PAM-CMN-5360: Failed to get Azure API access token
search cancel

PAM-CMN-5360: Failed to get Azure API access token


Article ID: 188221


Updated On:


CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager - Server Control (PAMSC)


Following the procedure outlined in the documentation, in

The application is created in Azure Active Directory.

The target application and account are created as well in Azure, but when trying to configure the connection to Azure in Configuration --> 3rd Party --> Azure, it throws the following error:

PAM-CMN-5360: Failed to get Azure API access token. unauthorized_client - AADSTS700016: Application with identifier '821e1a1c-0fdf-498c-a6a9-85103d7e4d62' was not found in the directory 'c7d1a8f7-0546-4a0c-8cf5-3ddaebf97d51'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: 79ac161a-995a-4731-b413-2b04cc160e00 Correlation ID: 1b48d8e1-1e37-4d35-adfa-5fc29347b5d5 Timestamp: 2020-03-31 10:28:15Z




If everything is set up correctly in Azure, this problem may come from an incorrectly configured Target Application in PAM. One of the possible causes for this is having an Azure Target account which is marked as "unverified"  in the Credential Management Accounts screen in CA PAM.

The Azure target account key does not require verification because it utilizes the Shared Secret provided by Azure when configuring the Azure Active Directory application. By definition the Shared Secret cannot be updated or modified and therefore verification is not possible for the Azure target Account


Uncheck the "Update both the Password Authority Server and the target system" under the Key tab of the Target Account Configuration and leave just the "Update only the Password Authority Server" radius button selected, then retry setting up the Azure connection