AADSTS90023: Invalid STS request

Farsami · January 8, 2021, 7:01pm

Hi,

I am using Plumsail Actions to Grant access to a subsite
I get this error "AADSTS90023: Invalid STS request." and the following is the error on the Action.
Please let me know how can I solve that, I need that ASAP.

Thank you,
Faramarz

{

statusCode: 400,
headers: {
- transfer-encoding: "chunked",
- Date: "Fri, 08 Jan 2021 18:52:35 GMT",
- Server: "Kestrel",
- X-Powered-By: "ASP.NET",
- Content-Type: "application/json; charset=utf-8",
- Content-Length: "191"},
body: {
- request: {
  - url: null,
  - traceId: "0HM5J7BG95716122df49e8a3"},
- error: {
  - code: "ApplicationResultException",
  - message: "AADSTS90023: Invalid STS request.",
  - date: "2021-01-08T18:52:35.3916419Z"}}

}

e.evseychik · January 10, 2021, 10:25pm

Hello Faramarz. It is an authorization issue. As I understand, you use a custom credentials API key. Please follow these steps:

ensure that your Microsoft 365 account's password contains only letters and numbers, if necessary, change the password;
for the account, you should either disable multi-factor authentication or create an app password, the latter should contain only letters and numbers;
create a new API key for Actions in a Plumsail account using the full login in format [email protected] and the password;
in the failed flow, create a new connection for Plumsail Actions using the newly created API key, ensure that it is selected for the action;
save and test the flow by clicking the Test button, before running the flow, ensure that the proper connection is selected.

Please let me know whether it helps.

Farsami · January 12, 2021, 4:15pm

Hi,

Thank you very much for your time and support.
That seems a weird solution.
I should check with our IT.
For a big company like ours, some changes like this might not be possible and this is not good for Plumsail.
I keep you updated.

Thanks again,
Faramarz

e.evseychik · January 13, 2021, 12:24am

Just to clarify, the requirement to include in the password only numbers and letters will guarantee that there is no character which breaks the authorization process. This issue can occur with any custom code referring to Microsoft services and doesn't bound exactly with our product. If the suggested steps solved the issue, we will be able to localize it. So it doesn't mean that you have to keep such an account password always. It is an investigation step.

Farsami · January 18, 2021, 5:28pm

Hi,

Thank you for explaining that,
I tried your solution and our IT created a password something like this: [h7g4qUv]k<hBnS and created a new API key.
I created a simple Flow only with Plumsail action.
I tested that but it gave the same error.
Please let me know if you have any other suggestions.

e.evseychik · January 18, 2021, 10:58pm

Hello! Could you confirm that when generating the new API key, you used your login in format [email protected]? Also, please specify whether the MFA was enabled and you used an app password. I will turn to developers with the provided information.

Farsami · January 19, 2021, 5:41pm

Hi,

I did not have access to do that myself.
But I sent your suggestion as my request for the update of the account.
I will reach out to them to confirm that.

Thank you,
Faramarz

Farsami · January 21, 2021, 5:41pm

Hello,

I checked with our IT and they confirmed that the login format that you mentioned was used and MFA is not enabled for the account. I did not get what you mean about App password, but I think it is out of the question when we don't use MFA, am I right?
Please keep me updated on this, we have this case open for a while.

Thank you indeed for your support,
Faramarz

e.evseychik · January 22, 2021, 12:03am

Yes, the app password is not relevant since the MFA is disabled. Thank you for the confirmation, I will discuss the issue with developers.

e.evseychik · January 26, 2021, 9:14am

Could you test the credentials used for creating the API key and login to the site using them? The described issue can also occur when there is an error in the used login or password.

e.evseychik · February 1, 2021, 2:14am

Hello! Did you have a chance to ensure in the correctness of the used credential?

Farsami · February 25, 2021, 9:08pm

Hi again,

Sorry, our IT administrators are not fast enough.
A simpler password was created and the same login as you said was used and the Key generated.
Now there's a new error:
AADSTS50034: The user account {EmailHidden} does not exist in the teckresources.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.
I checked with our IT and the account is visible.
Any suggestion,

Thank you,
Faramarz

e.evseychik · February 26, 2021, 2:43am

Hello! Yes, such an error occurred recently for some users. Please check the e-mail of the account that was used for creating an API key. Most likely, it will look like [email protected]. In this case (sorry for asking you this so many times), recreate the API key using this e-mail in the shortened form and the same password. Edit the existing connection. It should solve the issue (at least it solved for some other users).

Farsami · February 26, 2021, 11:03pm

Hi,

Thanks for your prompt responses.
To be sure, previously you said we should use "[email protected]", now you say we can use "[email protected]".
Am I right?

Faramarz