I am tasked with granting admin-consent to an Enterprise application in a long list of tenants. Currently I have automated this task with JMeter with the following steps:

GET /{TenantId}/oauth2/authorize
POST /{TenantId}/login (login with tenant admin account)
POST /{TenantId}/Consent/Set
GET https://portal.azure.com/TokenAuthorize

And the process is working OK. However I would like to change it to MSAL for two reasons: 1) JMeter is really not the best tool for this job, 2) I would also learn to use some of MSAL, which I believe will come in handy in the future.

However I am not able to even get a token using MSAL. Using the following readily available example: https://github.com/Azure-Samples/ms-identity-msal-java-samples/blob/main/2.%20Client-Side%20Scenarios/Username-Password-Flow/src/main/java/UsernamePasswordFlow.java, the following exception appears:

Exception in thread "main" java.util.concurrent.CompletionException: com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

And I am not able to find the client_secret or the client_assertion for our Enterprise application.

Is there any other way to do it?

Thanks.
2 Answers
Please note that client_secret or the client_assertion are sometimes required in the ROPC flow based on the scenario, as mentioned in this MsDoc like below:

I created an Enterprise Application in my environment like below:
To resolve the error, try the below:
Go to Azure Portal -> App Registrations -> Select App with your Enterprise Application name -> Authentication
If the issue still persists, create a client secret like below:
Go to Azure Portal -> App Registrations -> Select App with your Enterprise Application name -> Certificates & secrets
Reference:
How do I resolve the error AADSTS7000218: The request body must contain the following parameter: ‘client_secret’ or ‘client_assertion’ by Jayendran
I would just generate the correct link, as specified here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent and click that several times.
Going through MSAL will not help you because it only does the user consent and not the admin consent.
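As an added example (not code from either answer), this is how the tenant-wide admin consent link from that document can be generated for a whole list of tenants and the redirect checked afterwards. The client ID and redirect URI are placeholders, and the redirect_uri and state query strings are the consent endpoint's optional parameters rather than values taken from the post.

```python
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values, not from the original question: the app (client) ID and a
# redirect URI registered on that app registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://example.invalid/consent-callback"

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def build_admin_consent_url(tenant, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Return (url, state) for the tenant-wide admin consent endpoint.
    Only a tenant GUID or a domain name is accepted, so a malformed entry in the
    tenant list cannot turn into a link pointing anywhere but login.microsoftonline.com."""
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        raise ValueError(f"not a tenant id or domain: {tenant!r}")
    state = secrets.token_urlsafe(24)  # per-link nonce, checked when the redirect comes back
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"https://login.microsoftonline.com/{tenant}/adminconsent?{query}", state


def build_batch(tenants):
    """Map state -> (tenant, url) for every tenant in the list, one link per tenant."""
    issued = {}
    for tenant in tenants:
        url, state = build_admin_consent_url(tenant)
        issued[state] = (tenant, url)
    return issued


def verify_callback(callback_url, issued):
    """Check the redirect sent back after the admin clicks Accept.
    Returns the tenant ID reported in the callback; raises if the state was never
    issued by us (an unsolicited or replayed redirect) or if consent was not granted."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [None])[0]
    if state not in issued:
        raise ValueError("unknown state: redirect does not belong to a link we generated")
    if "error" in params:
        raise RuntimeError(f"{params['error'][0]}: {params.get('error_description', [''])[0]}")
    if params.get("admin_consent", [""])[0].lower() != "true":
        raise RuntimeError("admin_consent flag missing from redirect")
    return params.get("tenant", [None])[0]
```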