Request Power Automate flow with OAuth from SPFx: AADSTS65002: Consent between first party application and first party resource must be configured via preauthorization #10286

Open
vlad-nvs opened this issue May 26, 2025 · 5 comments
Labels
area:auth Category: Authentication (Azure AD / etc) area:powerautomate Category: Power Automate / Flow sharepoint-developer-support sharepoint-developer-support type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs. type:uservoice-request Enhancements & feature requests should be posted: http://aka.ms/sp-dev-uservoice

Comments

@vlad-nvs

Target SharePoint environment

SharePoint Online

What SharePoint development model, framework, SDK or API is this about?

💥 SharePoint Framework

Developer environment

None

What browser(s) / client(s) have you tested

  • 💥 Internet Explorer
  • 💥 Microsoft Edge
  • 💥 Google Chrome
  • 💥 FireFox
  • 💥 Safari
  • mobile (iOS/iPadOS)
  • mobile (Android)
  • not applicable
  • other (enter in the "Additional environment details" area below)

Additional environment details

  • SPFx version 1.18.2
  • Node version 18.17.1

Describe the bug / error

We have a Power Automate flow with an HTTP trigger, and the option 'Who can trigger the flow' is set to 'Any user in my tenant'.
If we try to call the flow via its URL, we need to pass an Authorization header with a valid token.
We used aadTokenProviderFactory.getTokenProvider and provider.getToken("https://service.flow.microsoft.com/", true), but it throws the following error:

Image

AADSTS65002: Consent between first party application and first party resource must be configured via preauthorization

Steps to reproduce

  1. Create an SPFx application
  2. Add Power Automate -> User permissions for the SharePoint Online Client Extensibility Web Application Principal
  3. Use the SPFx context to get a token provider, e.g. context.aadTokenProviderFactory.getTokenProvider().then((provider) => { ... })
  4. Use the getToken method from the provider with the URL https://service.flow.microsoft.com/, e.g. context.aadTokenProviderFactory.getTokenProvider().then((provider) => { provider.getToken("https://service.flow.microsoft.com/", true).then((token) => { ... }) })
  5. As a result, an error occurred: AADSTS65002: Consent between first party application and first party resource must be configured via preauthorization

Expected behavior

We need a way to get a token to call Power Automate from SPFx. I think using aadTokenProviderFactory is the correct way, but it's not working.

How can we get a token to call a Power Automate flow with OAuth from SPFx?

@vlad-nvs vlad-nvs added the type:bug-suspected Suspected bug (not working as designed/expected). See “type:bug-confirmed” for confirmed bugs. label May 26, 2025
@Ashlesha-MSFT

Hello @vlad-nvs
Thank you for bringing this issue to our attention. We will look into it and get back to you shortly.

@Ashlesha-MSFT Ashlesha-MSFT self-assigned this May 26, 2025
@Ashlesha-MSFT Ashlesha-MSFT added sharepoint-developer-support sharepoint-developer-support area:powerautomate Category: Power Automate / Flow area:auth Category: Authentication (Azure AD / etc) labels May 26, 2025
@Ashlesha-MSFT

@vlad-nvs,
Are you expecting something like the approach described here: Execute Power Automate Workflow from SPFx? That article uses a direct HTTP call to a flow with a trigger URL, which works well when anonymous or token-based access is allowed. Let me know if that's the kind of integration you're aiming for — happy to help validate or suggest improvements based on that.

@vlad-nvs

vlad-nvs commented May 27, 2025

Hi @Ashlesha-MSFT

Thanks for the article. I checked once again, and the approach described in the article does not work for HTTP triggers where the option 'Who can trigger the flow' is set to 'Any user in my tenant' or 'Specific users in my tenant'.

The article you mention is an old one. When you configure the flow, you can now choose who can trigger the flow. The URL changes when the user selects an option and saves the flow (check my screenshot).

Image

If I use the following code:

```typescript
context.httpClient.post(flowURL, HttpClient.configurations.v1, {
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(body)
}).then((response: HttpClientResponse) => {
  // ...
});
```

I get the following error:

Image

'The OAuth authorization scheme is required. Please add authentication scheme and try again.'

And this is predictable, because a POST call should contain an Authorization header in this case, but it's not possible to get a Bearer token to pass in the Authorization header. I tried aadTokenProviderFactory.getTokenProvider and even aadHttpClientFactory.getClient. For example:

```typescript
context.aadTokenProviderFactory.getTokenProvider().then((provider) => {
  provider.getToken("https://service.flow.microsoft.com/", true).then((token) => {
    context.httpClient.post(flowURL, HttpClient.configurations.v1, {
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': `Bearer ${token}`
      },
      body: JSON.stringify(body)
    }).then((response: HttpClientResponse) => {
      // ...
    });
  });
});
```

OR

```typescript
context.aadHttpClientFactory.getClient('7df0a125-d3be-4c96-aa54-591f83ff541c').then((client) => {
  client.post(flowURL, AadHttpClient.configurations.v1, {
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    },
    body: JSON.stringify(body)
  })
    .then((response: AadHttpClientResponse) => {
      // ...
    });
});
```

But in all cases, I get the error:
AADSTS65002: Consent between first party application and first party resource must be configured via preauthorization

I also trusted the API permissions:

Image

And it's not working either.

I also found a similar question on Microsoft, but without an answer:
https://learn.microsoft.com/en-us/answers/questions/2264725/aadsts65002-consent-between-first-party-applicatio?comment=question&translated=false#newest-question-comment

For me, it looks like a bug, and it's not possible to call a Power Automate flow from SPFx if its 'Who can trigger the flow' option is set to 'Any user in my tenant' or 'Specific users in my tenant'.

P.S. The 'Anyone' option for 'Who can trigger the flow' works without any issues, but that's not my case.

Hope it's clear.

Any ideas?
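Added example (not code from the issue, the SPFx SDK, or Power Automate): small helpers that classify the two failure points described in the post above, token acquisition failing with AADSTS65002 and the flow endpoint answering "The OAuth authorization scheme is required", so the two can be told apart in a web part's error handling and telemetry instead of surfacing as one generic failure. The SPFx calls themselves (provider.getToken, httpClient.post) are left out, and the `sig`-parameter check for 'Anyone' trigger URLs is an assumption, not something the thread states.

```typescript
// Added example: classifies the outcomes of the SPFx token request and the flow
// trigger POST using the exact messages quoted in the issue. Not SPFx SDK code.

export type FlowCallDiagnosis =
  | "success"
  | "token-preauthorization-missing" // Entra ID refused the token: AADSTS65002
  | "flow-requires-oauth"            // flow set to "Any/Specific user", no bearer sent
  | "token-rejected"                 // bearer was sent, flow still answered 401/403
  | "unexpected";

// Resource URI and error texts as they appear in the issue.
export const FLOW_RESOURCE = "https://service.flow.microsoft.com/";
const PREAUTH_ERROR_CODE = "AADSTS65002";
const OAUTH_REQUIRED_TEXT = "The OAuth authorization scheme is required";

/** Headers for the trigger POST; Authorization is set only when a token was obtained. */
export function buildFlowHeaders(token?: string): Record<string, string> {
  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    Accept: "application/json",
  };
  if (token) headers["Authorization"] = `Bearer ${token}`;
  return headers;
}

/** Classify the rejection thrown by provider.getToken(FLOW_RESOURCE, true). */
export function classifyTokenError(err: unknown): FlowCallDiagnosis {
  const message = err instanceof Error ? err.message : String(err);
  return message.includes(PREAUTH_ERROR_CODE) ? "token-preauthorization-missing" : "unexpected";
}

/** Classify the flow endpoint's response to the trigger POST. */
export function classifyFlowResponse(
  status: number, bodyText: string, tokenSent: boolean,
): FlowCallDiagnosis {
  if (status >= 200 && status < 300) return "success";
  if (!tokenSent && bodyText.includes(OAUTH_REQUIRED_TEXT)) return "flow-requires-oauth";
  if (tokenSent && (status === 401 || status === 403)) return "token-rejected";
  return "unexpected";
}

/**
 * Assumption (not stated in the issue): a trigger URL for a flow set to "Anyone" is
 * SAS-signed and carries a `sig` query parameter, so its presence means the URL
 * itself is the credential and must be handled as a secret, not embedded in client code.
 */
export function isAnonymousTriggerUrl(flowUrl: string): boolean {
  return new URL(flowUrl).searchParams.has("sig");
}
```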

@Ashlesha-MSFT

@vlad-nvs,
Thanks again for your detailed explanation.

We’ve seen that setting the flow’s “Who can trigger the flow” option to “Anyone” allows anonymous access and typically resolves the OAuth requirement. However, if it’s still not working even in that mode, we’d be happy to help further investigate the flow configuration or how the request is being made.

Image

That said, triggering flows with tenant-level authentication from SPFx directly (using aadTokenProviderFactory or aadHttpClientFactory) is currently not fully supported, due to AADSTS65002 errors caused by required preauthorization between first-party apps and the Power Automate service.

We understand this feels like a limitation, and we agree it would be beneficial to support this scenario. If this functionality is important for your use case, we recommend submitting a feature request or upvoting an existing one via the Microsoft Feedback Portal:
https://feedbackportal.microsoft.com/feedback/forum/06735c62-321c-ec11-b6e7-0022481f8472

@Ashlesha-MSFT Ashlesha-MSFT added the type:uservoice-request Enhancements & feature requests should be posted: http://aka.ms/sp-dev-uservoice label May 28, 2025
@vlad-nvs

vlad-nvs commented May 28, 2025

Hi @Ashlesha-MSFT

Yes, the 'Anyone' option for 'Who can trigger the flow' allows anonymous access, and the request from SPFx to the flow URL works as expected.

However, this limitation for the two other options is confusing, and I think this issue will arise again and again in the future for security reasons.

But anyway, thank you for the clarification.
