Overview:
A user receives the following error when signing in to Vault File Manager (VFM) through Azure Active Directory:
AADSTS700016: Application with identifier '*Your Application ID*' was not found in the directory '*Your Directory*'. This can happen if the application is not installed by the administrator of the tenant or consented to by any user in the tenant. The user may have sent the authentication request to the wrong tenant.
Root Cause:
Azure Active Directory returns AADSTS700016 when the client ID in the authentication request does not match any application registration in the tenant that received the request. For VFM this means that the OAuth 2.0 / OpenID Connect profile on the Vault side, the app registration on the Azure Active Directory side, or the mapping between the two is misconfigured (or the request went to the wrong tenant), so both sides need to be checked.
Solution:
The following setting should be verified on the Vault side before proceeding:
Under Settings --> OAuth 2.0 / OpenID Connect Profiles, identify the relevant profile. There is usually one profile for Azure, but there may also be designated profiles, such as a separate one for Vault File Manager.
After identifying the correct profile, be sure that the following values are populated accordingly:
- Application Label: Enter a name. For this profile, it is recommended to use Vault File Manager.
- Application Client ID: Enter VaultCheckOut.
- Authorization Server Client ID: Enter the Application (client) ID of the VFM app registration. This is shown on the Overview page of the VFM application in Microsoft Azure AD.
If any of these values is incorrect and you change it, the user must fully exit Vault File Manager by selecting the Exit option from the menu within VFM and then start it again; otherwise the change does not take effect. Do not click the X icon, as it only minimizes VFM.
If the error persists, verify the following settings on the Azure Active Directory side:
- In addition to the SAML application, a VFM mobile (native) app registration must exist in Azure, using the custom redirect URI vaultfilemanager://authorize
- The following API permissions must be granted to the VFM native application:
1. The Veeva Vault Login application's user_impersonation scope
2. Microsoft Graph's User.Read scope (added by default; it normally cannot be removed and must never be removed)
- The Authorization Server Client ID in the Vault OAuth mapping table must be updated to the Application (client) ID of the new VFM mobile app registration, not the ID of the SAML application
- VFM must be restarted by selecting the Exit option from the menu and launching it again
- Verify that the user is logging in to the correct Vault domain (for example, Production rather than Sandbox)
Note:
login.veevavault.com remains the login URL. It was formerly also the value of the Identifier URI in the app registration manifest. That value keeps working for existing customers until they edit the manifest, at which point saving fails, because Microsoft has changed Azure so that an identifier URI must be on a domain the tenant has verified.
For new customers, and for existing customers who update the manifest, this value should be left (or made) blank.
Additional settings to verify:
- The VFM version, which should be the latest release
- A separate application registered in Azure for each Vault domain the customer uses is recommended. Example: the Production and Sandbox domains are registered separately.
If the root cause is still unclear, enable Event Logging and capture an Authentication Attempt as described in the article referenced below.
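As an added example (not code from the Veeva article or from the VFM product), the following Python script applies the checklist above to the values of a Vault OAuth 2.0 / OpenID Connect profile and the manifest JSON exported from the VFM app registration in the Azure portal, and it pulls the client ID out of the AADSTS700016 message so you can see which profile VFM actually used. The manifest field names (appId, identifierUris, replyUrlsWithType, requiredResourceAccess) are those of the portal's manifest export, and the Microsoft Graph application ID and User.Read scope ID are Microsoft's well-known values; every other GUID, the profile dictionary keys and the Vault Login user_impersonation scope ID are constructed placeholders for this example.

```python
import re

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
MS_GRAPH_USER_READ_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # User.Read delegated scope
VFM_REDIRECT_URI = "vaultfilemanager://authorize"
VFM_APPLICATION_CLIENT_ID = "VaultCheckOut"

# Shape of the error quoted in the Overview. client_id is the ID VFM actually sent,
# directory is the tenant that rejected it.
AADSTS700016_RE = re.compile(
    r"AADSTS700016: Application with identifier '(?P<client_id>[^']+)' "
    r"was not found in the directory '(?P<directory>[^']+)'"
)


def parse_aadsts700016(message):
    """Return {'client_id': ..., 'directory': ...} for an AADSTS700016 message, else None."""
    m = AADSTS700016_RE.search(message)
    return m.groupdict() if m else None


def delegated_scopes(manifest):
    """Set of (resourceAppId, scopeId) delegated permissions requested in the manifest."""
    return {
        (res["resourceAppId"], acc["id"])
        for res in manifest.get("requiredResourceAccess", [])
        for acc in res.get("resourceAccess", [])
        if acc.get("type") == "Scope"
    }


def check_vfm_setup(profile, manifest, vault_login_app_id, user_impersonation_id):
    """Compare a Vault OAuth profile with the VFM app registration manifest.

    Returns a list of findings; an empty list means every item of the article's
    checklist is present. profile holds the three values from the Vault profile,
    manifest is the JSON exported from the registration's Manifest blade.
    """
    findings = []
    if profile.get("application_client_id") != VFM_APPLICATION_CLIENT_ID:
        findings.append(f"Application Client ID must be {VFM_APPLICATION_CLIENT_ID!r}")
    vault_side = (profile.get("authorization_server_client_id") or "").lower()
    if vault_side != manifest["appId"].lower():
        findings.append(
            f"Authorization Server Client ID {vault_side!r} does not match the VFM "
            f"registration's Application (client) ID {manifest['appId']!r}"
        )
    reply_urls = {r["url"] for r in manifest.get("replyUrlsWithType", [])}
    if VFM_REDIRECT_URI not in reply_urls:
        findings.append(f"redirect URI {VFM_REDIRECT_URI} is missing from the registration")
    scopes = delegated_scopes(manifest)
    if (MS_GRAPH_APP_ID, MS_GRAPH_USER_READ_ID) not in scopes:
        findings.append("Microsoft Graph User.Read delegated permission is missing")
    if (vault_login_app_id, user_impersonation_id) not in scopes:
        findings.append("Veeva Vault Login user_impersonation delegated permission is missing")
    # Azure no longer saves an identifier URI that is not on a verified domain; the
    # article recommends leaving it blank for the VFM registration.
    if manifest.get("identifierUris"):
        findings.append(f"identifierUris {manifest['identifierUris']} should be blank")
    return findings


def error_matches_profile(message, profile):
    """True if the client ID in the error is the one this Vault profile sends."""
    parsed = parse_aadsts700016(message)
    if parsed is None:
        return False
    sent = profile.get("authorization_server_client_id") or ""
    return parsed["client_id"].lower() == sent.lower()


# Constructed sample data for this example; none of these IDs belong to a real tenant.
VAULT_LOGIN_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # Veeva Vault Login resource app
USER_IMPERSONATION_ID = "99999999-8888-7777-6666-555555555555"  # its user_impersonation scope
VFM_MANIFEST = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "identifierUris": [],
    "replyUrlsWithType": [{"url": VFM_REDIRECT_URI, "type": "InstalledClient"}],
    "requiredResourceAccess": [
        {"resourceAppId": MS_GRAPH_APP_ID,
         "resourceAccess": [{"id": MS_GRAPH_USER_READ_ID, "type": "Scope"}]},
        {"resourceAppId": VAULT_LOGIN_APP_ID,
         "resourceAccess": [{"id": USER_IMPERSONATION_ID, "type": "Scope"}]},
    ],
}
GOOD_PROFILE = {
    "application_label": "Vault File Manager",
    "application_client_id": VFM_APPLICATION_CLIENT_ID,
    "authorization_server_client_id": VFM_MANIFEST["appId"],
}
# The mistake the article calls out: the profile carries the ID of another
# registration (the SAML app) instead of the VFM native app.
SAML_APP_ID = "66666666-7777-8888-9999-000000000000"
BAD_PROFILE = dict(GOOD_PROFILE, authorization_server_client_id=SAML_APP_ID)
SAMPLE_ERROR = (f"AADSTS700016: Application with identifier '{SAML_APP_ID}' "
                "was not found in the directory 'contoso.onmicrosoft.com'.")

if __name__ == "__main__":
    print("error parsed as:", parse_aadsts700016(SAMPLE_ERROR))
    print("profile that produced it:", "BAD" if error_matches_profile(SAMPLE_ERROR, BAD_PROFILE) else "GOOD")
    print("findings:", check_vfm_setup(BAD_PROFILE, VFM_MANIFEST, VAULT_LOGIN_APP_ID, USER_IMPERSONATION_ID))
```

To use it on a real case, paste the three profile values into the profile dictionary, export the VFM registration's manifest from the Azure portal, and read the Vault Login app ID and its user_impersonation scope ID from that application's Expose an API page; a client ID in the error that matches none of your profiles points at the wrong-tenant case in the error text rather than at a Vault-side setting.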
Related Documentation:
Vault KB Article:
Vault Help Documentation: Vault Help