Microsoft/Azure OAuth failing, my organization lacks a service principal


I've been trying to use the Bing Ads API, but can't even make it past the first step. I've followed these steps to the letter, but am getting stuck at the part where I need to ask for user consent.

I've created an app, and copied all the details down. I've created a URL that looks like this:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
?client_id={client_id}
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fads.microsoft.com%2Fmsads.manage
&state=1234

I've also tried adding in client_secret as a param, even though it's not mentioned in the docs, and that didn't work either.

However, I keep getting back this error message:

error = invalid_client
error_description = AADSTS650052: The app is trying to access a service 'd42ffc93-c136-491d-b4fd-6f18168c68fd'(Microsoft Advertising API Service) that your organization 'xxxxxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.

I've just created the Azure account for the first time (and this is my first experience with Azure, usually I work with GCP or rarely AWS), and I'm the only account that's created anything.

This error message is coming back as parameters appended to the redirect URL; I don't even make it to the Microsoft login page. (http://localhost:8080/?error=invalid_client&error_description=AADSTS650052%3a+The+app+is+trying+to+access+a+service+%27d42ffc93-c136-491d-b4fd-6f18168c68fd%27(Microsoft+Advertising+API+Service)+that+your+organization+%27xxxxxxx7+lacks+a+service+principal+for.+Contact+your+IT+Admin+to+review+the+configuration+of+your+service+subscriptions+or+consent+to+the+application+in+order+to+create+the+required+service+principal.%0d%0aTrace+ID%3a+387accd1-d7a4-4ec2-b739-6cba07e23702%0d%0aCorrelation+ID%3a+a7def78f-5c49-4ede-b7d4-fc65d5ac75bc%0d%0aTimestamp%3a+2022-11-10+16%3a15%3a03Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d650052&state=1234#)

The weird thing is I've done the exact same thing above for a client at the same time, and with them I managed to get to the consent page.


1 Answer

Answer by Sridevi (9 votes)

I tried to reproduce the same in my environment and got the results below:

I registered one Azure AD application and granted API permissions as shown below:

[screenshot]

To get the authorization code, I executed the same request as you in the browser and got the same error as below in the address bar:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
?client_id={client_id}
&response_type=code
&redirect_uri=http://localhost:8080
&response_mode=query
&scope=openid offline_access https://ads.microsoft.com/msads.manage
&state=1234

Response:

[screenshot]

To confirm whether it's the same error or not, I copied it into Notepad and checked the full error as shown below:

[screenshot]

To resolve the error, you need to add the msads.manage permission of the Microsoft Advertising API Service.

Note that you need to have a Microsoft Advertising account to use the Bing Ads API. If not, sign up for it on the Microsoft Advertising website with your Azure AD account as shown below:

[screenshot]

After completing the sign-up, you can find the Microsoft Advertising API Service here:

[screenshot]

Now you can add the msads.manage permission to your application as shown below:

[screenshot]

Now, when I ran the authorization request again in the browser, I got the consent screen successfully as shown below:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize
?client_id={client_id}
&response_type=code
&redirect_uri=http://localhost:8080
&response_mode=query
&scope=openid offline_access https://ads.microsoft.com/msads.manage
&state=1234

Response:

[screenshot]

After accepting the consent, I got the authorization code in the address bar as shown below:

[screenshot]

Using the above code, you can generate access tokens for your application.
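The authorization request and the redirect handling discussed in the question and answer, as an added example that is not code from either poster: it builds the authorize URL with the page's scopes (no client_secret on the browser-facing URL), and classifies what comes back on the redirect URI, pulling the AADSTS code and Trace/Correlation IDs out of an error response and rejecting responses whose state does not match. The tenant/client ids and the sample redirect are constructed placeholders modelled on the page.

```python
from urllib.parse import urlencode, quote, urlsplit, parse_qs

# Endpoint and scopes from the question; ids passed in below are constructed placeholders.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
SCOPES = ["openid", "offline_access", "https://ads.microsoft.com/msads.manage"]

def build_authorize_url(tenant_id, client_id, redirect_uri, state):
    """Build the browser-facing authorization request. The client_secret does not
    belong here (it is only sent to the token endpoint later), so it is deliberately absent."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
    }
    # quote (not quote_plus) yields %20 for spaces and %2F for slashes, as in the question's URL.
    return AUTHORIZE_ENDPOINT.format(tenant_id=tenant_id) + "?" + urlencode(params, quote_via=quote)

def parse_redirect(redirect_url, expected_state):
    """Classify the redirect: an authorization code, an AADSTS error, or a response whose
    state does not match the request we issued (those must be discarded, not processed)."""
    query = parse_qs(urlsplit(redirect_url).query)
    first = lambda key: query.get(key, [None])[0]
    if first("state") != expected_state:
        return {"status": "state_mismatch"}
    if first("error"):
        desc = first("error_description") or ""
        # Azure AD descriptions start with the AADSTS code and carry Trace/Correlation IDs on
        # their own lines; keep just those for troubleshooting instead of the whole blob.
        aadsts = desc.split(":", 1)[0] if desc.startswith("AADSTS") else None
        ids = {line.split(":", 1)[0].strip(): line.split(":", 1)[1].strip()
               for line in desc.splitlines() if line.startswith(("Trace ID", "Correlation ID"))}
        return {"status": "error", "error": first("error"), "aadsts": aadsts, **ids}
    if first("code"):
        return {"status": "code", "code": first("code")}
    return {"status": "unexpected"}

# Constructed redirect modelled on the failing response quoted in the question.
SAMPLE_ERROR_REDIRECT = (
    "http://localhost:8080/?error=invalid_client&error_description=AADSTS650052%3a+The+app+is+"
    "trying+to+access+a+service+that+your+organization+lacks+a+service+principal+for.%0d%0a"
    "Trace+ID%3a+00000000-0000-0000-0000-000000000000&state=1234"
)

if __name__ == "__main__":
    print(build_authorize_url("contoso-tenant-id", "contoso-client-id", "http://localhost:8080", "1234"))
    print(parse_redirect(SAMPLE_ERROR_REDIRECT, "1234"))
```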