The application is created in Azure Active Directory.
The target application and account are created as well in Azure, but configuring the connection to Azure under Configuration --> 3rd Party --> Azure fails with the following error:
PAM-CMN-5360: Failed to get Azure API access token. unauthorized_client - AADSTS700016: Application with identifier '821e1a1c-0fdf-498c-a6a9-85103d7e4d62' was not found in the directory 'c7d1a8f7-0546-4a0c-8cf5-3ddaebf97d51'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 79ac161a-995a-4731-b413-2b04cc160e00 Correlation ID: 1b48d8e1-1e37-4d35-adfa-5fc29347b5d5 Timestamp: 2020-03-31 10:28:15Z
Environment
CA PRIVILEGED ACCESS MANAGEMENT, all versions
Cause
If everything is set up correctly in Azure, this problem may come from an incorrectly configured Target Application in PAM. One of the possible causes for this is having an Azure Target account which is marked as "unverified" in the Credential Management Accounts screen in CA PAM.
The Azure target account key does not require verification because it uses the Shared Secret provided by Azure when configuring the Azure Active Directory application. By definition, the Shared Secret cannot be updated or modified, so verification is not possible for the Azure target account.
Resolution
Uncheck the "Update both the Password Authority Server and the target system" option under the Key tab of the Target Account Configuration and leave only the "Update only the Password Authority Server" radio button selected, then retry setting up the Azure connection.
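
To rule out the Azure side before changing the PAM target account, the identifiers PAM actually sent can be read out of the AADSTS700016 message and compared with the Application (client) ID and Directory (tenant) ID shown for the app registration in Azure. The following is an added example, not part of the original article or the product; the function names are hypothetical and the sample message is the error quoted above.

```python
import re

# Error text as quoted in this article (PAM-CMN-5360 wrapping AADSTS700016).
SAMPLE_ERROR = (
    "PAM-CMN-5360: Failed to get Azure API access token. unauthorized_client - "
    "AADSTS700016: Application with identifier "
    "'821e1a1c-0fdf-498c-a6a9-85103d7e4d62' was not found in the directory "
    "'c7d1a8f7-0546-4a0c-8cf5-3ddaebf97d51'. This can happen if the application "
    "has not been installed by the administrator of the tenant or consented to "
    "by any user in the tenant. You may have sent your authentication request "
    "to the wrong tenant. Trace ID: 79ac161a-995a-4731-b413-2b04cc160e00 "
    "Correlation ID: 1b48d8e1-1e37-4d35-adfa-5fc29347b5d5 "
    "Timestamp: 2020-03-31 10:28:15Z"
)

PATTERNS = {
    "aad_code": r"\b(AADSTS\d+)\b",
    "client_id": r"Application with identifier '([^']+)'",
    "tenant": r"in the directory '([^']+)'",
    "trace_id": r"Trace ID: ([0-9A-Fa-f-]{36})",
    "correlation_id": r"Correlation ID: ([0-9A-Fa-f-]{36})",
    "timestamp": r"Timestamp: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\dZ)",
}

def parse_azure_error(message):
    """Return the fields Azure AD embedded in the error (None if absent)."""
    found = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, message)
        found[name] = match.group(1) if match else None
    return found

def same_id(a, b):
    """Case-insensitive comparison; a missing value never matches."""
    return bool(a and b) and a.strip().lower() == b.strip().lower()

def triage(message, expected_client_id, expected_tenant_id):
    """Compare the IDs PAM sent with those of the Azure app registration."""
    f = parse_azure_error(message)
    if f["aad_code"] != "AADSTS700016":
        return ["not an AADSTS700016 error; this check does not apply"]
    findings = []
    if not same_id(f["client_id"], expected_client_id):
        findings.append("client ID mismatch: PAM sent %s" % f["client_id"])
    if not same_id(f["tenant"], expected_tenant_id):
        findings.append("tenant mismatch: PAM sent %s" % f["tenant"])
    return findings or ["IDs match Azure; review the PAM target account"]

if __name__ == "__main__":
    print(parse_azure_error(SAMPLE_ERROR))
```

The Trace ID, Correlation ID and Timestamp returned by `parse_azure_error` are the values to look up in the Azure AD sign-in logs or to hand to support.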