole case...
  • CU22081450-0 Profile Picture
    Most Valuable Professional on at

    Yes @Anonymous , but the idea is just to check if the issue persists.

     

    @ggupta / @Diganta  can you help him?

  • HimanathD Profile Picture
    on at

    Hi

     

    Here are a few things I would double check to make this flow work.

     

    1. When using multiple scopes in the connection, although the scopes delimiter is ",", please consider using a space for AAD in the Scopes field.
    2. Looking into the error description you provided, it looks like the user impersonation scope is being considered for the Graph resource, which is not valid. If you look in the AAD application manifest, you can find the resource appid and validate it against the error description.
    3. Also, if multiple scopes need to be in the connection, including the appid URI/resource URL like below might help to resolve the issue.

     

    https://graph.microsoft.com/User.Read https://admin.services.crm.dynamics.com/user_impersonation.

     

    By including resource URI details in the scope, you should be able to consent for multiple resources at a time on the consent screen.

    After passing through consent, you may see a bad request, and I believe it can happen when we are trying to fetch a token for different resources at a time. AAD might not issue an access token for multiple resources at a time.

     

    But it should work with a connection having a list of scopes related to a single resource, like either Graph or Dynamics.

    For example, you can try including only Graph resource specific scopes like "https://graph.microsoft.com/User.Read https://graph.microsoft.com/openid", which should work.

    Or you can try including only a scope like "https://admin.services.crm.dynamics.com/user_impersonation", and you should be able to fetch a token.

     

    If the above statement is true, then you need to create a respective connection for each resource and use them in your authoring content. This way every connection is limited to a resource and a single token will not have permissions to all resources.

     

    But since we have a limitation with PVA, which only allows one connection for a bot, you may not be able to achieve it until PVA enables multiple connections, which should be done in future releases.

     

    Thanks

    HimanathD
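
The scope-to-resource reasoning in the reply above, as an added example that is not part of the thread or of any Microsoft code: it decodes the posted AADSTS650053 redirect parameters and checks a Scopes field for the single-resource-per-token constraint. The function names are hypothetical, the sample error is the one from the question with the trailing text and trace IDs trimmed, and resolving bare scope names against Microsoft Graph is an assumption that matches the resource ID in that error.

```python
import re
from urllib.parse import parse_qs

# Error parameters as posted in the question, joined with "&" (trace/correlation IDs trimmed).
SAMPLE_ERROR = (
    "error=invalid_client&error_description=AADSTS650053%3a+The+application+"
    "%27PPUnitSandboxCDS%27+asked+for+scope+%27user_impersonation%27+that+"
    "doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27."
)
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId
GRAPH_URI = "https://graph.microsoft.com"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}  # not tied to one resource


def parse_aad_error(query: str) -> dict:
    """Decode the redirect's error parameters and pull out code, scope and resource."""
    desc = parse_qs(query).get("error_description", [""])[0]
    m = re.search(r"(AADSTS\d+).*?scope '([^']+)'.*?resource '([^']+)'", desc, re.S)
    if not m:
        return {"code": None, "scope": None, "resource": None, "resource_is_graph": False}
    code, scope, resource = m.groups()
    return {"code": code, "scope": scope, "resource": resource,
            "resource_is_graph": resource == GRAPH_APP_ID}


def group_scopes(scope_field: str) -> dict:
    """Map each requested scope to the resource it will be resolved against."""
    groups: dict = {}
    for scope in re.split(r"[,\s]+", scope_field.strip()):
        if not scope or scope.lower() in OIDC_SCOPES:
            continue
        if "://" in scope:                  # fully qualified: <resource URI>/<scope name>
            resource, name = scope.rsplit("/", 1)
        else:                               # bare name: assumed to resolve against Graph
            resource, name = GRAPH_URI, scope
        groups.setdefault(resource, []).append(name)
    return groups


def audit(scope_field: str) -> list:
    """Return findings for a Scopes field before it goes into the bot's auth settings."""
    groups, findings = group_scopes(scope_field), []
    if "user_impersonation" in groups.get(GRAPH_URI, []):
        findings.append("user_impersonation resolves to Microsoft Graph, where it does not exist")
    if len(groups) > 1:
        findings.append("scopes span %d resources; request one resource per token" % len(groups))
    return findings
```
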

  • AS133974 Profile Picture
    6 on at

    everyone hi

     
