Search code examples
azureazure-active-directorymicrosoft-graph-api

Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?

I have had a new app registered in my Azure tenant. It has been configured with the following API permissions, which have been granted admin consent:

Screenshot from Azure portal showing API permissions File.Read, Files.ReadWrite and User.Read granted by admin

If I make a call to https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with the following request body:

grant_type=password
&username={username}
&password={password}
&client_id={clientId}
&scope=user.read

Then I get back an HTTP 200.

However, if I change the scope to files.readwrite, then I get back an HTTP 400 with the following exception:

AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges.

Presumably this is either seeking MFA, or some additional consent. However the app will have no UI, so I can't follow a consent process with the user. We need to be able to pre-consent a small number of users to this app.

I'm running this from our office, which I understand to be a trusted location - so would not expect an MFA challenge (if that's what it is).

I also had my Azure admin add this particular account as a user under Microsoft Entra ID > Enterprise applications > {appName} > Manage > Users and groups, but I'm not sure if that was a necessary step, but I read that it would pre-consent the user to the app.

Solution

  • The error "The user or administrator has not consented to use the application with ID '{clientId}' named '{appName}'. Send an interactive authorization request for this user and resource." usually occurs if you are passing wrong scope to generate the token.

    To resolve the error, you need to pass scope as Files.ReadWrite

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:clientID
scope:Files.ReadWrite
grant_type:password
username:username
password:password

    Note that: ROPC flow do not support MFA enabled accounts, If tried to generate token using ROPC flow then you might get errors. Refer this MsDoc

    The error "External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges." usually occurs if you are trying to generate token using ROPC flow.

    enter image description here

    Hence to resolve the error switch to any other flow to generate the token.