After successfully authorizing the Azure Active Directory connector in Workflows, some action cards execute successfully, while others result in a 403 Forbidden error with the following error message in the body:
    "body": {
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "date": "2025-03-05T21:36:16",
                "request-id": "85ae2fdb-e3ef-4bee-a2ef-06e96037bf28",
                "client-request-id": "85ae2fdb-e3ef-4bee-a2ef-06e96037bf28"
            }
        }
    }
- Okta Workflows
- Azure Active Directory Connector
This can occur when the account authorizing the Azure Active Directory connection is not a Global Administrator in Azure AD.
For example, an account assigned only the Application Administrator role in Azure AD can grant consent to all of the permissions requested by the Azure Active Directory app and successfully authorize the connection. However, the account does not have the required permissions to execute all of the underlying Graph APIs used by the connector action cards.
In this example, the account has permission to execute the Read User card but not the Update User card.
The Azure Active Directory connection must be authorized using a Global Administrator account in Azure AD to ensure the connection has sufficient permissions to execute all action cards.
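To confirm that a set of failures matches this cause, the sketch below (an added example, not Okta's or Microsoft's code) sorts per-card results into allowed and denied and flags the mixed pattern described above. The record layout (`card`, `status`, `body`) and the function names are assumptions; the 403 body is the one shown in this article and the 200 entry is constructed.

```python
import json

# Constructed sample: per-card results as a flow run might record them.
# The 403 body is the one shown in this article; the 200 entry is constructed.
SAMPLE_RESULTS = [
    {"card": "Read User", "status": 200, "body": "{}"},
    {"card": "Update User", "status": 403, "body": json.dumps({
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "date": "2025-03-05T21:36:16",
                "request-id": "85ae2fdb-e3ef-4bee-a2ef-06e96037bf28",
                "client-request-id": "85ae2fdb-e3ef-4bee-a2ef-06e96037bf28",
            },
        },
    })},
]

def is_privilege_denial(status, body):
    """Return the request-id if this is the 403 described above, else None."""
    if status != 403:
        return None
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    # The article shows the error wrapped in "body"; accept either shape.
    if isinstance(doc, dict) and isinstance(doc.get("body"), dict):
        doc = doc["body"]
    err = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(err, dict) or err.get("code") != "Authorization_RequestDenied":
        return None
    inner = err.get("innerError")
    return inner.get("request-id", "") if isinstance(inner, dict) else ""

def triage(results):
    """Split cards into allowed/denied and flag the mixed pattern."""
    allowed, denied = [], {}
    for r in results:
        rid = is_privilege_denial(r["status"], r["body"])
        if rid is not None:
            denied[r["card"]] = rid  # keep request-id for support correlation
        elif 200 <= r["status"] < 300:
            allowed.append(r["card"])
    # Some cards succeeding while others are denied on the same connection is
    # the pattern this article attributes to the authorizing account's role.
    return {"allowed": allowed, "denied": denied,
            "role_gap_suspected": bool(allowed) and bool(denied)}
```

Calling `triage(SAMPLE_RESULTS)` reports Read User as allowed, Update User as denied with its request-id, and sets `role_gap_suspected`.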
