Forum Discussion
Web activity failure due to Invoking endpoint failed with HttpStatusCode - 403 -- help?
Hi,
I have an Azure Data Factory (ADF) instance that I am using to create a Pipeline to ingest external (cloud based) 3rd party data into my Azure SQL Server database. I am a novice with ADF and have only used it to ingest some external SQL data into my SQL database - it did work.
The external source I'm attempting to extract from uses an OAuth 2.0 API and an API is something I've not used before.
Using Postman (never used this software before this attempt), I have passed the external source's base_url, client_id, and client_secret, and in return successfully received an access token. This tells me that the base_url, client_id, and client_secret values I passed are correct and accepted by the target source/application.
Feeling encourage to implement the same values into ADF, I first created a Linked Service which with a successful test connection returned - see below. This Linked Service uses the same values as the Postman entry which granted an access token.
I then created a Pipeline with a Web activity object within it. The General and User Properties don't have any configuration, only the Settings tab does which shown below. Again, the URL, Client ID and Client Secret configured here are the same as those used in Postman (and the Linked Service).
I execute the Web object and it returns with a failure - see below.
The error states the endpoint refused the request (for an access token). Is this accurate as I was able to receive an access token via Postman when using the same credentials? I don't understand why via Postman I can received an access token but via ADF it errors. I'm wondering if I've completed the ADF parts incorrectly, or if there is more needed just to received an access token, or if it's something else?
Are you able to advise what's taking place here?
Thanks.
1 Reply
A 403 does not necessarily mean the credentials are wrong; it means the request that reached the provider was refused. The linked-service test and the Postman call also do not prove that Web Activity is sending the same URL, headers, body, or outbound IP.
For a third-party OAuth server, avoid Web Activity's Service Principal mode unless the provider uses Microsoft Entra ID. ADF documents that mode with tenant and resource for an Entra-issued token. For this ingestion scenario, use a REST linked service with authenticationType OAuth2ClientCredential and set tokenEndpoint, clientId, clientSecret, plus the provider's exact scope or resource, then use it in Copy Activity.
If you stay with Web Activity, compare it with Postman's generated request: POST the exact token endpoint, use Content-Type application/x-www-form-urlencoded, include grant_type=client_credentials, URL-encode the secret, and match scope/audience. Then pass the returned access_token as a Bearer token to the data request. If it still returns 403, ask the provider to check their logs and whether Azure Integration Runtime outbound IPs must be allow-listed.