PAM-CMN-5360: Failed to get Azure API access token. unauthorized_client -

Article ID: 188221


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Following the procedure outlined in the documentation at

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/deploying/deploy-a-vhd-on-azure/configure-an-azure-connection.html

the application is created in Azure Active Directory.

The target application and account are created as well in Azure, but when trying to configure the connection to Azure in Configuration --> 3rd Party --> Azure, it throws the following error:

PAM-CMN-5360: Failed to get Azure API access token. unauthorized_client - <Client Name>: Application with identifier '<identifier>' was not found in the directory '<directory id>'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: <trace id> Correlation ID: <correlation id> Timestamp: 2020-03-31 10:28:15Z


Environment

CA PRIVILEGED ACCESS MANAGEMENT, all versions

Cause

If everything is set up correctly in Azure, this problem may come from an incorrectly configured Target Application in PAM. One possible cause is an Azure Target Account that is marked as "unverified" in the Credential Management Accounts screen in CA PAM.

The Azure Target Account key does not require verification because it uses the Shared Secret provided by Azure when configuring the Azure Active Directory application. By definition, the Shared Secret cannot be updated or modified, and therefore verification is not possible for the Azure Target Account.

Resolution

Uncheck the "Update both the Password Authority Server and the target system" option under the Key tab of the Target Account Configuration and leave just the "Update only the Password Authority Server" radio button selected, then retry setting up the Azure connection.