28-12-22 01:53 PM
Hi all,
We're currently trying to implement the Microsoft Graph API for use in our workflows; however, we can't seem to work out what exactly we're doing wrong.
Due to security reasons, we're not allowed to grant Blue Prism (V6.6) the Application Permission required to perform certain actions, so using Delegated Permission is the only way to go.
Things to consider for our use case:
- We work in a Citrix environment using VMs;
- For audit reasons, each process has its own robot user account which we use to log into the VMs via SSO;
- All robot user accounts (30+) have been exempted from MFA/2FA, so this shouldn't be an issue.
We've followed the documentation and set all prerequisites:
- Created an App Registration in our Azure AD;
- Set the API permissions (Files.ReadWrite.All and Sites.ReadWrite.All);
- Imported the Microsoft Graph – Authentication object release file.
When using the action "Get Delegated Access Token" with the mandatory parameters, we are unable to get a successful response back.
The only responses we get are error responses ("The remote server returned an error: (400) Bad Request." or "(401) Unauthorized").
In the AD logs, we get a few more detailed exception details, but they don't really help us figure out what the issue is. Without changing the credentials, we get a mix of errors varying from "admin consent required", "invalid credentials" and "account locked"... We're sure every parameter contains the right value (username/password/tenant_id/client_id/client_secret are valid).
I guess my question is, are we missing something in our setup? Or is the "Admin consent required" part the key issue here?
The funny thing is, when using the action "Get Application Access Token", we are able to retrieve a token, even though we have not given BP Application Permissions. So I'm guessing this is a token without any permissions? Because said token didn't allow us to use other APIs (such as SharePoint), when we tested it just to be sure.
03-01-23 10:04 AM
03-01-23 04:00 PM
It seems we are indeed facing the same issues regarding security. We tried getting an access token via Postman using grant type 'Authorization Code', and were able to retrieve a token via the authentication route (approving SSO via the authenticator app), however when trying grant type 'Password Credentials' (thus mimicking what the MS Graph Authentication VBO does), it failed just like in BP.
We're going to try your route with the MSAL.NET library and hopefully see the same results as you. I'll mark your answer as the best answer/solution if this works. Thank you for your help so far!
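The two posts above compare the grant types involved: "Get Application Access Token" uses the client-credentials grant (no user, permissions appear as a `roles` claim), while "Get Delegated Access Token" and the Postman 'Password Credentials' attempt use the resource-owner password grant, which a federated SSO or MFA-protected account cannot complete. The following Python is an added example, not code from the thread or from the Blue Prism VBO; it builds both request bodies for the v2.0 token endpoint and inspects the `scp`/`roles` claims of a token to show why an app-only token issued without Application permissions carries no permissions at all. The tenant, client and user values are placeholders, and the sample tokens are constructed and unsigned for offline use.

```python
import base64
import json
from urllib.parse import urlencode

# v2.0 token endpoint of the Microsoft identity platform (Azure AD / Entra ID)
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def app_only_request(tenant, client_id, client_secret, scope=GRAPH_DEFAULT_SCOPE):
    """Client-credentials grant (what an application-token action sends).
    No user is involved; the token carries only the Application permissions
    granted to the app registration, exposed as the 'roles' claim."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def ropc_request(tenant, client_id, client_secret, username, password,
                 scope=GRAPH_DEFAULT_SCOPE):
    """Resource-owner password credentials grant (what a delegated-token action
    that takes username/password mimics). It only works for accounts that can
    sign in with a password alone: federated SSO, MFA and Conditional Access
    all block it, which is why the authorization-code flow (or MSAL) is the
    recommended route for delegated access."""
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
        "username": username,
        "password": password,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Return the payload claims of a JWT. This does NOT validate the signature;
    it is for inspecting a token you already hold, not for accepting one."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def classify_token(jwt):
    """Tell delegated tokens (scp claim, space-separated string) from app-only
    tokens (roles claim, list). A token with neither was issued successfully
    but cannot call any Graph endpoint that requires a permission."""
    claims = token_claims(jwt)
    if "scp" in claims:
        return "delegated", claims["scp"].split()
    if claims.get("roles"):
        return "app-only", list(claims["roles"])
    return "no-permissions", []


def make_unsigned_sample_token(payload):
    """Constructed, unsigned sample JWT for offline demonstration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed tokens mirroring the three outcomes discussed in the thread
SAMPLE_APP_ONLY_NO_ROLES = make_unsigned_sample_token(
    {"aud": "https://graph.microsoft.com", "appid": "client-placeholder"})
SAMPLE_APP_ONLY = make_unsigned_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Files.ReadWrite.All"]})
SAMPLE_DELEGATED = make_unsigned_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "Files.ReadWrite.All Sites.ReadWrite.All"})

if __name__ == "__main__":
    for name, tok in [("app-only, no app permissions", SAMPLE_APP_ONLY_NO_ROLES),
                      ("app-only with roles", SAMPLE_APP_ONLY),
                      ("delegated", SAMPLE_DELEGATED)]:
        print(name, "->", classify_token(tok))
    print(ropc_request("tenant-placeholder", "client-placeholder", "secret-placeholder",
                       "robot@example.com", "password-placeholder")[1])
```

The request builders only produce the URL and form body; nothing is sent. Decoding the claims of a token you already have is a quick way to confirm the "token without any permissions" theory: an app-only token for an app registration with no Application permissions has no `roles` claim, so Graph and SharePoint reject it even though the token endpoint issued it.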
03-01-23 04:11 PM
24-01-24 04:22 PM
Hi @ewilson, I am getting the error below while trying to authenticate delegated access using the action Get Delegated Access Token in Blue Prism. Any suggestions?
{"error":"invalid_grant","error_description":"AADSTS50034: The user account ***** does not exist in the 07bef031-67e8-4f56-a63c-10a9f0466774 directory. To sign into this application, the account must be added to the directory. Trace ID: f46e2ac3-0d81-4b75-a060-99ad72c76d00 Correlation ID: f892eba9-fa5d-4dcb-b7c4-cc0e05e9e78f Timestamp: 2024-01-23 13:58:35Z","error_codes":[50034],"timestamp":"2024-01-23 13:58:35Z","trace_id":"f46e2ac3-0d81-4b75-a060-99ad72c76d00","correlation_id":"f892eba9-fa5d-4dcb-b7c4-cc0e05e9e78f","error_uri":"https://login.microsoftonline.com/error?code=50034"}
24-01-24 06:24 PM
Hello @vinod ch,
It would be best to create a new thread for your question, but in the meantime it appears you either have the wrong tenant ID or the wrong user ID. In either case, the user ID you're referencing doesn't exist within the Azure AD of the tenant you've specified. You need to verify both IDs.
Cheers,
Eric
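The token endpoint answers with a JSON body like the one posted above, and the `AADSTS` code inside `error_description` (also given numerically in `error_codes`) is the part worth reading first. The following Python is an added example, not code from the thread; it parses such a body into a short diagnosis and maps a few well-known codes (AADSTS50034 from the post, plus the "admin consent required", "invalid credentials", "account locked" and MFA cases mentioned earlier in the thread) to the check a practitioner would do next. The hint texts are mine, the sample body is constructed with placeholder tenant and trace IDs, and the `correlation_id` is what you quote to a tenant admin who can look the sign-in up in the Azure AD sign-in logs.

```python
import json
import re

# Well-known Microsoft identity platform error codes; the hint wording is mine.
AADSTS_HINTS = {
    50034: "user account not found in that tenant: verify that the username (UPN) "
           "really exists in the Azure AD of the tenant_id you pass, and that the "
           "tenant_id belongs to that directory (Azure portal > Users / Overview)",
    50126: "invalid username or password",
    50053: "account locked out; stop retrying with the same credentials and have "
           "an admin unlock it",
    50076: "multi-factor authentication required: a password grant cannot satisfy "
           "MFA or Conditional Access, use the authorization-code flow instead",
    65001: "admin consent required for the delegated permissions; grant consent "
           "on the app registration's API permissions page",
}

_AADSTS_RE = re.compile(r"AADSTS(\d+)")


def parse_aadsts_error(body):
    """Turn an Azure AD token-endpoint error body into a small diagnosis dict.

    Prefers the numeric error_codes array; falls back to the AADSTS prefix in
    error_description when the array is missing.
    """
    data = json.loads(body)
    description = data.get("error_description", "")
    codes = list(data.get("error_codes") or [])
    if not codes:
        m = _AADSTS_RE.search(description)
        if m:
            codes.append(int(m.group(1)))
    primary = codes[0] if codes else None
    return {
        "error": data.get("error"),
        "code": primary,
        "hint": AADSTS_HINTS.get(
            primary, "unmapped code; look it up in the AADSTS error reference"),
        "correlation_id": data.get("correlation_id"),
        "trace_id": data.get("trace_id"),
    }


# Constructed sample mirroring the shape of the body posted in the thread;
# the tenant, trace and correlation IDs are placeholders.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS50034: The user account ***** does not exist in the "
        "00000000-0000-0000-0000-000000000000 directory. To sign into this "
        "application, the account must be added to the directory. "
        "Trace ID: trace-placeholder Correlation ID: correlation-placeholder "
        "Timestamp: 2024-01-23 13:58:35Z"),
    "error_codes": [50034],
    "timestamp": "2024-01-23 13:58:35Z",
    "trace_id": "trace-placeholder",
    "correlation_id": "correlation-placeholder",
    "error_uri": "https://login.microsoftonline.com/error?code=50034",
})

# Constructed body without the error_codes array, to exercise the fallback.
SAMPLE_ERROR_NO_CODES = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS65001: The user or administrator has not consented "
                         "to use the application. Trace ID: trace-placeholder",
})

if __name__ == "__main__":
    for body in (SAMPLE_ERROR_BODY, SAMPLE_ERROR_NO_CODES):
        print(json.dumps(parse_aadsts_error(body), indent=2))
```

Feeding the body from the post above into `parse_aadsts_error` yields code 50034 and the tenant/username check Eric describes; the same function also separates the "admin consent" case (65001), which is a permission-consent problem in the app registration, from credential and lockout errors, which are account problems.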
26-01-24 01:25 PM
Hi @ewilson
As suggested, I created a separate thread - https://community.blueprism.com/discussion/graph-api-delegated-access
And FYI, I am using the correct User ID and Tenant ID, and the User ID also exists within Azure AD, because I am using the same Tenant ID and User ID in Power Automate, where it's working, and it's failing in Blue Prism and Postman. Can you please advise on the above NEW thread?
Also, let me know how we can verify whether the User ID is under the mentioned Azure AD tenant or not?