
Microsoft Graph/MSAL.net - delegated -device

acatalano
Level 4

Hi, I read many threads about Microsoft Graph and MSAL.net, but I didn't find my problem.

I am trying to authenticate to azure with delegated permission but am getting these errors.

When I run Microsoft Graph - Authentication::Get Delegated Access Token (Blue Prism VBO), the response was:

"invalid_grant","error_description":"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.

When I run MSAL.NET::Get Auth Token - Username and Password (Blue Prism VBO), the response was:

System.AggregateException: Se han producido uno o varios errores. ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access.

In the Azure logs we found that the device information was empty and Microsoft support informed us that we must add it in the code.

The device is already hybridized in azure. The user account too.

So we need to add the device data to the action, any idea how to do it?


ewilson
Staff

Hello @acatalano

My guess is that both of your errors relate to the fact that 2-factor authentication is enabled in your environment. There are two options here:

  1. Ask your IT folks to disable 2FA for any accounts used by Digital Workers.
  2. If that's not an option, there are a couple of 2FA solutions available on the Digital Exchange. I don't think either one has been tested specifically with authentication in Graph, but they may work for you.

Cheers,

Eric

acatalano
Level 4

Hi @ewilson

The IT team that manages Azure told us that the problem is that the device information was empty in our call and we need to add it. The user was already excluded from MFA.


ewilson
Staff

@acatalano

I assume the MFA exclusion was made after your tests, otherwise you never should have received an MFA error. Regarding the device info, can your IT folks expand on what exactly they expect to see? Is it just the Azure AD joined device ID?

Cheers,

Eric

acatalano
Level 4

@ewilson we did test every day, including after MFA exclusion.

Yes, because one of the security policies is to report the device ID. And as you will have seen in the image that I shared with you previously, it arrives empty.

kkazantsev
Level 5

Hi @acatalano,

have you tried getting application access token without delegation?

acatalano
Level 4

@kkazantsev Yes, we tried and we received the token OK. The problem with that comes later because, due to security policies, they cannot give us permission to the APIs. We must use delegated access to control access.

MantasPadimansk
Level 4

Hello.

I have the same issue as Agustin. We are currently searching for a secure solution to this problem, and currently there is no clear answer as to what would be best in our situation.

acatalano
Level 4

@MantasPadimansk Did you solve that problem?

sarthak_86
Level 5

Hi,

Any solution to the issue? I am also using Delegated access and can't use application permissions due to policies. I am able to get the access token using a client secret, but it fails while sending mail: "Error: Access Denied". When using username and password to get the access token, it fails to get it: Error: "The user or administrator has not consented to use the application with ID:".

@ewilson