Forum Discussion
Project Online (CSOM): Encountering 'User Not Found in Active Directory or Project DB'
Issue
We are attempting to access Project Online data in Project Permission mode using app-only authentication, specifically to bypass MFA for programmatic access, as we aim for continuous, automated access without any user interaction. We are using CSOM (Microsoft.ProjectServer.Client.ProjectContext) in .NET 4.8 to connect to Project Online. Despite following several documented approaches with client certificates, client secrets, and OAuth configurations, we keep encountering errors like 401 Unauthorized and "User not found in Active Directory or in project db". Below is a summary of our steps. Despite multiple attempts, we consistently receive errors blocking access. We have followed the recommended documentation for client credentials, certificates, and permissions but still face access issues.
Technology
- Project Online
- CSOM in .NET 4.8
- Microsoft.ProjectServer.Client.ProjectContext
- Azure AD (Entra ID)
Solutions Attempted
- Client Certificate Authentication:
- Configuration: Registered an app in Azure AD (Entra) with a client certificate and set permissions including Sites.FullControl.All. NOTE: we could not select Project permissions (Project.Read, etc.) in the Application Permissions screen, only within the delegated permissions screen.
- Token Acquisition: We acquired an access token using az account get-access-token --resource=https://.sharepoint.com.
- Request Attempted:
- URL: https://.sharepoint.com/sites//_api/ProjectData/Projects
- Outcome: {"error":"invalid_request","error_description":"App is not allowed to call SPO with user_impersonation scope"}
- Client Secret with Client Credentials:
- App Registration: Configured client ID and client secret in Azure AD with permissions for Project.ReadWrite.All and Sites.Selected.
- Token Acquisition: Called the token endpoint:
- Endpoint: https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
- Parameters: client_id, scope=https://.sharepoint.com/.default, client_secret, grant_type=client_credentials
- Access Attempt:
- URL: https://.sharepoint.com/sites//_api/ProjectData/Projects
- Response: HTTP/1.1 401 Unauthorized; Response Body: " "
- Outcome: Despite obtaining a valid token, the request returns a "Please sign in" page rather than an access token.
- SharePoint AppPermissionRequest Configuration using /sites/pwa/layouts/15/appinv.aspx:
- Configuration: Set up AppPermissionRequest XML in SharePoint for permissions like:
- <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl"/>
- Outcome: This configuration did not make any difference and did not grant the required permissions in Project Permission mode, as SharePoint app permissions do not seem to cover Project-specific access. Project Online access remains blocked.
- Microsoft Graph API Exploration:
- Goal: Investigated Graph API as an alternative.
- Outcome: Microsoft Graph lacks Project Online-specific permissions, limiting access to SharePoint and directory data, which does not meet our need for project-specific data access.
- Microsoft.Identity.Client and client certificate
- Configuration: CSOM using the following code to log in:

using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Identity.Client;        // MSAL: ConfidentialClientApplicationBuilder, AuthenticationResult
using Microsoft.ProjectServer.Client;    // ProjectContext
using Microsoft.SharePoint.Client;       // ExecutingWebRequest / WebRequestEventArgs

public static class ProjectContextExtensions
{
    // Acquires an app-only token with a client certificate (MSAL client credentials flow)
    // and attaches it as a Bearer header to every CSOM request made through this context.
    public static void Login(this ProjectContext context)
    {
        var clientId = "xxx";
        var clientSecret = "xxx";   // declared in the original but unused: the certificate is the credential below
        var authority = "https://login.microsoftonline.com/xxx";  // tenant ID or tenant domain
        var scope = "https://xxx.sharepoint.com/.default";        // SharePoint Online resource, app-only scope
        var certificate = new X509Certificate2("c:\\temp\\cert.pfx", "xx");

        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(certificate)
            .WithAuthority(new Uri(authority))
            .Build();

        // The original used a TaskHelper.BlockingAwait wrapper; GetAwaiter().GetResult() blocks the same way.
        AuthenticationResult result = app.AcquireTokenForClient(new[] { scope })
            .ExecuteAsync()
            .GetAwaiter()
            .GetResult();
        string accessToken = result.AccessToken;

        context.ExecutingWebRequest += (sender, e) =>
        {
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
        };
    }
}

- Outcome: Access fails with "User: [redacted] not found in Active Directory or in project db"
Key Questions:
- Is there a method for app-only authentication in Project Online in Project Permission mode that bypasses MFA for automated access?
- Has anyone succeeded in applying app-only credentials for Project Online access, specifically in Project Permission mode?
- Are there any alternative permission configurations (like Azure AD settings, conditional access policies, or app permissions) that could facilitate this access?
Thank you in advance!
Edit: Sorry for the bad formatting.
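Editor's note, added example (not code from the original post or from Microsoft): the two failures above, "App is not allowed to call SPO with user_impersonation scope" and the bare 401, both depend on which kind of token actually reached SharePoint Online, so the first thing to check is the token's claims. Entra ID issues app-only (client credentials) tokens with a `roles` claim and no `scp`, while delegated tokens (such as one from `az account get-access-token`) carry `scp`. The script below reads those claims and the audience without validating the signature, which is all a caller needs for this diagnosis. The tenant `contoso.sharepoint.com`, the app ID, and the tokens themselves are constructed sample data, not real tokens.

```python
"""Inspect an Entra ID access token before sending it to SharePoint Online (SPO).

Added example with constructed, unsigned sample tokens; the signature is a dummy and is
NOT verified here. Rule used: app-only tokens carry 'roles' and no 'scp'; delegated tokens carry 'scp'.
"""
import base64
import json
import time
from typing import Optional

# Hypothetical tenant and fixed clock used for the constructed samples (assumptions, not from the post).
SPO_AUDIENCE = "https://contoso.sharepoint.com"
FIXED_NOW = 1_700_000_000


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with a dummy signature (constructed test data only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, expected_audience: str, now: Optional[float] = None) -> dict:
    """Classify a token as app-only or delegated and list problems to fix before blaming SPO."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    scp = claims.get("scp", "")
    roles = claims.get("roles", [])
    if roles and not scp:
        kind = "app-only"
    elif scp and not roles:
        kind = "delegated"
    else:
        kind = "unknown"

    findings = []
    if claims.get("aud") != expected_audience:
        findings.append(f"audience mismatch: aud={claims.get('aud')!r}, expected {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    if kind == "delegated":
        findings.append("delegated token (scp present): SPO evaluates it as the signed-in user, not as the app")
    return {"kind": kind, "roles": list(roles), "scopes": scp.split() if scp else [], "findings": findings}


# Constructed samples (not real tokens): one delegated, one app-only.
DELEGATED_TOKEN = make_unsigned_token({
    "aud": SPO_AUDIENCE, "appid": "00000000-0000-0000-0000-000000000001",
    "scp": "AllSites.FullControl user_impersonation", "exp": FIXED_NOW + 3600,
})
APP_ONLY_TOKEN = make_unsigned_token({
    "aud": SPO_AUDIENCE, "appid": "00000000-0000-0000-0000-000000000001",
    "roles": ["Sites.FullControl.All"], "exp": FIXED_NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)]:
        print(name, json.dumps(classify_token(tok, SPO_AUDIENCE, now=FIXED_NOW), indent=2))
```

To use it on a real token, paste the `access_token` string from the token endpoint response (or from `az account get-access-token`) into `classify_token(token, "https://<tenant>.sharepoint.com")`. A `delegated` result explains a "user_impersonation scope" rejection; an `app-only` result with an audience mismatch explains a 401 that arrives with an otherwise valid token. Keep in mind this inspects claims only and proves nothing about what permissions Project Online itself will honour.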