OfficeDev / microsoft-teams-apps-requestateam

Power Platform based solution that allows users to request teams and automates team creation. NO LONGER MAINTAINED. Please use 'Provision Assist' - https://github.com/pnp/provision-assist-m365/ instead.
MIT License

Get Access Token for Service Account: Error AADSTS50126: Error validating credentials #369

Closed dav1dbailey closed 1 year ago

dav1dbailey commented 2 years ago

Description

When the Logic App runs the process completes (the Team is built) however no Sensitivity Label is applied to the team. Checking the Run it has an error on 'Get access token for service account':

```json
{
  "statusCode": 400,
  "headers": {
    "Pragma": "no-cache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "x-ms-request-id": "6b94c72a-ffa6-4020-a447-ba7d303a4f00",
    "x-ms-ests-server": "2.1.13315.8 - NEULR1 ProdSlices",
    "X-XSS-Protection": "0",
    "Cache-Control": "no-store, no-cache",
    "P3P": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
    "Set-Cookie": "fpc=Aux22KyFavtGtvlkp7satYe_kuEMAQAAAKdgc9oOAAAA; expires=Fri, 26-Aug-2022 16:36:55 GMT; path=/; secure; HttpOnly; SameSite=None,x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly,stsservicecookie=estsfd; path=/; secure; samesite=none; httponly",
    "Date": "Wed, 27 Jul 2022 16:36:55 GMT",
    "Content-Length": "495",
    "Content-Type": "application/json; charset=utf-8",
    "Expires": "-1"
  },
  "body": {
    "error": "invalid_grant",
    "error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: 6b94c72a-ffa6-4020-a447-ba7d303a4f00\r\nCorrelation ID: 5bd05ce5-20ad-48b2-a509-dabfed573562\r\nTimestamp: 2022-07-27 16:36:55Z",
    "error_codes": [ 50126 ],
    "timestamp": "2022-07-27 16:36:55Z",
    "trace_id": "6b94c72a-ffa6-4020-a447-ba7d303a4f00",
    "correlation_id": "5bd05ce5-20ad-48b2-a509-dabfed573562",
    "error_uri": "https://login.microsoftonline.com/error?code=50126"
  }
}
```

Steps to reproduce

  1. Use App to create a Team.
  2. Team is created but missing the sensitivity label.

Expected results

Expect to see sensitivity label applied to Team

Actual Results

Team is created with no sensitivity label.

Solution component

Logic Apps

Operating system (environment)

Windows

Additional Info

I have manually recreated a new key vault with sapassword and sausername and amended the flow to use it; however, the same issue occurs.

BTW. The username and password for this service account is used throughout the App config and is correct.

In addition, FYI: this article (https://docs.microsoft.com/en-us/answers/questions/385629/aadsts50126-error-validating-credentials-due-to-in-1.html) explains that for this to work we need to:

  1. Sync users' passwords to Azure AD. If you don't want to sync password for entire organization, you may consider using Selective Password Hash Sync.
  2. Create a policy to allow credentials validation of federated users from within Azure AD.
  3. Link the policy to the application, for which you want to use ROPC flow with federated accounts.

We have Password Hash Sync already enabled. Do we need to also do steps 2 & 3 so that federated users can authenticate directly from Azure AD without being redirected to the federated Identity Provider (IDP)? (https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d)
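The three steps quoted above (password hash sync, an Azure AD policy that allows cloud password validation, and linking that policy to the application), carried out in PowerShell and followed by a replay of the same ROPC token request the Logic App's "Get access token for service account" action makes. This is an added example, not code from the microsoft-teams-apps-requestateam project or from the issue author; it assumes the legacy AzureAD PowerShell module and Az.KeyVault are installed, that Password Hash Sync already covers the service account (step 1), and that the Key Vault name, tenant, app (client) ID and policy display name below are placeholders you replace with your own. The secret names sausername and sapassword are the ones mentioned in the issue.

```powershell
# Added example (not part of the project): steps 2 and 3 of the linked answer,
# then a test ROPC request to confirm AADSTS50126 is gone.
# Placeholders (assumptions): tenant, app ID, Key Vault name, policy name.
$TenantId    = "contoso.onmicrosoft.com"                  # assumption
$AppClientId = "00000000-0000-0000-0000-000000000000"     # assumption: app (client) ID the Logic App authenticates with
$VaultName   = "kv-requestateam"                          # assumption: vault holding sausername / sapassword
$PolicyName  = "EnableDirectAuthPolicy"                   # any display name

Connect-AzureAD -TenantId $TenantId | Out-Null

# Step 2: HomeRealmDiscoveryPolicy that lets Azure AD validate the synced password
# hash itself instead of redirecting federated users to the on-premises IdP.
# Create it once; reuse an existing policy of this name if present.
$policy = Get-AzureADPolicy | Where-Object {
    $_.Type -eq "HomeRealmDiscoveryPolicy" -and $_.DisplayName -eq $PolicyName
}
if (-not $policy) {
    $policy = New-AzureADPolicy `
        -Type HomeRealmDiscoveryPolicy `
        -DisplayName $PolicyName `
        -Definition @('{"HomeRealmDiscoveryPolicy":{"AllowCloudPasswordValidation":true}}')
}

# Step 3: link the policy to the SERVICE PRINCIPAL of the application that performs
# the ROPC request (the app registration used by the Logic App), not to the user.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppClientId'"
if (-not $sp) { throw "No service principal found for appId $AppClientId in this tenant" }

$linked = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $linked) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type

# Verification: replay the ROPC request with the service-account credentials
# taken from Key Vault (never hard-code them). A confidential client must also
# send client_secret; add it to $body if your app registration has one.
$saUser = Get-AzKeyVaultSecret -VaultName $VaultName -Name "sausername" -AsPlainText
$saPass = Get-AzKeyVaultSecret -VaultName $VaultName -Name "sapassword" -AsPlainText

$body = @{
    grant_type = "password"
    client_id  = $AppClientId
    scope      = "https://graph.microsoft.com/.default"
    username   = $saUser
    password   = $saPass
}

try {
    $tok = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType "application/x-www-form-urlencoded" `
        -Body $body
    "ROPC succeeded; access token valid for $($tok.expires_in) seconds"
}
catch {
    # Azure AD returns the JSON error document in the response body.
    $err = $_.ErrorDetails.Message | ConvertFrom-Json
    if ($err.error_codes -contains 50126) {
        "Still AADSTS50126: confirm the policy is linked to the right service principal, " +
        "that this account's password hash is actually synced, and that no MFA/Conditional " +
        "Access requirement blocks non-interactive sign-in."
    }
    else {
        "Token request failed: $($err.error) - $($err.error_description)"
    }
}
```

The policy must be attached to the service principal of the app whose client_id appears in the token request; attaching it elsewhere leaves the federated redirect in place and AADSTS50126 persists. ROPC bypasses interactive MFA, so the service account needs to be excluded from Conditional Access policies that demand it, and that exclusion is itself a reason to keep the account's password in Key Vault with tight access policies and rotation. The AzureAD module is deprecated; the Microsoft Graph PowerShell counterparts (New-MgPolicyHomeRealmDiscoveryPolicy and New-MgServicePrincipalHomeRealmDiscoveryPolicyByRef) take the same policy definition.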