Scanning Salesforce with Microsoft Purview: Access Token Retrieval Error

Question

Scanning Salesforce with Microsoft Purview: Access Token Retrieval Error

Matthias Paul Sobiech 20

I am trying to scan a demo Salesforce system that is publicly available over the internet (so no SHIR needed as I see it). However, even when trying out the SHIR as well as AIR to run a scan after registering the Salesforce with the URL, I receive the error message:

Failed to testConnection: Exception when processing request: Connector Exception: Can not retrieve access token. Make sure you specify proper parameters.

This issue seems to be related to the User Name, Password, Connected App Consumer Key, and Consumer Secret combination. I created a connected key vault, and the managed identity of Purview has sufficient read rights (Key Vault Secrets Officer and Key Vault Secrets User) on that key vault, where I created four secrets:

The concatenated API user password and security token
The API User Password
The Consumer Secret of the Connected App
The security token

I have tried every possible combination and might have overlooked something. According to the Connect to and manage Salesforce in Microsoft Purview documentation:

Consumer key is selected while creating a credential. (Automatically checked)
The username of the user that the connected app is imitating is provided in the username input field. (Using an integration user with the permission set for this)
The password of the user that the connected app is imitating is stored in an Azure Key Vault secret.
- If the self-hosted integration runtime machine's IP is within the trusted IP ranges for the organization set on Salesforce, only the password of the user is provided.
  - Otherwise, the password and security token are concatenated as the value of the secret. The security token is an automatically generated key that must be added to the end of the password when logging in to Salesforce from an untrusted network. (I also tried through an SHIR with the concatenated password and security token).
    - The consumer key from the connected app definition is provided. This can be found on the connected app's Manage Connected Apps page or from the connected app's definition. (This was taken exactly)
      - The consumer secret from the connected app definition is stored in an Azure Key Vault secret. This can also be found along with the consumer key. (This was taken exactly and stored in the key vault)

I found an older post where some users managed to make it work: Trying to connect purview to salesforce ... - Microsoft Q&A.

Is it necessary to concatenate the user password and security token when using AIR as well? Any input or suggestions would be greatly appreciated!

phemanth 14,800 Reputation points Microsoft External Staff

2025-02-11T19:01:51.4933333+00:00
@Matthias Paul Sobiech

Welcome to Microsoft Q&A platform and thanks for posting your query here.

The error message you're seeing typically indicates a problem with the credentials or the way they are being used.> please Check the below steps

Concatenation of Password and Security Token: Yes, it is necessary to concatenate the user password and security token when using Azure Integration Runtime (AIR) if your IP is not within the trusted IP ranges set on Salesforce. This concatenation is required to authenticate from an untrusted network.

Key Vault Secrets: Ensure that the secrets in your Azure Key Vault are correctly set up. You should have:

The concatenated API user password and security token.

The API user password.

The consumer secret of the connected app.

The security token.

Permissions: Verify that the managed identity of Purview has the necessary permissions (Key Vault Secrets Officer and Key Vault Secrets User) to read the secrets from the Key Vault

Consumer Key and Secret: Double-check that the consumer key and consumer secret from the connected app in Salesforce are correctly entered and stored in the Key Vault

please refer; https://techcommunity.microsoft.com/discussions/azurepurview/scanning-salesforce-with-purview--connector-exception-can-not-retrieve-access-to/4376660

I hope the above steps will resolve the issue, please do let us know if issue persists. Thank you
Matthias Paul Sobiech 20 Reputation points

2025-02-12T11:52:41.7666667+00:00

@phemanth thanks for taking the time to answer but this seems more like a summary of my question and isn't exactly helping me answer the question. The link you provided is my own post in the purview community.
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-13T20:24:27.7066667+00:00

@Matthias Paul Sobiech

Thanks for your information

Given that you've already ensured the necessary permissions and correct setup of secrets in Azure Key Vault, here are a few additional steps:

Check the Connected App Settings: Ensure that the connected app in Salesforce is configured correctly. Sometimes, the OAuth settings might need to be adjusted. Make sure the "Enable OAuth Settings" is checked and the "Callback URL" is correctly set.

Verify IP Restrictions: Double-check the IP ranges set in Salesforce. If your IP is not within the trusted range, the concatenation of the password and security token is necessary. Ensure there are no typos or misconfigurations in the IP ranges.

Test with Postman: Use Postman to manually test the OAuth flow with the same credentials and secrets. This can help isolate whether the issue is with the credentials or the way Purview is handling them.

Review Logs: Check the logs in both Salesforce and Azure Purview for any additional error messages or clues. Sometimes, the logs can provide more detailed information about what might be going wrong.

Update and Sync: Ensure that all components (Salesforce, Azure Purview, and Azure Key Vault) are up to date. Sometimes, updates can resolve underlying issues.

I hope the above steps will resolve the issue, please do let us know if issue persists. Thank you
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-14T17:51:45.37+00:00

@Matthias Paul Sobiech We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Matthias Paul Sobiech 20 Reputation points

2025-02-21T10:36:57.5333333+00:00

So, I actually managed to figure out that it was the configuration of the API user and not the correct token (session instead of security token). After fixing that and double-checking the OAuth settings of the connected app, everything worked as expected, and I was able to use the AIR normally. Thanks again for answering.
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-21T19:11:34.02+00:00

@Matthias Paul Sobiech Glad to know your issue has been resolved. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others "I'll repost your solution in case you'd like to accept the answer.
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-24T17:33:47.8633333+00:00

@Matthias Paul Sobiech Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

phemanth 14,800 Reputation points Microsoft External Staff

2025-02-11T19:01:51.4933333+00:00

@Matthias Paul Sobiech

Welcome to Microsoft Q&A platform and thanks for posting your query here.

