https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97423#M3016 <P>Hi <a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/833">@ewilson</a></P> <P>The IT team that manages Azure told us that the problem is that the information device was empty in our call and we need to add it. The user was already excluded from MFA.</P> <DIV class="media" style="overflow: hidden; zoom: 1;"><span class="lia-inline-image-display-wrapper" image-alt="35400.png"><img src="https://community.blueprism.com/t5/image/serverpage/image-id/35460i5F74317B805D94FD/image-size/large?v=v2&amp;px=999" role="button" title="35400.png" alt="35400.png" /></span></DIV> Wed, 15 Mar 2023 17:55:00 GMT acatalano 2023-03-15T17:55:00Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97421#M3014 <P>Hi, I read many threads about Microsoft Graph and MSAL.net, but I didn't find my problem.</P> <P>I am trying to authenticate to azure with delegated permission but am getting these errors.</P> <P> </P><P>When I run Microsoft Graph - Authentication::Get Delegated Access Token (Blue Prism VBO), the response was:</P> <P><STRONG><SPAN class="ui-provider vp b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak" dir="ltr"><SPAN class="cm-string">"invalid_grant"</SPAN>,<SPAN class="cm-string cm-property">"error_description"</SPAN>:<SPAN class="cm-string">"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.</SPAN></SPAN></STRONG></P> <P> </P><P>When I run MSAL.NET::Get Auth Token - Username and Password (Blue Prism VBO), the response was:</P> <P><STRONG><SPAN class="ui-provider vp b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak" dir="ltr">System.AggregateException: Se han producido uno o varios errores. ---&gt; Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access.</SPAN></STRONG></P> <P> </P><P>In the Azure logs we found that the device information was empty and Microsoft support informed us that we must add it in the code.</P> <P>The device is already hybridized in azure. The user account too.</P> <P>So we need to add the device data to the action, any idea how to do it?</P> Mon, 13 Mar 2023 19:46:03 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97421#M3014 acatalano 2023-03-13T19:46:03Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97422#M3015 <P>Hello <a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/27919">@acatalano</a></P> <P>My guess is that both of your errors relate to the fact that 2-factor authentication is enabled in your environment. There are two options here:</P> <OL> <LI>Ask you IT folks to disable 2FA for any accounts used by Digital Workers.</LI> <LI>If that's not an option, there are a couple <A href="https://digitalexchange.blueprism.com/dx/search?keyword=two%20factor&amp;page=1" target="_blank" rel="noopener">2FA solutions</A> available on the the Digital Exchange. I don't think either one has been tested specifically with authentication in Graph, but they may work for you.</LI> </OL> <P>Cheers,</P> <P>Eric&nbsp;</P> Wed, 15 Mar 2023 15:44:12 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97422#M3015 ewilson 2023-03-15T15:44:12Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97423#M3016 <P>Hi <a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/833">@ewilson</a></P> <P>The IT team that manages Azure told us that the problem is that the information device was empty in our call and we need to add it. The user was already excluded from MFA.</P> <DIV class="media" style="overflow: hidden; zoom: 1;"><span class="lia-inline-image-display-wrapper" image-alt="35400.png"><img src="https://community.blueprism.com/t5/image/serverpage/image-id/35460i5F74317B805D94FD/image-size/large?v=v2&amp;px=999" role="button" title="35400.png" alt="35400.png" /></span></DIV> Wed, 15 Mar 2023 17:55:00 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97423#M3016 acatalano 2023-03-15T17:55:00Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97424#M3017 <P><a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/27919">@acatalano</a></P> <P>I assume the MFA exclusion was made after your tests, otherwise you never should have received an MFA error. Regarding the device info, can your IT folks expand on what exactly they expect to see? Is it just the Azure AD joined device ID?</P> <P>Cheers,</P> <P>Eric</P> Wed, 15 Mar 2023 22:25:54 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97424#M3017 ewilson 2023-03-15T22:25:54Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97425#M3018 <P><a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/833">@ewilson</a> we did test every day, including after MFA exclusion.</P> <P>Yes, because one of the security policies is to report the device ID. And as you will have seen in the image that I shared with you previously, it arrives empty.</P> Thu, 16 Mar 2023 02:54:26 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97425#M3018 acatalano 2023-03-16T02:54:26Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97426#M3019 <P>HI <a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/27919">@acatalano</a> ,</P> <P>have you tried getting application access token without delegation?</P> <P> </P><P></P> Fri, 17 Mar 2023 17:47:23 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97426#M3019 kkazantsev 2023-03-17T17:47:23Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97427#M3020 <P><a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/1343">@kkazantsev</a> Yes, we tried and we received the token ok, the problem with that comes later because due to security policies they cannot give us permission to the apis. We must use delegate to control access.</P> Fri, 17 Mar 2023 20:26:58 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97427#M3020 acatalano 2023-03-17T20:26:58Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97428#M3021 <P>Hello.&nbsp;<BR /><BR />I have same issue as Agustin, we are currently searching for secure solution around this problem... And currently no clear answer that would be best in our situation.&nbsp;</P> Tue, 16 May 2023 09:07:28 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97428#M3021 MantasPadimansk 2023-05-16T09:07:28Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97429#M3022 <P><a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/46455">@MantasPadimansk</a>&nbsp;Did you solve that problem?</P> Thu, 14 Mar 2024 14:11:36 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/97429#M3022 acatalano 2024-03-14T14:11:36Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/112423#M3662 <P>Hi,</P><P>Any solution to the issue, I am also using Delegated access, can't use application permissions due to policies, I am able to get the access token using client secret, but it is failing while sending mail: "Error: Access Denied", and when using username password to get the access token it is failing in getting it: Error:"The user or administrator has not consented to use the application with ID:".</P><P><a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/833">@ewilson</a>&nbsp;</P> Wed, 17 Jul 2024 08:47:23 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/112423#M3662 sarthak_86 2024-07-17T08:47:23Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/112428#M3663 <P><a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/41274">@sarthak_86</a>&nbsp;based on the error message your administrator hasn't consented to the use of the Graph API for the application ID you're using. I believe it's called out in the documentation as a necessary step for a DW to use delegated permissions.</P><P>Cheers,<BR />Eric</P> Wed, 17 Jul 2024 13:34:43 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/112428#M3663 ewilson 2024-07-17T13:34:43Z https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/112429#M3664 <P>Thanks&nbsp;<a href="https://community.blueprism.com/t5/user/viewprofilepage/user-id/833">@ewilson</a>, I was confused with the permissions, I will request the administrator for this and will see if it works or not.</P> Wed, 17 Jul 2024 13:41:00 GMT https://community.blueprism.com/t5/Digital-Exchange/Microsoft-Graph-MSAL-net-delegated-device/m-p/112429#M3664 sarthak_86 2024-07-17T13:41:00Z