REST API authentication fails when posting journal entries through RPA connector

We’re experiencing 401 Unauthorized errors when our RPA bot attempts to post journal entries via REST API to our financial system. The authentication works fine in Postman with the same credentials, but fails consistently through Power Automate.

The OAuth2 token validation seems to be the issue - we’ve configured the scope as api://finance-system/.default but I’m wondering if multi-tenant token validation requires additional configuration. Our API gateway setup might also need adjustment since we recently moved to a production environment.

Error response:

HTTP 401 Unauthorized
{"error":"invalid_token","error_description":"Token validation failed"}

Has anyone dealt with OAuth2 scope configuration for cross-tenant API calls in Power Platform? The financial sync failures are blocking our month-end close process.

I’ve seen this exact issue before. The problem is usually that Postman uses a different OAuth flow than Power Automate’s HTTP connector. When you authenticate in Postman, you’re likely using authorization code flow, but Power Automate might be using client credentials flow. Check your connector authentication settings - you may need to switch to a different authentication type or configure a custom connector with explicit OAuth settings.

Also verify that your API gateway has the correct CORS and authentication policies configured. In our setup, we had to explicitly whitelist the Power Platform service endpoints in the API Management inbound policy. The token validation middleware needs to be configured to accept tokens from both your Azure AD tenant and the Power Platform service principal. Without proper gateway configuration, even valid tokens get rejected at the API gateway level before reaching your backend service.

I’ve resolved this exact scenario multiple times. Your issue stems from three configuration gaps that need to be addressed systematically:

OAuth2 Scope Configuration: The scope api://finance-system/.default is correct for app-only access, but you need to ensure your Azure AD app registration exposes this API with proper roles defined. In your app registration, go to “Expose an API” and verify that you have application roles (not delegated permissions) defined. Then in the client app registration (the one Power Automate uses), grant these application permissions under “API Permissions” with admin consent.

Multi-Tenant Token Validation: Your API needs to validate tokens from the Power Platform service principal. Update your token validation logic:

// Accepted token issuers for multi-tenant (Microsoft.IdentityModel TokenValidationParameters)
var tokenValidation = new TokenValidationParameters
{
    ValidIssuers = new[]
    {
        "https://sts.windows.net/{your-tenant-id}/",              // issuer of v1.0 access tokens
        "https://login.microsoftonline.com/{your-tenant-id}/v2.0" // issuer of v2.0 access tokens
    },
    // v1.0 tokens carry the App ID URI in aud; v2.0 tokens carry the API's client ID
    ValidAudiences = new[] { "api://finance-system", "{api-app-client-id}" }
};

API Gateway Setup: Configure your API Management inbound policy to accept tokens from Power Platform. Add this to your API policy:

<validate-jwt header-name="Authorization">
  <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
  <audiences>
    <audience>api://finance-system</audience>
  </audiences>
  <issuers>
    <issuer>https://sts.windows.net/{tenant-id}/</issuer>
  </issuers>
</validate-jwt>

Power Automate Configuration: In your HTTP action, use authentication type “Active Directory OAuth” with:

  • Authority: `https://login.microsoftonline.com`
  • Tenant: Your tenant ID
  • Audience: `api://finance-system`
  • Client ID: Your app registration client ID
  • Credential Type: Secret
  • Secret: Your client secret

The key difference from Postman is that Power Automate’s OAuth implementation requires explicit audience specification and uses the client credentials flow by default. Make sure all three components (OAuth scopes, token validation, and gateway policies) are aligned with this flow. After making these changes, test the connection - you should see successful 200 responses with proper journal entry creation in your financial system.
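Added example (not from this thread or any of its posters): a small Python script that requests a token the way the HTTP action's "Active Directory OAuth" setting does (client credentials, scope `api://finance-system/.default`) and then decodes the resulting JWT to report exactly which claim a validator would reject. This is what you want to run when the only feedback is "Token validation failed": it shows whether the token is v1.0 or v2.0 (which changes both `iss` and `aud`), whether `aud` is the App ID URI or the API's client ID, and whether the `roles` claim is present at all. The tenant and client IDs, the secret, the API client ID and the role name `JournalEntry.Write` are placeholders I made up; the sample token is constructed inline (unsigned) so the diagnosis runs offline. Whether Power Automate hits the v1 or v2 token endpoint is not something this thread establishes, so the diagnosis handles both.

```python
"""Diagnose why an API rejects an app-only token obtained via client credentials.

Added example; all GUIDs, the secret and the role name below are assumptions.
"""
import base64
import json
import urllib.parse
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"      # assumption: your Azure AD tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # assumption: the bot's app registration
CLIENT_SECRET = "<client-secret>"                       # assumption
API_APP_ID_URI = "api://finance-system"                 # from the thread
API_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # assumption: the API's app registration


def fetch_client_credentials_token(tenant_id, client_id, client_secret, app_id_uri):
    """Client-credentials grant against the v2.0 token endpoint (network call, not run offline).

    The HTTP action's 'Active Directory OAuth' + Secret setting performs the same grant;
    which endpoint version it uses is not established here, hence the version-aware checks below.
    """
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{app_id_uri}/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Decode header and payload WITHOUT verifying the signature (inspection only)."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def expected_issuer(tenant_id, payload):
    """v1.0 tokens are issued by sts.windows.net; v2.0 tokens by login.microsoftonline.com/<tid>/v2.0."""
    if payload.get("ver") == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    return f"https://sts.windows.net/{tenant_id}/"


def diagnose(token, tenant_id, valid_audiences, valid_issuers):
    """Return the reasons a validator configured with valid_audiences/valid_issuers rejects the token.

    An empty list means aud, iss, tid and roles would all pass.
    """
    _header, payload = decode_claims(token)
    problems = []
    aud, iss, ver = payload.get("aud"), payload.get("iss"), payload.get("ver")
    if aud not in valid_audiences:
        problems.append(f"aud {aud!r} (ver {ver}) not in ValidAudiences {sorted(valid_audiences)}")
    if iss not in valid_issuers:
        problems.append(f"iss {iss!r} not in ValidIssuers {sorted(valid_issuers)}; "
                        f"a ver {ver} token from this tenant is issued by {expected_issuer(tenant_id, payload)!r}")
    if payload.get("tid") != tenant_id:
        problems.append(f"tid {payload.get('tid')!r} is not the expected tenant {tenant_id!r}")
    if not payload.get("roles"):
        problems.append("no 'roles' claim: no application permission on the API was granted/consented")
    return problems


def make_unsigned_token(payload):
    """Constructed sample token for offline demonstration; the signature is a placeholder."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}.placeholder-signature"


# Constructed v2.0 app-only token: note aud is the API's client ID GUID, not the App ID URI.
SAMPLE_V2_TOKEN = make_unsigned_token({
    "aud": API_CLIENT_ID,
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "ver": "2.0",
    "roles": ["JournalEntry.Write"],  # assumption: an app role exposed by the API
})

# Validator settings that only know about v1.0 tokens, as in the snippet above.
V1_ONLY_AUDIENCES = {API_APP_ID_URI}
V1_ONLY_ISSUERS = {f"https://sts.windows.net/{TENANT_ID}/"}

if __name__ == "__main__":
    for problem in diagnose(SAMPLE_V2_TOKEN, TENANT_ID, V1_ONLY_AUDIENCES, V1_ONLY_ISSUERS):
        print("REJECT:", problem)
```

Run it against a real token by swapping `SAMPLE_V2_TOKEN` for the result of `fetch_client_credentials_token(...)`; the two printed `REJECT` lines for the constructed token (wrong `aud`, wrong `iss`) disappear once `ValidAudiences` also lists the API's client ID and `ValidIssuers` also lists the `/v2.0` issuer, which is the mismatch a v1-only validator or gateway policy produces for a v2.0 token.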

Quick question - are you using a service account for the RPA connection or user delegation? We had similar issues and it turned out our service account didn’t have the right delegated permissions in Azure AD.

Sara, that’s a good point about the gateway policies. I’ll check with our API team on the inbound policy configuration. We might be missing the Power Platform service principal in the allowed list.

The scope configuration looks suspicious. For multi-tenant scenarios, you need to ensure the API gateway is properly configured to accept tokens from your Azure AD tenant. Check if your app registration has the correct redirect URIs and API permissions granted with admin consent.

Thanks Mike. I verified the app registration and all permissions show as granted. The redirect URI is set to https://global.consent.azure-apim.net/redirect for Power Automate. Still getting the same 401 error though. Could this be related to token audience validation?