0

I am tasked with granting admin-consent to an Enterprise application in a long list of tenants.

Currently I have automated this task with JMeter with the following steps:

  1. GET /{TenantId}/oauth2/authorize
  2. POST /{TenantId}/login (login with tenant admin account)
  3. POST /{TenantId}/Consent/Set
  4. GET https://portal.azure.com/TokenAuthorize

And the process is working OK. However, I would like to change it to MSAL for two reasons: 1) JMeter is really not the best tool for this job, and 2) I would also learn to use some of MSAL, which I believe will come in handy in the future.

However, I am not able to even get a token using MSAL. Using the following readily available example: https://github.com/Azure-Samples/ms-identity-msal-java-samples/blob/main/2.%20Client-Side%20Scenarios/Username-Password-Flow/src/main/java/UsernamePasswordFlow.java, the following exception appears:

Exception in thread "main" java.util.concurrent.CompletionException: com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

And I am not able to find the client_secret or the client_assertion for our Enterprise application.

Is there any other way to do it?

Thanks.

elgato

2 Answers

0

Please note that client_secret or client_assertion is sometimes required in the ROPC flow, depending on the scenario, as mentioned in this MsDoc like below:


I created an Enterprise Application in my environment like below:


To resolve the error, try the below:

Go to Azure Portal -> App Registrations -> Select App with your Enterprise Application name -> Authentication


If the issue still persists, create a client secret like below:

Go to Azure Portal -> App Registrations -> Select App with your Enterprise Application name -> Certificates & secrets


Reference:

How do I resolve the error AADSTS7000218: The request body must contain the following parameter: 'client_secret' or 'client_assertion' by Jayendran

Rukmini
  • Hi RukminiMr-MT, thanks for your input, but I am not able to locate my Enterprise application in the App registrations view. It does not appear in Owned applications nor in All applications – elgato Jul 20 '22 at 07:50
  • AFAIK, the Enterprise application must be displayed in the Enterprise application. Could you please include how you created the Enterprise application? – Rukmini Jul 20 '22 at 08:24
  • Verify whether you have selected this [**option**](https://i.imgur.com/wxv2Zxd.png) while creating Azure Enterprise Application. – Rukmini Jul 20 '22 at 08:40
  • I will ask for this information as I don't know how the application was created. Thank you. – elgato Jul 20 '22 at 11:31
0

I would just generate the correct link, as specified here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent

And click that several times. Going through MSAL will not help you because it only does the user consent and not the admin consent.

Stephan
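The link-based approach from the answer above, sketched as an added example (not code from either answerer or from Microsoft): it builds one tenant-wide admin consent URL per tenant with a single-use `state` value, then checks the redirect the admin's browser lands on. Assumptions: tenants are given as GUIDs, the redirect URI `http://localhost/consent` is registered on the application, and all IDs shown are constructed placeholders.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_consent_requests(tenant_ids, client_id, redirect_uri):
    """Return {state: (tenant_id, url)} with one unguessable state per tenant."""
    if not GUID.fullmatch(client_id):
        raise ValueError("client_id must be the application (client) ID GUID")
    pending = {}
    for tenant_id in tenant_ids:
        if not GUID.fullmatch(tenant_id):
            raise ValueError(f"not a tenant GUID: {tenant_id!r}")
        state = secrets.token_urlsafe(16)  # ties the later redirect to this request
        query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
        pending[state] = (tenant_id.lower(), f"{AUTHORITY}/{tenant_id}/adminconsent?{query}")
    return pending


def check_consent_redirect(pending, redirect_url):
    """Validate a redirect back from the consent page; return (tenant, ok, detail)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    state = params.get("state", "")
    if state not in pending:
        return None, False, "unknown state: response does not belong to this run"
    tenant_id, _ = pending.pop(state)  # single use, so a replayed redirect is rejected
    if "error" in params:
        return tenant_id, False, f"{params['error']}: {params.get('error_description', '')}"
    if params.get("tenant", "").lower() != tenant_id:
        return tenant_id, False, "tenant in response differs from the tenant requested"
    if params.get("admin_consent", "").lower() != "true":
        return tenant_id, False, "admin_consent flag missing"
    return tenant_id, True, "consent granted"


if __name__ == "__main__":
    # Constructed placeholder IDs, not real tenants or applications.
    tenants = ["11111111-1111-1111-1111-111111111111"]
    pending = build_consent_requests(
        tenants, "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "http://localhost/consent")
    state, (tenant, url) = next(iter(pending.items()))
    print(url)  # open this link while signed in as that tenant's admin
    # Simulated redirect as it would arrive after the admin accepts.
    reply = f"http://localhost/consent?admin_consent=True&tenant={tenant}&state={state}"
    print(check_consent_redirect(pending, reply))
```

Recording the result per tenant from the validated redirect gives an audit trail of which tenants actually granted consent, instead of assuming every opened link succeeded.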