cancel
Showing results for 
Search instead for 
Did you mean: 

MSAL.net can't generate an Authentication Token

algorithmadrock
Level 3

Hello,

For the past days I've been having problems with Microsoft Authentication, the action "Get Auth Token - Username and Password" simply don't work. I received many error messages regarding access and broken TenantID etc, but only in this and Integrated Windows Auth actions.

Now I have this excception:

"MSAL.Desktop.4.42.1.0.MsalUiRequiredException: 
    ErrorCode: invalid_grant
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access....."

I searched in many sites but coudn't find a solution. Can somebody help me?



------------------------------
Luiza Felix
------------------------------
7 REPLIES 7

Hi Luiza,

It sounds like the user you are signing in with is being asked to interactively perform multifactor authentication (entering a code or accepting a prompt on another device such as your phone) which is unsupported by Microsoft's Authentication Library that this Blue Prism object is using: https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/username-password-authentication#constraints - the only way the Username/Password method works is if there is no multifactor authentication step for that particular user account when attempting this sort of token retrieval.

I believe the solution is either:

  1. Continue using the Username/Password approach:
    1. Turn off Multifactor Authentication for the user you are signing in with
    2. There may be a Conditional Access policy that is triggering the multifactor step that could possibly be disabled: https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview (this page mentions that Azure-related sign-ins and legacy authentication methods (such as user/pass) can cause the MFA step to happen) - you will likely need to work with the person in your organization who administers your Microsoft 365 (cloud) environment as they should have access to see and change these sorts of policies for your account.
  2. Switch to Client Secret approach:
    1. The Get Auth Token - Client Secret method would not raise a multifactor authentication step and is the most reliable way to get tokens in my experience.


------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------
Charlie Kovacs

Oh, I didn't realized that Client Secret was the safest option for this connection. I change my code to your option 2, but when I execute Microsoft Graph WebAPI Sharepoint stage the process breaks down. Where can I set the scp or role claim this token needs? What are this things?
8454.png



------------------------------
Luiza Felix
Intern
------------------------------

Hi Luiza,

I believe that message is related to the permissions that have been granted in your app registration within the Azure portal. Make sure you have added the permissions you want and then click the Grant admin consent to apply them.

8455.png

Then when you retrieve an app token in your Blue Prism process from this app registration, it should have those permissions embedded.



------------------------------
Charlie Kovacs
Sr. Digital Exchange Engineer
Blue Prism
Austin, USA
------------------------------
Charlie Kovacs

Hi, Charlie

I talked to my IT team and according to them I don't need to grant admin consent for this permissions, is this correct? I have no clue on what could be causing this problems on BP. 
8461.png



------------------------------
Luiza Felix
Intern
------------------------------

@Luiza Felix,

For a digital worker to use a Delegated access token it is highly recommended that you have one of your IT administrations perform the admin consent. Otherwise, you will need to figure out a way to perform the user consent within your process. If you're not familiar with that, it's the process where a browser window is opened and you're prompted to grant an application to work on your behalf. You tend to see this sort of thing if you've ever granted a social media app access to other social media apps etc.

Cheers,



------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------

@ewilson

Even when the admin consent is optional (set to "No") I need to grant it? I was able to perform user consent for my account, but I am not sure if the robot will be able to perform this by its own.
I am running some tests and talking w/ the IT team already, the Sharepoint API would be a really good tool for me & my team. 🙂



------------------------------
Luiza Felix
Intern
------------------------------

@Luiza Felix,

Admin consent isn't required in the normal day-to-day sense because it would typically be a human user interacting with the system and being able to grant/deny the consent request via the browser. With a digital worker, it's an entirely different scenario. If you spend the time to capture the consent process using Application Modeler you could set it up such that digital workers could handle the consent request themselves, but most companies I've dealt with simply prefer to perform that admin consent via IT.

Cheers,  



------------------------------
Eric Wilson
Director, Integrations and Enablement
Blue Prism Digital Exchange
------------------------------