Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft Graph/MSAL.net - delegated -device

acatalano
Level 4

‎13-03-23 07:46 PM

Hi, I read many threads about Microsoft Graph and MSAL.net, but I didn't find my problem.

I am trying to authenticate to azure with delegated permission but am getting these errors.

When I run Microsoft Graph - Authentication::Get Delegated Access Token (Blue Prism VBO), the response was:

"invalid_grant","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

When I run MSAL.NET::Get Auth Token - Username and Password (Blue Prism VBO), the response was:

System.AggregateException: Se han producido uno o varios errores. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access.

In the Azure logs we found that the device information was empty and Microsoft support informed us that we must add it in the code.

The device is already hybridized in azure. The user account too.

So we need to add the device data to the action, any idea how to do it?

8 REPLIES 8

ewilson
Staff
Staff

‎15-03-23 03:44 PM

Hello @acatalano

My guess is that both of your errors relate to the fact that 2-factor authentication is enabled in your environment. There are two options here:

  1. Ask you IT folks to disable 2FA for any accounts used by Digital Workers.
  2. If that's not an option, there are a couple 2FA solutions available on the the Digital Exchange. I don't think either one has been tested specifically with authentication in Graph, but they may work for you.

Cheers,

Eric 

0 Likes

acatalano
Level 4

‎15-03-23 05:55 PM

Hi @ewilson

The IT team that manages Azure told us that the problem is that the information device was empty in our call and we need to add it. The user was already excluded from MFA.

35400.png
0 Likes

ewilson
Staff
Staff

‎15-03-23 10:25 PM

@acatalano

I assume the MFA exclusion was made after your tests, otherwise you never should have received an MFA error. Regarding the device info, can your IT folks expand on what exactly they expect to see? Is it just the Azure AD joined device ID?

Cheers,

Eric

0 Likes

acatalano
Level 4

‎16-03-23 02:54 AM

@ewilson we did test every day, including after MFA exclusion.

Yes, because one of the security policies is to report the device ID. And as you will have seen in the image that I shared with you previously, it arrives empty.

0 Likes

kkazantsev
Level 5

‎17-03-23 05:47 PM

HI @acatalano ,

have you tried getting application access token without delegation?

0 Likes

acatalano
Level 4

‎17-03-23 08:26 PM

@kkazantsev Yes, we tried and we received the token ok, the problem with that comes later because due to security policies they cannot give us permission to the apis. We must use delegate to control access.

0 Likes

MantasPadimansk
Level 4

‎16-05-23 10:07 AM

Hello. 

I have same issue as Agustin, we are currently searching for secure solution around this problem... And currently no clear answer that would be best in our situation. 

0 Likes

acatalano
Level 4

‎14-03-24 02:11 PM

@MantasPadimansk Did you solve that problem?

0 Likes