0
  1. I am creating an application in an Azure tenant with the Microsoft Graph API. At the same time, I am also uploading a self-signed certificate / client secret for the application.
  2. The OAuth client can request an access token by providing the user assertion. The user assertion is a self-signed X.509 certificate.

I am observing different behaviors when trying to get access token using user assertion:

  • When I try to get an access token for an application 7-8 hours after the registration process, I am able to get the access token successfully.

  • When I try to get an access token for an immediately registered application, it fails with the following "Invalid_client" error.

I observe the same behavior with a client secret or a self-signed certificate. No Microsoft documentation is available about this.

Could anyone help me with this? Attaching the error screenshot.

Pooja_2304

1 Answer

0

There is some delay before the client secret and self-signed certificate take effect; it is normal.

The specific delay time depends on the specific tenant; let's say a big tenant and a small tenant here. The big tenant has many directory objects, e.g. users, applications, etc., and the small tenant has just several objects.

Per my test, the delay time of the big tenant is much longer than that of the small tenant: the bigger the tenant, the longer the time, from several minutes to several hours.

So in your case, I suppose your tenant belongs to the big tenant. You can also test it in a small tenant yourself; you will find the client secret and self-signed certificate take effect soon.

Joy Wang
  • Thanks @Joy for your answer. Our requirement is to immediately activate Azure AD application. Is that possible by performing any step? – Pooja_2304 Jan 12 '21 at 13:31
  • @Pooja_2304 I’m afraid it’s not possible. – Joy Wang Jan 12 '21 at 14:40
  • @Pooja_2304 Any other concerns? – Joy Wang Jan 14 '21 at 01:21
  • We want the Azure AD app to get activated immediately; otherwise it will be problematic for our customers, as they won't accept this delay. Are you sure there is no way to do this? One more thing: is it possible to know when the app gets activated? Is there any API or field or something we can use to know? Thanks. – Pooja_2304 Jan 14 '21 at 03:02
  • @Pooja_2304 I am sure. To see when the app gets activated, you could try to use MS Graph - https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http; `keyCredentials` represents the certificate and `passwordCredentials` represents the secret. If they exist in the response, the app should be active. And could you make sure the tenant of your customer belongs to the big tenant? In a small tenant, the delay will not be too long. – Joy Wang Jan 14 '21 at 05:41
  • When I tried the MS Graph API using Graph Explorer to get the properties of a recently created app, I can see the keyCredentials array having all the values representing the certificate. But I could not fetch an access token programmatically, which means the app is not active. I also tried creating the application in a small, newly created tenant; it does not get active within 15-20 minutes. – Pooja_2304 Jan 14 '21 at 13:34
  • @Pooja_2304 It's so weird; I used to test with a small tenant, and it would get active in 5 mins. For this case, you may need to raise a support ticket to Microsoft; I have no idea here. – Joy Wang Jan 14 '21 at 14:24
  • I have one query: does the time zone of the machine matter? The X.509 certificate has the time zone UTC. I have created the tenant in the region "AzurePublic", and the time zone of the Azure portal is also UTC. – Pooja_2304 Jan 17 '21 at 03:53
  • @Pooja_2304 Maybe, you can try to use a certificate with the correct time. – Joy Wang Jan 18 '21 at 02:29
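The answer and comments above describe the practical situation: a freshly added secret or certificate shows up in the Graph `application` object before the token endpoint accepts it, and until then the v2.0 token endpoint returns `invalid_client`. The following is an added example (not code from the question, the answer, or Microsoft) of how a client can cope with that window: a bounded retry loop around the `client_credentials` request that retries only on `invalid_client`, backs off exponentially, and gives up after a deadline, plus a helper that checks whether the credential is listed in the Graph response. It uses only the Python standard library and only the real `login.microsoftonline.com` and `graph.microsoft.com` URL shapes; the fake token endpoint used to exercise it is constructed for the example, and the deadline and delay values are arbitrary assumptions. Note the caveat the loop cannot remove: a genuinely wrong secret also yields `invalid_client`, so the deadline is what stops a misconfigured client from polling forever. Only the client-secret path is shown; the certificate path sends a signed `client_assertion` instead of `client_secret`.

```python
"""Wait for a newly added Azure AD app credential to be accepted by the v2.0 token endpoint.

Added example: retries the client_credentials request while the endpoint answers
`invalid_client` (the symptom of a credential that has not propagated yet), with
exponential backoff and a hard deadline so a truly bad secret does not loop forever.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_APP_URL = "https://graph.microsoft.com/v1.0/applications/{object_id}"


def request_token_with_secret(tenant, client_id, client_secret,
                              scope="https://graph.microsoft.com/.default",
                              opener=urllib.request.urlopen):
    """One client_credentials request. Returns the parsed JSON body for both 200 and
    4xx answers (Azure AD puts 'error' / 'error_description' in the 4xx body)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant), data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # 400/401 body is still JSON
        return json.load(err)


def wait_for_credential(fetch, deadline_s=3600.0, first_delay_s=10.0, max_delay_s=300.0,
                        sleep=time.sleep, clock=time.monotonic):
    """Call fetch() (zero-arg, returns a token-endpoint JSON body) until it yields an
    access_token. Only 'invalid_client' is retried; any other error is raised at once
    because it will not fix itself with time. Returns (body, attempts).
    Raises TimeoutError once the next wait would cross the deadline (assumed values)."""
    start = clock()
    delay = first_delay_s
    attempts = 0
    while True:
        attempts += 1
        body = fetch()
        if "access_token" in body:
            return body, attempts
        if body.get("error") != "invalid_client":
            raise RuntimeError("non-transient token error: %s: %s"
                               % (body.get("error"), body.get("error_description", "")))
        if clock() - start + delay > deadline_s:
            raise TimeoutError("credential still rejected after %d attempts: %s"
                               % (attempts, body.get("error_description", "")))
        sleep(delay)
        delay = min(delay * 2, max_delay_s)  # exponential backoff, capped


def credential_listed(app_json, key_id=None):
    """True if the application object from GET /applications/{id} lists a keyCredentials
    (certificate) or passwordCredentials (secret) entry, optionally matching keyId.
    As the thread notes, being listed is necessary but not sufficient: the token
    endpoint may still reject the credential for a while after it appears here."""
    creds = app_json.get("keyCredentials", []) + app_json.get("passwordCredentials", [])
    if key_id is None:
        return bool(creds)
    return any(c.get("keyId") == key_id for c in creds)
```

In production the `fetch` argument is `lambda: request_token_with_secret(tenant, client_id, secret)`; the injectable `sleep` and `clock` exist so the loop can be tested offline without waiting, as below.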