Reputation: 278
I created a flow in Power Automate that triggers when any SharePoint list item is added or modified, but sometimes it gives me an Unauthorized error and the flow is not triggered successfully. I got the error below from "Flow Checker" in Power Automate.
Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and sharepointonline is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthorized, Message: 'Failed to refresh access token for service: sharepointonlinecertificatev2. Correlation Id=b432bd04-0487-4654-ad92-5bf4fc02968a, UTC TimeStamp=5/13/2021 4:45:42 PM, Error: Failed to acquire token from AAD: {"error":"invalid_grant","error_description":"AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-05-12T06:23:56.0000000Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-05-12T22:00:06.0000000Z'.\r\nTrace ID: 271904ff-f200-4ab3-8cd3-e86d01532400\r\nCorrelation ID: e92855d2-cc58-42f1-9685-b152d0011481\r\nTimestamp: 2021-05-13 16:45:42Z","error_codes":[50173],"timestamp":"2021-05-13 16:45:42Z","trace_id":"271904ff-f200-4ab3-8cd3-e86d01532400","correlation_id":"e92855d2-cc58-42f1-9685-b152d0011481","error_uri":"https://login.windows.net/error?code=50173"}']
Upvotes: 0
Views: 19887
Reputation: 15
My scenario:
I have deployed the SPO connector using Bicep IaaC, then I authenticated the API connector to SPO.
I initially used managed identity and it was not working, then I set it up with both Managed and System Assigned Identity. Then I gave it some time to sit and voilà, it all started working perfectly.
I had the below error:
{
  "statusCode": 401,
  "headers": {
    "x-ms-failure-cause": "apihub-token-exchange",
    "x-ms-apihub-obo": "false",
    "x-ms-apihub-cached-response": "true",
    "Date": "Mon, 25 Nov 2024 22:45:30 GMT",
    "Content-Length": "483",
    "Content-Type": "application/json"
  },
  "body": {
    "status": 401,
    "source": "https://logic-apis-australiasoutheast.token.azure-apim.net:443/tokens/logic-apis-australiasoutheast/132431/sharepointonline/234234/exchange",
    "message": "Error from token exchange: Runtime call was blocked because connection has error status: Enabled| Error, and sharepointonline is in the block list. Connection errors: [ParameterName: token, Error: Code: Unauthenticated, Message: 'This connection is not authenticated.']"
  }
}
My Bicep code:
/*
------------------------------------------------
Connectors
------------------------------------------------
*/
// Suppress warning BCP081: Resource type does not have types available
#disable-next-line BCP081
resource spoConnector 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: spoConnectorName
  location: location
  kind: 'V2'
  properties: {
    displayName: spoConnectorName
    api: {
      name: 'sharepointonline'
      displayName: 'SharePoint'
      description: 'SharePoint Online Connector'
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'sharepointonline')
      type: 'Microsoft.Web/locations/managedApis'
    }
  }
}

/*
------------------------------------------------
SPO Connector Access Policy
------------------------------------------------
*/
// Suppress warning BCP081: Resource type does not have types available
// Access policy for Managed Identity
#disable-next-line BCP081
resource lacMidAccessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  name: 'lacaccesspolicy-managedIdentity-${managedIdentity.name}'
  location: location
  parent: spoConnector
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        objectId: managedIdentity.properties.principalId
        tenantId: tenant().tenantId
      }
    }
  }
}

// Access policy for SystemAssigned Identity of the Logic App
#disable-next-line BCP081
resource lacSysAssignedAccessPolicy 'Microsoft.Web/connections/accessPolicies@2016-06-01' = {
  name: 'lacaccesspolicy-systemAssigned-${logicApp.name}'
  location: location
  parent: spoConnector
  properties: {
    principal: {
      type: 'ActiveDirectory'
      identity: {
        objectId: logicApp.identity.principalId
        tenantId: tenant().tenantId
      }
    }
  }
}
Logic app connections (JSON):
{
  "managedApiConnections": {
    "sharepointonline": {
      "api": {
        "id": "/subscriptions/@{appsetting('WORKFLOWS_SUBSCRIPTION_ID')}/providers/Microsoft.Web/locations/@{appsetting('WORKFLOWS_LOCATION_NAME')}/managedApis/sharepointonline"
      },
      "authentication": {
        "type": "ManagedServiceIdentity"
      },
      "connection": {
        "id": "/subscriptions/@{appsetting('WORKFLOWS_SUBSCRIPTION_ID')}/resourceGroups/@{appsetting('WORKFLOWS_RESOURCE_GROUP_NAME')}/providers/Microsoft.Web/connections/@{appsetting('SPOConnectionname')}"
      },
      "connectionRuntimeUrl": "@appsetting('SPOConnectionRuntimeUrl')"
    }
  }
}
Upvotes: 0
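Added example, not part of either post: a small Python triage helper that parses the two connector error messages quoted above and separates the revoked-grant case (AADSTS50173, grant issued before the TokensValidFrom date) from a connection that reports it is not authenticated. The function name `triage`, the verdict labels and the trimmed sample strings are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the two connector errors quoted in the posts, trimmed.
REVOKED = (
    "Runtime call was blocked because connection has error status: Enabled| Error, "
    "and sharepointonline is in the block list. Connection errors: [ParameterName: "
    "token, Error: Code: Unauthorized, Message: 'Failed to refresh access token ... "
    "AADSTS50173: The provided grant has expired due to it being revoked, a fresh "
    "auth token is needed. The grant was issued on '2021-05-12T06:23:56.0000000Z' "
    "and the TokensValidFrom date (before which tokens are not valid) for this "
    "user is '2021-05-12T22:00:06.0000000Z'.']"
)
NOT_AUTHENTICATED = (
    "Runtime call was blocked because connection has error status: Enabled| Error, "
    "and sharepointonline is in the block list. Connection errors: [ParameterName: "
    "token, Error: Code: Unauthenticated, Message: 'This connection is not "
    "authenticated.']"
)
TS = r"'(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?Z'"  # 7 fractional digits in AAD output

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _find(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None

def triage(message):
    """Classify a token-exchange error and keep the evidence behind the verdict."""
    result = {
        "connector": _find(r"and (\w+) is in the block list", message),
        "code": _find(r"Error: Code: (\w+)", message),
        "aadsts": _find(r"AADSTS(\d+)", message),
        "verdict": "unknown",
    }
    issued = _find(r"grant was issued on " + TS, message)
    valid_from = _find(r"for this user is " + TS, message)
    if result["aadsts"] == "50173" and issued and valid_from:
        # Grant issued before TokensValidFrom: the stored grant was revoked
        # (the error text mentions a password change), so a fresh sign-in is needed.
        hours = (_utc(valid_from) - _utc(issued)).total_seconds() / 3600
        result["stale_hours"] = hours
        result["verdict"] = "grant-revoked" if hours > 0 else "unknown"
    elif result["code"] == "Unauthenticated":
        # The connection holds no usable credential at all.
        result["verdict"] = "connection-not-authenticated"
    return result
```

Running `triage` over exported run-history messages groups failures by cause, so connections that need a new sign-in are not mixed up with ones that were never authenticated.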