Digital Exchange


This community is a place to discuss Blue Prism DX assets and development.

Microsoft Graph/MSAL.net - delegated - device

Agustin Rodolfo Catalano posted 03-13-2023 21:13

Hi, I read many threads about Microsoft Graph and MSAL.net, but I didn't find my problem.

I am trying to authenticate to Azure with delegated permission but am getting these errors.

When I run Microsoft Graph - Authentication::Get Delegated Access Token (Blue Prism VBO), the response was:

"invalid_grant","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

When I run MSAL.NET::Get Auth Token - Username and Password (Blue Prism VBO), the response was:

System.AggregateException: One or more errors occurred. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access.

In the Azure logs we found that the device information was empty and Microsoft support informed us that we must add it in the code.

The device is already hybrid joined in Azure. The user account too.

So we need to add the device data to the action, any idea how to do it?

Eric Wilson

Hello @Agustin Rodolfo Catalano

My guess is that both of your errors relate to the fact that 2-factor authentication is enabled in your environment. There are two options here:

  1. Ask your IT folks to disable 2FA for any accounts used by Digital Workers.
  2. If that's not an option, there are a couple of 2FA solutions available on the Digital Exchange. I don't think either one has been tested specifically with authentication in Graph, but they may work for you.

Cheers,

Eric

Agustin Rodolfo Catalano

Hi @Eric Wilson

The IT team that manages Azure told us that the problem is that the device information was empty in our call and we need to add it. The user was already excluded from MFA.

Eric Wilson

@Agustin Rodolfo Catalano

I assume the MFA exclusion was made after your tests, otherwise you never should have received an MFA error. Regarding the device info, can your IT folks expand on what exactly they expect to see? Is it just the Azure AD joined device ID?

Cheers,

Eric

Agustin Rodolfo Catalano

@Eric Wilson we did test every day, including after MFA exclusion.

Yes, because one of the security policies is to report the device ID. And as you will have seen in the image that I shared with you previously, it arrives empty.

Konstantin Kazantsev

Hi @Agustin Rodolfo Catalano,

Have you tried getting an application access token without delegation?

Agustin Rodolfo Catalano

@Konstantin Kazantsev Yes, we tried and received the token OK. The problem with that comes later, because due to security policies they cannot give us permission to the APIs. We must use delegated access to control access.
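The two token paths discussed above, as an added example that is not code from the thread or from the Blue Prism VBOs: Konstantin's app-only client-credentials call beside the delegated username/password (ROPC) call from the original post, with the error handling that surfaces the AADSTS code and correlation ID the Azure AD team needs to match the attempt against the sign-in logs, and a claims dump that shows whether the issued token carries a `deviceid` claim at all. One caveat worth knowing when reading the output: a username/password request is a pure public-client flow with no browser or broker, so no device authentication travels with it; there is nothing for the sign-in log to record as the device, which is consistent with the empty device information reported above. Tenant ID, client ID, account name and the environment variables for the secrets are placeholders, and the code assumes the Microsoft.Identity.Client NuGet package (MSAL.NET 4.55 or newer for the string-password overload; earlier versions take a SecureString).

```csharp
// Added example, not from the thread or the Blue Prism VBOs. Requires the
// Microsoft.Identity.Client NuGet package. Tenant/client/account values are placeholders.
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class GraphTokenDiagnostics
{
    const string TenantId = "<tenant-id>";           // placeholder, not from the thread
    const string ClientId = "<app-registration-id>"; // placeholder, not from the thread
    static readonly string[] AppOnlyScopes   = { "https://graph.microsoft.com/.default" };
    static readonly string[] DelegatedScopes = { "https://graph.microsoft.com/User.Read" };

    // Path 1 (Konstantin's suggestion): app-only token via client credentials.
    // No user is involved, so neither MFA nor a device identity comes into play;
    // authorization comes from application permissions granted on the app registration.
    public static async Task<AuthenticationResult> GetAppOnlyTokenAsync(string clientSecret)
    {
        var cca = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        return await cca.AcquireTokenForClient(AppOnlyScopes).ExecuteAsync();
    }

    // Path 2 (the original post): delegated token via username/password (ROPC).
    // Public client, non-interactive: no browser, no broker, and therefore no
    // device authentication behind the request.
    public static async Task<AuthenticationResult> GetDelegatedTokenAsync(string username, string password)
    {
        var pca = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        return await pca.AcquireTokenByUsernamePassword(DelegatedScopes, username, password)
            .ExecuteAsync();
    }

    // Decode the JWT payload for diagnostics only (Graph access tokens are meant to be
    // opaque to the client) and print the claims this thread turns on.
    public static void ReportClaims(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        var root = doc.RootElement;
        string Get(string name) => root.TryGetProperty(name, out var v) ? v.ToString() : "(absent)";
        Console.WriteLine($"  upn / appid : {Get("upn")} / {Get("appid")}");
        Console.WriteLine($"  deviceid    : {Get("deviceid")}"); // absent when no device identity was presented
        Console.WriteLine($"  amr         : {Get("amr")}");      // lists "mfa" only if MFA was actually performed
    }

    static async Task Main()
    {
        string clientSecret = Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET") ?? "";
        string workerPassword = Environment.GetEnvironmentVariable("WORKER_PASSWORD") ?? "";
        try
        {
            var appOnly = await GetAppOnlyTokenAsync(clientSecret);
            Console.WriteLine("App-only token acquired:");
            ReportClaims(appOnly.AccessToken);

            var delegated = await GetDelegatedTokenAsync("worker@contoso.example", workerPassword);
            Console.WriteLine($"Delegated token acquired for {delegated.Account.Username}:");
            ReportClaims(delegated.AccessToken);
        }
        catch (MsalUiRequiredException ex)
        {
            // The AADSTS50079 response quoted in the thread arrived as this exception type:
            // the service wants an interaction (MFA enrollment, device proof) that a
            // username/password flow cannot perform. ErrorCode and Message carry the AADSTS code.
            Console.WriteLine($"Interaction required: {ex.ErrorCode} (correlation {ex.CorrelationId})");
            Console.WriteLine(ex.Message);
            if (!string.IsNullOrEmpty(ex.Claims)) Console.WriteLine($"Claims challenge: {ex.Claims}");
        }
        catch (MsalServiceException ex)
        {
            // Any other token-endpoint rejection. The correlation ID is the value the Azure AD
            // admins look up in the sign-in logs to see the blocked attempt and its device column.
            Console.WriteLine($"Service error: {ex.ErrorCode} (correlation {ex.CorrelationId})");
            Console.WriteLine(ex.Message);
        }
    }
}
```

Run the delegated path once with the worker account and compare the `deviceid` and `amr` lines with the same account signing in interactively on the hybrid joined machine; the difference is what the Conditional Access policy is evaluating when it blocks issuance.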

Mantas Padimanskas

Hello.

I have the same issue as Agustin; we are currently searching for a secure solution to this problem, and so far there is no clear answer as to what would be best in our situation.