“One or more claims either missing or does not match with the open authentication access control policy.”

Trying to call a Power Automate that is triggered by an HTTP request that requires authentication.

Interestingly, the official docs only give one side of the story – how to set it up. There’s no info on how to call it, but there are posts such as this one.

I want to call it from PowerShell. It’s all very straight forward, but I struggled with it today. This is what I was trying:

$powerAutomateURL = "https://prod-05.xxx2016-06-01"

$tenantId = "==replace me=="
$appId = "==replace me==" 
$scope = "https://service.flow.microsoft.com/.default"

$clientSecret = "==replace me=="

$entraAuthBody = @{
    "tenant" = "$tenantId"
    "client_id" = "$appId"
    "scope" = "$scope"
    "grant_type" = "client_credentials"
    "client_secret" = $clientSecret
}

$entraAuthUrl = "https://login.microsoftonline.com/$tenantId"
$entraToken = Invoke-RestMethod -Method POST -Uri "$entraAuthUrl/oauth2/v2.0/token" -Body $entraAuthBody -ContentType "application/x-www-form-urlencoded"

$header = @{
    "Authorization" = "Bearer " + $entraToken.access_token
}

Invoke-RestMethod -Method POST -Uri $powerAutomateURL -Headers $header -Body '{"Input": "test"}' -ContentType "application/json"

$powerAutomateURL = "https://prod-05.xxx2016-06-01"

$tenantId = "==replace me=="

$appId = "==replace me=="

$scope = "https://service.flow.microsoft.com/.default"

$clientSecret = "==replace me=="

$entraAuthBody = @{

"tenant" = "$tenantId"

"client_id" = "$appId"

"scope" = "$scope"

"grant_type" = "client_credentials"

"client_secret" = $clientSecret

}

$entraAuthUrl = "https://login.microsoftonline.com/$tenantId"

$entraToken = Invoke-RestMethod -Method POST -Uri "$entraAuthUrl/oauth2/v2.0/token" -Body $entraAuthBody -ContentType "application/x-www-form-urlencoded"

$header = @{

"Authorization" = "Bearer " + $entraToken.access_token

}

Invoke-RestMethod -Method POST -Uri $powerAutomateURL -Headers $header -Body '{"Input": "test"}' -ContentType "application/json"

On paper this should work, but I kept getting an error:

Invoke-RestMethod:
{
  "error": {
    "code": "MisMatchingOAuthClaims",
    "message": "One or more claims either missing or does not match with the open authentication access control policy."
  }
}

Invoke-RestMethod:

{

"error": {

"code": "MisMatchingOAuthClaims",

"message": "One or more claims either missing or does not match with the open authentication access control policy."

}

I examined the token in jwt.ms and the claims seem fine. From the docs, the following claims are needed:

I had all of those, so it made no sense.

As usual, I faffed around by trying to connect as a user and wasted time on that – but it too didn’t work.

Then I realized, the audience values look like this:

But in my claims, it doesn’t have the slash.

Could that be it?

So I modified the scope in the code from

"https://service.flow.microsoft.com/.default"

1	"https://service.flow.microsoft.com/.default"

"https://service.flow.microsoft.com//.default"

1	"https://service.flow.microsoft.com//.default"

and tried again.

And this time it worked!

How irritating! 😠