AAD Auth Failures - using POSTMAN - obtaining token

    Question

  • Getting error: The application asked for scope 'read' that doesn't exist on the resource.

    Investigating Web API for dynamics365.

    Request Id: 84822875-7fbd-4290-999b-61c311b51300
    Correlation Id: fbde05de-78a9-4a27-b88d-791353b32d2b
    Timestamp: 2019-05-21T12:13:55Z
    Message: AADSTS650053: The application 'restricted-scopes-v2' asked for scope 'read' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
    Advanced diagnostics: Disable
    If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.
    Tuesday, May 21, 2019 4:18 PM

Answers

  • A few traps:

    1. Register app (azure ad --> app regist)

    Accounts in any organizational directory - select

    https://localhost/ - redirect url

    obtain clientid

    2. API permissions

    App itself as above i.e. User.Read.all Delegated all

    Dynamics CRM - user_impersonation Delegated

    MS Graph - you need this, otherwise obtain error message. Selected 111 options. Was not sure which ones. Admin granted.

    3. Expose API    

    Create scope --> 'User.read.all'

    Create Client app i.e. clientid as above

    4. Change Manifest file for app

    "oauth2AllowImplicitFlow": true

    5. Dynamics portal, by default you don't see 'settings' tab.

    Go to MS 365 admin center, select admin center

    change instance to sandbox, from production.

    6. User you are using, changed to 'Global administrator'.

    MS 365 admin center

    7. Postman

    Create envir

    url - https://ABC.api.crm11.dynamics.com

    clientid - ID

    version - 9.1

    webapiurl - {{url}}/api/data/v{{version}}/

    callback - https://localhost/

    authurl - https://login.microsoftonline.com/common/oauth2/authorize?resource={{url}}

    Next

    Add

    GET --> https://ABC.api.crm11.dynamics.com/api/data/v9.1/contacts?$select=contactid,firstname,lastname

    Next

    Use 2 auth options

    Basic Auth - enter user & pwd (same user with correct security role)

    OAuth2 - Implicit (use variables defined) i.e. {{}}

    Hard copy scope --> User.read.all

    ***Get token, then Preview Request***

    Last step

    Send


    User.read.all
    Friday, May 24, 2019 10:55 AM
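
An added example (not from the thread, from Postman or from Microsoft): it expands the Postman variables from step 7 into the authorize URL and the Web API URL exactly as the collection would, and decodes the aud claim of an access token before it is sent, because a token minted for a different resource (for instance the Microsoft Graph id quoted in the AADSTS650053 error) is refused by the Dynamics Web API with a 401 rather than a clearer message. The client id and the JWTs are constructed placeholders; the decoder reads the payload only and does not validate signatures.

```python
import base64
import json
from urllib.parse import urlencode

# Postman-style environment from step 7 of the answer (ABC is the org placeholder;
# the clientid below is a constructed placeholder, not a real app registration).
ENV = {
    "url": "https://ABC.api.crm11.dynamics.com",
    "clientid": "00000000-0000-0000-0000-000000000000",
    "version": "9.1",
    "callback": "https://localhost/",
    "webapiurl": "{{url}}/api/data/v{{version}}/",
    "authurl": "https://login.microsoftonline.com/common/oauth2/authorize?resource={{url}}",
}

# Microsoft Graph resource id, as it appears in the error message in the question.
GRAPH_RESOURCE = "00000003-0000-0000-c000-000000000000"

def expand(template, env):
    """Resolve Postman {{variable}} references (nested ones too) against env."""
    out = template
    while "{{" in out:
        start = out.index("{{")
        end = out.index("}}", start)
        out = out[:start] + env[out[start + 2:end]] + out[end + 2:]
    return out

def build_authorize_url(env):
    """Authorize URL for the AAD v1 implicit flow: resource comes from authurl,
    the remaining OAuth2 parameters from the environment."""
    params = {"client_id": env["clientid"], "response_type": "token",
              "redirect_uri": env["callback"]}
    return expand(env["authurl"], env) + "&" + urlencode(params)

def contacts_url(env):
    """The GET request from step 7, built from webapiurl."""
    return expand(env["webapiurl"], env) + "contacts?$select=contactid,firstname,lastname"

def token_audience(access_token):
    """Return the 'aud' claim of a JWT by decoding its payload (no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def token_fits_resource(access_token, env):
    """True only if the token was issued for the Dynamics org the request targets."""
    return token_audience(access_token) == env["url"]

def constructed_token(aud):
    """Unsigned JWT with the given audience: constructed sample data, not a real token."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return seg({"alg": "none"}) + "." + seg({"aud": aud, "scp": "user_impersonation"}) + ".sig"
```

Run token_fits_resource on the token Postman hands back before pressing Send; an aud of the Graph id shows the scope/resource pairing is still pointing at Graph, which is the 401 to fix on the app registration side rather than in Dynamics.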

All replies

  • Hello, 

    Can you include the API call you are making when you receive this error?

    Also, from your application "restricted-scopes-v2", have you granted permissions to access Dynamics 365 from the app registration blade?

    Wednesday, May 22, 2019 3:57 AM
    Moderator
  • Hi

    1.

    Not making any API calls at this point.  Just trying to obtain a token.

    For Reference, see

    'https://medium.com/capgemini-dynamics-365-team/dynamics-365-web-api-postman-collection-abfb259f9eae'

    2.

    Yes - granted permissions. I think, from the error, that's the cause of the issue.

    Wednesday, May 22, 2019 7:10 AM
  • Hi

    '00000003-0000-0000-c000-000000000000' identifies this as MS Graph. I need to provide the correct permission for the application to use this resource. Not sure what that is.

    Wednesday, May 22, 2019 8:53 AM
  • Hello,

    I went through the guide and noticed a couple of things that I wanted to clarify, 

    1) Did you enable your application for implicit authentication?

    2) Which user account are you using? Does this account have Global Administrator privileges?

    3) Are you passing a scope parameter in your request?

     
    Wednesday, May 22, 2019 10:06 AM
    Moderator
  • Hi

    1) Did you enable your application for implicit authentication? - Yes ie 

    "oauth2AllowImplicitFlow": true,

    2) Which user account are you using? Does this account have Global Administrator privileges?

    only 2 accounts created at this stage.  Using account I created dynamics account from.  Checked, I do belong to the one you specified.  Other account belongs to 'Dynamics 365 service administrator'.

    3) Are you passing a scope parameter in your request?

    read

    Wednesday, May 22, 2019 11:23 AM
  • Can you pass user.read as your scope and try once?


    Wednesday, May 22, 2019 11:40 AM
    Moderator
  • ok, give me 5 
    Wednesday, May 22, 2019 12:07 PM
  • Good news, I can now get token.

    Next step,

    GET https://XXX.api.crm11.dynamics.com/api/data/v9.1/contacts?$select=contactid,firstname,lastname

    401 - error

    Wednesday, May 22, 2019 12:16 PM
  • Hi

    I can get the token, but when I use it in the GET API call I get a 401 - unauthorised error. Don't get that?

    Wednesday, May 22, 2019 1:51 PM
  • Hello,

    The scope I sent will just give the permissions to read the data of the user. User.read.all is the scope for entire org user data. 

    However, those are scopes for Microsoft Graph calls and I am not able to find the required scope for the dynamics API call. 

    Try after giving the permissions to your app by following the steps listed here.

    Wednesday, May 22, 2019 2:16 PM
    Moderator
  • Hi 

    Seen this:

    https://community.dynamics.com/crm/f/117/t/253670

    Exactly the same issue. Scope for Dynamics API that's needed.

    I'll have a look.

    Wednesday, May 22, 2019 3:04 PM
  • Hi 

    Tried giving the permissions to the app again, same issue.

    Googled, found this --> https://stackoverflow.com/questions/53512372/dynamics-365-api-using-aad-v2

    Tried changing scope, i.e. User.Read.all to user_impersonation, can't get a token. User.Read.all

    Changed the resource, I assume, to below format:

    https://{organization}.crm.dynamics.com//user_impersonation

    No change.

     

    Thursday, May 23, 2019 8:09 AM
  • Hi 

    Got this working now.  Very long struggle.

    Using the token and getting the GET request to work requires a good understanding of Dynamics admin.

    Solved token by your suggestion, and fixed the 401 error, one of the permissions, i.e. user.

    Thanks for your assistance.

    Friday, May 24, 2019 8:00 AM
  • Hi,

    That's great news. I was researching about this and couldn't find anything useful. What value did you pass for the scope parameter to get it working?


    Friday, May 24, 2019 8:45 AM
    Moderator
  • Give me 10, I'll post details
    Friday, May 24, 2019 10:20 AM
  • Hello, 

    Thanks a lot for sharing the details. I appreciate it.

    Friday, May 24, 2019 3:18 PM
    Moderator