[Reporting API v13] Error 105 (InvalidCredentials) when using OAuth 2.0 client credentials (daemon / server-to-server)

Question

[Reporting API v13] Error 105 (InvalidCredentials) when using OAuth 2.0 client credentials (daemon / server-to-server)

felipy c 0

[Reporting API v13] Error 105 (InvalidCredentials) when using OAuth 2.0 client credentials (daemon / server-to-server)

Summary

I’m building a server-to-server (daemon / machine-to-machine) integration to pull Microsoft Advertising reports via REST (Reporting API v13).
I can obtain an access token using OAuth 2.0 client credentials, but when I call GenerateReport/Submit I get the following error:

{ "Errors": [ { "Code": 105, "Message": "Authentication failed. Either supplied credentials are invalid or the account is inactive", "Detail": null, "ErrorCode": "InvalidCredentials" } ], "TrackingId": "fc4bb6a6-3797-4605-b640-6daec5cba888", "Type": "AdApiFaultDetail" }

I would like to confirm whether client_credentials is supported for Microsoft Advertising APIs, and if so, what configuration I may be missing.

Environment

Goal: daily Ad Performance (impressions, clicks, cost) for data ingestion
API: Reporting API v13
Report endpoint environment: sandbox
Flow: daemon (no interactive user)
Headers: Authorization, DeveloperToken, CustomerId (CID), CustomerAccountId (AID)

(IDs and secrets below are masked.)

Authentication (token) — client credentials

Token endpoint: POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token

Request body (x-www-form-urlencoded): client_id=XXX client_secret=XXX grant_type=client_credentials scope=https://ads.microsoft.com/.default

Response (truncated): { "token_type": "Bearer", "expires_in": 3599, "ext_expires_in": 3599, "access_token": "eyJhbGciOiJkaXIiLCJlbmMiOi ..." }

Report call — GenerateReport/Submit (sandbox)

Endpoint: POST https://reporting.api.sandbox.bingads.microsoft.com/Reporting/v13/GenerateReport/Submit

Headers: Authorization: Bearer {ACCESS_TOKEN} DeveloperToken: BBD37VB98 CustomerId: XXX CustomerAccountId: XXX Content-Type: application/json

Body (JSON): { "ReportRequest": { "Type": "AdPerformanceReportRequest", "ReportName": "XXX Ad Perf (7d)", "Format": "Csv", "FormatVersion": "2.0", "ReturnOnlyCompleteData": false, "Aggregation": "Daily", "Columns": [ "TimePeriod", "CampaignId", "CampaignName", "AdId", "Title", "Impressions", "Clicks", "Spend" ], "Scope": { "AccountIds": [XXXX] }, "Time": { "CustomDateRangeStart": { "Year": 2025, "Month": 10, "Day": 6 }, "CustomDateRangeEnd": { "Year": 2025, "Month": 10, "Day": 12 }, "ReportTimeZone": "SaoPaulo" } } }

Response: { "Errors": [ { "Code": 105, "Message": "Authentication failed. Either supplied credentials are invalid or the account is inactive", "Detail": null, "ErrorCode": "InvalidCredentials" } ], "TrackingId": "fc4bb6a6-3797-4605-b640-6daec5cba888", "Type": "AdApiFaultDetail" }

What I have already checked

✅ Authorization: Bearer {access_token} is present
✅ DeveloperToken, CustomerId (CID), and CustomerAccountId (AID) are included
✅ Report body is valid (includes TimePeriod for daily aggregation)
✅ Tried different resource/scope formats for the token (still failing)
❓ Environment: I’m calling sandbox — do I need sandbox-specific CID/AID (distinct from production)?
❓ Scopes/permissions: Is the msads.manage (delegated) scope required even for Reporting?
❓ Client credentials support: Does the Advertising API accept application permissions (app-only) for Reporting?
❓ Account status/access: Could this be caused by an inactive account or a user that lacks access to the specified CID/AID?

