Authentication not working for Azure AD app with multiple resources

Hi,

 

I'm trying to authenticate to an Azure AD app with delegated permissions on both Graph API (openid) and Dynamics 365 (user_impersonation). I get the following error when I try to authenticate:

 

 

 

error=invalid_client
error_description=AADSTS650053%3a+The+application+%27PPUnitSandboxCDS%27+asked+for+scope+%27user_impersonation%27+that+doesn%27t+exist+on+the+resource+%2700000003-0000-0000-c000-000000000000%27.+Contact+the+app+vendor.%0d%0aTrace+ID%3a+ee3bc53b-eb26-4972-a676-927649223c00%0d%0aCorrelation+ID%3a+c7aded2d-656e-43a0-81af-14844308ee92%0d%0aTimestamp%3a+2020-05-03+17%3a34%3a07Z&state=a89d884e30204443b2f32f08ae002826

 

 

 

Is there anything that is wrong in the authentication configuration? (I used the config from here: https://go.microsoft.com/fwlink/?linkid=2107230)

 

auth.png

Or something in the Azure AD config?

 

permissions.png

 

I also tried getting it to work with the same app registration in Power Automate with the HTTP action, and there it works.

 

Hope someone can help me 🙂

 

Cheers,

Daniel







Did I answer your question? Mark my post as a solution!


Proud to be a Flownaut!







Re: Authentication not working for Azure AD app with multiple resources

Hi @Laskewitz ,

 

Did you create your App Registration using the Multi-tenant?

And inside the Scopes field, you need to replace the comma with a space, like "openid user_...".

And to finish, I recommend that you allow one more permission inside your App Registration, called "User.Read.All".

 

---
If you like this reply, please give kudos. And if this solves your problem, please accept this reply as the solution.

Thanks!
Renato Romão
https://www.linkedin.com/in/renatoromao/


Did I answer your question? Mark my post as a solution!
Thanks!

Renato Romão,

Power Virtual Agents Course: https://udemy.com/pva-beginners

Re: Authentication not working for Azure AD app with multiple resources

I did create the app registration as a multi-tenant app. I also tried the scopes with a space, but that gives the same error. The User.Read.All permission doesn't make a difference either.







Re: Authentication not working for Azure AD app with multiple resources

@Laskewitz ,

 

Try to remove the scope "user_impersonation" from the Scopes field and try again. I inserted this parameter inside my chatbot and I got the error.

 


Thanks!
Renato Romão

Re: Authentication not working for Azure AD app with multiple resources

Why would I do that? Then I'm only requesting the openid scope. I want both scopes. That's the whole case...







Re: Authentication not working for Azure AD app with multiple resources

Yes @Laskewitz , but the idea is just to check if the issue persists.

 

@ggupta / @Diganta  can you help him?


Thanks!

Renato Romão,

Re: Authentication not working for Azure AD app with multiple resources

Hi

 

Here are a few things I would double-check to make this flow work.

 

  1. When using multiple scopes in a connection, though the scopes delimiter is ",", please consider using a space for AAD in the scopes field.
  2. Looking into the error description you provided, it looks like the user impersonation scope is being considered for the Graph resource, which is not valid. If you look in the AAD application manifest, you can find the resource appid and validate it from the error description.
  3. Also, if multiple scopes need to be in the connection, including the appid URI/resource URL like below might help to resolve the issue.

 

https://graph.microsoft.com/User.Read https://admin.services.crm.dynamics.com/user_impersonation.

 

By including resource URI details in the scope, you should be able to consent for multiple resources at a time on the consent screen.

After passing through consent, you may see a bad request, and I believe it can happen when we are trying to fetch a token for different resources at a time. AAD might not issue an access token for multiple resources at a time.

 

But it should work with a connection having a list of scopes related to a single resource, like either Graph or Dynamics.

For example, you can give it a try by only including Graph resource-specific scopes like "https://graph.microsoft.com/User.Read https://graph.microsoft.com/openid", which should work.

Or you can give it a try by only including a scope like "https://admin.services.crm.dynamics.com/user_impersonation", and you should be able to fetch a token.

 

If the above statement is true, then you need to create a respective connection for each resource and use them in your authoring content. This way every connection is limited to a resource and a single token will not have permissions to all resources.

 

But since we have a limitation with PVA, which only allows one connection for a bot, you may not be able to achieve it until PVA enables multiple connections, which should be done in future releases.

 

Thanks

HimanathD
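
The checks discussed in this thread, as an added example that is not part of any post: it decodes the `error_description` from the question and groups a Scopes field by target resource. It assumes that a scope name without a resource URI is resolved against Microsoft Graph, which is what the error above shows; the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Microsoft Graph; GRAPH_APP_ID is the resource quoted in the error on this page.
GRAPH = "https://graph.microsoft.com"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}

def parse_aadsts(error_description):
    """Decode a URL-encoded error_description; extract code, scope, resource."""
    text = unquote_plus(error_description)
    code = re.match(r"(AADSTS\d+)", text)
    scope = re.search(r"asked for scope '([^']+)'", text)
    resource = re.search(r"on the resource '([^']+)'", text)
    return {
        "code": code.group(1) if code else None,
        "scope": scope.group(1) if scope else None,
        "resource": resource.group(1) if resource else None,
    }

def group_scopes(scope_field):
    """Group a comma- or space-delimited scopes field by target resource."""
    groups = {}
    for item in re.split(r"[,\s]+", scope_field.strip()):
        if not item:
            continue
        if item in OIDC_SCOPES:
            key = "oidc"                      # sign-in scopes, not tied to an API
        elif "://" in item:
            parts = urlsplit(item)            # resource URI prefix names the API
            key = f"{parts.scheme}://{parts.netloc}"
        else:
            key = GRAPH                       # assumption: bare name -> Graph
        groups.setdefault(key, []).append(item)
    return groups

def check_scopes(scope_field):
    """Return findings that explain why a scopes field may be rejected."""
    findings = []
    groups = group_scopes(scope_field)
    if "," in scope_field:
        findings.append("comma delimiter: Azure AD expects spaces")
    bare = [s for s in groups.get(GRAPH, []) if "://" not in s]
    if bare:
        findings.append(f"unqualified scopes looked up on Graph: {bare}")
    resources = sorted(k for k in groups if k != "oidc")
    if len(resources) > 1:
        findings.append(f"more than one resource in one request: {resources}")
    return findings
```
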
