o365-moodle

Could not get app or system token

Open JMillwood-92 opened this issue 10 months ago • 5 comments

Hello All,

I was wondering if anyone had any pointers or insight to the "Could not get app or system token" error I am experiencing.

I've asked Google and searched the issue bank, but most topics on this subject say that the error has been patched.

My setup is Moodle 4.5.1, O365 plugin version 4.5.0.

My Azure application registration is manually created due to the PowerShell script generating multiple errors. I've checked this setup against the instructions and what the script does so many times that I'm fairly sure this is not an app registration issue, but I could be wrong.

The plugin works to authenticate users, and the Health Check displays 'Microsoft 365 API calls are executing at full speed.' Similarly OneDrive authenticates as expected.

However, on the setup screen both detect functions for Entra and OneDrive fail with 'Could not get app or system token.'

And the verify setup button results in a 'Could not check reply url.' for the Azure app registration and 'Could not get app or system token.' for the Microsoft Graph API.

Finally the Cohort sync function fails on every attempt with the same token based error, which is also displayed when trying to view the Cohort sync function preferences.

The more info link leads to a "page does not exist" error on the Moodle plugin site.

Any assistance even if direction to another source of info would be gratefully received.

JMillwood-92 avatar Feb 04 '25 22:02 JMillwood-92

Hi Josh @JMillwood-92, Confirm your Entra and OneDrive URLs do not contain the https:// protocol at the start - just the domain names. And also check the TLD of your domains matches the primary Entra/Tenant domain.

rickabitdigital avatar Feb 05 '25 01:02 rickabitdigital

Hi, thanks for your reply. Yes, I can confirm neither of the addresses contains a protocol.

My Entra address is set to point at my 'myorganisation.sharepoint.com' address.

Changing this to 'mydomain.com' causes Moodle to crash and become unresponsive.

Similarly trying 'myorganisation.onmicrosoft.com' causes a similar crash and hang issue.

JMillwood-92 avatar Feb 05 '25 02:02 JMillwood-92

Hi again Josh, I have not experienced the crashes you describe. I have experienced my own issues, albeit I have the plugin configured now with no more errors displayed.

I suggest switching on debugging in Moodle and displaying all errors. The debug setting within the plugin never created any Moodle logs that I could find - even when my configuration contained incorrect URLs (with protocol) etc. I set up a separate local Moodle installation (fresh ddev Moodle install + o365 plugins) so that I can use xdebug locally to investigate the various API calls. I have not resolved my own issues yet.

You could test outbound access from your Moodle server to the various Microsoft URLs - if you haven't already? I did this using a basic curl on the server to the Microsoft login page URL. If I think of anything else, or make further discoveries, I'll post here. Good luck.

rickabitdigital avatar Feb 05 '25 16:02 rickabitdigital

Hi @JMillwood-92

The integration uses the application token to make Graph API calls to get/set data in Microsoft 365, so without it, it's expected that no sync features work. The only thing that doesn't depend on the application token is SSO.

So, to solve the issue where you can't get the application token:

  • One thing you can try is to create an Azure app using the new PowerShell script at https://github.com/microsoft/o365-moodle/blob/wip-110340-m405/local/o365/scripts/Moodle-EntraID-PowerShell.zip. This script has been tested locally, and is to be included in the next release.
  • If you want to stick with the current app, here are a few things that you may want to check in the app in the app registration section in Azure portal:
      1. The app has correct redirect URI settings. There should be two values set: https://url.to.moodle/auth/oidc/ and https://url.to.moodle/local/o365/sso_end.php. Note the trailing slash in the first URI is mandatory.
      2. The app has required API permissions - the app should have 30 permissions for full integration. You can remove the ones you don't need after the initial "verify setup" action is finished.
      3. All permissions have admin consent granted for your organisation. You should use the "Grant admin consent for [your organisation]" button for this action. After the action, the "Status" column of all permissions should contain "Granted for [your organisation]".
      4. Application ID URI and scope settings. Please refer to subsection 4 in the "Configure application" section at https://docs.moodle.org/405/en/Microsoft_365#Configure_application.

After the Azure app configurations are confirmed, you will need to go to the local_o365 plugin configuration page in Moodle, and click the "Provide admin consent" button again. Providing the app has the required permissions, this action should create an application token.

You should be able to use the "Detect" button to fill "Microsoft Entra tenant" and "OneDrive for Business URL" settings automatically; but in case it fails, fill those values in manually. Make sure protocols (https://) are not included.

After it, the "Verify setup" button should work.

If you still see errors, please use your browser developer tool to see the raw response of the AJAX call when you click the button to "Verify setup", and see if you can find out anything from it.

Please feel free to post back your results.

Regards, Lai

weilai-irl avatar Feb 07 '25 12:02 weilai-irl
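
The redirect URI and host-field checks from the reply above can be run as a quick lint before clicking "Verify setup". This is an added example, not part of the thread or the plugin's code; the function names are illustrative and the `moodle.example.org` and `contoso` values are constructed.

```python
from urllib.parse import urlsplit

# Paths quoted in the reply above; the first must keep its trailing slash.
# Helper names in this example are illustrative, not from the plugin.
REDIRECT_PATHS = ("/auth/oidc/", "/local/o365/sso_end.php")


def check_redirect_uris(wwwroot, configured):
    """Compare the app registration's redirect URIs with the two expected ones."""
    base = wwwroot.rstrip("/")
    configured = {uri.strip() for uri in configured}
    problems = []
    for want in (base + path for path in REDIRECT_PATHS):
        if want in configured:
            continue
        # Tell "present without the slash" apart from "absent altogether".
        if want.endswith("/") and want.rstrip("/") in configured:
            problems.append(f"trailing slash missing: {want}")
        else:
            problems.append(f"not registered: {want}")
    return problems


def check_host_setting(name, value):
    """Validate a 'Microsoft Entra tenant' or 'OneDrive for Business URL' value."""
    value = value.strip()
    if "://" in value:
        return [f"{name}: remove the protocol, keep only the host name"]
    parts = urlsplit("//" + value)
    if "." not in (parts.hostname or "") or parts.path not in ("", "/") or parts.query:
        return [f"{name}: expected a bare host name, got {value!r}"]
    return []


def lint_setup(wwwroot, redirect_uris, tenant, onedrive):
    """Run every check and return one flat list of findings (empty = clean)."""
    return (check_redirect_uris(wwwroot, redirect_uris)
            + check_host_setting("Microsoft Entra tenant", tenant)
            + check_host_setting("OneDrive for Business URL", onedrive))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    findings = lint_setup(
        "https://moodle.example.org",
        ["https://moodle.example.org/auth/oidc",
         "https://moodle.example.org/local/o365/sso_end.php"],
        "https://contoso.onmicrosoft.com",
        "contoso-my.sharepoint.com",
    )
    print("\n".join(findings) or "no problems found")
```
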

If it helps anyone, we ran into this issue after a Moodle version upgrade/plugin update. The same "Could not get app or system token" message whenever anybody tried to log in. Ended up needing to get an administrator to re-run the "Provide admin consent" button on the local_o365 plugin configuration page again.

calebissharp avatar Mar 31 '25 14:03 calebissharp