Specific questions for Microsoft / community

Does the Microsoft Advertising API (Reporting v13) support the OAuth 2.0 client_credentials flow (app-only)?
- If yes, what is the correct resource/scope and the prerequisites (app permissions, admin consent, etc.)?
- If no, what is the recommended flow for daemon scenarios? (e.g., authorization_code + offline_access, then use the refresh_token on a schedule)
Are there credential differences between production and sandbox (e.g., CID/AID and DeveloperToken) that could cause Code 105 when using a valid token?
Does the DeveloperToken need to be explicitly enabled for sandbox (or linked to a sandbox user) to avoid this error?
How can I diagnose whether the token issued via client_credentials includes the claims/audience required for Microsoft Advertising?
- Is there a specific aud expected in the JWT?
If client_credentials is not supported, could you please confirm officially that only user-delegated flows (e.g., authorization_code with msads.manage) are accepted for Reporting?

References

OAuth 2.0 — Client Credentials (Microsoft Entra ID):
https://free.blessedness.top/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#get-a-token
Reporting API v13 (GenerateReport):
https://free.blessedness.top/en-us/advertising/reporting-service/generatereport?view=bingads-13

Thanks!

Any official confirmation on client_credentials support for Advertising and guidance on sandbox vs. production prerequisites would be greatly appreciated.

felipy c 0 Reputation points

2025-10-15T16:11:52.9566667+00:00

And how do I get the developer token approved? Doesn’t the universal token replace the developer token? DeveloperToken • It must be explicitly approved for use in the sandbox 'BBD37VB98'.

Thanks for the initial response — where can I check the inbox that has your private message?
felipy c 0 Reputation points

2025-10-15T16:21:45.0933333+00:00

How long does the access token last? Is it permanent? I’m able to use the refresh token, but for how long will it remain valid before I need to log in through the browser again? My system needs to automatically retrieve reports from Microsoft Advertising so I can build a dashboard with charts.
felipy c 0 Reputation points

2025-10-15T16:22:24.31+00:00

How long does the access token last? Is it permanent? I’m able to use the refresh token, but for how long will it remain valid before I need to log in through the browser again? My system needs to automatically retrieve reports from Microsoft Advertising so I can build a dashboard with charts.

1 answer

Your answer

felipy c 0 Reputation points

2025-10-15T16:11:52.9566667+00:00

And how do I get the developer token approved? Doesn’t the universal token replace the developer token? DeveloperToken • It must be explicitly approved for use in the sandbox 'BBD37VB98'.

Thanks for the initial response — where can I check the inbox that has your private message?
felipy c 0 Reputation points

2025-10-15T16:21:45.0933333+00:00

How long does the access token last? Is it permanent? I’m able to use the refresh token, but for how long will it remain valid before I need to log in through the browser again? My system needs to automatically retrieve reports from Microsoft Advertising so I can build a dashboard with charts.
felipy c 0 Reputation points

2025-10-15T16:22:24.31+00:00

How long does the access token last? Is it permanent? I’m able to use the refresh token, but for how long will it remain valid before I need to log in through the browser again? My system needs to automatically retrieve reports from Microsoft Advertising so I can build a dashboard with charts.

Answer 1

MS Advertising - John Mark 150 Microsoft External Staff Moderator

Hi Felipy c,

Thank you for reaching out to the Microsoft Advertising Learn Q&A Platform!

It looks like you're running into the "Error 105 (InvalidCredentials)" while trying to pull Microsoft Advertising reports using OAuth 2.0 client credentials on the sandbox environment

When you see the error:

"Code": 105,
"Message": "Authentication failed. Either supplied credentials are invalid or the account is inactive",
"ErrorCode": "InvalidCredentials"

In the sandbox environment, it almost always boils down to one of two root causes:

Sandbox-Specific Credentials Mismatch DeveloperToken • Must be explicitly approved for sandbox use (production tokens won’t work).

CustomerId (CID) & CustomerAccountId (AID) • Sandbox has its own set of CIDs/AIDs—production IDs will be rejected.

Account Activation • Ensure your sandbox account is active and that the user who granted consent actually has access to those sandbox IDs.

Unsupported Client Credentials Flow The Reporting v13 REST endpoints do not accept the OAuth 2.0 client_credentials grant.

