Getting 401 Unauthorized When Accessing Azure FHIR API Using Service Principal

Sumit Verma 0 Reputation points
2025-04-11T06:54:38.95+00:00

I'm currently working with Azure Health Data Services (FHIR) and trying to access the FHIR API using a service principal. The access token is successfully acquired using the service principal credentials, but using the token for requests to the FHIR API returns a 401 Unauthorized error.  

The exact error:

Error creating patient: 401 - {"resourceType":"OperationOutcome","id":"951d884b-b5c0-46a1-811e-b99baf21815a","issue":[{"severity":"error","code":"login","diagnostics":"Authentication failed."}]}

Setup Summary:

  • Registered Azure Entra ID app with the correct client ID and secret.
  • App has the FHIR Data Contributor role assigned on the FHIR service.
  • Requesting the token with the scope: https://azurehealthcareapis.com/.default
  • Token is retrieved successfully.
  • Including the token in the Authorization: Bearer <token> header in API requests.
  • The FHIR service is deployed and configured in Azure properly.

Despite this setup, every API call to the FHIR endpoint results in a 401 error. There is a suspicion that the issue might relate to role assignments or permissions, but the exact missing configuration is unclear.

Assistance is requested to identify potential misconfigurations or missing steps regarding role assignments/permissions for the service principal. Thank you in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. SrideviM 5,840 Reputation points Moderator
    2025-04-14T01:56:45.7433333+00:00

    Hello Sumit Verma,

    I understand you're getting a 401 Unauthorized error when trying to call the Azure FHIR API using a service principal, even though you're able to generate the token successfully.

    The error occurs because you are using the wrong scope value when generating the access token.

    I have one Azure Health Data Services (FHIR) service with the below audience:

    [screenshot]

    Now, I registered one Entra ID application and added the FHIR Data Contributor role to it under the FHIR service, like this:

    [screenshot]

    Initially, I generated an access token with the same scope as you and got the same error, like this:

    Token generation:

    [screenshot]

    Same error with the above token while calling the API:

    [screenshot]

    To resolve the error, make sure to generate the access token with the scope set to your actual FHIR service URL, like this:

    https://<workspacename-fhirservicename>.fhir.azurehealthcareapis.com/.default


    After I updated the scope and generated a new token using the correct value, the API call started working without any issues, like this:

    Token generation:

    POST https://login.microsoftonline.com/tenantId/oauth2/v2.0/token

    grant_type: client_credentials
    client_id: <appId>
    client_secret: <secret_value>
    scope: https://<workspacename-fhirservicename>.fhir.azurehealthcareapis.com/.default

    [screenshot]

    API call successful:

    GET https://<workspacename-fhirservicename>.fhir.azurehealthcareapis.com/Patient

    [screenshot]

    Let me know if you have any other questions or need help with anything else.

    Hope this helps!


    If this answer was helpful, please click "Accept the answer" and mark Yes for "Was this answer helpful", as this can help other community members.

    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.
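The scope fix described in the answer, as an added example that is not part of the answer or of any Microsoft SDK: it derives the correct scope from the FHIR service URL (rejecting the generic one from the question), builds the same client-credentials request, decodes the unverified aud claim of a returned token so a wrong-scope token can be spotted before the service answers 401, and turns the OperationOutcome body into a one-line diagnosis. The assumption that the token's aud equals the FHIR service URL, the demo-token builder and the sample host name are mine.

```python
import base64
import json
from urllib.parse import urlparse

FHIR_SUFFIX = ".fhir.azurehealthcareapis.com"


def scope_for_fhir_service(fhir_url: str) -> str:
    """Derive the scope the service expects: its own base URL plus /.default.
    The generic https://azurehealthcareapis.com host from the question is rejected."""
    host = urlparse(fhir_url).hostname or ""
    if not host.endswith(FHIR_SUFFIX):
        raise ValueError(f"not an Azure Health Data Services FHIR host: {host!r}")
    return f"https://{host}/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str, fhir_url: str) -> dict:
    """Client-credentials request as shown in the answer: v2.0 token endpoint plus form body."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {"grant_type": "client_credentials", "client_id": client_id,
                 "client_secret": client_secret, "scope": scope_for_fhir_service(fhir_url)},
    }


def token_audience(jwt: str) -> str:
    """Read the token's 'aud' claim without verifying it (a diagnostic, not a trust decision)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def audience_matches(jwt: str, fhir_url: str) -> bool:
    """True when 'aud' names the FHIR service itself (assumption: aud equals the service URL)."""
    host = urlparse(fhir_url).hostname
    return token_audience(jwt).rstrip("/") in (f"https://{host}", host)


def explain_401(body: str) -> str:
    """Turn the OperationOutcome returned with the 401 into a one-line diagnosis."""
    outcome = json.loads(body)
    issues = outcome.get("issue", []) if outcome.get("resourceType") == "OperationOutcome" else []
    if any(i.get("code") == "login" for i in issues):
        return "Authentication failed: check that the token's 'aud' is the FHIR service URL"
    return "; ".join(i.get("diagnostics", "") for i in issues) or "no OperationOutcome in body"


def make_unsigned_demo_token(aud: str) -> str:
    """Constructed sample only: an unsigned JWT-shaped string to exercise token_audience."""
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'aud': aud, 'appid': 'constructed'})}."
```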

