Hi all,
We're currently trying to implement Microsoft Graph API to use in our workflows, however we can't seem to work out what exactly we're doing wrong.
Due to security reasons, we're not allowed to grant Blue Prism (V6.6) the Application Permission required to perform certain actions, so using Delegated Permission is the only way to go.
Things to consider for our use case:
- We work in a Citrix environment using VM's;
- For audit reasons, each process has its own robot user account which we use to log into the VM's via SSO;
- All robot user accounts (30+) have been exempt from MFA/2FA, so this shouldn't be an issue;
We've followed the documentation and set all prerequisites:
- Created an App Registration in our Azure AD;
- Set the API permissions (Files.ReadWrite.All and Sites.ReadWrite.All);
When using the action "Get Delegated Access Token" with mandatory parameters, we are unable to get a successful response back:
The only response we get is either a bad response ("The remote server returned an error: (400) Bad Request." or "(401) Unauthorized").
In the AD logs, we get a few more detailed exception details, but they don't really help us figuring out what the issue is. Without changing the credentials, we get a mix of errors varying from "admin consent required", "invalid credentials" and "account locked"... We're sure every parameter contains the right value (username/password/tenant_id/client_id/client_secret are valid).
I guess my question is, are we missing something in our setup? Or is the "Admin consent required" part the key issue here?
The funny thing is, when using the action "Get Application Access Token", we are able to retrieve a token, even though we have not given BP Application Permissions. So I'm guessing this is a token without any permissions? Because said token didn't allow us to use other API's (such as SharePoint), when we tested it just to be sure.
Admin consent is the key here. When trying to use delegated permissions the typical process is for the human user to receive a pop-up in a browser advising them that an application is requesting permission to work on their behalf. In this case, you're not going to have a human sitting around waiting to grant the delegated permission, so you have to take care of it up front. To do that, you need to have your admin go into the Application Registration definition and then API Permissions within the Azure Console. There, they need to select the Grant admin consent for [YOUR AZURE TENANT NAME] option (see below screenshot).
Cheers,
Eric
We have already granted consent as you've suggested, however this hasn't changed anything unfortunately... It's still giving us the same error responses.
When using the user consent URL (same contents of GET request, but as a URL), we get the following message ("admin consent required") for that particular user account?
Cheers,
Eric
Thanks for the suggestion! How did you find out that this was what was causing problems?
Correct me if I'm wrong please:
So after retrieving an access token, it sounds a bit like the action "Get Delegated Access Token" in the Microsoft Graph - Authentication VBO is either no longer needed (meaning we can pass the token we retrived using MSAL to the Sharepoint VBO for example to perform any action the user is allowed to do), or that its request body needs to be modified since it uses username, password en 'password' type grant?
