A 403 Forbidden error when trying to invoke a SCIM API from a Logic App, especially when the same request works via Graph Explorer, usually indicates an issue with permissions or the way the authentication is set up in the Logic App. Let's go through some steps to troubleshoot and resolve this issue:
1. Validate Managed Identity Permissions
- Assigning Roles: Ensure that the System Assigned Managed Identity of your Logic App has been granted sufficient permissions to access the SCIM API. This typically involves assigning the appropriate roles in Azure Active Directory or the specific service where the SCIM API is hosted.
- Scope of Permissions: Verify that the permissions are assigned at the correct scope (like the entire Azure AD or the specific application).
2. Check Application Registration
- App Registration for SCIM API: Make sure that the SCIM API is properly registered in Azure AD and has the necessary permissions to allow access from other applications.
- Expose an API: If you're using a custom SCIM API, ensure that it's properly exposed in the app registration and that the required scopes are defined.
3. Review Logic App Configuration
- Authentication Setup: Double-check the authentication configuration in the Logic App. Ensure that the managed identity is correctly selected and that there are no issues with the way the authentication is being passed in the API request.
- URL and Headers: Verify that the request URL and any necessary headers (like content type) are correctly configured in the Logic App.
4. Cross-Check with Graph Explorer
- Token Comparison: When testing with Graph Explorer, you're likely using a user token. Compare the permissions of this token with the permissions of the managed identity used in the Logic App. This can help identify any missing permissions.
5. Diagnose with Azure Monitor
- Logging and Monitoring: Use Azure Monitor and Logic App run history to trace the detailed error message or logs. This might provide more insights into what's causing the access denial.
6. Testing Managed Identity Access
- Direct Testing: As a test, you can assign the Logic App's managed identity to a user role that has confirmed access to the SCIM API and see if that resolves the issue. If it does, it's a matter of fine-tuning the permissions.
7. Network and Firewall Settings
- Network Restrictions: Check if there are any network restrictions or firewall settings that might be blocking the requests from the Logic App.
8. Contact Support
- Microsoft Support: If you're still facing issues, consider raising a support ticket with Microsoft Azure Support for more direct assistance.
9. Documentation and Community Resources
- Revisit the Inbound provisioning with Logic Apps documentation to ensure all steps were followed correctly.
By systematically checking each of these areas, you should be able to identify the root cause of the 403 Forbidden error and resolve it. If you require further assistance, feel free to ask!
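An added example for step 4 (token comparison), not part of the answer above: it decodes the claims of the user token used in Graph Explorer and of the Logic App's managed identity token, and reports which one is missing the required permission. Graph Explorer tokens are delegated and carry permissions in the `scp` claim, while a managed identity gets an app-only token whose permissions are in the `roles` claim, which is why a request can succeed in one and return 403 in the other. The role name `SynchronizationData-User.Upload`, the audience, and the sample tokens are assumptions constructed for the demonstration.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    This is an inspection aid for comparing tokens, not an authorization check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))

def check_token(token: str, expected_aud: str, required_role: str) -> dict:
    """Compare a token's audience and granted permissions against what the API needs."""
    claims = decode_claims(token)
    # Delegated tokens (signed-in user, e.g. Graph Explorer) list permissions in 'scp';
    # app-only tokens (managed identity, client credentials) list app roles in 'roles'.
    delegated = "scp" in claims
    granted = set(claims.get("scp", "").split()) if delegated else set(claims.get("roles", []))
    return {
        "token_type": "delegated" if delegated else "app-only",
        "audience_ok": claims.get("aud") == expected_aud,
        "has_required_role": required_role in granted,
        "granted": sorted(granted),
    }

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned test token (alg 'none') so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample values (assumptions, not taken from a real tenant).
REQUIRED_ROLE = "SynchronizationData-User.Upload"   # assumed app role for the provisioning API
GRAPH_AUD = "https://graph.microsoft.com"
USER_TOKEN = make_unsigned_token({"aud": GRAPH_AUD, "scp": "User.Read " + REQUIRED_ROLE})
MI_TOKEN = make_unsigned_token({"aud": GRAPH_AUD, "roles": ["User.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("Graph Explorer user token", USER_TOKEN),
                      ("Logic App managed identity", MI_TOKEN)):
        print(name, check_token(tok, GRAPH_AUD, REQUIRED_ROLE))
```

If `has_required_role` is false for the managed identity token, the fix is to grant that app role to the Logic App's identity (step 1) rather than to change the request itself.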