EricChen-8890 asked ·

"invalid username or password" 'AADSTS50126' in Microsoft Graph API password authentication

I'm doing some data retrieval work by using the Graph API.
I have written some scripts to get data via the Graph API with [Application] permission,
but I also need some APIs that have [delegated] permission only, so I have to change the authentication method from "client_credentials" to "password".

When I tried to sign in from authentication form with the user I was using, I got the below error:

'AADSTS50126' "invalid_grant" Error validating credentials due to invalid username or password

I have found another thread below; it seems the same problem happened recently.
https://docs.microsoft.com/en-us/answers/questions/38035/aadsts50126-invalid-grant-error-validating-credent.html

I might try to follow the suggestion from that thread, to create a new account without Federated Authentication.
In a big organization, I can't do it by myself, but may I know, if we create a new account for this, what other requirements I need to know?
Like, what roles does the new account need?

My requirement is: Login for using delegated permission API to get Teams Chats list by using PowerShell.

Thank you
Eric Chen




amanpreetsingh-msft answered ·

Hi @EricChen-8890


I have posted another solution to this problem at the link below:


https://medium.com/@amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d


If you choose to go with this solution, you would not need to create a new cloud-only user account and can use the already existing federated account as well.


@Faraha-6803 Hopefully, this would be helpful for you as well.




Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.



@soumi-MSFT
Thank you for the quick response and explanation; it helps when we try this.


@amanpreetsingh-msft
Thanks for the solution,
just one point to clarify:


For the command
Get-AzureADServicePrincipal -SearchString < display_name_of_the_app >


what is < display_name_of_the_app >? The application we registered in Azure AD?




@EricChen-8890 Yes, < display_name_of_the_app > is the display name of the application registered in Azure AD.

soumi-MSFT answered ·

@EricChen-8890, thank you for reaching out. The reason a federated user fails with the Resource Owner Password Grant flow is that, for a federated user, Azure AD has to redirect the user to the specific federation server that belongs to the user's on-prem domain, so that the ADFS server can complete the authentication with the local domain controller. In the Resource Owner Password Grant flow this redirect is not possible, hence it is not able to validate the username and password, and hence that error.

As a suggestion, you can create a new cloud-only user whose username and password reside in Azure AD, so that when you submit the user's credentials using the Resource Owner Password Grant flow, AAD can authenticate the user without any redirection.

This user can be a normal user in AAD, and the respective delegated permissions should be present in the app registration. One more thing to make sure of: if the delegated permission that you are providing needs admin consent, then before the user logs in to the application, the admin has to provide admin consent to this delegated permission. If you want the user to provide his/her own consent (if the delegated permission needs user consent), then you would have to somehow provide the user consent before going ahead with the Resource Owner Password Grant flow.


Hope this helps.


Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


UPDATE:

Rather than trying to get an access token by using grant_type = "password" for delegated user login,
we created a new cloud-only user whose username and password reside in Azure AD.
I got an auth code successfully with the cloud-only user's login, and then got an access token for further API calls.

soumi-MSFT answered ·

@EricChen-8890,


In the command "Get-AzureADServicePrincipal -SearchString < display_name_of_the_app >", the < display_name_of_the_app > section would contain the display name of the app registered in Azure AD.


To give you more context on this: when you register an application in Azure AD, it creates two major objects in Azure AD. One is called the application object (visible under the App Registration section) and the other is called the Service Principal object (visible under the Enterprise Registration section). Both of these objects are internally connected with each other using the App ID, but since both are separate objects in AAD, each has its own object ID, while the names of the application object and the service principal object remain the same in AAD.


Hence, for the command "Get-AzureADServicePrincipal -SearchString < display_name_of_the_app >", we are searching for that Service Principal object by the application name.


Hope this helps.



Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


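As an added example (not code from any of the posts above), the following PowerShell looks up the service principal by the application's App ID instead of its display name, which avoids the ambiguity of a -SearchString query that returns many unrelated Microsoft service principals, shows the application object and service principal sharing one App ID but having different object IDs, and lists the delegated permissions already consented for the app. It assumes the AzureAD module is installed, Connect-AzureAD has already been run, and the GUID below is a placeholder for your app registration's Application (client) ID.

```powershell
# Added example, not from the thread. Assumes the AzureAD module and an
# existing Connect-AzureAD session with directory read access.
function Get-AppServicePrincipalByAppId {
    param(
        [Parameter(Mandatory)] [string] $AppId
    )
    # -SearchString matches on display name and can return many service
    # principals, first-party Microsoft apps included. The App ID is shared by
    # the application object and its service principal and is unique in the
    # tenant, so an OData filter on it returns exactly one object.
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
    if (-not $sp) {
        throw "No service principal found for AppId $AppId in this tenant."
    }
    return $sp
}

# Placeholder: replace with the Application (client) ID from the app registration.
$appId = '00000000-0000-0000-0000-000000000000'

$sp = Get-AppServicePrincipalByAppId -AppId $appId
"Service principal ObjectId: $($sp.ObjectId)  DisplayName: $($sp.DisplayName)"

# Cross-check against the application object: same AppId, different ObjectId,
# same display name, as described in the answer above.
$app = Get-AzureADApplication -Filter "AppId eq '$appId'"
"Application ObjectId:       $($app.ObjectId)  DisplayName: $($app.DisplayName)"

# Delegated (OAuth2) permission grants already recorded for this service
# principal. The Graph scopes the script needs must appear here (admin consent
# shows ConsentType 'AllPrincipals') before a non-interactive flow such as ROPC
# can succeed, because that flow never shows a consent prompt.
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId } |
    Select-Object ConsentType, PrincipalId, Scope
```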

EricChen-8890 answered ·

@amanpreetsingh-msft @soumi-MSFT


Thank you for making this super clear; I will let you know if we get a chance to try this.



In
Run Get-AzureADServicePrincipal -SearchString < display_name_of_the_app > and copy the object ID of the service principal from the output.

there are many lines of output; which service principal should I choose? Will it be the SharePoint Online Client Extensibility Web Application Principal?
