Call Microsoft Graph API as a daemon application with application permission from Power Automate using HTTP connector

With the assumption that you already know about Microsoft Graph and its capabilities I will directly jump in with the steps and instructions to call Microsoft graph Endpoints as a daemon app using Application permissions with the help of HTTP connector. Calling graph from a flow opens a wide range of possibilities which are not available with the prebuilt connectors. As of now you will not be able to call Microsoft graph with application permissions using a custom connector.

Pre-Requisites:

  • Access to HTTP Premium Connector in Power Automate
  • Access to register Azure AD Application in Azure AD Portal

Application Registration in Azure AD Portal:

Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. In this example I have added the Application permission Calendars.Read to access all the recent events of a user from Outlook.

It is not required in the Azure AD application to have a redirect URI.

Power Automate Flow:

It is now time to generate the graph token using the HTTP connector in flow which is a pre-requisite to call the Graph API endpoint. The only authentication flow to generate a access token for application permissions is Client credentials.

To generate a token

  1. Store the Client Secret on a String variable
  2. Make a HTTP request using the HTTP connector with the following details. Make sure to replace the string for tenantId, azureAdAppclientId and azureAdAppclientSecret

Method 1:

Add a HTTP connector action to the flow for making a POST request per the following information

HTTP Method: POST

URI: https://login.microsoftonline.com/yourtenantId/oauth2/v2.0/token

Headers: Content-Type: application/x-www-form-urlencoded

Body:

Replace the tenantId, client id and client secret from the variable

tenant=yourtenantId&client_id=azureAdAppclientId&client_secret=@{decodeUriComponent(variables('azureAdAppclientSecret'))}&grant_type=client_credentials&scope=https://graph.microsoft.com/.default

For the client secret make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request will fail due to the presence of special characters.

To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "scope": {
            "type": "string"
        },
        "expires_in": {
            "type": "integer"
        },
        "ext_expires_in": {
            "type": "integer"
        },
        "access_token": {
            "type": "string"
        },
        "refresh_token": {
            "type": "string"
        }
    }
}

Add the Body from the dynamic content from the HTTP – GET Token action to the content of the Parse JSON action

Include the access token from the Output of the Parse JSON action when calling the Microsoft Graph API on the Headers sections as shown below

To get the users events from the default calendar

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/calendar/events

Method 2:

You can also make a request to Graph API using the Active Directory OAuth Authentication under the advanced options of the action as shown below

My other blog post to call Microsoft graph API in Power Apps and Power Automate using a custom connector.

Summary: I have written a blog to get the attendee details of a meeting using this approach to Microsoft graph event endpoint API. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other Microsoft graph in Power Automate blogposts.

Call Microsoft Graph API as a signed in user with delegated permission in Power Automate or Azure Logic apps using HTTP Connector

If you have a requirement to access graph endpoint as a signed in user/account on an instant/automated/scheduled flow, this blog post will help you with instructions and steps to access the Microsoft graph API with delegated permissions using the

  1. HTTP connector
  2. Invoke an HTTP request connector

There are resources (Presence information, Planner etc) in Microsoft graph which is available only as delegated permissions and not as application permission. Application permissions can be granted only by an administrator but users can register an application with delegated permission (Except All permission) unless the IT team has restricted the app registration by users.

Access Graph API using HTTP connector:

I have used the HTTP connector to generate a token for accessing the Graph API using the OAuth resource owner Password Credentials grant authentication flow supported by Microsoft Identity platform with the User ID and Password. Once we have the access token, the request to the Graph API endpoint will be made. To follow along this post be ready with the following

Pre-Requisites:

  1. Access to HTTP Premium Connector in Power Automate
  2. Access to register Azure AD Application in Azure AD Portal
  3. A service account without MFA enabled
    1. User ID
    1. Password

If you have an account with MFA enabled, then you should be creating a Custom connector. I have written a blog post on creating a custom connector to call Microsoft Graph API for Power Apps and Power Automate.

Azure Active Directory Application:

Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. In this example I have added the delegated permission Presence.Read to get the presence information of the service account.

Add the redirect URI for the web http://localhost as shown on the screenshot below.

The Web redirect URI http://localhost/ is required to provide consent for the Azure AD application for the permission scope by the service account. The consent can be provided by an admin to use this application in flow by all users or the consent has to be provided by an individual user. To provide consent by an individual user in this case by the service account, construct the following url using the tenant ID, Client ID and the scope (ex. Presence.Read)

Individual User Consent URL:

https://login.microsoftonline.com/yourtenantID/oauth2/v2.0/authorize?
client_id=azureadappclientid
&response_type=code
&redirect_uri=http://localhost/
&response_mode=query
&scope=https://graph.microsoft.com/Presence.Read

If there are multiple delegated permissions, the scope should be separated by a space (%20)

scope=https://graph.microsoft.com/Presence.Read%20
https://graph.microsoft.com/Sites.Read.all

