Error: OAuth integration with O365 fails with error AADSTS65005

0 votes

We have a web site (built on a php framework) where we provide online educational tools for teachers/students. We have done an OAuth integration with google.com where users can 'sign up' and 'sign in' to our site using their google accounts (could be a personal gmail account, or a member of a google apps domain).

We are trying to do a similar integration with O365 where our website can ask O365 for the user's email and first/last names so we can create an account for them on our site, and once the account is created, log them in. We have created an Application listing in Azure -> Active Directory, and have generated the client ID and secret, and plugged them into our PHP code. The OAuth workflow described here works up until the point where I try and request the access token using a POST request to https://login.windows.net/common/oauth2/token. It redirects back to my redirect_uri but instead of giving me the auth code, it gives me these params in the URL:

[error] => access_denied
[error_description] => AADSTS65005: The client application has requested access to resource 'https://outlook.office365.com/'. This request has failed because the client has not specified this resource in its requiredResourceAccess list.
Trace ID: xxxxxx
Correlation ID: xxxxxx
Timestamp: 2014-09-29 06:28:25Z
[state] => xxxxxx

All I need is for O365 to give me the user's email and f/l names. Surely there's a quick fix for this that I am missing?
Aug 9, 2018 in Azure by null_void
• 3,220 points
34 views

1 answer to this question.

0 votes

By default, a registered app is configured to request "Read the user's profile", which once consented to by the user, allows the app to get a user token (id token if using OpenID Connect) and read the signed in user's profile (including their mail address or addresses) when calling the Azure AD Graph API. Apps secured by Azure AD must currently configure the permission scopes they require up front (as part of the app registration experience, under the "Permissions to other applications" section). Here it looks like you've specified Outlook.com as the resource that you'd like a code and access token for, but your app is not configured to allow access to O365 Outlook.com/Exchange Online.

Please try setting the resource in your request to Azure AD - https://graph.windows.net/. That should work for you. You can then swap the code for an access token to call the Azure AD Graph API.

Hope this helps

answered Aug 9, 2018 by club_seesharp
• 3,450 points
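The flow the answer describes, as an added example that is not part of the original post or of the asker's PHP code: the authorize request carries the `resource` parameter set to https://graph.windows.net/, the redirect back to `redirect_uri` is checked for a matching `state` and for an AADSTS error before the code is trusted, and the token POST repeats the same resource. The endpoint is the one quoted in the question; client id, secret and redirect URI are placeholders.

```python
# Added example, not the asker's or the answerer's code. Endpoint from the question;
# client_id, client_secret and redirect_uri are placeholders to be replaced.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORITY = "https://login.windows.net/common/oauth2"
AAD_GRAPH = "https://graph.windows.net/"    # resource covered by the default "read profile" permission
EXCHANGE = "https://outlook.office365.com/"  # resource that produced AADSTS65005 in the question


def build_authorize_url(client_id, redirect_uri, resource=AAD_GRAPH, state=None):
    """Build the /authorize request; returns (url, state) so the caller can keep state in the session."""
    state = state or secrets.token_urlsafe(16)  # fresh per login, bound to the user's session
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,  # must be a resource the app registration is permitted to access
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Return the authorization code from the redirect, or raise with the AADSTS description."""
    qs = parse_qs(urlparse(callback_url).query)

    def first(key):
        return qs.get(key, [None])[0]

    if first("state") != expected_state:  # reject callbacks not tied to this login attempt
        raise ValueError("state mismatch: callback does not belong to this session")
    if first("error"):  # e.g. access_denied / AADSTS65005 when the resource is not permitted
        raise RuntimeError(f"{first('error')}: {first('error_description')}")
    if not first("code"):
        raise RuntimeError("callback carried neither a code nor an error")
    return first("code")


def build_token_request(code, client_id, client_secret, redirect_uri, resource=AAD_GRAPH):
    """Return (url, form_body) for the POST that swaps the code for an access token."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only; never exposed to the browser
        "redirect_uri": redirect_uri,
        "resource": resource,  # same resource as in the authorize request
    }
    return f"{AUTHORITY}/token", body
```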
