Non-interactive authentication fails with WsTrust server issue MSIS7068

Setup:

  • Users are created on On-Prem AD and synced to Azure AD via Azure AD Connect
  • I have a single-tenant app set up on Azure AD
  • I created a user (On-Prem, synced to AAD) that can authenticate without MFA (we need to use username-password authentication due to an internal limitation).

Here is the non-interactive authentication code:

import os
import msal

# Placeholders assumed here so the snippet runs as-is; the post used bare constants
TENANT_ID = os.environ["TENANT_ID"]
CLIENT_ID = os.environ["CLIENT_ID"]
USERNAME = os.environ["AAD_USERNAME"]
PASSWORD = os.environ["AAD_PASSWORD"]
SCOPES = ["User.Read"]  # replace with the scopes the app actually needs

# create a public client app
authority_url = f"https://login.microsoftonline.com/{TENANT_ID}"
msal_app = msal.PublicClientApplication(client_id=CLIENT_ID, authority=authority_url)

# acquire token via ROPC (for a federated user MSAL first sends a WS-Trust request to the IdP)
token = msal_app.acquire_token_by_username_password(username=USERNAME, password=PASSWORD, scopes=SCOPES)

I'm getting the following error:

Traceback (most recent call last):
  File "/./scripts/aad.py", line 8, in <module>
    token = msal_app.acquire_token_by_username_password(
  File "/usr/local/lib/python3.10/site-packages/msal/application.py", line 1420, in acquire_token_by_username_password
    response = _clean_up(self._acquire_token_by_username_password_federated(
  File "/usr/local/lib/python3.10/site-packages/msal/application.py", line 1447, in _acquire_token_by_username_password_federated
    wstrust_result = wst_send_request(
  File "/usr/local/lib/python3.10/site-packages/msal/wstrust_request.py", line 60, in send_request
    return parse_response(resp.text)
  File "/usr/local/lib/python3.10/site-packages/msal/wstrust_response.py", line 49, in parse_response
    raise RuntimeError("WsTrust server returned error in RSTR: %s" % (error or body))
RuntimeError: WsTrust server returned error in RSTR: {'reason': 'MSIS7068: Access denied.', 'code': 'a:FailedAuthentication'}

Searching through Google, I found that this can be caused by MFA, but the user is excluded from MFA. I've also verified that there are no Conditional Access policies in place to block the user from accessing the app. Using interactive auth works as expected. Any ideas on how to get non-interactive auth to work, or what might be the issue here?

Solution 1:[1]

First, no guesswork! You would need to login to Azure AD with elevated privilege (Security Reader at the least if not Global Administrator).

  1. Go to Enterprise Applications and locate your application by client id.
  2. Once you are at the application, go to the Sign-ins tab/pane.
  3. Review the sign-in activities. You should see the reason authentication failed in overview tab. Look at the Conditional Access tab and you will know if there is any policy that blocked the sign-in.

Take action based on what you identified in sign-in activity.

Okay, I am going to make an educated guess! When you log in non-interactively, you have two authentication choices, ROPC and Client Credentials, and both require a client_secret to be passed in the request, but you have not passed one! Since you are using username and password, it implies that MSAL is using ROPC, and you must include the client secret.
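The sign-in review the answer recommends can be done from a script instead of the portal: Microsoft Graph exposes the same sign-in log at /auditLogs/signIns (the caller needs AuditLog.Read.All and Directory.Read.All). The block below is an added example and is not code from the original post or from MSAL; the app id, UPN, environment variable names and the SAMPLE_RESPONSE are constructed placeholders that mirror the shape of a Graph signIns page so the parsing can be exercised offline. One caveat worth keeping in mind while reading the log: the traceback in the question is raised inside msal/wstrust_request.py, that is, from the federation server's RSTR, before MSAL ever posts a token request to login.microsoftonline.com, so that particular attempt may not appear in the Azure AD sign-in log at all and the federation server's own logs are the place to look for MSIS7068.

```python
"""List failed sign-ins for one app/user from the Azure AD sign-in log via Graph."""
import json
import os
import urllib.parse
import urllib.request

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def build_signin_filter(app_id: str, upn: str) -> str:
    """OData filter selecting one application's sign-ins by one user."""
    # Single quotes inside OData string literals are escaped by doubling them.
    def q(s: str) -> str:
        return s.replace("'", "''")
    return f"appId eq '{q(app_id)}' and userPrincipalName eq '{q(upn)}'"


def signin_url(app_id: str, upn: str, top: int = 20) -> str:
    """Full Graph URL; $-prefixed OData options are percent-encoded, which Graph accepts."""
    params = {"$filter": build_signin_filter(app_id, upn), "$top": str(top)}
    return GRAPH_SIGNINS + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def summarize_signins(payload: dict) -> list[dict]:
    """Reduce each signIn record to the fields that explain a failure."""
    rows = []
    for s in payload.get("value", []):
        status = s.get("status") or {}
        code = status.get("errorCode", 0)
        # Keep only Conditional Access policies that were actually evaluated.
        policies = [
            f"{p.get('displayName')}={p.get('result')}"
            for p in s.get("appliedConditionalAccessPolicies") or []
            if p.get("result") != "notApplied"
        ]
        rows.append({
            "time": s.get("createdDateTime"),
            "interactive": s.get("isInteractive"),
            "client": s.get("clientAppUsed"),
            "error_code": code,
            "failure_reason": status.get("failureReason"),
            "ca_status": s.get("conditionalAccessStatus"),
            "ca_policies": policies,
            "failed": code != 0,
        })
    return rows


def fetch_signins(token: str, app_id: str, upn: str) -> dict:
    """Live query with a Graph bearer token (AuditLog.Read.All + Directory.Read.All)."""
    req = urllib.request.Request(signin_url(app_id, upn),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample (not real log data): one non-interactive attempt blocked by
# Conditional Access, followed by one successful interactive sign-in.
SAMPLE_RESPONSE = {
    "value": [
        {
            "createdDateTime": "2023-01-10T09:12:31Z",
            "userPrincipalName": "svc-batch@contoso.example",
            "appId": "11111111-2222-3333-4444-555555555555",
            "isInteractive": False,
            "clientAppUsed": "Mobile Apps and Desktop clients",
            "status": {"errorCode": 53003,
                       "failureReason": "Access has been blocked by Conditional Access policies."},
            "conditionalAccessStatus": "failure",
            "appliedConditionalAccessPolicies": [
                {"displayName": "Require MFA for all users", "result": "failure"},
                {"displayName": "Block legacy auth", "result": "notApplied"},
            ],
        },
        {
            "createdDateTime": "2023-01-10T09:10:02Z",
            "userPrincipalName": "svc-batch@contoso.example",
            "appId": "11111111-2222-3333-4444-555555555555",
            "isInteractive": True,
            "clientAppUsed": "Browser",
            "status": {"errorCode": 0, "failureReason": "Other."},
            "conditionalAccessStatus": "success",
            "appliedConditionalAccessPolicies": [],
        },
    ]
}

if __name__ == "__main__":
    # With GRAPH_TOKEN set the script queries the tenant; otherwise it parses the sample.
    token = os.environ.get("GRAPH_TOKEN")
    payload = (fetch_signins(token, os.environ["CLIENT_ID"], os.environ["AAD_USERNAME"])
               if token else SAMPLE_RESPONSE)
    for row in summarize_signins(payload):
        if row["failed"]:
            print(row)
```

Run it with a Graph token in GRAPH_TOKEN and the app id and UPN from the question in CLIENT_ID and AAD_USERNAME; each failed row carries the errorCode and failureReason the portal's overview tab shows, and ca_policies lists only the policies that were evaluated, which is what the Conditional Access tab would reveal.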

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: Ryan M