AADSTS90023: Invalid STS request

Hi,

I am using Plumsail Actions to grant access to a subsite.
I get this error "AADSTS90023: Invalid STS request." and the following is the error on the Action.
Please let me know how I can solve that, I need that ASAP.

Thank you,
Faramarz

    {
      "statusCode": 400,
      "headers": {
        "transfer-encoding": "chunked",
        "Date": "Fri, 08 Jan 2021 18:52:35 GMT",
        "Server": "Kestrel",
        "X-Powered-By": "ASP.NET",
        "Content-Type": "application/json; charset=utf-8",
        "Content-Length": "191"
      },
      "body": {
        "request": {
          "url": null,
          "traceId": "0HM5J7BG95716122df49e8a3"
        },
        "error": {
          "code": "ApplicationResultException",
          "message": "AADSTS90023: Invalid STS request.",
          "date": "2021-01-08T18:52:35.3916419Z"
        }
      }
    }

Hello Faramarz. It is an authorization issue. As I understand, you use a custom credentials API key. Please follow these steps:

  • ensure that your Microsoft 365 account's password contains only letters and numbers, if necessary, change the password;
  • for the account, you should either disable multi-factor authentication or create an app password, the latter should contain only letters and numbers;
  • create a new API key for Actions in a Plumsail account using the full login in format user@tenant.onmicrosoft.com and the password;
  • in the failed flow, create a new connection for Plumsail Actions using the newly created API key, ensure that it is selected for the action;
  • save and test the flow by clicking the Test button, before running the flow, ensure that the proper connection is selected.

Please let me know whether it helps.

Hi,

Thank you very much for your time and support.
That seems a weird solution.
I should check with our IT.
For a big company like ours, some changes like this might not be possible and this is not good for Plumsail.
I will keep you updated.

Thanks again,
Faramarz

Just to clarify, the requirement to include only numbers and letters in the password will guarantee that there is no character which breaks the authorization process. This issue can occur with any custom code referring to Microsoft services and isn't tied specifically to our product. If the suggested steps solve the issue, we will be able to localize it. So it doesn't mean that you have to keep such an account password always. It is an investigation step.
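
Added example, not part of the thread and not Plumsail's code: one way a special character can corrupt a credential is a client that builds a form-encoded token request without percent-encoding the password. The sketch below assumes that mechanism (the thread does not say how the request is built), uses constructed sample values, and compares a naive client with a correctly encoding one.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample values; none of them come from the thread.
USERNAME = "user@tenant.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

def naive_body(password):
    """Hypothetical buggy client: concatenates fields without encoding."""
    return (f"grant_type=password&client_id={CLIENT_ID}"
            f"&username={USERNAME}&password={password}")

def encoded_body(password):
    """Correct client: percent-encodes every field value."""
    return urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                      "username": USERNAME, "password": password})

def password_as_received(body):
    """Decode the body the way a form parser on the receiving side would."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("password", [""])[0]

def breaking_characters(build, alphabet):
    """Return the characters that do not survive the client/server round trip."""
    broken = []
    for c in alphabet:
        # "41z" follows the probe character so that a raw "%" forms the
        # valid escape "%41" and is visibly decoded to "A".
        probe = f"Ab1{c}41z"
        if password_as_received(build(probe)) != probe:
            broken.append(c)
    return broken

SPECIALS = "&+%=#<>[]!"

if __name__ == "__main__":
    print("naive client corrupts:   ", breaking_characters(naive_body, SPECIALS))
    print("encoding client corrupts:", breaking_characters(encoded_body, SPECIALS))
```

Under this assumed mechanism only `&`, `+` and `%` change the password the server sees; a client that encodes its fields passes every character through unchanged, so no password restriction is needed.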

Hi,

Thank you for explaining that,
I tried your solution and our IT created a password something like this: [h7g4qUv]k<hBnS and created a new API key.
I created a simple Flow only with Plumsail action.
I tested that but it gave the same error.
Please let me know if you have any other suggestions.

Hello! Could you confirm that when generating the new API key, you used your login in format user@tenant.onmicrosoft.com? Also, please specify whether the MFA was enabled and you used an app password. I will turn to developers with the provided information.

Hi,

I did not have access to do that myself.
But I sent your suggestion as my request for the update of the account.
I will reach out to them to confirm that.

Thank you,
Faramarz

Hello,

I checked with our IT and they confirmed that the login format that you mentioned was used and MFA is not enabled for the account. I did not get what you mean about App password, but I think it is out of the question when we don't use MFA, am I right?
Please keep me updated on this, we have this case open for a while.

Thank you indeed for your support,
Faramarz

Yes, the app password is not relevant since the MFA is disabled. Thank you for the confirmation, I will discuss the issue with developers.

Could you test the credentials used for creating the API key and login to the site using them? The described issue can also occur when there is an error in the used login or password.

Hello! Did you have a chance to verify the correctness of the credentials used?

Hi again,

Sorry, our IT administrators are not fast enough.
A simpler password was created and the same login as you said was used and the Key generated.
Now there's a new error:
AADSTS50034: The user account {EmailHidden} does not exist in the teckresources.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.
I checked with our IT and the account is visible.
Any suggestions?

Thank you,
Faramarz

Hello! Yes, such an error occurred recently for some users. Please check the e-mail of the account that was used for creating an API key. Most likely, it will look like user@tenant.com. In this case (sorry for asking you this so many times), recreate the API key using this e-mail in the shortened form and the same password. Edit the existing connection. It should solve the issue (at least it solved for some other users).

Hi,

Thanks for your prompt responses.
To be sure, previously you said we should use "user@tenant.onmicrosoft.com", now you say we can use "user@tenant.com".
Am I right?

Faramarz

That is right. Some Azure AD preferences of your tenant may require the short e-mail address instead of the long account name for signing in.

Hi,

I got another error.
It seems we should find another solution for this other than Plumsail.
Any suggestion?

Thank you,
Faramarz

Request to Azure Resource Manager failed with error: '{"error":{"code":"InvokerConnectionOverrideFailed","message":"Could not find any valid connection for connection reference name 'shared_plumsailsp_1' in APIM tokens header."}}'.

Hello! It is a Power Automate error.

  1. Ensure that you used the proper API key in your Plumsail Actions connection.
  2. Create a new primitive flow with Actions (any action) and choose the proper connection.
  3. Test this flow manually.
  4. If it works, get back to the initial flow and test it too. Ensure that you selected a proper connection before running it.
  5. If it fails, try to recreate the flow from scratch. Test it in the initial primitive state to ensure that the connection works and then continue configuring the flow.

Sorry for not responding to you for a while.
After working on this for a while, the client was disappointed and the Flow was cancelled for now.

Thank you for your support,
Faramarz

Thank you for informing, Farsami. I am sorry that I couldn't help with solving the issue...

No worries,
You were very responsive and tried to help.
The problem is that now I feel a bit disappointed with Plumsail.
Especially now, I have a problem with Document actions, which I have used a lot.
I put another topic on this in the community.

Thank you,
Faramarz