The “Unauthorized Request” error in Power Automate occurs when a flow action or trigger is unauthorized, usually due to missing or invalid OAuth tokens, API keys, or user authentication issues.
Error Message:
"Unauthorized request – Flow action or trigger is unauthorized, often due to missing OAuth tokens."
This error can prevent a flow from executing successfully. It typically arises when:
- The user’s authentication token has expired.
- The flow lacks permissions to access a connected service.
- The connection to a data source is invalid or requires re-authentication.
- The OAuth consent or API key is missing for an external service.
2. Common Causes and Fixes
| Cause | Description | Fix |
|---|---|---|
| Expired OAuth Token | The flow’s authentication token expired, preventing access to the service. | Reauthenticate the connection in Power Automate > Data > Connections. |
| Invalid or Expired API Key | API requests fail due to an invalid or expired API key. | Update the API key in the custom connector or request a new one. |
| User Not Authorized to Access Service | The user lacks permissions to access a specific API or data source. | Ensure the user has correct roles or permissions in the connected service. |
| Connector Requires Admin Approval | Some services (e.g., Azure AD, SQL, Salesforce) require admin approval. | Ask an admin to approve the connector in the Microsoft Admin Center. |
| Incorrect OAuth Scopes | The flow lacks the correct permissions (scopes) for an API. | Verify the OAuth scopes in API settings and ensure read/write permissions are granted. |
| DLP Policy Restriction | Organization policies block unauthorized access to external services. | Check DLP policies in Power Automate Admin Center and request updates if needed. |
| Service Account Password Changed | The account used for authentication has a new password, invalidating the token. | Reauthenticate the connection with the updated credentials. |
3. Step-by-Step Troubleshooting Guide
Step 1: Reauthenticate the Connection
If the error is due to an expired OAuth token, reauthenticating the connection should resolve it.
Steps to fix:
- Open Power Automate.
- Go to Data → Connections.
- Locate the affected service (e.g., SharePoint, Dataverse, SQL Server).
- If it shows “Needs Reauthentication”, click Fix Connection and re-enter your credentials.
- Save and test the flow again.
Example Fix:
- If a SharePoint connection expired, re-enter your Microsoft 365 credentials.
Step 2: Verify API Key or OAuth Consent for Custom Connectors
For flows using custom APIs, the issue might be an expired API key or missing OAuth consent.
Steps to check:
- Open Power Automate → Custom Connectors.
- Select the affected API connection.
- Check whether the API key or OAuth token is still valid.
- If expired, update with a new API key or re-authenticate the OAuth connection.
Example Fix:
- If a Salesforce API key expired, generate a new key and update the connector settings.
Step 3: Check User Permissions for the Connected Service
Some flows require specific user roles or permissions to access a service.
Steps to fix:
- Identify the service that the flow is trying to access (e.g., SharePoint, Dataverse, SQL).
- Check the user’s role in the service (Admin, Contributor, Read-only).
- If needed, request access from an administrator.
Example Fix:
- If a flow updates Dataverse records, ensure the user has the Dataverse Maker role.
Step 4: Ensure the Connector is Approved by an Admin
Some connectors require administrator approval before they can be used in flows.
Steps to check:
- Open Power Automate → Data → Connections.
- Look for “Admin Approval Required” messages.
- Contact an IT administrator to approve the connector in Microsoft Admin Center.
Example Fix:
- If a SQL Server Connector is blocked, request Azure AD admin approval.
Step 5: Verify OAuth Scopes in API Permissions
If the flow interacts with external APIs, it must have the correct OAuth scopes.
Steps to check:
- Open the API documentation for the service.
- Verify that the flow has read/write permissions.
- If the scope is missing, update the OAuth token settings and reauthenticate.
Example Fix:
- If a Microsoft Graph API request fails, ensure it has User.Read and Mail.Send permissions.
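The expiry check from Step 1 and the scope check above can be run against a token's claims directly. This is an added example, not Power Automate or Microsoft code; it assumes you can obtain a JWT access token for the same app registration outside the flow, and the helper names and sample token are constructed for illustration.

```python
import base64
import json
import time


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature.
    Diagnostic use only: never base authorization decisions on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def diagnose(token: str, required: set, now: float = None) -> list:
    """Return findings that explain why the API may reject this token."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim")
    elif exp <= now:
        findings.append("token expired: reauthenticate the connection")
    # Delegated tokens list scopes space-separated in "scp";
    # app-only tokens carry application permissions in a "roles" list.
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    missing = sorted(required - granted)
    if missing:
        findings.append("missing scopes: " + ", ".join(missing))
    return findings


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64(claims), "sig"])


if __name__ == "__main__":
    # Constructed sample: expired one hour ago and granted only User.Read.
    sample = make_sample_token({"exp": 1700000000, "scp": "User.Read"})
    for finding in diagnose(sample, {"User.Read", "Mail.Send"}, now=1700003600):
        print(finding)
```

Treat a real access token as a credential while doing this: inspect it locally and do not paste it into tickets, chat, or online decoders.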
Step 6: Check Data Loss Prevention (DLP) Policies
Some DLP policies restrict unauthorized access to services.
Steps to check:
- Open Power Automate Admin Center.
- Navigate to Data Policies.
- Check if the affected connector or action is blocked.
- If needed, ask an admin to update the DLP policy.
Example Fix:
- If a Dropbox action is blocked, ask the admin to allow it in the “Business” category.
Step 7: Reset the Service Account Password
If the flow runs under a service account and its password was recently changed, the authentication token may be invalid.
Steps to fix:
- Identify the service account used in the connection.
- Update the password in Azure AD or Microsoft 365 Admin Center.
- Reauthenticate the connection in Power Automate.
Example Fix:
- If a Power Automate flow fails after a password change, re-enter the new password.
