How to fix IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

Diane König 10 Reputation points
2025-01-15T16:37:43.2166667+00:00

Hello!

I am in a Logic App and I want to create files in a SharePoint drive. So first I create a token based on an app registration ID; this one succeeds. But the next action failed with the error:

=> Error 401 Unauthorized, InvalidAuthenticationToken

"IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string."

client_id=00000003-0000-0000-c000-000000000000 seems to be wrong.

The token action:

https://login.microsoftonline.com/<sharepoint_Tenant_Id>/oauth2/v2.0/token

POST

Accept = application/json

Content-Type = application/x-www-form-urlencoded

grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

Authentication with SharePoint client ID and secret

The post new folder action:

https://graph.microsoft.com/v1.0/sites/<site_id>/drives/<drive_id>/root/children

POST

Authorization = Bearer <sharepoint_Token>

content-type = application/json

Body

{ "name": "Test3", "folder": {} }

How can the app registration have access to the SharePoint site?

Thanks very much!


2 answers

  1. Sina Salam 16,446 Reputation points
    2025-01-16T13:43:09.15+00:00

    Hello Diane König,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having multiple errors with logic app and SharePoint.

    By following the three best-practice steps below, you should be able to resolve both the decoding and authentication issues and successfully create folders in SharePoint using your Logic App.

    Step 1: Resolve IDX14102 (Token Decoding Issue). This issue indicates a problem with the token returned by Azure AD.

    1. You will need to verify the token:
    • Decode the token using jwt.io to ensure it is valid. Check for the following:
      • The token must be well-formed (header.payload.signature).
      • The header must include the alg (algorithm) and typ (type) fields.
      • The payload must include claims such as aud (audience) and scp (scope).
    2. Then, in your application settings, enable PII logging to get more details on the error:
       IdentityModelEventSource.ShowPII = true;

    3. Verify Azure AD Setup by doing the following:
    • Ensure the app registration's client_id and client_secret match those used in your Logic App.
    • Confirm the tenant_id is correct.
    • Check the token endpoint URL: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

    Step 2: Fix 401 Unauthorized (Invalid Token)

    1. Go to Azure AD > App Registrations > Your App > API Permissions.
    • Add Microsoft Graph API permissions:
      • Delegated Permissions: Sites.ReadWrite.All.
      • Application Permissions: Sites.ReadWrite.All.
    • Click Grant Admin Consent to approve these permissions.
    2. Verify Token Scope and Audience:
    • The scope in the token request should be: https://graph.microsoft.com/.default
    • Use a tool like jwt.io to ensure the token includes:
      • `aud`: `https://graph.microsoft.com`
      • `scp`: `Sites.ReadWrite.All`
    3. Then, grant SharePoint access by using the AppInv page in SharePoint to grant permissions:
      1. Navigate to https://<your-site>.sharepoint.com/_layouts/15/appinv.aspx.
      2. Enter the client_id of your app.
      3. Set permission XML:
            <AppPermissionRequests AllowAppOnlyPolicy="true">
                <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write" />
            </AppPermissionRequests>

      4. Click Create and confirm.
    

    Step 3: Test Endpoints

    1. Use Postman or Fiddler to test the token generation and folder creation API calls directly.
    2. Ensure the Authorization header is: Authorization: Bearer <token>

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
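
The structural checks listed in Step 1 of the answer above can be run locally rather than in a web decoder. This is an added example, not part of the original answer: `inspect_bearer`, `decode_segment` and both sample values are hypothetical names and constructed data, and the check is structural only (no signature validation).

```python
import base64
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")

def decode_segment(segment):
    """Decode one base64url JWT segment into a JSON object (dict)."""
    if not B64URL.fullmatch(segment):
        raise ValueError("characters outside the base64url alphabet")
    padded = segment + "=" * (-len(segment) % 4)  # JWTs drop the padding
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("not a JSON object")
    return obj

def inspect_bearer(value):
    """Return (problems, header, claims) for a token or 'Bearer <token>' value."""
    token = value.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return [f"expected 3 dot-separated segments, got {len(parts)}"], None, None
    problems, decoded = [], []
    for name, segment in zip(("header", "payload"), parts):
        try:
            decoded.append(decode_segment(segment))
        except ValueError as exc:  # covers base64, UTF-8 and JSON errors
            decoded.append(None)
            problems.append(f"{name} cannot be decoded: {exc}")
    header, claims = decoded
    if header is not None:
        problems += [f"header lacks {k}" for k in ("alg", "typ") if k not in header]
    if claims is not None and "aud" not in claims:
        problems.append("payload lacks aud")
    return problems, header, claims

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample (app-only tokens carry permissions in "roles"); placeholder signature.
SAMPLE = ".".join([_seg({"typ": "JWT", "alg": "RS256"}),
                   _seg({"aud": "https://graph.microsoft.com",
                         "roles": ["Sites.ReadWrite.All"]}), "c2ln"])
# Constructed malformed value: a JSON body where the bare token should be.
BROKEN = 'Bearer {"token_type":"Bearer","access_token":"' + SAMPLE + '"}'
```

A header that fails this check is the condition IDX14102 reports: the first segment of the value after `Bearer` is not a Base64Url string.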


  2. Sina Salam 16,446 Reputation points
    2025-01-23T13:47:22.7733333+00:00

    Hello Diane König,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: How to fix IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

    Error Message: Error 401 Unauthorized, InvalidAuthenticationToken "IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string."

    Solution:

    I solved the problem with Microsoft now, here is the report:

    Initial Observation:

    We connected with the customer over a call to troubleshoot the issue.

    During the call, we observed that the configuration of the HTTP action, specifically while generating the bearer token from the Graph API, was incorrect. The body parameters were passed in an incorrect format, resulting in an incompatible bearer token.

    Reconfiguration of Bearer Token Generation:

     

    Steps involved in generating the bearer token:

    Configure the HTTP Action:

    • Set the method to POST.
    • In the URI field, enter the token endpoint URL. For Microsoft Graph, it typically looks like this: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    • In the Headers section, add the following key-value pair:
      • Content-Type: application/x-www-form-urlencoded
    • In the Body section, add the following parameters in the form of key-value pairs:
      • client_id: Your application's client ID.
      • scope: https://graph.microsoft.com/.default
      • client_secret: Your application's client secret.
      • grant_type: client_credentials

    Parse the JSON Response:

    Added a "Parse JSON" action to parse the response from the HTTP action.

    In the Content field, select the body of the HTTP response.

    In the Schema field, we provided the following content:

        {
            "properties": {
                "access_token": {
                    "type": "string"
                },
                "expires_in": {
                    "type": "integer"
                },
                "ext_expires_in": {
                    "type": "integer"
                },
                "token_type": {
                    "type": "string"
                }
            },
            "type": "object"
        }

    Using the Bearer Token for SharePoint API Authentication:

     Now that we have the bearer token, in the subsequent HTTP action to call the SharePoint Graph API, we added the following key-value pair in the Headers section:

    Authorization: Bearer @{body('Parse_JSON')?['access_token']}

    This action was successful, confirming that the bearer token was valid and correctly configured.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
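
The token request body and the header construction described in the solution above, as an added example that is not part of the original post: `build_token_body`, `lint_token_body` and `authorization_header` are hypothetical helper names, and the client ID, secret and token are constructed placeholders.

```python
import json
from urllib.parse import urlencode, parse_qs

# Body fields listed in the solution above.
REQUIRED = ("client_id", "scope", "client_secret", "grant_type")

def build_token_body(client_id, client_secret):
    """Form-encode the four body parameters for the token endpoint."""
    return urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })

def lint_token_body(body):
    """Return a list of problems with a token-request body string."""
    text = body.strip()
    if text.startswith(("{", "[")):
        return ["body is JSON, not application/x-www-form-urlencoded"]
    fields = parse_qs(text, keep_blank_values=True)
    problems = [f"missing {name}" for name in REQUIRED if name not in fields]
    problems += [f"empty {name}" for name in REQUIRED if fields.get(name) == [""]]
    return problems

def authorization_header(response_body):
    """Same selection as body('Parse_JSON')?['access_token'], with checks."""
    data = json.loads(response_body)
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("no access_token string in the response")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("token_type is not Bearer")
    return "Bearer " + token

# Constructed sample values, not real credentials or a real token.
GOOD_BODY = build_token_body("11111111-2222-3333-4444-555555555555", "s3cr+t/&=")
JSON_BODY = '{"grant_type": "client_credentials"}'
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                              "ext_expires_in": 3599, "access_token": "aaa.bbb.ccc"})
```

Reserved characters in the secret (`+`, `/`, `&`, `=`) are percent-encoded by `urlencode`, so they cannot split or truncate a field in the form body.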
