
I am struggling to get a token from "https://login.microsoftonline.com/common/oauth2/token" with an Azure function by a POST request. The token will give permissions to access SharePoint through CSOM. Here is my code snippet with the POST request:

// Requires: using System.Net.Http; using System.Text; using System.Text.Json; using System.Web;
var clientId = defaultAADAppId;
// The resource value is a URL, so it is form-encoded like the other fields.
var body = $"resource={HttpUtility.UrlEncode(resource)}&client_id={clientId}&grant_type=password&username={HttpUtility.UrlEncode(username)}&password={HttpUtility.UrlEncode(password)}";
using (var stringContent = new StringContent(body, Encoding.UTF8, "application/x-www-form-urlencoded"))
{
    var result = await httpClient.PostAsync(tokenEndpoint, stringContent);
    // PostAsync returns an HttpResponseMessage; the JSON is in its body, not in the message object.
    var json = await result.Content.ReadAsStringAsync();
    // A failed request still carries a JSON body with error/error_description (e.g. the AADSTS code), so keep it.
    if (!result.IsSuccessStatusCode)
        throw new InvalidOperationException($"Token request failed: {json}");
    var tokenResult = JsonSerializer.Deserialize<JsonElement>(json);
    var token = tokenResult.GetProperty("access_token").GetString();
}

When testing locally, both when running the function in Visual Studio and when I try with Postman, I am able to achieve an access token. However, as soon as I publish the function to my Function app in Azure I receive the following error message:

"AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance"

I have enabled an app registration in the portal and as mentioned, it all works fine until I publish everything to Azure.

Any ideas on how to solve this?

Casey Crookston
FinneVirta
  • check here: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes. Suggested resolution: `Check the security policies that are defined on the tenant level to determine if your request meets the policy requirements.` – Casey Crookston Jan 18 '21 at 18:59
  • also check here: https://login.microsoftonline.com/error. Paste in the error number, `AADSTS53003`. Result: `If this is unexpected, see the conditional access policy that applied to this request in the Azure Portal.` – Casey Crookston Jan 18 '21 at 19:00

2 Answers


As the error message says, your app is blocked by CA policy. Possible causes can be unknown client app, blocking external IP addresses, etc.

You can perform one of the below workarounds:

  • Add your Client app to your CA policy.
  • I wouldn’t recommend this because this affects your security - if you take the risk you could exclude the “Microsoft Azure Management” from your CA policy which blocks unknown clients / requires device state and still protect the sign-in with MFA.
  • A better approach is to use another OAuth 2.0 and OpenID Connect flow like the delegated flow where you sign in directly within the app, if possible.
Nimantha
Harshita Singh
  • Do you have any documentation regarding the other approach? I am currently using the AuthenticationManager class as suggested by the following documentation [AuthenticationManager sample class](https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/using-csom-for-dotnet-standard#authenticationmanager-sample-class) – FinneVirta Jan 19 '21 at 10:11
  • Refer these three links: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/troubleshoot-conditional-access, https://tech.nicolonsky.ch/device-code-auth-ca/, https://learn.microsoft.com/en-us/answers/questions/78500/azure-automation-connect-azuread-blocked-by-condit.html – Harshita Singh Jan 19 '21 at 10:12
  • This is most probably a config-related issue and not a coding-approach-related one. Pls try those steps and let me know if it works. – Harshita Singh Jan 19 '21 at 10:14
  • Does this help? – Harshita Singh Jan 20 '21 at 18:04
  • Thanks for the help @singhh-msft, got it to work now. Added the solution in my answer. – FinneVirta Jan 27 '21 at 19:27

I got it to work now. First of all I reviewed the CA policies as @CaseyCrookston suggested. What I found out was that our CA policies blocked calls outside the country we operate from. However, the calls from the App registration/Azure function were registered from the Azure data centre location and thus blocked by our CA policies. When running them locally the calls were registered in my country and therefore no errors were showing while debugging.

My first step was trying to add my Client app to the CA policy, which was not possible. The client/secret authentication that I used based on the suggestions in this CSOM guide by Microsoft prevented the App registration from being whitelisted in the CA policies (GitHub issue).

Based on this I had to change the authentication to a Certificate-based authentication as suggested here: Access token request with a certificate and here: SO answer. With this I was able to whitelist the App registration in the CA policies and successfully authenticate to the SharePoint CSOM.

FinneVirta