
Article ID: 131960, created on Dec 23, 2017, last review on Sep 3, 2018

  • Applies to:
  • Operations Automation

Symptoms

An Office 365 sales order or synchronization attempt fails with the following error:

"error":"invalid_request","error_description":
"AADSTS50178: User account 'user@resellerDomainCSP.onmicrosoft.com' from identity provider 'https://sts.windows.net/a3831efe-...-8128a3717143/' does not exist in tenant 'End-customer organization' and cannot access the application 'cde22860-...-08622a196d0c' in that tenant.
The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."

The same error occurs when the readCSPAccounts.py script is run.

The following error is recorded in the sitelog:

2018-09-03 00:03:40,604 [  65] ERROR aps_endpoint: Azure AD Graph API server returned an web exception 'The remote server returned an error: (400) Bad Request.'.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Parallels.Office365.Gateway.Graph.AzureAdGraphHttpWebRequest.ExecuteAndHandleResponse[T](HttpWebRequest webRequest, String requestBodyForPrint) in c:\inetpub\wwwroot\O365App\App_Code\Graph\AzureAdGraphHttpWebRequest.cs:line 200
2018-09-03 00:03:40,619 [  65] DEBUG aps_endpoint: Azure AD Graph API request POST url: 'https://login.windows.net/5ff865a3-ed94-4d0b-b93e-1da92ac1b79b/oauth2/token',

Multi-Factor Authentication (MFA) is enabled in the customer's tenant.
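To confirm this signature quickly in a large sitelog, the following added example (not part of the original article and not code from the Operations Automation product) correlates the ERROR record reporting the 400 response with the DEBUG record on the same thread that names the token endpoint, extracts the tenant ID from that URL, and pulls the AADSTS code out of the token endpoint's error body. The record layout is an assumption inferred from the two sitelog lines quoted above; both sample inputs are constructed from the article's own excerpts, with the identifiers the article elides left elided.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the sitelog excerpt quoted in this article
# (the source path at the end of the stack frame is omitted).
SAMPLE_SITELOG = """\
2018-09-03 00:03:40,604 [  65] ERROR aps_endpoint: Azure AD Graph API server returned an web exception 'The remote server returned an error: (400) Bad Request.'.
System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Parallels.Office365.Gateway.Graph.AzureAdGraphHttpWebRequest.ExecuteAndHandleResponse[T](HttpWebRequest webRequest, String requestBodyForPrint)
2018-09-03 00:03:40,619 [  65] DEBUG aps_endpoint: Azure AD Graph API request POST url: 'https://login.windows.net/5ff865a3-ed94-4d0b-b93e-1da92ac1b79b/oauth2/token',
"""

# Constructed sample input: the token-endpoint error body from the article
# (identifiers elided in the article are kept elided here).
SAMPLE_ERROR_BODY = (
    '{"error":"invalid_request","error_description":"AADSTS50178: User account '
    "'user@resellerDomainCSP.onmicrosoft.com' from identity provider "
    "'https://sts.windows.net/a3831efe-...-8128a3717143/' does not exist in tenant "
    "'End-customer organization' and cannot access the application "
    "'cde22860-...-08622a196d0c' in that tenant.\"}"
)

# Assumed sitelog record layout, inferred from the two quoted lines:
# "<date> <time>,<ms> [<thread>] <LEVEL> <logger>: <message>"
LOG_RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[\s*(?P<thread>\d+)\] (?P<level>[A-Z]+) (?P<logger>[^:\s]+): (?P<msg>.*)$"
)
# Azure AD v1 token endpoint; the path segment is the tenant the gateway asked a token for.
TOKEN_URL = re.compile(
    r"https://login\.windows\.net/"
    r"(?P<tenant>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})/oauth2/token"
)
AADSTS_CODE = re.compile(r"AADSTS(?P<code>\d{5,6})")


@dataclass
class TokenFailure:
    timestamp: str
    thread: str
    tenant_id: Optional[str] = None


def extract_aadsts_code(body: str) -> Optional[str]:
    """Return the numeric AADSTS code from a token-endpoint error body, or None."""
    m = AADSTS_CODE.search(body)
    return m.group("code") if m else None


def find_token_failures(log_text: str) -> List[TokenFailure]:
    """Pair each 'Azure AD Graph API ... (400) Bad Request' ERROR record with the
    DEBUG record on the same thread that names the /oauth2/token URL, and report
    the tenant ID from that URL. Stack-trace continuation lines are skipped, and an
    ERROR record without a following token URL on its thread is not reported."""
    failures: List[TokenFailure] = []
    pending: Dict[str, TokenFailure] = {}  # thread -> failure awaiting its URL
    for line in log_text.splitlines():
        m = LOG_RECORD.match(line)
        if not m:
            continue
        thread, level, msg = m.group("thread"), m.group("level"), m.group("msg")
        if level == "ERROR" and "Azure AD Graph API" in msg and "(400) Bad Request" in msg:
            pending[thread] = TokenFailure(m.group("ts"), thread)
        elif level == "DEBUG" and thread in pending:
            url = TOKEN_URL.search(msg)
            if url:
                failure = pending.pop(thread)
                failure.tenant_id = url.group("tenant")
                failures.append(failure)
    return failures


def is_mfa_blocked_integration(log_text: str, error_body: str) -> bool:
    """True when the sitelog shows a failed token request and the endpoint's error
    body carries AADSTS50178, the combination this article attributes to MFA being
    enabled in the customer's tenant."""
    return bool(find_token_failures(log_text)) and extract_aadsts_code(error_body) == "50178"


if __name__ == "__main__":
    for f in find_token_failures(SAMPLE_SITELOG):
        print(f"{f.timestamp} thread {f.thread}: token request to tenant {f.tenant_id} failed (400)")
    print("AADSTS code:", extract_aadsts_code(SAMPLE_ERROR_BODY))
    print("matches APSA-20169 signature:", is_mfa_blocked_integration(SAMPLE_SITELOG, SAMPLE_ERROR_BODY))
```

Correlating on the thread ID rather than on adjacency matters in a busy sitelog, where records from other threads interleave between the ERROR line and the DEBUG line that names the tenant.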

Cause

Software-related issue #APSA-20169 "MFA on Microsoft side breaks the O365 integration".

Resolution

Contact your Technical Account Manager or Pooled Technical Associate to clarify the current status of the request.

As a workaround, disable the Azure AD baseline policy in the customer's tenant on the Microsoft side:

  1. Sign in to the Azure portal of the customer's tenant with a global administrator, security administrator, or conditional access administrator account.
  2. Navigate to the Conditional access blade.
  3. Click the baseline policy.
  4. Choose the option Do not use policy.

Note that this removes the MFA enforcement that the baseline policy provides for the tenant, so treat it as a temporary measure until the software issue above is resolved.
