Why this exists: You are thirty minutes from a demo and something returns 401 with a JSON body that might as well be hieroglyphics. This is the cheat sheet professionals use without pretending the cloud is personal.
For you if: You already built something in Parts 1 through 4 and you need order, not vibes.
Still Microsoft-hosted. If your connector never leaves Azure’s public endpoints, this list stays relevant.
| Signal | Plain language | Usually look at |
|---|---|---|
| 401 Unauthorized | Token missing, expired, or not the shape your API expects | Connection, secret rotation, wrong audience or scope |
| 403 Forbidden | Token is valid for Entra but your API says “not allowed” | App roles, assignments, route authorization, Dataverse roles |
| Admin consent required | Tenant policy stops you until someone approves | Directory admin, documented permission request |
| Redirect mismatch | OAuth dance starts then dies on callback | Redirect URL on app registration vs connector |
One connector action. One test user. One connection. Green in Test tab before you return to the agent chat. If you cannot get green there, Studio will not invent magic.
Skip OAuth for ten minutes. Open Part 3 and verify roles with a non-admin tester.
Open the run, read the red action, pull the message Part 4 told you to copy. Pair with Flow Troubleshooting Checklist if you want more breadth.