Configure OBO authentication for custom connectors

Posted by Microsoft Employee
https://learn.microsoft.com/en-us/microsoft-copilot-studio/advanced-custom-connector-on-behalf-of

I created a custom connector according to this article and for my custom API I entered the Application ID URI (e.g. api://b52b5b7a-e895-4600-b567-2c4cbe27d2e7) from the service app registration into the Resource URL field. I tried a lot of times and different scenarios, but every time I got a token with the : "https://apihub.azure.com", instead of the Application ID URI. Could you help to resolve it?

Thanks in advance
  • Suggested answer
    Sunil Kumar Pashikanti, Moderator
     
    Why you see aud = https://apihub.azure.com
    When you create a connection to a custom connector, the client (Power Apps / Power Automate / Copilot Studio) first acquires an access token for the connector runtime (aka “apihub”). That token’s audience is not your API, it’s the Power Platform connector host (apihub). The connector runtime then performs the OBO exchange server‑side to obtain a second token targeted at your downstream API and forwards that token to your API in the Authorization header when it calls your backend. In other words, the token you’re decoding is only the first hop token.
     
    You can even see clues to this in some error payloads and headers from connector calls (x‑ms‑apihub‑obo: true) indicating OBO is in play behind the scenes.
     
    Don’t validate the connection token you get from the Test UI or your browser dev tools. Validate the token that your API actually receives from the connector call.
     
     
    High level - minimal checklist to get to a working OBO flow
    1) Service app reg (your API)
    Expose an API → set Application ID URI (e.g., api://…)
    Add at least one scope or app role.

    2) Connector app reg (the connector)
    Grant API permissions (to your service app) → admin consent
    (If calling Graph, add the Graph scopes/roles as well.)

    3) Custom connector (Security tab)
    Identity provider: Microsoft Entra ID (OAuth 2.0)
    Authorize/Token: …/oauth2/v2.0/authorize & …/oauth2/v2.0/token
    Resource URL: your API’s App ID URI
    Scope: api://…/.default
    OBO: Enabled.

    4) Test end‑to‑end by hitting your API and decoding the token received by your API—its aud should be your App ID URI. (Don’t rely on the apihub token you see during connection.)
     
     
     ✅ If this answer helped resolve your issue, please mark it as Accepted so it can help others with the same problem.
    👍 Feel free to Like the post if you found it useful.
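
The check described in the answer above, as an added example that is not part of the original post or of any Microsoft sample: a diagnostic helper the backend API can run on the incoming `Authorization` header to tell the first-hop apihub token from the token produced by the OBO exchange. The function names, the placeholder App ID URI and the `access_as_user` scope are assumptions, and the decode does not verify the signature, so it is for troubleshooting only.

```python
import base64
import json

APIHUB_AUDIENCE = "https://apihub.azure.com"  # first-hop audience named in the thread


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("JWT payload is not a JSON object")
    return obj


def inspect_bearer(authorization_header, expected_audiences):
    """Classify the token the API received by its aud claim.
    Diagnostic only: the signature is NOT verified here, so never use the
    result for an authorization decision.
    """
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return {"verdict": "not-a-jwt-bearer"}
    try:
        claims = _b64url_json(token.split(".")[1])
    except ValueError:  # bad base64, bad UTF-8, bad JSON, or not an object
        return {"verdict": "undecodable"}
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    if auds & set(expected_audiences):
        verdict = "downstream-api-token"    # OBO exchange produced a token for this API
    elif APIHUB_AUDIENCE in auds:
        verdict = "first-hop-apihub-token"  # connector-runtime token, not meant for this API
    else:
        verdict = "unexpected-audience"
    return {"verdict": verdict, "aud": aud, "scp": claims.get("scp"),
            "appid": claims.get("appid") or claims.get("azp")}


def make_unsigned_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    api_uri = "api://00000000-0000-0000-0000-000000000000"  # placeholder App ID URI
    for aud in (APIHUB_AUDIENCE, api_uri):
        header = "Bearer " + make_unsigned_token({"aud": aud, "scp": "access_as_user"})
        print(inspect_bearer(header, {api_uri}))
```

Pass every audience value your API accepts in `expected_audiences`: Entra v2.0 access tokens carry the API's client ID GUID in `aud` rather than the `api://` URI.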

     
     
