0

We are using compulsory two factor authentication for our email addresses under our Active Directory.

I have an app that requires a service account, so we created app password for that service account. We acquire access token using following end point -

https://login.windows.net/{tenant_id}/oauth2/token

It works perfectly fine for credentials without two factor authentication and normal password but not for accounts with two factor auth and app password

If we enter app password it returns this error -

AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password enter image description here

How can I get it working?

Arun Vinoth-Precog Tech - MVP
  • 22,364
  • 14
  • 59
  • 168
Rahul Patil
  • 5,656
  • 6
  • 37
  • 65

1 Answers1

1

It looks like you are trying to use the Resource Owner Password Credentials Grant, which is in general not recommended (it doesn't support MFA among other things) Instead of using that flow, see if the client credential flow (where you can use an application ID + secret or certificate) fits your needs

In the case of CRM Online, it does support the concept of “application user”. You declare the application in AAD with a secret or a certificate. Then you go to CRM Online and add that “application user” with a custom security role.

enter image description here

Then you can use code like this to access CRM web services. 

add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
add-type -path "Microsoft.Xrm.Sdk.dll"
$resourceAppIdURI = "https://ORG.crm2.dynamics.com"
$authority = "https://login.windows.net/TENANT.onmicrosoft.com" 
$credential=New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential("b1d83e4e-bc77-4919-8791-5408746265c1","<SECRET>")
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
$authResult = $authContext.AcquireToken($resourceAppIdURI, $credential)
$sdkService=new-object Microsoft.Xrm.Sdk.WebServiceClient.OrganizationWebProxyClient("https://ORG.crm2.dynamics.com/xrmservices/2011/organization.svc/web?SdkClientVersion=8.2",$false)
$sdkService.HeaderToken=$authResult.accesstoken
$OrganizationRequest=new-object Microsoft.Xrm.Sdk.OrganizationRequest
$OrganizationRequest.RequestName="WhoAmI"
$sdkService.Execute($OrganizationRequest)
andresm53
  • 1,913
  • 6
  • 15
  • I can get access token using certificate flow but if I use the access token to consume Dynamics API, it throws 401 unauthorized error.. Why? Back to my old question - https://stackoverflow.com/a/39994073/1635060. Dynamics API do not support app-token acquired by client creds. – Rahul Patil May 24 '17 at 06:29
  • 1
    I just added info to my original post about CRM Online and the concept of "Application User". – andresm53 May 24 '17 at 11:28
  • I am not able to edit Application ID URI.. any reason? – Rahul Patil May 24 '17 at 15:24
  • According to https://msdn.microsoft.com/en-us/library/mt790170.aspx#bkmk_ManuallyCreateUser, "The User Name, Application ID URI and Azure AD Object ID fields are locked and you cannot set values for these fields." – andresm53 May 24 '17 at 15:42
  • One more thing, can I use this access token for webapi (odata) requests? – Rahul Patil May 24 '17 at 15:42
  • I beleive so, see https://msdn.microsoft.com/en-us/library/mt595798.aspx – andresm53 May 24 '17 at 15:46