These APIs require a user context, so you must use the authorization_code flow with the offline_access scope.

Interactive sign-in once will yield a refresh token; exchange that for new access tokens on your schedule.

Client Credentials Flow Support Client credentials (app-only) are not supported for Microsoft Advertising Reporting v13. These endpoints require a user context obtained via a delegated flow. Code 105 often indicates an invalid or missing user credential. Handling Service Errors and Exceptions

Sandbox vs. Production Credentials Customer IDs (CID/AID) and DeveloperTokens are environment-specific. Sandbox accounts require a DeveloperToken explicitly enabled for sandbox use. Mixing production tokens with sandbox IDs will trigger Error 105 (InvalidCredentials)

More information on these resources: Microsoft Advertising Sandbox Bing Ads API Web Service Addresses

I hope the information provided here will at least partly answer your question. For us to make sure that we are able to address the issue, I'll be sending a private message on your inbox, please check your private message for further assistance.

Our support teams are happy to discuss your account in more detail via phone, chat or email to provide review assistance, please see our support page to reach out!

Kind regards,

John | Microsoft Advertising Support Specialist | 1-800-518-5689

felipy c 0 Reputation points

2025-10-15T16:12:04.31+00:00

And how do I get the developer token approved? Doesn’t the universal token replace the developer token? DeveloperToken • It must be explicitly approved for use in the sandbox 'BBD37VB98'.

Thanks for the initial response — where can I check the inbox that has your private message?
felipy c 0 Reputation points

2025-10-15T16:21:55.3333333+00:00

How long does the access token last? Is it permanent? I’m able to use the refresh token, but for how long will it remain valid before I need to log in through the browser again? My system needs to automatically retrieve reports from Microsoft Advertising so I can build a dashboard with charts.
MS Advertising - John Mark 150 Reputation points Microsoft External Staff Moderator

2025-10-15T19:47:08.28+00:00
Hi felipy

Good day!

Please see below information about your follow up questions, I hope that it would be helpful

1.How do I get the developer token approved?

Apply for sandbox access

Sign in to your Microsoft Advertising account at https://ads.microsoft.com

In the top-right menu, go to Tools & Settings → Setup → Developer settings.

Under Developer token, click Request sandbox.

Fill out the brief form (reason for testing, etc.). Microsoft will toggle sandbox on for your token—this can take up to 24 hours.

If you don't have the option reach out to Microsoft Advertising Support and request sandbox access for your DeveloperToken.

Mention that you’re building or testing an API integration and need sandbox-specific CID/AID credentials.

Doesn’t the universal token replace the developer token? DeveloperToken • It must be explicitly approved for use in the sandbox 'BBD37VB98'.

No, the Universal Access Token Does Not Replace the DeveloperToken

Even though Microsoft Advertising now uses OAuth 2.0 access tokens (sometimes called "universal tokens") for authentication, the DeveloperToken is still required for all API calls — including in the sandbox.

Why You Still Need a DeveloperToken

The access token (OAuth 2.0) proves the identity and consent of the user or app.

The DeveloperToken identifies the application or developer making the request and is used for:

Rate limiting

Access control

Sandbox vs. production routing

Partner attribution

So even with a valid access token, if your DeveloperToken is not:

Enabled for sandbox, or

Linked to the correct environment (sandbox vs. production)

…you’ll get errors like Code 105 (InvalidCredentials).

2.How long does the access token last? Is it permanent? I’m able to use the refresh token, but for how long will it remain valid before I need to log in through the browser again? My system needs to automatically retrieve reports from Microsoft Advertising so I can build a dashboard with charts.

The default lifetime of an access token is variable. When issued, the Microsoft identity platform assigns a random value ranging between 60-90 minutes (75 minutes on average) as the default lifetime of an access token.

More information on this resource below:

https://free.blessedness.top/en-us/entra/identity-platform/access-tokens

https://free.blessedness.top/en-us/entra/identity-platform/refresh-tokens

Our support teams are happy to discuss your account in more detail via phone, chat or email to provide review assistance, please see our support page to reach out!

