A cloud-based identity and access management service for securing user authentication and resource access
The error indicates that end users cannot acquire an access token for one of the data sources because the required API permissions/consent are not correctly configured for their accounts, even though it works for the admin.
Use these checks and fixes:
- Verify API permissions and admin consent
- In Microsoft Entra admin center, go to App registrations → select the app used by the Power App → API permissions.
- Ensure all required delegated permissions are added for the APIs/data sources being called.
- Select Grant admin consent so that end users are not blocked by “consent required” or “needs admin approval” errors.
- Alternatively, run:
az ad app permission admin-consent --id <app-id>
- Check if user assignment is required for the enterprise application
- Go to Microsoft Entra ID → Enterprise applications → select the app.
- Under Properties, check Assignment required:
- If set to Yes, only assigned users/groups can sign in and get tokens.
- Either set Assignment required to No, or explicitly add the end users/security groups under Users and groups.
- Confirm conditional access is not blocking token acquisition
- If conditional access policies exist, they might allow the admin but block regular users (for example, device compliance, location, or risk-based policies).
- Work with the Entra administrator to either:
- Ensure end users meet the policy requirements, or
- Exclude the Power App’s app registration (or its enterprise application) from the blocking policy.
Once API permissions have admin consent, user assignment is configured correctly, and conditional access is not blocking, end users should be able to acquire access tokens and the retrieve operation should succeed.
References: