
Exchange Online App-Only Authentication Error AADSTS70011 Invalid Scope

As more people are starting to use the Exchange Online V2 module (yay!), there are some new and different issues appearing.

In this case, the command to connect to the tenant was failing when App-Only authentication was used.  A certificate was installed onto the machine where PowerShell was running.

The command used is shown, followed by a glorious error.

Connect-ExchangeOnline -CertificateThumbPrint "49A1BDEE242DEAD77ED55DD7BEA36FFE4D792E62" -AppID "36ee4c6c-0812-40a2-b820-b22ebd02bce3" -Organization "TailspintoysCanada.onmicrosoft.com"


Error Acquiring Token:
System.Exception: Case when Message contains:AADSTS70011 Invalid scope. The scope has to be of the form "https://resourceUrl/.default"Mitigation:   change the scope to be as expectedAADSTS700016: Application with identifier '36ee4c6c-0812-40a2-b820-b22ebd02bce3' was not found in the directory 'tailspintoyscanada.onmicrosoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Trace ID: 42971466-4353-4882-925a-fe2557da2301
Correlation ID: af1e5152-c7fc-42e8-91d9-0b22619eb7ed
Timestamp: 2021-04-27 23:32:27Z ---> Microsoft.Identity.Client.MsalServiceException: AADSTS700016: Application with identifier '36ee4c6c-0812-40a2-b820-b22ebd02bce3' was not found in the directory 'tailspintoyscanada.onmicrosoft.com'.

This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.


Solution

The first thing to check is the obvious one.  In the command above, the wrong GUID was passed to -AppID: it must be the Application ID of the App Registration that is created as part of the app-only setup process.

To verify these details, let's go to the Azure AD portal.  Navigate to App Registrations and then select the app which was created to map the certificate.

In the image below, you can see the Application ID which is indicated by the arrow.

When you mouse over the GUID, a convenient copy button appears to the right.

Verify App Registration Details in Azure AD Portal

Copy the App Registration GUID and update the command.

This is what it should have been; note that the correct App ID is highlighted.  The rest of the command remains the same.


Connect-ExchangeOnline -CertificateThumbPrint "49A1BDEE242DEAD77ED55DD7BEA36FFE4D792E62" -AppID "b6ae4fc4-78ab-4ca6-ac3e-82c6cdbf2548" -Organization "TailspintoysCanada.onmicrosoft.com"


Able To Connect Using Correct App Registration ID


Note that we are successfully connected to Exchange Online, and are able to run commands.
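The same mistake can be caught before the connect attempt. The script below is an added example, not code from the post or from the Exchange Online module: the hypothetical function Test-ExoAppOnlyPrereqs checks that the -AppID value is a well-formed GUID and that a certificate with the given thumbprint is present (with its private key, and not expired) in CurrentUser\My or LocalMachine\My, which assumes a Windows certificate store as in the post. The GUID and thumbprint are the corrected values from the post.

```powershell
# Added example (not from the original post): pre-flight checks for app-only Connect-ExchangeOnline.
function Test-ExoAppOnlyPrereqs {
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $CertificateThumbprint,
        [Parameter(Mandatory)] [string] $Organization
    )
    $problems = @()

    # 1. -AppID must be the Application ID GUID shown under Azure AD > App registrations.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($AppId, [ref]$guid)) {
        $problems += "AppId '$AppId' is not a valid GUID."
    }

    # 2. The certificate must be installed where the module can find it (assumption: Windows stores),
    #    with its private key, since the token request is signed with that key, and still valid.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $CertificateThumbprint.ToUpper() } | Select-Object -First 1
    if (-not $cert) {
        $problems += "No certificate with thumbprint $CertificateThumbprint in CurrentUser\My or LocalMachine\My."
    } elseif (-not $cert.HasPrivateKey) {
        $problems += "Certificate $CertificateThumbprint has no private key."
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $problems += "Certificate $CertificateThumbprint expired on $($cert.NotAfter)."
    }

    # 3. -Organization should be the tenant's domain name, e.g. the .onmicrosoft.com initial domain.
    if ($Organization -notmatch '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
        $problems += "Organization '$Organization' does not look like a domain name."
    }
    return $problems
}

$params = @{
    AppId                 = "b6ae4fc4-78ab-4ca6-ac3e-82c6cdbf2548"   # corrected Application ID from the post
    CertificateThumbprint = "49A1BDEE242DEAD77ED55DD7BEA36FFE4D792E62"
    Organization          = "TailspintoysCanada.onmicrosoft.com"
}
$issues = Test-ExoAppOnlyPrereqs @params
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; return }

try {
    Connect-ExchangeOnline -AppId $params.AppId -CertificateThumbprint $params.CertificateThumbprint -Organization $params.Organization
} catch {
    # AADSTS700016 means the tenant has no app registration with that ID: re-copy the GUID from the portal.
    if ($_.Exception.Message -match 'AADSTS700016') {
        Write-Warning "AppId not found in tenant '$($params.Organization)'. Re-check the Application ID under App registrations."
    }
    throw
}
```

A well-formed GUID that passes the local checks can still be wrong, as it was in this case; the catch block only turns the AADSTS700016 response into a pointer back to the portal.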


Cheers,

Rhoderick

Rhoderick Milne [MSFT]
