Scanning Salesforce with Microsoft Purview: Access Token Retrieval Error
I am trying to scan a demo Salesforce system that is publicly available over the internet (so no SHIR needed as I see it). However, even when trying out the SHIR as well as AIR to run a scan after registering the Salesforce with the URL, I receive the error message:
Failed to testConnection: Exception when processing request: Connector Exception: Can not retrieve access token. Make sure you specify proper parameters.
This issue seems to be related to the User Name, Password, Connected App Consumer Key, and Consumer Secret combination. I created a connected key vault, and the managed identity of Purview has sufficient read rights (Key Vault Secrets Officer and Key Vault Secrets User) on that key vault, where I created four secrets:
- The concatenated API user password and security token
- The API User Password
- The Consumer Secret of the Connected App
- The security token
I have tried every possible combination and might have overlooked something. According to the Connect to and manage Salesforce in Microsoft Purview documentation:
- Consumer key is selected while creating a credential. (Automatically checked)
- The username of the user that the connected app is imitating is provided in the username input field. (Using an integration user with the permission set for this)
- The password of the user that the connected app is imitating is stored in an Azure Key Vault secret.
- If the self-hosted integration runtime machine's IP is within the trusted IP ranges for the organization set on Salesforce, only the password of the user is provided.
- Otherwise, the password and security token are concatenated as the value of the secret. The security token is an automatically generated key that must be added to the end of the password when logging in to Salesforce from an untrusted network. (I also tried through an SHIR with the concatenated password and security token).
- The consumer key from the connected app definition is provided. This can be found on the connected app's Manage Connected Apps page or from the connected app's definition. (This was taken exactly)
- The consumer secret from the connected app definition is stored in an Azure Key Vault secret. This can also be found along with the consumer key. (This was taken exactly and stored in the key vault)
I found an older post where some users managed to make it work: Trying to connect purview to salesforce ... - Microsoft Q&A.
Is it necessary to concatenate the user password and security token when using AIR as well? Any input or suggestions would be greatly appreciated!
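The following is an added example, not part of the original post and not Microsoft's or Salesforce's code: a way to check the four values outside Purview before storing them in Key Vault. It assumes the connector obtains its token through Salesforce's OAuth 2.0 username-password flow (`grant_type=password` at `/services/oauth2/token`); the function names and all sample values are hypothetical.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"  # Salesforce OAuth 2.0 token endpoint path

def secret_value(password, security_token, ip_trusted):
    """Value for the Key Vault password secret, per the rule quoted in the post."""
    return password if ip_trusted else password + security_token

def secret_problems(name, value):
    """Flag copy/paste damage that makes an otherwise correct secret fail."""
    problems = []
    if not value:
        problems.append(f"{name}: empty")
    elif value != value.strip():
        problems.append(f"{name}: leading or trailing whitespace/newline")
    return problems

def build_token_request(instance_url, username, secret, consumer_key, consumer_secret):
    """Return (url, urlencoded body) for the username-password grant (assumed flow)."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
        "username": username,
        "password": secret,
    })
    return instance_url.rstrip("/") + TOKEN_PATH, body

def request_token(url, body):
    """POST the request; return (HTTP status, parsed JSON). Needs network access."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)  # body carries error / error_description

if __name__ == "__main__":
    # Constructed sample values; the token was pasted with a trailing newline.
    secret = secret_value("Pw1", "TOK\n", ip_trusted=False)
    print(secret_problems("password+token", secret))
    print(build_token_request("https://example.my.salesforce.com/", "u@example.com",
                              secret, "KEY", "SEC")[0])
```

`request_token` is not called here; running it with the real values returns Salesforce's own `error` and `error_description`, which the Purview message does not show.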