Azure-docs: AADSTS90002: Tenant token not found.

Created on 27 Nov 2018 · 24 Comments · Source: MicrosoftDocs/azure-docs

I followed this example step by step but am getting the following error. Any idea?

AADSTS90002: Tenant token not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.



Most helpful comment

@mangeshparanjape @hpsin

The issue is, indeed, in the code of the article: the constructor of AuthenticationContext requires an authority, whereas the code passed an endpoint (the token endpoint).
This is no longer accepted in ADAL.NET 4.x: See https://aka.ms/adalnet4-authority
Having said that the constructor should throw explicitly. I've raised a GitHub issue to improve the experience: ADAL.NET #1455

The following code will work with any version of ADAL.NET

    string Instance = "https://login.microsoftonline.com/{0}";
    string authority = string.Format(CultureInfo.InvariantCulture, Instance, TenantId);

I'll propose a pull request to fix this article.

All 24 comments

@mangeshparanjape Please help with the document on which this feedback is provided. Thanks.

https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app

Thanks,
Mangesh


@mangeshparanjape This actually seems to be a possible bug on the AAD team. I will assign it to my colleague to follow up and close on this issue. @MohitGargMSFT

Thanks Mohit. Please let me know when it's fixed.

Thanks,
Mangesh


@mangeshparanjape Please confirm if you provided RBAC permission to the Azure AD application (service principal) created as part of Register your application with an Azure AD tenant on Azure Storage Account using the steps mentioned here Assign a role scoped to the storage account in the Azure portal.

Yes, rbac role is assigned as per documentation

Thanks,
Mangesh


@mangeshparanjape Based on the error, please confirm if you are providing the correct value to Tenant (directory) ID in the GetUserOAuthToken() method implementation mentioned here - Get an OAuth token from Azure AD.

Yes, the tenant id is also correct

Thanks,
Mangesh


You've used "token" in place of a tenant ID (something.onmicrosoft.com or a GUID). Check your code to ensure you aren't making a request with an AuthenticationContext("token") or similar.

I have used GUID from Azure Active directory properties under "Directory ID" label.
Is that correct?


--
--Mangesh Paranjape

Can you share a snippet of code? This is indicating that a request was made to login.microsoftonline.com/token/oauth2/token instead of login.microsoftonline.com/guid/oauth2/token



@mangeshparanjape Please update on above.

    public static string GetUserOAuthToken()
    {
        string ResourceId = "https://storage.azure.com/";
        string AuthEndPoint = "https://login.microsoftonline.com/{0}/oauth2/token";
        string TenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
        string ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
        string ClientRedirectURI = "https://login.microsoftonline.com/common/oauth2/nativeclient";
        string accessToken = string.Empty;

        try
        {
            // Construct the authority string from the Azure AD OAuth endpoint and the tenant ID.
            string authority = string.Format(CultureInfo.InvariantCulture, AuthEndPoint, TenantId);
            AuthenticationContext authContext = new AuthenticationContext(authority);

            // Acquire an access token from Azure AD.
            AuthenticationResult result = authContext.AcquireTokenAsync(ResourceId,
                                                                        ClientId,
                                                                        new Uri(ClientRedirectURI),
                                                                        new PlatformParameters(PromptBehavior.Auto)).Result;

            accessToken = result.AccessToken;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Error: " + ex.Message);
            //throw;
        }

        return accessToken;
    }

Thanks @mangeshparanjape . Can you capture a correlation ID or request ID as well as a timestamp that comes with the error? That will help us check our logs to determine what's occurring on the backend.

@jmprieur - could you take a look at the code above and also verify that it's accurate? I believe it is but would like a library team member to also verify.

@mangeshparanjape @hpsin

The issue is, indeed, in the code of the article: the constructor of AuthenticationContext requires an authority, whereas the code passed an endpoint (the token endpoint).
This is no longer accepted in ADAL.NET 4.x: See https://aka.ms/adalnet4-authority
Having said that the constructor should throw explicitly. I've raised a GitHub issue to improve the experience: ADAL.NET #1455

The following code will work with any version of ADAL.NET

    string Instance = "https://login.microsoftonline.com/{0}";
    string authority = string.Format(CultureInfo.InvariantCulture, Instance, TenantId);

I'll propose a pull request to fix this article.
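
A guard for the mistake diagnosed in this thread, as an added example that is not part of the thread, the article or ADAL.NET: it builds the authority from a tenant ID, reduces a token-endpoint URL to its authority, and rejects a tenant value such as "token". The class and method names and the tenant GUID are hypothetical, and only the two tenant forms named in the thread (a GUID or a domain) are accepted.

```csharp
using System;
using System.Globalization;

// Added example; AuthorityGuard and its members are hypothetical names.
public static class AuthorityGuard
{
    private const string Instance = "https://login.microsoftonline.com/{0}";

    // Accept only the tenant forms named in the thread: a GUID or a domain.
    private static void ValidateTenant(string tenantId)
    {
        bool isGuid = Guid.TryParseExact(tenantId, "D", out _);
        bool isDomain = Uri.CheckHostName(tenantId) == UriHostNameType.Dns
                        && tenantId.Contains(".");
        if (!isGuid && !isDomain)
            throw new ArgumentException(
                "'" + tenantId + "' is not a tenant GUID or domain.", nameof(tenantId));
    }

    // Authority = instance + tenant, with no endpoint path appended.
    public static string BuildAuthority(string tenantId)
    {
        ValidateTenant(tenantId);
        return string.Format(CultureInfo.InvariantCulture, Instance, tenantId);
    }

    // Reduce https://host/{tenant}/oauth2/token to https://host/{tenant}.
    // The tenant is the first path segment; later segments are endpoint path.
    public static string FromUrl(string url)
    {
        var uri = new Uri(url, UriKind.Absolute);
        string[] segments = uri.AbsolutePath.Split(
            new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        if (uri.Scheme != Uri.UriSchemeHttps || segments.Length == 0)
            throw new ArgumentException("Expected https://host/tenant", nameof(url));
        ValidateTenant(segments[0]);
        return "https://" + uri.Host + "/" + segments[0];
    }

    public static void Main()
    {
        // Constructed placeholder GUID, not a real directory ID.
        const string tenant = "11111111-2222-3333-4444-555555555555";
        Console.WriteLine(FromUrl("https://login.microsoftonline.com/" + tenant + "/oauth2/token"));
        try { BuildAuthority("token"); }
        catch (ArgumentException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```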

Thanks Jean-Marc!



I'll also scrub through all the Azure docs to see if there are other code snippets that need to be fixed.

@mangeshparanjape Please confirm if your issue is now resolved.

Issue is partially resolved.
Now when trying to get token

  1. This code is giving Microsoft Sign-in message for login instead of giving token directly. I think, it is missing to specify actual user under which access token will be specified under the hood.
  2. Using this token we tried updating existing object in a blob which does not work. No errors but then blob is not updated.

Thanks,
Mangesh


@cbrooksmsft - FYI

Hi Mangesh,
I don't quite follow your report - "This code is giving Microsoft Sign-in message for login instead of giving token directly. I think, it is missing to specify actual user under which access token will be specified under the hood"

It's expected that the behavior here is to show a prompt to the user asking them to sign in. Are you trying to use SSO or some other silent sign in mechanism so that the user isn't asked to sign in?

@mangeshparanjape Please update on above else we will move ahead and close this thread. Thanks.

@mangeshparanjape We will now proceed to close this thread. Thanks.


Yes, changing the way to give the authority instead of endpoint fixed the issue for me. The ADAL document needs to be improved, especially for authentication improvements, or else I see lots of code breakage.
