Microsoft Power Apps Integration Validation Fails with "Invalid Credentials" Due to Microsoft Graph Authorization Failure. Error: 403 Authorization_RequestDeniedIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } When validating the Microsoft Dynamics 365 and Power Apps Subscription integration profile in SaaS License Management, the profile may fail with the message: Connection validation is not successful. Invalid Credentials. However, this message can be misleading. In this scenario, OAuth token generation was successful, but the backend Microsoft Graph API call failed during subscription download validation. The failing call was: GET https://graph.microsoft.com/v1.0/subscribedSKUsResponse status: 403 The Microsoft Graph response was: { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation." }} This confirms that the issue is not caused by an incorrect Client ID, Client Secret, or Tenant ID. The credentials are accepted, but the generated token does not have sufficient authorization to execute the Microsoft Graph API call required by the integration. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } ALL Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The integration validation fails because the Azure app registration or delegated user context does not have the required Microsoft Graph permissions and/or admin consent required to access: https://graph.microsoft.com/v1.0/subscribedSKUs The ServiceNow UI displays a generic “Invalid Credentials” message, but the outbound HTTP log confirms the actual failure is: 403 Authorization_RequestDenied The above Error can be seen in the System Outbound HTTP logs. Please set the properties "glide.outbound_http_log.override" to TRUE and "glide.outbound_http_log.override.level" to value "all. https://www.servicenow.com/docs/r/xanadu/api-reference/web-services/outbound-logging-properties.htmlInsufficient privileges to complete the operation. This can occur when one or more of the following are missing or not consented in Azure: LicenseAssignment.Read.AllUser.Read.AllOrganization.Read.AllOffline_access For delegated access, the Microsoft account used to generate the OAuth token must also have the required Microsoft Entra role context, such as Global Reader, Directory Readers, or another supported role required for the subscribedSKUs API. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Ask the Microsoft/Azure administrator to review the Azure app registration used by the ServiceNow Microsoft 365 Graph connection and confirm the following: Add or verify the required Microsoft Graph API permissions: LicenseAssignment.Read.AllUser.Read.AllOrganization.Read.AllOffline_access Select Grant admin consent for the tenant after adding or correcting the permissions.If delegated permissions are used, confirm that the user account used to create and retrieve the OAuth token has the required Microsoft Entra role context.Verify the Dynamics CRM side of the configuration as well, especially: user_impersonation In ServiceNow, regenerate the OAuth token for the Microsoft 365 Graph connection.Return to the Microsoft Dynamics 365 and Power Apps Subscription integration profile and click Validate Connection again. Expected result after the fix: GET https://graph.microsoft.com/v1.0/subscribedSKUsResponse status: 200 Once the required permissions are granted and admin consent is applied, the integration profile validation should complete successfully.