# Authentication troubleshooting

> This page lists possible authentication issues you may encounter when using the Microsoft 365 activities.

## Which authentication type should I use in the Microsoft 365 Scope activity?

First, make sure you check out the following resources:

1. Read the documentation related to the [Microsoft 365 Scope](https://docs.uipath.com/activities/other/latest/productivity/microsoft-office-365-scope) activity, which includes information about the available authentication types.
2. To learn how to register your custom application in Azure AD and set Graph API permissions, see the [Custom OAuth Application registration - Bring your own app (BYOA)](https://docs.uipath.com/activities/other/latest/productivity/oauth-application-setup#custom-oauth-application-registration---bring-your-own-app-(byoa)) guide.
3. The list of Graph API calls from Microsoft 365 activities is available on the [Technical References](https://docs.uipath.com/activities/other/latest/productivity/office365-technical-references) page.
4. To learn about using UiPathStudioO365App for InteractiveToken (i.e. `OAuthApplication`=`UiPath`), check:

   * [UiPathStudioO365App](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.uipathstudioo365app?tab=overview) on the Microsoft Azure Marketplace
   * [Configuring the Azure AD for Outlook 365 Automation](https://docs.uipath.com/activities/other/latest/productivity/configuring-the-azure-ad-for-outlook-365-automation).
5. Check the required API permissions for **Use application** cards on the [Microsoft 365 and Google Workspace Cards - API permissions and scopes](https://docs.uipath.com/activities/other/latest/productivity/google-workspace-and-office-365-cards-api-permissions-scopes) page.

### Scope to specific mailboxes

When using this authentication type, the application has access to all mailboxes in your tenant. That's because the application API permission `Mail.Read` represents "Read mail in all mailboxes" and `Mail.ReadWrite` means "Read and write mail in all mailboxes".

It's possible to scope application permissions to specific mailboxes, so the application has access only to the specified mailboxes: [Scoping application permissions to specific Exchange Online mailboxes](https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access).
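
One way to apply and verify such a restriction from Exchange Online PowerShell, as an added example that is not part of the original page. The application ID, group address and mailbox addresses are placeholders, and the mail-enabled security group is assumed to already exist and to contain the mailboxes the automation may use.

```powershell
# Added example: restrict an app-only registration to the mailboxes in one group.
# Placeholders (assumptions, replace with your own values):
$AppId       = '00000000-0000-0000-0000-000000000000'   # Application (client) ID
$ScopeGroup  = 'rpa-mailboxes@contoso.example'           # mail-enabled security group
$AllowedUser = 'invoices@contoso.example'                # member of $ScopeGroup
$OutsideUser = 'ceo@contoso.example'                     # not a member of $ScopeGroup

# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# Create the policy only if the app has no access policy yet.
$existing = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $existing) {
    New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
        -AccessRight RestrictAccess `
        -Description 'Limit the Microsoft 365 Scope app to RPA mailboxes'
}

# Verify both directions: a group member must be Granted, a non-member Denied.
$checks = foreach ($mailbox in $AllowedUser, $OutsideUser) {
    $r = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    [pscustomobject]@{ Mailbox = $mailbox; Result = "$($r.AccessCheckResult)" }
}
$checks | Format-Table

$outside = $checks | Where-Object { $_.Mailbox -eq $OutsideUser }
if ($outside.Result -ne 'Denied') {
    Write-Warning "The app can still reach $OutsideUser; the policy is not restricting access."
}
```

Microsoft's documentation notes that policy changes can take more than an hour to take effect in Graph calls, even when `Test-ApplicationAccessPolicy` already shows the expected result.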

### Scope to specific sites

Use the `Sites.Selected` application permission to allow the application access only to specific SharePoint site collections rather than all of them.
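
With `Sites.Selected`, the application has no site access until an administrator grants it for each site. The following added example (not code from the original page) grants read access to one site through Microsoft Graph; the application ID, display name and site address are placeholders, and the signed-in administrator is assumed to be able to consent to `Sites.FullControl.All`.

```powershell
# Added example: grant a Sites.Selected app access to a single site collection.
# Placeholders (assumptions, replace with your own values):
$AppId       = '00000000-0000-0000-0000-000000000000'   # Application (client) ID
$AppName     = 'M365 Scope automation app'               # display name stored with the grant
$SiteAddress = 'contoso.sharepoint.com:/sites/Finance'   # hostname:/server-relative-path

# Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'Sites.FullControl.All'

# Resolve the site address to its Graph site ID.
$site    = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
               -Uri "https://graph.microsoft.com/v1.0/sites/$SiteAddress"
$permUri = "https://graph.microsoft.com/v1.0/sites/$($site.id)/permissions"

# Skip the grant if this app already has a permission entry on the site.
$current = (Invoke-MgGraphRequest -Method GET -Uri $permUri -OutputType PSObject).value
$already = $current | Where-Object { $_.grantedToIdentities.application.id -contains $AppId }

if (-not $already) {
    $body = @{
        # Least privilege: grant 'write' only if the workflow modifies site content.
        roles               = @('read')
        grantedToIdentities = @(@{ application = @{ id = $AppId; displayName = $AppName } })
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri $permUri -Body $body -ContentType 'application/json'
}

# List the application grants on the site so they can be reviewed.
(Invoke-MgGraphRequest -Method GET -Uri $permUri -OutputType PSObject).value |
    Select-Object id, @{ n = 'App'; e = { $_.grantedToIdentities.application.displayName } }
```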

## Authenticating with username and password fails

### Missing parameters: `client_assertion` or `client_secret`

Issue: Authentication with username and password fails. The error message displayed is: "A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'."

Solution: Make sure your registered application has the **Allow public client flows** configuration field enabled.

![docs image](https://dev-assets.cms.uipath.com/assets/images/activities/activities-docs-image-180948-54ec38c3.webp)

## The application isn't configured as a multi-tenant application

Issue: You receive the following error message: "Application [...] is not configured as a multi-tenant application. Usage of the `/common` endpoint is not supported for such applications created after 10/15/2018. Use a tenant-specific endpoint or configure the application to be multi-tenant."

Solutions:

* Set a value for the **Tenant** parameter.
* Configure the application to be multi-tenant.
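
The two registration settings behind this error and the `AADSTS7000218` error in the previous section can also be read from Microsoft Graph instead of the portal. This is an added example, not code from the original page; the application ID is a placeholder, and the check assumes you are connected to the tenant where the application was registered.

```powershell
# Added example: read the app-registration settings behind AADSTS7000218 and
# the "/common endpoint" error from Microsoft Graph instead of the portal.
$AppId = '00000000-0000-0000-0000-000000000000'   # placeholder Application (client) ID

# Requires the Microsoft.Graph.Applications module.
Connect-MgGraph -Scopes 'Application.Read.All'
$tenantId = (Get-MgContext).TenantId

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) {
    # Application objects exist only in the tenant where the app was registered.
    throw "No app registration with client ID $AppId in tenant $tenantId."
}

$singleTenant = $app.SignInAudience -eq 'AzureADMyOrg'
$publicClient = $app.IsFallbackPublicClient -eq $true   # an unset value ($null) counts as disabled

$findings = @()
if ($singleTenant) {
    $findings += "Single-tenant app: set Tenant to $tenantId; the /common endpoint is rejected."
}
if (-not $publicClient) {
    $findings += "'Allow public client flows' is off: username and password sign-in fails with AADSTS7000218."
}
if (-not $findings) { $findings = @('No issue found in these two settings.') }

[pscustomobject]@{
    DisplayName            = $app.DisplayName
    SignInAudience         = $app.SignInAudience
    AllowPublicClientFlows = $publicClient
    Findings               = $findings -join ' '
} | Format-List
```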

## The authentication works, but the user can't read emails from a shared mailbox

Issue: When using the Microsoft 365 activities, the user can retrieve mail from their personal account, but trying to read emails from a shared mailbox returns an Access Denied error.

Solution: Check whether the application has the delegated API permission `Mail.Read.Shared` set. This permission allows the app to read mail a user can access, including their own and shared mail.

## Error: The user or administrator hasn't consented to use the application

Issue: You receive the following error message: "The user or administrator has not consented to use the application with ID [...] named [...]."

Solution: Make sure you follow these steps to [Grant tenant-wide admin consent to an application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal).

## IntegratedWindowsAuthentication (IWA) doesn't work in v1.4.0 and v1.5.0

Issue: IntegratedWindowsAuthentication (IWA) worked in **UiPath.MicrosoftOffice.365.Activities** v1.3.1, but doesn't work in **UiPath.MicrosoftOffice.365.Activities** v1.4.0 and v1.5.0.

Solution: Use **UiPath.MicrosoftOffice.365.Activities** version >= 1.6.0.

## ApplicationIdAndSecret authentication in v1.4.0 and v1.5.0

Issue: When using **UiPath.MicrosoftOffice.365.Activities** v1.4.0 or v1.5.0, the Scope activity fails, even though the mandatory parameters, **Application Id** and **Application Secret**, are set correctly.

If the **Tenant** parameter isn't set, you can get one of the following errors:

:::important
* "The token contains no permissions, or permissions can not be understood." (Multitenant)
* "Application with identifier [...] was not found in the directory 'microsoft.com'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant." (Single Tenant)
:::

Solution: Set a value for the **Tenant** parameter.

Another option is to upgrade to **UiPath.MicrosoftOffice.365.Activities** version >= 1.6.0. Starting with v1.6.0, **Tenant** is a mandatory parameter.

## Graph API requests within Microsoft 365 Scope

You can make Graph API requests within the Microsoft 365 Scope activity. This is possible when using a **ParentScope** object in an **Invoke Code** activity.

:::note
This is possible for Windows-Legacy .NET 4.6.1 projects. It fails for Windows .NET5 projects (error message "Could not load file or assembly 'Microsoft.Graph, Version=3.32.0.0'").
:::

The following example uses Studio v2021.10 (Windows-Legacy) and **UiPath.MicrosoftOffice.365.Activities** v1.11.1:

[Download example](https://documentationexamplerepo.blob.core.windows.net/examples/Studio_V2021.10/Office365_GraphAPIRequests.zip)

![docs image](https://dev-assets.cms.uipath.com/assets/images/activities/activities-docs-image-179088-bce6b52b.webp)

![docs image](https://dev-assets.cms.uipath.com/assets/images/activities/activities-docs-image-178840-1fcdc9db.webp)