The error message you're seeing typically indicates a problem with the credentials or the way they are being used.> please Check the below steps

Concatenation of Password and Security Token: Yes, it is necessary to concatenate the user password and security token when using Azure Integration Runtime (AIR) if your IP is not within the trusted IP ranges set on Salesforce. This concatenation is required to authenticate from an untrusted network.

Key Vault Secrets: Ensure that the secrets in your Azure Key Vault are correctly set up. You should have:

The concatenated API user password and security token.

The API user password.

The consumer secret of the connected app.

The security token.

Permissions: Verify that the managed identity of Purview has the necessary permissions (Key Vault Secrets Officer and Key Vault Secrets User) to read the secrets from the Key Vault

Consumer Key and Secret: Double-check that the consumer key and consumer secret from the connected app in Salesforce are correctly entered and stored in the Key Vault

please refer; https://techcommunity.microsoft.com/discussions/azurepurview/scanning-salesforce-with-purview--connector-exception-can-not-retrieve-access-to/4376660

I hope the above steps will resolve the issue, please do let us know if issue persists. Thank you
Matthias Paul Sobiech 20 Reputation points

2025-02-12T11:52:41.7666667+00:00

@phemanth thanks for taking the time to answer but this seems more like a summary of my question and isn't exactly helping me answer the question. The link you provided is my own post in the purview community.
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-13T20:24:27.7066667+00:00

@Matthias Paul Sobiech

Thanks for your information

Given that you've already ensured the necessary permissions and correct setup of secrets in Azure Key Vault, here are a few additional steps:

Check the Connected App Settings: Ensure that the connected app in Salesforce is configured correctly. Sometimes, the OAuth settings might need to be adjusted. Make sure the "Enable OAuth Settings" is checked and the "Callback URL" is correctly set.

Verify IP Restrictions: Double-check the IP ranges set in Salesforce. If your IP is not within the trusted range, the concatenation of the password and security token is necessary. Ensure there are no typos or misconfigurations in the IP ranges.

Test with Postman: Use Postman to manually test the OAuth flow with the same credentials and secrets. This can help isolate whether the issue is with the credentials or the way Purview is handling them.

Review Logs: Check the logs in both Salesforce and Azure Purview for any additional error messages or clues. Sometimes, the logs can provide more detailed information about what might be going wrong.

Update and Sync: Ensure that all components (Salesforce, Azure Purview, and Azure Key Vault) are up to date. Sometimes, updates can resolve underlying issues.

I hope the above steps will resolve the issue, please do let us know if issue persists. Thank you
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-14T17:51:45.37+00:00

@Matthias Paul Sobiech We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Matthias Paul Sobiech 20 Reputation points

2025-02-21T10:36:57.5333333+00:00

So, I actually managed to figure out that it was the configuration of the API user and not the correct token (session instead of security token). After fixing that and double-checking the OAuth settings of the connected app, everything worked as expected, and I was able to use the AIR normally. Thanks again for answering.
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-21T19:11:34.02+00:00

@Matthias Paul Sobiech Glad to know your issue has been resolved. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others "I'll repost your solution in case you'd like to accept the answer.
phemanth 14,800 Reputation points Microsoft External Staff

2025-02-24T17:33:47.8633333+00:00

@Matthias Paul Sobiech Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

@Matthias Paul Sobiech

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer .

Ask:

I am trying to scan a demo Salesforce system that is publicly available over the internet (so no SHIR needed as I see it). However, even when trying out the SHIR as well as AIR to run a scan after registering the Salesforce with the URL, I receive the error message:

AI ConvertCopy

Failed to testConnection: Exception when processing request: Connector Exception: Can not retrieve access token. Make sure you specify proper parameters.

This issue seems to be related to the User Name, Password, Connected App Consumer Key, and Consumer Secret combination. I created a connected key vault, and the managed identity of Purview has sufficient read rights (Key Vault Secrets Officer and Key Vault Secrets User) on that key vault, where I created four secrets:

The concatenated API user password and security token
The API User Password
The Consumer Secret of the Connected App
The security token

I have tried every possible combination and might have overlooked something. According to the Connect to and manage Salesforce in Microsoft Purview documentation:

Consumer key is selected while creating a credential. (Automatically checked)
The username of the user that the connected app is imitating is provided in the username input field. (Using an integration user with the permission set for this)

The password of the user that the connected app is imitating is stored in an Azure Key Vault secret.

If the self-hosted integration runtime machine's IP is within the trusted IP ranges for the organization set on Salesforce, only the password of the user is provided.

 - Otherwise, the password and security token are concatenated as the value of the secret. The security token is an automatically generated key that must be added to the end of the password when logging in to Salesforce from an untrusted network. (I also tried through an SHIR with the concatenated password and security token).

          - The consumer key from the connected app definition is provided. This can be found on the connected app's Manage Connected Apps page or from the connected app's definition. (This was taken exactly)

                      - The consumer secret from the connected app definition is stored in an Azure Key Vault secret. This can also be found along with the consumer key. (This was taken exactly and stored in the key vault)

I found an older post where some users managed to make it work: Trying to connect purview to salesforce ... - Microsoft Q&A.

Is it necessary to concatenate the user password and security token when using AIR as well? Any input or suggestions would be greatly appreciated!

Solution: So, I actually managed to figure out that it was the configuration of the API user and not the correct token (session instead of security token). After fixing that and double-checking the OAuth settings of the connected app, everything worked as expected, and I was able to use the AIR normally. Thanks again for answering.

If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

Share via

Scanning Salesforce with Microsoft Purview: Access Token Retrieval Error

0 additional answers

Your answer