“HTTP with Microsoft Entra ID (preauthorized)” connector doesn’t transfer cleanly across managed environments

Pia 0 Reputation points
2026-04-02T05:23:47.8933333+00:00

The “HTTP with Microsoft Entra ID (preauthorized)” connector doesn’t transfer cleanly across managed environments in Power Automate online.

The interface in the deployment process for the Test environment and the Prod environment looks different. The reauthorization works fine in Test but throws an error during the Prod deployment with “Create and authorize OAuth connection failed.”

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Siddhesh Desai 5,590 Reputation points Microsoft External Staff Moderator
    2026-04-10T10:19:44.38+00:00

    Hi @Pia

    Thank you for reaching out to Microsoft Q&A.

    The issue you are encountering occurs due to a known limitation with the “HTTP with Microsoft Entra ID (preauthorized)” connector when deploying Power Automate solutions across managed environments (for example, DEV → TEST → PROD). While the connection works correctly in the source environment where it was originally authorized, Power Automate requires the OAuth connection to be recreated during solution import into another environment. The preauthorized Entra ID connector does not handle this OAuth re‑creation process cleanly, which results in the error “Create and authorize OAuth connection failed.” In your case, the behavior appears inconsistent because Microsoft is gradually rolling out a newer authorization interface: your Test environment is already using the new interface, while Production is still using the old one, where the deployment fails. This is not caused by misconfiguration or permissions but is a connector-level limitation.

    Refer to the points below to resolve this issue, or use them as a workaround:

    Create the HTTP with Microsoft Entra ID (preauthorized) connection manually in the target (PROD) environment: Before importing the solution, go to Power Automate → Connections in the Production environment and manually create the “HTTP with Microsoft Entra ID (preauthorized)” connection. Use the required Base Resource URL and Entra ID Resource URI (for example, https://graph.microsoft.com). During solution import, map the solution to this existing connection instead of allowing Power Automate to create a new one. This prevents OAuth re-authorization and avoids the error.

    Use the non‑preauthorized “HTTP with Microsoft Entra ID” connector: As an alternative, use the standard “HTTP with Microsoft Entra ID” connector instead of the preauthorized version. This requires explicit admin consent and reconfiguration after deployment, but deployments typically succeed because the OAuth flow is fully supported across environments.

    Use a Custom Connector for strict ALM scenarios: For enterprise or long-term ALM stability, create a Custom Connector backed by your own Microsoft Entra ID app registration and explicitly managed permissions. While this requires more setup effort, it provides full control and avoids the deployment limitations of the preauthorized connector.

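A pre-import check for the first workaround in the answer above, added here as an example (it is not code from the answer or from Microsoft): it reads a solution deployment settings file, the JSON layout consumed by `pac solution import --settings-file`, and reports every connection reference that is not mapped to a connection already present in the target environment. The connector id `shared_webcontents` is an assumption, and the logical names and connection ids are constructed sample values.

```python
import json

# Assumption: API id of "HTTP with Microsoft Entra ID (preauthorized)".
PREAUTH = "/providers/Microsoft.PowerApps/apis/shared_webcontents"

# Constructed sample in the deployment settings file layout.
SAMPLE_SETTINGS = json.loads("""
{
  "EnvironmentVariables": [],
  "ConnectionReferences": [
    {"LogicalName": "contoso_graph_http", "ConnectionId": "",
     "ConnectorId": "/providers/Microsoft.PowerApps/apis/shared_webcontents"},
    {"LogicalName": "contoso_api_http", "ConnectionId": "prod-conn-0001",
     "ConnectorId": "/providers/Microsoft.PowerApps/apis/shared_webcontents"},
    {"LogicalName": "contoso_legacy_http", "ConnectionId": "test-conn-0009",
     "ConnectorId": "/providers/Microsoft.PowerApps/apis/shared_webcontents"}
  ]
}
""")


def unbound_references(settings, target_ids, source_ids=(), connector=PREAUTH):
    """Return (logical_name, reason) for each reference of `connector` that is
    not mapped to a connection already present in the target environment."""
    target = {c.lower() for c in target_ids}
    source = {c.lower() for c in source_ids}
    problems = []
    for ref in settings.get("ConnectionReferences", []):
        if ref.get("ConnectorId", "").lower() != connector.lower():
            continue  # other connectors are out of scope for this check
        name = ref.get("LogicalName", "<unnamed>")
        conn = (ref.get("ConnectionId") or "").strip().lower()
        if not conn:
            problems.append((name, "no ConnectionId: not mapped to an existing connection"))
        elif conn in source:
            problems.append((name, "ConnectionId is from the source environment"))
        elif conn not in target:
            problems.append((name, "ConnectionId not found in the target environment"))
    return problems


if __name__ == "__main__":
    # Constructed ids: connections that exist in PROD and in TEST respectively.
    for name, reason in unbound_references(
            SAMPLE_SETTINGS, {"prod-conn-0001"}, {"test-conn-0009"}):
        print(f"{name}: {reason}")
```

Run it as a gate before the import step and fail the pipeline when the returned list is not empty.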

  2. Q&A Assist
    2026-04-02T05:24:05.7233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior is caused by how OAuth- and Microsoft Entra ID–based connections are handled and validated per environment, especially in managed environments, and by tenant-level security/Conditional Access configuration differences between Test and Prod.

    Key points and what to check:

    1. OAuth connections are environment- and owner-specific
      • OAuth connections cannot be shared between users or environments. Each environment (Test, Prod) must establish its own valid OAuth connection at deployment time.
      • If the solution expects to “reuse” or “carry over” the HTTP with Microsoft Entra ID (preauthorized) connection from Test to Prod, the Prod deployment will fail with errors like “Create and authorize OAuth connection failed.” because a new connection must be created and authorized in the Prod environment.
      • This is by design for security reasons: one user’s OAuth connection cannot be used by another user or in another environment.
    2. Password / credential or token invalidation
      • If the account used for the HTTP with Microsoft Entra ID connection has had its password changed, reset, or expired between environments or between attempts, the existing connection/token becomes invalid and reauthorization fails.
      • In that case, the connection must be edited or recreated in the target environment with the current credentials.
    3. Microsoft Entra ID configuration and Conditional Access differences
      • Changes or stricter policies in Prod (for example, different Conditional Access, MFA, Terms of Use, device compliance, or location-based rules) can invalidate or block token issuance for the connector in Prod even though it works in Test.
      • If Prod has different CA policies for Power Automate / Microsoft Flow Service or for the HTTP connector’s enterprise app than Test, the token exchange can fail and surface as a generic “Create and authorize OAuth connection failed.”
      • Ensure that Conditional Access policies targeting Power Automate and any host apps (SharePoint, Teams, etc., if the flow is embedded) are consistent across Test and Prod. If individual apps are targeted, verify that requirements (MFA, Terms of Use, device compliance) match between Test and Prod.
    4. IP allow lists and device ID claim behavior
      • For Microsoft Entra ID–based connections, the initial login stores the public IP address in the device ID claim. This IP is not changed on token refresh.
      • If Prod has an IP allow list in Microsoft Entra ID that differs from Test, the user’s public IP must be allowed there as well; otherwise, token acquisition or refresh can fail during Prod deployment.
    5. OIDC / app assignment and tightened security
      • If the HTTP with Microsoft Entra ID (preauthorized) connector relies on an enterprise app with OIDC configuration, and Prod has Assignment required enabled for that app while Test does not, authorization can fail with an invalid_grant-type error.
      • In that case, either disable Assignment required for that enterprise app in Prod or explicitly assign the service principal / users that need to authorize the connector.
    6. Practical remediation steps for Prod
      In the Prod environment:
      1. Confirm that the user performing the deployment can create connections and has access to the Microsoft Entra app used by the HTTP connector.
      2. Create or edit the HTTP with Microsoft Entra ID (preauthorized) connection directly in Prod and complete the sign-in there, rather than relying on the Test connection.
      3. Verify that:
        • No expired/changed password is being reused.
        • Conditional Access policies for Microsoft Flow Service and any host apps are aligned between Test and Prod.
        • Any IP allow lists in Microsoft Entra ID include the user’s public IP.
        • If using an OIDC enterprise app, Assignment required is either disabled or the correct assignments are configured.
      4. After a successful connection is created in Prod, re-run the solution deployment so it can bind to the valid Prod connection.

    These checks address the difference in behavior between Test and Prod and align with how Microsoft Entra ID–based and OAuth connections are validated and refreshed in Power Automate and managed environments.


