11

Here is my PowerShell script

```powershell
# Parameters for Get-MsalToken (MSAL.PS), splatted below.
# Note: no ClientSecret is supplied, only an interactive sign-in.
$connectionDetails = @{
    'TenantId'    = '****-****'
    'ClientId'    = '****-****'
    'Interactive' = $true
    'Scopes'      = '****-****'
    'RedirectUri' = '****-****'
}

$token = Get-MsalToken @connectionDetails

$accessToken = $token.AccessToken

Write-Output $accessToken
```

It errors out as follows:

```
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'
```

Why am I getting this error? How can I fix it?

TylerH
blogs4t
  • Does this answer your question? [How do I resolve the error "AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'"](https://stackoverflow.com/questions/45609432/how-do-i-resolve-the-error-aadsts70002-the-request-body-must-contain-the-follo) – TylerH Mar 10 '22 at 17:49

1 Answer

15

Please see the differences between public client and confidential client applications.

Confidential client applications are safe to keep application secrets in, while public clients are not.

So the error you encountered means that your app registration is a confidential client application (when you created it, you selected Web), which requires you to provide ClientSecret, but you didn't specify it.


So you have 2 options to resolve it.

The first one is providing ClientSecret in your script (don't modify anything on Azure portal):

```powershell
$connectionDetails = @{
    'TenantId'    = '****-****'
    'ClientId'    = '****-****'
    # Get-MsalToken takes the secret as a SecureString, not a plain string.
    'ClientSecret'= (ConvertTo-SecureString '****-****' -AsPlainText -Force)
    'Interactive' = $true
    'Scopes'      = '****-****'
    'RedirectUri' = '****-****'
}
```

The second one is changing your app registration from a confidential client application to a public client application in the Azure portal -> your app registration -> Manifest (don't modify your script).


Get-MsalToken.ps1 also includes these 2 examples:

```powershell
.EXAMPLE
    PS C:\>Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -TenantId '00000000-0000-0000-0000-000000000000' -Interactive -Scope 'https://graph.microsoft.com/User.Read' -LoginHint user@domain.com
    Force interactive authentication to get AccessToken (with MS Graph permissions User.Read) and IdToken for specific Azure AD tenant and UPN using client id from application registration (public client).

.EXAMPLE
    PS C:\>Get-MsalToken -ClientId '00000000-0000-0000-0000-000000000000' -ClientSecret (ConvertTo-SecureString 'SuperSecretString' -AsPlainText -Force) -TenantId '00000000-0000-0000-0000-000000000000' -Scope 'https://graph.microsoft.com/.default'
    Get AccessToken (with MS Graph permissions .Default) and IdToken for specific Azure AD tenant using client id and secret from application registration (confidential client).
```
Allen Wu
  • I am curious why you recommend changing this in the Manifest section rather than through the UI in the Authentication section? Why risk making a typo or transcription error when Microsoft provides a button/toggle option you can click to set this to true? – TylerH Mar 03 '22 at 22:11
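The two call shapes from the answer (public client with interactive sign-in, confidential client with a secret) put together in one helper, as an added example that is not part of the question or answer. It assumes the MSAL.PS module is installed and that the secret is supplied through a hypothetical environment variable `MSAL_CLIENT_SECRET` instead of being hard-coded in the script.

```powershell
# Added example (not from the question, the answer, or the MSAL.PS project).
# Builds the Get-MsalToken splat that matches the app registration type, so a
# confidential client never goes out without client_secret (AADSTS7000218).
function New-MsalTokenParams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $TenantId,
        [Parameter(Mandatory)] [string]   $ClientId,
        [Parameter(Mandatory)] [string[]] $Scopes,
        [Parameter(Mandatory)] [ValidateSet('Public', 'Confidential')]
        [string] $ClientType,
        [string] $RedirectUri
    )
    $params = @{
        TenantId = $TenantId
        ClientId = $ClientId
        Scopes   = $Scopes
    }
    if ($RedirectUri) { $params['RedirectUri'] = $RedirectUri }

    switch ($ClientType) {
        'Public' {
            # Public client: it holds no secret, so a user signs in interactively.
            $params['Interactive'] = $true
        }
        'Confidential' {
            # Confidential client: the app proves its own identity with a secret
            # (or certificate). Get-MsalToken expects the secret as a SecureString.
            # MSAL_CLIENT_SECRET is an assumed name; read it from wherever the
            # secret is actually stored (vault, CI secret store), never the script.
            $plain = $env:MSAL_CLIENT_SECRET
            if ([string]::IsNullOrEmpty($plain)) {
                throw 'MSAL_CLIENT_SECRET is not set; a confidential client needs client_secret or client_assertion.'
            }
            $params['ClientSecret'] = ConvertTo-SecureString $plain -AsPlainText -Force
        }
    }
    return $params
}

# Usage: choose the type that matches the registration (Web = confidential).
$splat = New-MsalTokenParams -TenantId '<tenant-id>' -ClientId '<client-id>' `
    -Scopes 'https://graph.microsoft.com/.default' -ClientType Confidential
$token = Get-MsalToken @splat
# Report expiry rather than writing the bearer token itself to output.
$token.ExpiresOn
```

For a public-client registration call the helper with `-ClientType Public` and a delegated scope such as `https://graph.microsoft.com/User.Read`, and the environment variable is not consulted.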