Kind regards,

John | Microsoft Advertising Support Specialist | 1-800-518-5689
felipy c 0 Reputation points

2025-10-15T21:54:52.9366667+00:00

Hello, I managed to implement the auth 2.0 authorization code, I tested it as tokens in production and in sandbox, but I have this error:

{"success": false,"message": "SubmitGenerateReport failed: {"Errors":[{"Code":105,"Message":"Authentication failed. The provided credentials are invalid or the account is inactive","Detail":null,"ErrorCode":"InvalidCredentials"}],"TrackingId":"f67bdf79-f0f0-4f8a-bc08-4961439848f3","Type":"AdApiFaultDetail"}"}

I can log in, generate the access_token, but when I call the report it says it is invalid.
felipy c 0 Reputation points

2025-10-15T21:56:09.01+00:00

I contacted support and they said my production and sandbox tokens are working, maybe I'm missing some specific permission in the azure app, credentials or header.
MS Advertising - John Mark 150 Reputation points Microsoft External Staff Moderator

2025-10-16T14:45:05.3966667+00:00
Hi felipy

I would suggest try revisiting the initial setup as you might be missing some steps

Here’s a step-by-step guide to building a server-to-server (daemon / machine-to-machine) integration for pulling Microsoft Advertising reports via the Reporting API v13 (REST) — including sandbox setup, authentication, and report retrieval.

Step 1: Register Your Application https://free.blessedness.top/en-us/advertising/guides/authentication-oauth-register?view=bingads-13

You must register your app in Microsoft Entra ID (Azure AD) to obtain credentials.

1.Go to Azure Portal

2.Navigate to Microsoft Entra ID → App registrations

3.Click: New registration

Name: e.g., MyAdReportingDaemon

Redirect URI: Required for initial authorization (can be http://localhost)

4.After registration, note:

Application (client) ID

Directory (tenant) ID

Step 2: Configure API Permissions

In your app registration, go to API permissions

Click Add a permission → APIs my organization uses

Search for Microsoft Advertising API

Add delegated permissions: msads.manage offline_access

Click Grant admin consent (if available)

Step 3: Create a Client Secret

Go to Certificates & secrets

Click New client secret

Save the generated secret securely — you’ll need it to exchange tokens

Step 4: Request Sandbox Access

If testing in sandbox:

Contact Microsoft Advertising Support

Request sandbox enablement for your DeveloperToken

Ask for sandbox-specific CustomerId (CID) and AccountId (AID)

Step 5: Perform Authorization Code Flow

This is required to obtain a refresh token for your daemon.

1.Redirect user to:

https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize? client_id={client_id} &response_type=code &redirect_uri={redirect_uri} &scope=https://ads.microsoft.com/msads.manage offline_access

2.After user signs in, capture the code from the redirect

3.Exchange code for tokens:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token Content-Type: application/x-www-form-urlencoded client_id={client_id} client_secret={client_secret} grant_type=authorization_code code={authorization_code} redirect_uri={redirect_uri}

Save:

access_token (valid for 1 hour)

refresh_token (long-lived)

Step 6: Refresh Access Token on Schedule

Use the refresh token to get new access tokens without user interaction:

POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token client_id={client_id} client_secret={client_secret} grant_type=refresh_token refresh_token={refresh_token} scope=https://ads.microsoft.com/msads.manage offline_access

Step 7: Submit Report Request

Use the Reporting API v13 endpoint:

POST https://reporting.api.bingads.microsoft.com/Reporting/v13/GenerateReport/Submit

Headers:

Authorization: Bearer {access_token} DeveloperToken: {your_developer_token} CustomerId: {CID} CustomerAccountId: {AID} Content-Type: application/json

Body:

{ "ReportRequest": { "Type": "AdPerformanceReportRequest", "ReportName": "Ad Perf (7d)", "Format": "Csv", "FormatVersion": "2.0", "ReturnOnlyCompleteData": false, "Aggregation": "Daily", "Columns": [ "TimePeriod", "CampaignId", "CampaignName", "AdId", "Title", "Impressions", "Clicks", "Spend" ], "Scope": { "AccountIds": [12345678] }, "Time": { "CustomDateRangeStart": { "Year": 2025, "Month": 10, "Day": 6 }, "CustomDateRangeEnd": { "Year": 2025, "Month": 10, "Day": 12 }, "ReportTimeZone": "SaoPaulo" } } }

Step 8: Poll for Report Completion

Use the GetReportStatus endpoint with the returned ReportRequestId. Once ready, download the report using DownloadReport.

