Imagine a beginner who just built their first flow in Power Automate. They connect it to Microsoft Graph because they want to grab some basic profile information and use /me to make the flow feel personal.
In their head, it sounds simple: “When I run the flow, it should pull in my name from Graph and put it in the message.” But when they test it, the flow stops with a red X. The error Power Automate shows says the request is forbidden by Graph API, with error code AccessDenied. For someone just starting out, this can feel like a wall they don’t know how to climb.
What’s really happening here is that Power Automate is sending a call to Graph, but the identity the flow is using doesn’t line up with what Graph expects. If the flow runs as an automated process (for example, an HTTP action that authenticates with a client ID and secret), it uses what’s called an app-only identity: a token issued to the app registration itself, with no signed-in user behind it. Graph won’t let app-only identities use /me, because /me means “the currently signed-in user,” and there is none. In that case Graph rejects the call with a 403 and you get the AccessDenied message. A citizen developer might not know the difference between app-only and delegated permissions, but this is the crux of the issue. The fix is either to change the endpoint to /users/{userPrincipalName} (or /users/{id}) when using app-only, which also requires an application permission such as User.Read.All granted with admin consent, or to adjust the connector so the call is made in the context of an actual user.
Another scenario a beginner might run into is when the request touches data stored in Exchange Online, such as a user’s mailbox or calendar. Some tenants have application access policies that restrict which mailboxes an app-only identity is allowed to reach. In those cases the error looks slightly different and reads “Access to OData is disabled: [RAOP] : Blocked by tenant configured AppOnly AccessPolicy settings.” If you see that, your flow syntax isn’t at fault, and neither is the Graph permission grant: it’s a tenant setting that an Exchange administrator needs to revisit, either by allowing the app in the policy or by moving to the newer RBAC for Applications model. To someone new, this message feels even more cryptic, but the story is the same: Graph is protecting resources until the right permissions are in place.
For troubleshooting as a beginner, the easiest first step is to expand the failed run in Power Automate and read both the Inputs and Outputs of the action. A 401 means the token itself was rejected; a 403 means your token is valid but Graph is saying “not allowed.” From there, ask yourself whether you’re trying to act as a user or as an app. If it’s a user, make sure the connector really is running under your account and that the token carries the User.Read scope at minimum. If it’s an app, use a /users/{id} call (the object ID or userPrincipalName of the target user) and make sure your app registration has the right application permissions granted with admin consent. The pattern becomes clearer with a bit of practice, and the 403 message starts to look less like a brick wall and more like a simple signpost pointing to the kind of identity you need.
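To make those checks concrete, here is an added Python example (not code from the original article, and not Microsoft’s) that does what the troubleshooting steps above describe: it reads the claims out of the access token to decide whether the flow is running app-only or as a delegated user, picks the Graph endpoint that identity can use, and classifies the status code and error body copied from the failed action’s Outputs, including the application-access-policy message from the Exchange scenario. The tokens and error bodies are constructed for the example (unsigned, with placeholder user values), and the helper and function names are the example’s own.

```python
import base64
import json
from typing import Optional

# Constructed sample value for the example; not real tenant data.
SAMPLE_UPN = "alice@contoso.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (example input only)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "sig",
    ])


def token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.
    This is for inspecting your own token while debugging; never use an
    unverified payload to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_kind(claims: dict) -> str:
    """Return 'delegated', 'app-only' or 'unknown'.
    Delegated tokens carry 'scp' (the consented scopes, e.g. 'User.Read');
    app-only tokens carry 'roles' (application permissions) and no 'scp'.
    Entra ID can also emit the optional 'idtyp' claim ('user' or 'app')."""
    if claims.get("idtyp") == "app":
        return "app-only"
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def graph_user_endpoint(claims: dict, target_user: Optional[str] = None) -> str:
    """Pick the endpoint Graph will accept for this token.
    /me is only meaningful with a signed-in user; app-only must name the user."""
    kind = identity_kind(claims)
    if kind == "delegated":
        return "/me"
    if kind == "app-only":
        if not target_user:
            raise ValueError("app-only token cannot call /me; pass a UPN or object id")
        return f"/users/{target_user}"
    raise ValueError("cannot tell delegated from app-only; token has neither scp nor roles")


def classify_graph_error(status: int, body: dict) -> str:
    """Map the status and JSON error body from the failed action's Outputs
    to a root-cause bucket."""
    err = body.get("error", {})
    code = err.get("code", "")
    message = err.get("message", "")
    if "AppOnly AccessPolicy" in message or "[RAOP]" in message:
        return "tenant-policy"           # Exchange application access policy
    if status == 401:
        return "token-rejected"          # expired or wrong audience; not a permissions problem
    if status == 403 and "AccessDenied" in code:
        return "identity-or-permission"  # valid token, wrong identity kind or missing grant
    return "other"


def diagnose(status: int, body: dict, token: str, target_user: Optional[str] = None) -> str:
    """Combine the two checks into a one-line hint for the flow author."""
    cause = classify_graph_error(status, body)
    claims = token_claims(token)
    kind = identity_kind(claims)
    if cause == "tenant-policy":
        return "blocked by the tenant's application access policy: an Exchange admin must allow the app"
    if cause == "identity-or-permission" and kind == "app-only":
        endpoint = graph_user_endpoint(claims, target_user or "{id}")
        return f"app-only token: call {endpoint} instead of /me and grant an application permission"
    if cause == "identity-or-permission" and kind == "delegated":
        return "delegated token: confirm the connector runs as you and User.Read was consented"
    if cause == "token-rejected":
        return "token rejected (401): re-authenticate the connection before looking at permissions"
    return f"unclassified ({status}); identity kind is {kind}"


if __name__ == "__main__":
    # Constructed app-only token hitting /me, as in the opening scenario.
    app_token = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                   "roles": ["User.Read.All"], "oid": "app-oid", "sub": "app-oid"})
    body = {"error": {"code": "AccessDenied", "message": "Request is forbidden."}}
    print(diagnose(403, body, app_token, SAMPLE_UPN))
```

When the result is the tenant-policy bucket, the fix is on the Exchange side rather than in the flow: an administrator can list the policies with Get-ApplicationAccessPolicy and check a specific app and mailbox pair with Test-ApplicationAccessPolicy (both Exchange Online PowerShell cmdlets; the example above does not call them). Decoding the token is only a debugging aid: it tells you which identity the connector actually obtained, which is often not the one the flow author assumed.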