Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
I have had a new app registered in my Azure tenant. It has been configured with the following API permissions, which have been granted admin consent:
If I make a call to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with the following request body:
grant_type=password
&username={username}
&password={password}
&client_id={clientId}
&scope=user.read
Then I get back an HTTP 200.
However, if I change the scope to files.readwrite, then I get back an HTTP 400 with the following exception:
AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.
Presumably this is either seeking MFA, or some additional consent. However the app will have no UI, so I can't follow a consent process with the user. We need to be able to pre-consent a small number of users to this app.
I'm running this from our office, which I understand to be a trusted location - so would not expect an MFA challenge (if that's what it is).
I also had my Azure admin add this particular account as a user under Microsoft Entra ID > Enterprise applications > {appName} > Manage > Users and groups, but I'm not sure if that was a necessary step, but I read that it would pre-consent the user to the app.
The error "The user or administrator has not consented to use the application with ID '{clientId}' named '{appName}'. Send an interactive authorization request for this user and resource." usually occurs if you are passing wrong scope to generate the token.
To resolve the error, you need to pass scope as Files.ReadWrite
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:clientID
scope:Files.ReadWrite
grant_type:password
username:username
password:password
Note that: ROPC flow do not support MFA enabled accounts, If tried to generate token using ROPC flow then you might get errors. Refer this MsDoc
The error "External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges." usually occurs if you are trying to generate token using ROPC flow.
Hence to resolve the error switch to any other flow to generate the token.
- How to set up a Low Disk Space alert with the new Azure Monitor agent to trigger when a specific disk drive is low on free space?
- Azure Cosmos DB - Understanding Partition Key
- Get the permissions of users with respect to the repositories via the API of ADO
- Azure graph api to search groups whose displayName contains a specific term
- Azure Functions with VS Code and Python: ModuleNotFoundError: No module named 'azure.storage'
- Azure APIM - VNET injection vs inbound private endpoint, what is a difference?
- My mern project is not running in azure web app
- Split multiple tables from a single sheet in excel using data flows
- How to reduce your outbound ip address list for azure web app to add ip address to Flexible PostregSQL server firewall
- Not able to send localized push notification from Azure Notification Hub after migrating to FCMv1 from FCM Legacy API
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Azure monitor open telemetry python package raising exception when python app deployed on Azure
- Azure Document Intelligence - RequestFailedException: 'Resource not found Status: 404 (Not Found)
- Parameterize runOnStartup in function.json
- Trouble Passing Boolean Values in Azure Data Factory JSON Template
- Managed Identity for Cosmos DB: "Local Authorization is disabled. Use an AAD token to authorize all requests"
- SFTP connectivity via Jsch fails with "Auth fail for methods 'publickey'"
- How can I add email recipients to a Graph API request programmatically?
- Getting an UnsupportedClassVersionError after updating Java 17 to Java 21
- Issue during update azure vmss trough rest api using curl
- How can I define compile time constants in bicep configuration language?
- How to redact Indian Aadhaar Number, Brazilian CPF number or any other such PII using azure language service
- Timezone error creating SQL instance in Azure using Terraform
- Does Azure's EntraID support dynamic custom claims?
- Can't provide NuGet package source credentials to Azure Function
- How can I use Terraform to run a script to initialise the database on a newly-created Azure mssql_virtual_machine?
- Creating External table in Azure SQL Database using ADLS2 Datasource
- Issue uploading files to S3 from Django in Docker
- Azure DevOps pipeline continues to run despite removing schedule
- Azure Active Directory App service Principal create new client secret