
Hello,
we are trying to configure an OAuth connection between Automation Anywhere Control Room (on-prem) and SharePoint Online in our tenant, but we are stuck with the following error:

Unable to retrieve OAuth tokens. Code: cv.oauth.cannot.retrieve.tokens

Here is what we have already set up:

Azure AD App registration

  • Created a new App Registration called Automation Anywhere.

  • Redirect URI set to our AA Control Room DEV environment callback URL.

  • Generated a client secret (Value stored securely, not the ID).

  • Added Microsoft Graph API permission: Sites.Selected (Application).

  • Global admin granted consent for this permission.

SharePoint Online

  • We have a dedicated site.

  • Site Collection Admin granted the app Write permission.

Automation Anywhere Control Room (OAuth configuration)

  • Grant type: Client Credentials Flow.

  • Token URL: https://login.microsoftonline.com/<TenantID>/oauth2/v2.0/token.

  • Scope: https://graph.microsoft.com/.default.

  • Client ID and client secret from the Azure AD app filled in.


Does anyone know what could be the problem? 

Could this error be caused by firewall/proxy restrictions (e.g. AA server not reaching some required MS endpoints)?

If so, could you please confirm the full list of required endpoints?

Currently, we have whitelisted these domains through our proxy: 

  • *.microsoft.com
  • *.microsoftonline.com
  • *.sharepoint.com

Hi @Soky,

The error "Unable to retrieve OAuth tokens. Code: cv.oauth.cannot.retrieve.tokens" in your Automation Anywhere Control Room to SharePoint Online OAuth setup typically indicates a failure in the token acquisition step during the Client Credentials flow.

Based on your setup and question, here are key points and possible causes:

  1. Azure AD App Permissions and Consent

    • You have assigned Sites.Selected permission (Application type) and granted admin consent, which is correct.
    • Ensure the app has been granted Microsoft Graph API permissions properly and the consent is reflected.
  2. SharePoint Online App Permissions

    • You mentioned Site Collection Admin granted the app Write permission. For Sites.Selected permission, you also need to explicitly assign the app permissions to the specific SharePoint site via PowerShell:
      • Use Grant-SPOSiteDesignRights or the newer Set-PnPAzureADAppSitePermission cmdlet to assign the app permissions on the site.
      • Sites.Selected permission requires explicit site-level permission assignment; just being Site Collection Admin is not enough.
  3. OAuth Configuration

    • The Token URL, Scope, Client ID, and Client Secret look correct for Client Credentials flow.
    • Confirm that the Redirect URI is not required for Client Credentials flow (usually it’s not, but it does not harm if set).
  4. Network / Firewall / Proxy

    • Yes, network restrictions can cause token retrieval failures.
    • Your whitelist covers main Microsoft domains, but to be sure, the Control Room server must be able to reach all required Azure AD and Microsoft Graph endpoints.
    • Required endpoints to whitelist (allow outbound HTTPS traffic):
      • login.microsoftonline.com (for OAuth token requests)
      • graph.microsoft.com (for API calls)
      • *.microsoft.com and *.microsoftonline.com (general Microsoft services)
      • *.sharepoint.com (SharePoint Online)
    • Additionally, sometimes specific IP ranges or additional URLs may be required depending on your tenant and region—check Microsoft documentation on Office 365 URLs and IP address ranges.
    • Test connectivity from the Control Room server to these endpoints (e.g., using curl or Invoke-WebRequest).
  5. Additional Troubleshooting Suggestions

    • Check Control Room logs for more detailed error messages or stack traces.
    • Use tools like Postman to manually request tokens using the same client credentials and token URL to isolate whether the issue is AA or Azure AD related.
    • Check that the client secret is correctly copied (no extra spaces or hidden characters).
    • Confirm that the Azure AD app is not subject to conditional access policies blocking token issuance.
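To separate a proxy problem from a credential or consent problem, here is a small diagnostic (an added example, not Automation Anywhere's or Microsoft's code) that reproduces the client-credentials request described above, classifies the token endpoint's answer, and reports a network-layer failure on its own. The sample responses and the command-line argument names are constructed for illustration; the `roles` claim check assumes the app-only token carries the granted Graph application permissions as roles.

```python
"""Client-credentials token check for Control Room -> Entra ID -> Graph (added example)."""
import base64, json, sys
import urllib.error, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://graph.microsoft.com/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant the Control Room uses."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE})
    return TOKEN_URL.format(tenant=tenant_id), body

def jwt_payload(token):
    """Decode a JWT payload without verifying it (inspection only, not trust)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def diagnose(status, resp):
    """Map a token-endpoint response to a short, actionable diagnosis."""
    if status == 200 and "access_token" in resp:
        roles = jwt_payload(resp["access_token"]).get("roles", [])
        if "Sites.Selected" in roles:
            return "ok: app-only token carries the Sites.Selected role"
        return "token issued but roles=%s: admin consent not effective" % roles
    hints = {"invalid_client": "bad/expired secret (use the secret Value, not its ID)",
             "unauthorized_client": "app not found or not allowed this grant in the tenant",
             "invalid_request": "check the tenant ID in the token URL",
             "invalid_scope": "scope must be " + SCOPE}
    err = resp.get("error", "?")
    return "%s: %s [%s]" % (err, hints.get(err, "see AADSTS code"), resp.get("error_description", "")[:80])

# Constructed sample responses for offline use; not real Entra ID output.
def _sample_jwt(claims):
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."
SAMPLE_OK = {"access_token": _sample_jwt({"roles": ["Sites.Selected"]}), "token_type": "Bearer"}
SAMPLE_BAD_SECRET = {"error": "invalid_client", "error_description": "AADSTS7000215: Invalid client secret provided."}

if __name__ == "__main__":  # usage: python check_token.py <tenant-id> <client-id> <client-secret>
    url, body = build_token_request(*sys.argv[1:4])
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    try:  # urlopen honours HTTPS_PROXY, so this also exercises the Control Room's proxy path
        with urllib.request.urlopen(req, timeout=15) as r:
            print(diagnose(r.getcode(), json.load(r)))
    except urllib.error.HTTPError as e:  # Entra ID returns 400/401 with a JSON error body
        print(diagnose(e.code, json.load(e)))
    except urllib.error.URLError as e:  # never reached login.microsoftonline.com: DNS/proxy/firewall
        print("network: %s; check outbound HTTPS to login.microsoftonline.com" % e.reason)
```

Run it from the Control Room server itself with the same proxy settings the service uses; a "network:" result points at the allow-list, while an error code result points at the app registration.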
