AADSTS7000218 error when trying to use Connect-PNPOnline with DeviceLogin option after new EntraID registration

[Somu76]

We created a new EntraID App after the deprecation of the global app and have given all the required permissions. When trying to login using the -DeviceLogin option that we have been using earlier, we now get an error message indicating that the request body requires the client_assertion or client_secret parameters. The documentation does not suggest that we need this for interactive login, and the error appears to come after the auth sequence is done (getting prompted for authentication from the device login page etc.,)

We cannot use the -interactive approach in our environment and have been depending on the -DeviceLogin approach for a while now...

Has anyone been able to leverage -DeviceLogin after the change from the global app successfully?

[gautamdsheth]

@Somu76 - most likely this should fix it. Toggling this Allow public client flows to yes.

https://learn.microsoft.com/en-us/answers/questions/1377450/how-to-fix-the-issue-im-getting-this-error-a-confi

[Somu76]

Thanks @gautamdsheth ... tried the same earlier and got it fixed but forgot to update here... This appears to be something that needs to be updated in the Documentation so others do not run into the same.

either here: https://pnp.github.io/powershell/articles/registerapplication.html OR
here: https://pnp.github.io/powershell/articles/authentication.html#authenticating-from-another-device-or-specific-browser

Thanks,

[OneUser1]

@gautamdsheth Hi, we receive the same error and were able to fix it with the toggle you metioned. Other blogposts for the same AAD error (like this) also mention the option to add the RedirectUri "http://localhost" for a Mobile or Desktop application under "Authentication" in the app registration. We were not able to make this work with Connect-PnPOnline but this would help us a lot as we do not allow public client flows... Please let us know whether there is any way to make this work with a RedirectUri PNP uses internally? Thank you very much!

[gautamdsheth]

Hi, just checked the code.

We also support RedirectUri as a parameter.
So, if you adjust the code, it should work :

Connect-PnPOnline -Url "https://contoso.sharepoint.com" -Credentials (Get-Credential) -RedirectUri "http://localhost"

[OneUser1]

Wow, you're fast! I will try it and let you know.

[OneUser1]

@gautamdsheth I receive the very same error when adding the -RedirectUri param with http://localhost as value. I found this article about no RedirectUri in the request headers with ROPC auth flow: https://blogs.aaddevsup.xyz/2019/08/receiving-error-aadsts7000218-the-request-body-must-contain-the-following-parameter-client_assertion-or-client_secret/

In certain OAuth2 authentication flows such as OAuth2 resource owner password credentials (ROPC) grant flow, OAuth2 device code flow, and Integrated Windows Authentication, there is no reply URL provided in the token request.

Or did the above shared cmdlet work in your environment? We use the PnP stored credentials and the -ClientId param but this should be no real difference, right?

Edit 2: From Fiddler I can see that no RedirectUri has been inserted in the auth request.

[gautamdsheth]

It needs to allow public client flow , no other way for using credentials flow. Another option would be to use Managed Identity with user assigned clientId.

[OneUser1]

As we do not run the script in Azure Automation we cannot use Managed Identity unfortunately. Therefore we only can enable public client flows. Thanks for your help.