Office 365 scope - fresh auth token required after password reset

Just checking if there is an update on the issue where, when the robot's Windows password is changed and the Office 365 scope is used, the following error is thrown:

Microsoft Office 365 Scope: AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on ‘2020-05-27T03:10:47.0240000Z’ and the TokensValidFrom date (before which tokens are not valid) for this user is ‘2020-05-29T07:00:23.0000000Z’.
Trace ID: 513f6eac-996d-4ff7-98f2-135f92915100
Correlation ID: 39366c71-9912-4106-9c4c-7aefbe346e17
Timestamp: 2020-06-22 00:27:43Z

Currently each time the password changes we are still manually deleting the cached auth token from C:\Users\robot\AppData\Local\DataStore.Office365\IntegratedWindowsAuthentication-msalcache.bin in order to manually force a resync to obtain the current token. Has this been included in an updated version of MS Graph or will it be scheduled shortly?

Do you have any updates on this? I would like to know, as I also encountered the same issue as yours and just followed your solution of deleting it manually; it generates a new cache and works on my end. By the way, thanks, it works now for me.

Hi Rome, unfortunately no updates on this. I think this issue still hasn’t been rectified in the O365 activities. I’ve built a robot that runs every night and deletes the cache. It would be good though if this bug could be rectified at source in the O365 activity.

Hi, you’re right, as we might also encounter this in production. Keep us posted, and I will also keep you posted if UiPath support sees this once we get an error in production. Thanks.

Are you using the latest version of UiPath.MicrosoftOffice365.Activities, version 1.5.0?

Hi Mihai, no I’m not. We have been using the 1.3 version. Has 1.5 had the remediation applied?

Hi,

We have updated the Microsoft SDK used in version 1.5, and have not been able to reproduce the issue when changing the password. It’s likely that the issue was solved by Microsoft in the subsequent release of the SDK. It would be great if you could test on your environment and inform us if it indeed solved your problem.

Environment: Office 365 - Okta - On-premise Active Directory.

Error message:
The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on ‘{authTime}’ and the TokensValidFrom date (before which tokens are not valid) for this user is ‘{validDate}’.

Workaround:
All you need to do is temporarily change the user’s UserPrincipalName to that of a managed domain, update the password and then change the UserPrincipalName back to the federated domain.
The first step is to get the user's ObjectId and UserPrincipalName.

  1. Run this command to get the ObjectId and the user's UserPrincipalName.
    Get-AzureADUser -SearchString pat.doe

  2. Now, run the following command to change the UPN to the managed domain:
    Set-AzureADUser -ObjectId 11bb4111-11a0-1114-8501-111180bf51d3 -UserPrincipalName pat.doe@onmicrosoft.com

  3. Next, update the password with the following command:
    Set-AzureADUserPassword -ObjectId 11bb4111-11a0-1114-8501-111180bf51d3

  4. Change the UPN back to the federated domain. Run the following command:
    Set-AzureADUser -ObjectId 11bb4111-11a0-1114-8501-111180bf51d3 -UserPrincipalName pat.doe@contoso.com

That’s it. Now, reset the password in Okta or the authoritative source (Active Directory).
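
An added example, not code from the thread or from UiPath: rather than deleting the cache on a fixed schedule, this PowerShell removes the cached token only when the AADSTS50173 message shows that the grant was issued before the TokensValidFrom date. The function names and the sample message are constructed for illustration; the default cache path is the one quoted earlier in the thread and is assumed to apply to the robot account.

```powershell
# Hypothetical helper: parse the AADSTS50173 text and compare its two timestamps.
function Test-RevokedGrant {
    param([Parameter(Mandatory)][string]$ErrorText)

    # Only act on the revoked-grant error code seen in the thread.
    if ($ErrorText -notmatch 'AADSTS50173') { return $null }

    # \W? tolerates straight or typographic quotes around each timestamp.
    $ts = '\d{4}-\d{2}-\d{2}T[\d:.]+Z'
    $pattern = "issued on\s+\W?(?<issued>$ts).*?for this user is\s+\W?(?<valid>$ts)"
    $m = [regex]::Match($ErrorText, $pattern, 'Singleline')
    if (-not $m.Success) { return $null }

    $inv    = [cultureinfo]::InvariantCulture
    $issued = [datetimeoffset]::Parse($m.Groups['issued'].Value, $inv)
    $valid  = [datetimeoffset]::Parse($m.Groups['valid'].Value, $inv)

    [pscustomobject]@{
        GrantIssued     = $issued
        TokensValidFrom = $valid
        CacheIsStale    = $issued -lt $valid   # grant predates the password reset
    }
}

# Hypothetical helper: delete the cache file only when the error proves it is stale.
function Clear-Office365TokenCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ErrorText,
        # Path as quoted in the thread; adjust for the account the robot runs as.
        [string]$CachePath = 'C:\Users\robot\AppData\Local\DataStore.Office365\IntegratedWindowsAuthentication-msalcache.bin'
    )
    $check = Test-RevokedGrant -ErrorText $ErrorText
    if (-not $check -or -not $check.CacheIsStale) { return $false }
    if (-not (Test-Path -LiteralPath $CachePath)) { return $false }
    if ($PSCmdlet.ShouldProcess($CachePath, 'Delete stale MSAL token cache')) {
        Remove-Item -LiteralPath $CachePath -Force
        return $true
    }
    return $false
}

# Constructed sample, shortened from the error message posted in the thread.
$sample = @'
Microsoft Office 365 Scope: AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The grant was issued on '2020-05-27T03:10:47.0240000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2020-05-29T07:00:23.0000000Z'.
'@
Test-RevokedGrant -ErrorText $sample                    # shows both timestamps and CacheIsStale
Clear-Office365TokenCache -ErrorText $sample -WhatIf    # dry run, deletes nothing
```

Drop `-WhatIf` once the dry run reports the expected file; the next Office 365 scope run then has to obtain a fresh token.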