How to fix IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string.

Question

Hello!

i am in a logicapp and i want to create files in a sharepoint drive. So first I create a token based on a app registration id, this one succeed. But the next action failed with the error:

=> Error 401 Unauthorized, InvalidAuthenticationToken

"IDX14102: Unable to decode the header '[PII of type 'Microsoft.IdentityModel.Logging.SecurityArtifact' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' as Base64Url encoded string."

client_id=00000003-0000-0000-c000-000000000000 seems to be wrong.

The token action:

https://login.microsoftonline.com/<sharepoint_Tenant_Id>/oauth2/v2.0/token

POST

Accept = application/json

Content-Type = application/x-www-form-urlencoded

grant_type=client_credentials&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default

Authentification with sharepoint client id and secret

The post new folder action:

https://graph.microsoft.com/v1.0/sites/<site_id>/drives/<drive_id>/root/children

POST

Authorization = Bearer <sharepoint_Token>

content-type = application/json

Body

{ "name": "Test3", "folder": {} }

How can the app registration have access to the sharepoint site?

Thanx very much!

Answer 1

Hello Diane König,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having multiple errors with logic app and SharePoint.

By the below three best practices steps, you should be able to resolve both the decoding and authentication issues and successfully create folders in SharePoint using your Logic App.

Step 1: Resolve IDX14102 (Token Decoding Issue), this issue indicates a problem with the token returned by Azure AD.

1. You will need to verify the token by:

• Decode the token using jwt.io - to ensure it is valid. Check for the following:
  • The token must be well-formed (header.payload.signature).
  • The header must include the alg (algorithm) and typ (type) fields.
  • The payload must include claims such as aud (audience) and scp (scope).

2. Then, in your application settings, enable PII logging to get more details on the error:

   IdentityModelEventSource.ShowPII = true;

3. Verify Azure AD Setup by doing the following:

• Ensure the app registration's client_id and client_secret match those used in your Logic App.
• Confirm the tenant_id is correct.
• Check the token endpoint URL: https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token

Step 2: Fix 401 Unauthorized (Invalid Token)

1.Go to **Azure AD > App Registrations > Your App > API Permissions.

• Add Microsoft Graph API permissions:
• Delegated Permissions: Sites.ReadWrite.All.
• Application Permissions: Sites.ReadWrite.All.
• Click Grant Admin Consent to approve these permissions.

2. Verify Token Scope and Audience:

• The scope in the token request should be: https://graph.microsoft.com/.default
• Use a tool like jwt.io to ensure the token includes:

  •  `aud`: `https://graph.microsoft.com`  
    

  •  `scp`: `Sites.ReadWrite.All`  
    

3. Then, grant SharePoint Access to use the AppInv page in SharePoint to grant permissions:
   1. Navigate to https://<your-site>.sharepoint.com/_layouts/15/appinv.aspx.
   2. Enter the client_id of your app.
   3. Set permission XML:

        <AppPermissionRequests AllowAppOnlyPolicy="true">  
            <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write" />  
        </AppPermissionRequests>

 4. Click Create and confirm.  

Step 3: Test Endpoints

1. Use Postman or Fiddler to test the token generation and folder creation API calls directly.
2. Ensure the Authorization header is: Authorization: Bearer <token>

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.