Splaxi
commented
1 year ago As late as yesterday, I was working with the Get-D365LcsApiToken myself. My version is: 0.6.77
If you receive ANY error codes starting with "AADSTS" - I would trust the error message, as this comes directly from the Azure AD, that the cmdlet is trying to authenticate against. The authentication request goes towards: https://login.microsoftonline.com/common/oauth2/token
With that said, we have seen that 3. party identity tools like OKTA has been implemented, which would break the tools - or the expected authentication flow. The community has seen things like this: https://www.yammer.com/dynamicsaxfeedbackprograms/threads/1174941179609088
Extracted comment from the yammer thread:
Yes. I have made sure a number of times the user name and password are correct. These are the same details I am using to upload the package from ADO to LCS. Yes, we have full-blown Azure AD synced with Okta. When we log in manually, it redirects to the Okta authentication screen.
- Are you sure that your project still runs in the original LCS region, and no one from your company has done a Geo-2-Geo migration?
I know that the username password are good because I am login into LCS Web Portal and it works ClientID is also Good because We are using Upload Package using LCS in DEVOPS and everything works ...
Regarding that statement, I'm guessing that you are running the official Microsoft task, that can be installed into the Azure DevOps organization - right?
We don't quiet know what requirements that the Microsoft task has in terms of specific settings for the Application Registration (ClientId), but personally I have seen different things that needed adjustments of the settings "inside" the Application Registration (manifest). This varies very much, based on what the Azure AD administrators in your organization has configured.
I know that I had to set this to true once, with a customer: oauth2AllowIdTokenImplicitFlow
Here is a valid manifest file from my own Azure AD, that you can compare to your own manifest file.
{
"id": "{GUID1}",
"acceptMappedClaims": null,
"accessTokenAcceptedVersion": null,
"addIns": [],
"allowPublicClient": true,
"appId": "{GUID2}",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2021-12-02T10:11:11Z",
"description": null,
"certification": null,
"disabledByMicrosoftStatus": null,
"groupMembershipClaims": null,
"identifierUris": [],
"informationalUrls": {
"termsOfService": null,
"support": null,
"privacy": null,
"marketing": null
},
"keyCredentials": [],
"knownClientApplications": [],
"logoUrl": null,
"logoutUrl": null,
"name": "LCS-D365-Automation",
"notes": null,
"oauth2AllowIdTokenImplicitFlow": false,
"oauth2AllowImplicitFlow": false,
"oauth2Permissions": [],
"oauth2RequirePostResponse": false,
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": [],
"publisherDomain": "{DomainName}",
"replyUrlsWithType": [],
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "{GUID3}",
"type": "Scope"
}
]
},
{
"resourceAppId": "{GUID4}",
"resourceAccess": [
{
"id": "{GUID5}",
"type": "Scope"
}
]
}
],
"samlMetadataUrl": null,
"signInUrl": null,
"signInAudience": "AzureADMyOrg",
"tags": [],
"tokenEncryptionKeyId": null
}
FH-Inway
kblacquiere
Hello, I'm trying to call Get-D365LcsApiToken with -ClientId XXXX -UserName uuuuu -Password pppp -LcsApiUri https://lcsapi.lcs.dynamics.com .
But we are receiving : "invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.
I know that the username password are good because I am login into LCS Web Portal and it works ClientID is also Good because We are using Upload Package using LCS in DEVOPS and everything works ...
But we had to change or script few months ago to use MSAL for authentication.
So, I suspect that we have the problem trying to authenticate with d365fo.tools becaue of MSAL ...
Am I right ?
Do you have an idea how to fix this ?
Thanks in advance for you help !