Description
Core Library
MSAL.js (@azure/msal-node)
Core Library Version
3.1.0
Wrapper Library
Not Applicable
Wrapper Library Version
2.0.0
Public or Confidential Client?
Public
Description
Here I describe that in C# the same flow correctly works for MSAL with the same username and password for the same tenant for federated credentials: pnp/cli-microsoft365#6582
$securePsw = ($env:password | ConvertTo-SecureString -AsPlainText -Force)
Add-PowerAppsAccount -Endpoint prod -tenantId $env:TENANTID -Username $env:USERNAME -Password $securePsw
This works but requires the Microsoft.PowerApps.Administration.PowerShell module, which is Windows-specific.
If I use the pac CLI, which is cross-platform, the login works perfectly and I can do whatever I want with the CLI, but it doesn't have the option to "enable" or "disable" a cloud flow for a specific Power Platform environment.
pac auth create -un $username -p $password --tenant $tenantId --accept-cleartext-caching
And that is precisely why I stumbled upon the m365 CLI.
But only with your CLI, with the same username and password and using the same appId for the same tenant (specifying the tenant or not doesn't change the result):
m365 login --authType password --userName $env:USERNAME --password $env:password
fails to log in and gives back
Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.
This is also the actual C# code I used for a different use case, and it still works fine:
// Needs the Microsoft.Identity.Client (MSAL.NET) package; System.Net.Http.Json provides ReadFromJsonAsync
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Microsoft.Identity.Client;

// Public client against the /organizations authority (any work or school account)
var authBuilder = PublicClientApplicationBuilder.Create(clientId)
    .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
    .Build();
var scope = "https://service.powerapps.com//.default";
string[] scopes = [scope];
// Username/password (ROPC) flow; usernameSecret/passwordSecret hold the user's credentials
AuthenticationResult token =
    await authBuilder.AcquireTokenByUsernamePassword(scopes, usernameSecret.Value, passwordSecret.Value).ExecuteAsync();
// here we call https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?%60$expand=permissions&api-version=2020-08-01 using the auth token
// because it's what the pac cli does and we want to use the same api in the same way for other purposes
// (%60 in the query string is a percent-encoded backtick, presumably left over from PowerShell-style escaping of $expand)
HttpClient client = new();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
client.DefaultRequestHeaders.Add("Accept", "application/json");
var response = await client.GetAsync("https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?%60$expand=permissions&api-version=2020-08-01");
// EnvironmentsResponse is the caller's own model type for the environments list (not shown here)
var responseObj = await response.Content.ReadFromJsonAsync<EnvironmentsResponse>();
Error Message
fails to log in and gives back
Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.
MSAL Logs
fails to log in and gives back
Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.
Network Trace (Preferably Fiddler)
- Sent
- Pending
MSAL Configuration
const axios = require('axios');
const msal = require('@azure/msal-node');
const PublicClientApplication = msal.PublicClientApplication;
// Same app id as in the C# code; username/password below are placeholders for the federated user's credentials
const clientId = "51f81489-12ee-4a9e-aaae-a2591f45987d";
const username = "rofl";
const password = "yay";
const scope = "https://service.powerapps.com//.default";
// Public client against the /organizations authority (any work or school account)
const config = {
  auth: {
    clientId: clientId,
    authority: "https://login.microsoftonline.com/organizations"
  }
};
const pca = new PublicClientApplication(config);
// Username/password (ROPC) request
const tokenRequest = {
  scopes: [scope],
  username: username,
  password: password,
};
pca.acquireTokenByUsernamePassword(tokenRequest)
  .then((response) => {
    const token = response.accessToken;
    console.log("Token acquired successfully:", token);
    // Same BAP environments call as in the C# code, sent with the bearer token
    const client = axios.create({
      headers: {
        'Authorization': `Bearer ${token}`,
        'Accept': 'application/json'
      }
    });
    client.get("https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?%60$expand=permissions&api-version=2020-08-01")
      .then(response => {
        const responseObj = response.data;
        console.log("API Response:", responseObj);
      })
      .catch(error => {
        console.error("API Request Error:", error.response ? error.response.data : error.message);
      });
  })
  .catch(error => {
    console.error("Token Acquisition Error:", error);
  });
Relevant Code Snippets
Same code as under MSAL Configuration above.
Reproduction Steps
Execute the provided code for a federated ADFS SAML user of a valid organization for which you want a JWT from an Azure tenant.
Expected Behavior
I should be able to log in and obtain a valid JWT, as happens with the C# library with the same setup and username/password.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
No response
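Added diagnostic for the situation described in this issue; it is not part of the original report and not code from msal-node. Before treating AADSTS50126 as a wrong password, check how Entra ID classifies the account: the user-realm discovery endpoint (https://login.microsoftonline.com/common/userrealm/{upn}?api-version=1.0) reports whether a UPN is Managed or Federated and, for federated domains, the WS-Trust endpoints of the on-prem STS. MSAL.NET's AcquireTokenByUsernamePassword uses exactly that information to fetch a SAML assertion from the federated STS over WS-Trust and exchange it for tokens; to my knowledge msal-node's acquireTokenByUsernamePassword performs no such step and posts grant_type=password straight to /oauth2/v2.0/token, which is the request this script reproduces. The script classifies the realm, builds that raw password grant, and extracts the AADSTS codes from the error body. The realm and error JSON embedded below are constructed samples (field names follow the real user-realm response, hostnames are invented); the client id and scope are the ones from the issue; the live calls run only when MSAL_UPN and MSAL_PASSWORD are set, so the rest works offline.

```javascript
// Added diagnostic (not from the original issue or from msal-node).
// Requires Node 18+ for the global fetch. Live calls run only when
// MSAL_UPN and MSAL_PASSWORD are set; everything else works offline.

const AUTHORITY = "https://login.microsoftonline.com/organizations";
const USER_REALM_BASE = "https://login.microsoftonline.com/common/userrealm/";
const CLIENT_ID = "51f81489-12ee-4a9e-aaae-a2591f45987d"; // app id from the issue
const SCOPES = ["https://service.powerapps.com//.default"]; // scope from the issue

// Constructed sample of a user-realm response for a federated domain
// (field names as in the real response; hostnames are invented).
const SAMPLE_FEDERATED_REALM = {
  ver: "1.0",
  account_type: "Federated",
  domain_name: "contoso.example",
  federation_protocol: "WSTrust",
  federation_metadata_url: "https://sts.contoso.example/adfs/services/trust/mex",
  federation_active_auth_url: "https://sts.contoso.example/adfs/services/trust/2005/usernamemixed",
  cloud_instance_name: "microsoftonline.com",
};

// Constructed sample of a token-endpoint error body carrying the code seen in the issue.
const SAMPLE_50126_ERROR = {
  error: "invalid_grant",
  error_description: "AADSTS50126: Error validating credentials due to invalid username or password.",
  error_codes: [50126],
};

// Summarise a user-realm response. "Managed": Entra ID verifies the password itself.
// "Federated": the on-prem STS (e.g. ADFS) verifies it, via the WS-Trust endpoints listed.
function classifyRealm(realm) {
  const federated = String(realm.account_type || "").toLowerCase() === "federated";
  return {
    federated,
    domain: realm.domain_name || null,
    protocol: federated ? realm.federation_protocol || null : null,
    mexUrl: federated ? realm.federation_metadata_url || null : null,
    activeAuthUrl: federated ? realm.federation_active_auth_url || null : null,
  };
}

// Form body of a plain ROPC request (grant_type=password): what reaches the token
// endpoint when no WS-Trust exchange is done first.
function buildRopcBody({ clientId, scopes, username, password }) {
  const body = new URLSearchParams();
  body.set("client_id", clientId);
  body.set("grant_type", "password");
  body.set("scope", scopes.join(" "));
  body.set("username", username);
  body.set("password", password);
  return body;
}

// Collect AADSTS codes from an error body: the error_codes array plus any
// "AADSTSnnnnn" prefixes inside error_description, de-duplicated.
function extractAadstsCodes(errorJson) {
  const fromArray = Array.isArray(errorJson.error_codes) ? errorJson.error_codes.map(Number) : [];
  const text = String(errorJson.error_description || "");
  const fromText = [...text.matchAll(/AADSTS(\d+)/g)].map((m) => Number(m[1]));
  return [...new Set([...fromArray, ...fromText])];
}

// One-line verdict combining realm type and error code.
function explain(realm, codes) {
  if (realm.federated && codes.includes(50126)) {
    return `federated domain ${realm.domain}: Entra ID typically cannot verify this password itself ` +
      `(unless password hash sync is in place); a SAML assertion from ${realm.activeAuthUrl} ` +
      `obtained over WS-Trust would have to be exchanged instead of a direct password grant`;
  }
  if (codes.includes(50126)) {
    return `managed domain ${realm.domain}: Entra ID itself rejected the username or password`;
  }
  return codes.length ? `error codes ${codes.join(",")}` : "no error";
}

// Offline demonstration on the constructed samples.
function demo() {
  const realm = classifyRealm(SAMPLE_FEDERATED_REALM);
  const codes = extractAadstsCodes(SAMPLE_50126_ERROR);
  return { realm, codes, verdict: explain(realm, codes) };
}

// Live probe: realm discovery, then the raw password grant.
async function probe(username, password) {
  const realmRes = await fetch(`${USER_REALM_BASE}${encodeURIComponent(username)}?api-version=1.0`);
  const realm = classifyRealm(await realmRes.json());
  const tokenRes = await fetch(`${AUTHORITY}/oauth2/v2.0/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildRopcBody({ clientId: CLIENT_ID, scopes: SCOPES, username, password }),
  });
  const json = await tokenRes.json();
  const codes = tokenRes.ok ? [] : extractAadstsCodes(json);
  return { ok: tokenRes.ok, realm, codes, verdict: explain(realm, codes) };
}

if (process.env.MSAL_UPN && process.env.MSAL_PASSWORD) {
  probe(process.env.MSAL_UPN, process.env.MSAL_PASSWORD).then(console.log, console.error);
} else {
  console.log(demo());
}
```

If the live probe reports account_type Federated together with AADSTS50126, the credentials are not necessarily wrong: the comparison to make is against a client that does the WS-Trust exchange (MSAL.NET, or the pac CLI login shown earlier), not against the raw password grant.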