无法使用Azure Active Directory验证用户

Question

我正在尝试在链接上使用Java代码提及： http : //www.nexttutorial.com/faq/azureAD/1/Azure-active-directory-graph-api-user-authentication-in-java-但出现以下错误：

java.util.concurrent.ExecutionException: com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS50055: Force Change Password.\r\nTrace ID: 7596cf92-f3d6-4baf-a0c9-d166a92d1500\r\nCorrelation ID: 8cccb074-4ae4-4c9b-932b-1f4ddcb514cb\r\nTimestamp: 2017-05-05 08:20:28Z","error":"user_password_expired"}

Answer 1

I haven't used the Java APIs, but I can tell you two things that are the core of the problem:

1. The user's password has expired
2. You are using Resource Owner Password Grant flow

You need to change the application to instead show a browser window so the user can reset their password. If you just want to test the code as is, you can open a new Incognito/private/InPrivate window and sign in to eg portal.azure.com with the user. That will allow you to make sure they have a working password.

But I would advise against using that sign in flow because of potential problems like this one.

The reason you get the error is that the user needs to set a new password, but the flow you are using cannot support that scenario. It also cannot support the scenario where the user account has MFA enabled/is a Microsoft account etc.

And by the way, if this app is intended not to be used by a user, but just run as is, I would suggest making it a daemon with application permissions on the necessary APIs and then use client credentials flow for authentication. No user account needed then, since the app has the needed rights.