Reputation: 61
Issue
We are attempting to access Project Online data in Project Permission mode using app-only authentication, specifically to bypass MFA for programmatic access, as we aim for continuous, automated access without any user interaction. We are using CSOM (Microsoft.ProjectServer.Client.ProjectContext) in .NET 4.8 to connect to Project Online. Despite following several documented approaches with client certificates, client secrets, and OAuth configurations, we keep encountering errors like 401 Unauthorized and "User not found in Active Directory or in project db". Below is a summary of our steps. Despite multiple attempts, we consistently receive errors blocking access. We have followed the recommended documentation for client credentials, certificates, and permissions but still face access issues.
Technology
Project Online
CSOM in .NET 4.8
Microsoft.ProjectServer.Client.ProjectContext
Azure AD (Entra ID)
Solutions Attempted
Client Certificate Authentication:
Configuration: Registered an app in Azure AD (Entra) with a client certificate and set permissions including Sites.FullControl.All. NOTE: we could not select Project permissions (Project.Read, etc.) in the Application Permissions screen, only within the delegated permissions screen.
Token Acquisition: We acquired an access token using az account get-access-token --resource=https://.sharepoint.com.
Request Attempted:
URL: https://.sharepoint.com/sites//_api/ProjectData/Projects
Outcome: {"error":"invalid_request","error_description":"App is not allowed to call SPO with user_impersonation scope"}
Client Secret with Client Credentials:
App Registration: Configured client ID and client secret in Azure AD with permissions for Project.ReadWrite.All and Sites.Selected.
Token Acquisition: Called the token endpoint:
Endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
Parameters: client_id, scope= https://.sharepoint.com/.default, client_secret, grant_type=client_credentials
Access Attempt:
URL: https://.sharepoint.com/sites//_api/ProjectData/Projects
Response: HTTP/1.1 401 Unauthorized. Response body: "Sign in to your account"
Outcome: Despite obtaining a valid token, the request returns a “Please sign in” page, rather than an access token.
SharePoint AppPermissionRequest Configuration using /sites/pwa/layouts/15/appinv.aspx:
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
Microsoft Graph API Exploration:
Goal: Investigated Graph API as an alternative.
Outcome: Microsoft Graph lacks Project Online-specific permissions, limiting access to SharePoint and directory data, which does not meet our need for project-specific data access.
Microsoft.Identity.Client and client certificate
Error returned: User: [redacted] not found in Active Directory or in project db
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;
using Microsoft.ProjectServer.Client;

public static class ProjectContextExtensions
{
    // Acquires an app-only token with MSAL (client credentials + certificate)
    // and attaches it as a Bearer header to every CSOM request the context sends.
    public static void Login(this ProjectContext context)
    {
        var clientId = "xxx";
        var authority = "https://login.microsoftonline.com/xxx";
        var scope = "https://xxx.sharepoint.com/.default";
        var certificate = new X509Certificate2("c:\\temp\\cert.pfx", "xx");

        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(certificate)
            .WithAuthority(new Uri(authority))
            .Build();

        // Synchronous wait on the async MSAL call (the extension method is not async).
        AuthenticationResult result = app.AcquireTokenForClient(new[] { scope })
            .ExecuteAsync()
            .GetAwaiter()
            .GetResult();
        string accessToken = result.AccessToken;

        context.ExecutingWebRequest += (sender, e) =>
        {
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
        };
    }
}
Key Questions:
Is there a method for app-only authentication in Project Online in Project Permission mode that bypasses MFA for automated access?
Has anyone succeeded in applying app-only credentials for Project Online access, specifically in Project Permission mode?
Are there any alternative permission configurations (like Azure AD settings, conditional access policies, or app permissions) that could facilitate this access?
Thank you in advance!
Edit: Sorry for the bad formatting.
Upvotes: 0
Views: 64
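As an added diagnostic (not part of the original question or Microsoft's tooling), the following Python decodes the payload of an Entra ID access token offline and reports whether it is app-only (a `roles` claim, which is what the client-credentials grant issues) or delegated (an `scp` claim, issued on behalf of a signed-in user), which audience it targets, and which permissions it carries. This is the check to run on the token from each attempt above before sending it to SharePoint: an app-only CSOM or REST call needs application permissions in `roles` and an audience for the target SharePoint host. The two sample tokens are constructed for the demo with a fake signature; the tenant host `contoso.sharepoint.com`, the app IDs and the user are placeholders. Nothing here validates the signature, so it is a debugging aid, never authorization logic.

```python
import base64
import json
import time
from typing import Any, Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the JWT payload as a dict. No signature check: debugging only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, expected_host: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Classify an Entra ID access token and list anything that would explain a 401.

    expected_host: the SharePoint host the call targets, e.g. contoso.sharepoint.com.
    A SharePoint token's audience is either the resource URL or the SharePoint
    app-id URI; both contain the host, so a substring match covers both forms.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    roles: List[str] = claims.get("roles", [])
    scopes: List[str] = claims["scp"].split() if "scp" in claims else []
    aud = str(claims.get("aud", ""))

    if roles and not scopes:
        kind = "app-only"      # client-credentials grant: permissions live in 'roles'
    elif scopes:
        kind = "delegated"     # issued for a signed-in user: permissions live in 'scp'
    else:
        kind = "no-permissions"

    findings: List[str] = []
    if expected_host not in aud:
        findings.append(f"audience {aud!r} is not for {expected_host}; "
                        f"request the token with scope https://{expected_host}/.default")
    if kind == "delegated":
        findings.append("token carries 'scp' (delegated); an app-only call needs application permissions in 'roles'")
    if kind == "no-permissions":
        findings.append("neither 'roles' nor 'scp' present; application permissions were likely not admin-consented")
    if "Sites.Selected" in roles:
        findings.append("Sites.Selected still requires a per-site permission grant before the site can be read")
    if float(claims.get("exp", 0)) <= now:
        findings.append("token has expired")

    return {
        "kind": kind,
        "audience": aud,
        "app_id": claims.get("appid") or claims.get("azp"),
        "roles": roles,
        "scopes": scopes,
        "user": claims.get("upn"),
        "findings": findings,
    }


def _demo_token(claims: Dict[str, Any]) -> str:
    """Build an unsigned look-alike JWT for the demo (constructed sample, fake signature)."""
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fake-signature"


HOST = "contoso.sharepoint.com"  # placeholder tenant host (assumption)
FAR_FUTURE = 4102444800          # 2100-01-01T00:00:00Z, keeps the samples unexpired

# Constructed sample: the shape of a client-credentials token for SharePoint.
APP_ONLY_TOKEN = _demo_token({
    "aud": f"https://{HOST}",
    "appid": "00000000-0000-0000-0000-000000000001",  # placeholder app (client) ID
    "roles": ["Sites.FullControl.All"],
    "exp": FAR_FUTURE,
})

# Constructed sample: a delegated token minted for a signed-in user.
DELEGATED_TOKEN = _demo_token({
    "aud": f"https://{HOST}",
    "appid": "00000000-0000-0000-0000-000000000002",
    "scp": "AllSites.FullControl user_impersonation",
    "upn": "user@contoso.com",  # placeholder user
    "exp": FAR_FUTURE,
})


if __name__ == "__main__":
    for name, tok in (("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, json.dumps(classify_token(tok, HOST), indent=2))
```

Paste the real access token from `az account get-access-token` or from the MSAL `AuthenticationResult` into `classify_token` with your own SharePoint host: a token whose report says `delegated` or whose audience does not contain that host will be rejected by SharePoint no matter how the app registration is configured, and an app-only token whose `roles` list is empty points at missing admin consent rather than at the CSOM code.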