Final Notes

Client credentials flow is NOT supported — you must use delegated user tokens.

Sandbox and production credentials are NOT interchangeable

Always decode your token at jwt.ms to verify aud and scp claims

Issue and troubleshooting: What Error 105 means?

{ "Code": 105, "Message": "Authentication failed. The provided credentials are invalid or the account is inactive", "ErrorCode": "InvalidCredentials" }

This error occurs when:

The access token is invalid or missing required claims

The DeveloperToken is not enabled for the environment (sandbox vs production)

The CustomerId (CID) or AccountId (AID) is incorrect or inactive

You're using the wrong authentication flow (e.g., client_credentials instead of authorization_code)

✅ Fix Checklist

1.Use the Correct OAuth Flow

Only the authorization_code flow is supported for Reporting API v13

You must use a user-delegated token with scopes:

https://ads.microsoft.com/msads.manage

offline_access

2.Verify Access Token Claims

Decode your token at jwt.ms

Confirm:

aud = https://ads.microsoft.com

scp includes msads.manage

Token is not expired

3.Use the Right DeveloperToken

Must be approved for sandbox if you're using sandbox endpoints

Production tokens will not work in sandbox

Contact Microsoft Advertising Support to confirm

4.Use Sandbox-Specific CID and AID

Production CustomerId and AccountId will not work in sandbox

Retrieve sandbox IDs using:

GetCustomersInfo

GetAccountsInfo

Ensure the account is active

5.Correct Headers in API Call

Authorization: Bearer {access_token} DeveloperToken: {sandbox_or_production_token} CustomerId: {sandbox_or_production_CID} CustomerAccountId: {sandbox_or_production_AID} Content-Type: application/json

6.Check Account Status

Use GetAccountsInfo to confirm the account is active

Inactive or disabled accounts will trigger Error 105

🧪 Common Pitfalls

Using client_credentials flow (not supported)

Mixing production and sandbox credentials

Missing msads.manage scope

Using expired or malformed access tokens

I hope this helps, if you’ve confirmed all of the above and still get Error 105, submit a ticket request to support for further assistance

Kind regards,

John | Microsoft Advertising Support Specialist | 1-800-518-5689
felipy c 0 Reputation points

2025-10-16T16:30:12.01+00:00
I'm looking for this Microsoft Advertising API option, but it doesn't appear for me. Do you know how I can display it?**

"Personal information deleted by the moderator."

Step 2: Configure API Permissions**

In your app registration, go to API permissions

Click Add a permission → APIs my organization uses

Search for Microsoft Advertising API

Add delegated permissions: msads.manage offline_access

Click Grant admin consent (if available)
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
MS Advertising - John Mark 150 Reputation points Microsoft External Staff Moderator

2025-10-16T17:29:50.5566667+00:00

Hi felipy

Please don't display any personal identifiable information on public post you may respond to private message or contact support for account specific concerns.

Our support teams are happy to discuss your account in more detail via phone, chat or email to provide review assistance, please see our support page to reach out!

Kind regards,

John | Microsoft Advertising Support Specialist | 1-800-518-5689

Share via

[Reporting API v13] Error 105 (InvalidCredentials) when using OAuth 2.0 client credentials (daemon / server-to-server)

[Reporting API v13] Error 105 (InvalidCredentials) when using OAuth 2.0 client credentials (daemon / server-to-server)

Summary

Environment

Authentication (token) — client credentials

Report call — GenerateReport/Submit (sandbox)

What I have already checked

Specific questions for Microsoft / community

References

Thanks!

1 answer

Your answer