Now login to Office.com with the service account and enter the above User Consent url on a separate tab for the consent which will bring up a screen similar to the one shown below

Now Click the Accept button to provide consent for the requested permission for the service account. After the Accept button is clicked there will be a message stating that this site cannot be reached or something similar with the url like below on the browser address bar

http://localhost/?code=xxxxxxxxxxxxxxxxxx&session_state=xxxx-xxx-xxx-xx-xxxxx

The consent is provided, to validate the consent login to My Applications link url and the select the Azure AD application from the list and then click Manage your application as shown below

Find below screenshot with consent for Presence.Read permission. To revoke the permission, click Revoke permissions

To provide Admin consent for all the users to use this app in the flow, the URL is

https://login.microsoftonline.com/yourtenantID/adminconsent?client_id=azureadappclientid

Power Automate Flow:

Now we are ready to generate the graph token using the HTTP connector in flow which is a pre-requisite to call the Graph API endpoint. To generate a token in Flow

  1. Store the Client Secret on a String variable
  2. Make the following HTTP request using the HTTP connector

HTTP Method: POST

URI: https://login.microsoftonline.com/yourtenantID/oauth2/v2.0/token

Headers: Content-Type: application/x-www-form-urlencoded

Body:

Replace the client id, service account username and password

client_id=azureadappclientid&username=serviceaccount@yourdomain.com&password=serviceaccountpassword&grant_type=password&client_secret=azureadappclientsecret&scope=Presence.Read%20offline_access

For the client secret and password (only if there is special character), make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request will fail due to the presence of special characters.

If there is no consent provided by the user/service account for the Azure AD application then the above HTTP request will generate the following error

{“error”:”invalid_grant”,”error_description”:”AADSTS65001: The user or administrator has not consented to use the application with ID ‘xxxxxxx-65xx-47e0-xxxx-xxxxx0bb22′ named AzureADAppName’.

To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "scope": {
            "type": "string"
        },
        "expires_in": {
            "type": "integer"
        },
        "ext_expires_in": {
            "type": "integer"
        },
        "access_token": {
            "type": "string"
        },
        "refresh_token": {
            "type": "string"
        }
    }
}

Add the Body from the dynamic content from the HTTP – GET Token action to the content of the Parse JSON action

Include the access token when calling the Microsoft Graph API on the Headers sections as shown below. The access_token is from the output of the Parse JSON action

If you run the flow, you can now see the response with the presence information of the service account as shown below

Use Azure Key vault connector to secure the Client Secret & Password information in the flow.

Invoke a HTTP Request connector:

This connector can be used to fetch resources from various web services authenticated by Azure AD including Microsoft Graph in more easier way. Look for the action with the keyword invoke an HTTP request

If it is accessed for the first time, enter https://graph.microsoft.com on both Base and Azure AD resource URI and then click Sign In

Enter the Graph API endpoint on the Url of the request and select the Method

The API is executed in the context of the action’s connection as shown below. In this example it gets the profile information of the serviceaccount

If you get an error similar to { “error”: { “code”: “Forbidden”, “message”: “” } }, then it could be because the connector has a limited set of scopes. Getting Presence information is not supported with this connector as of now. If your scenario requires something more advanced or not currently supported by the connector, please use the �HTTP� connector as shown above or create a custom connector.

Reference:

https://docs.microsoft.com/en-us/graph/auth/auth-concepts#delegated-and-application-permissions

https://ashiqf.com/2021/03/16/call-microsoft-graph-api-in-power-apps-and-power-automate-using-a-custom-connector/

Summary: There are many endpoints available with Microsoft graph which can be leveraged for different use cases. Keep in mind the HTTP connector in Power Automate is Premium, you can also consider using this approach in Azure Logic apps. The access token is valid only for an hour, if you have to call a graph api after an hour from the initial token generation time the token has to be obtained again. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.

Call Microsoft Graph API in Power Apps and Power Automate using a Custom connector

Microsoft graph is the gateway to data and intelligence in Microsoft 365 which connects multiple services like SharePoint, Teams, Planner etc and devices. Microsoft graph has one common endpoint that is RESTful Web API enabling you to access Microsoft Cloud service resources. With that said if you want to communicate with Microsoft Graph Services or any API services, custom connectors can be used to address needs which are not available as prebuilt connectors in Power Apps and Power Automate. The purpose of this blog post is to show how to

  • Create & setup Custom Connector to call Microsoft Graph API
  • Call Microsoft Graph API in Power Apps using custom connector
  • Call Microsoft Graph API in Power Automate using custom connector

Custom connector supports the following authentication types

  • Anonymous (No Authentication)
  • Basic Authentication (UserName & Password)
  • API Key
  • OAuth 2.0

As of the time I am writing this article, custom connector supports only authentication flow Authorization code & not client credentials. If you use OAuth 2.0, it means you can use only delegated permissions & not application permissions as permission type in the custom connector. To be more precise, the logged in user from PowerApps or flow actions/trigger connection user should have access to the resource to be accessed from Microsoft Graph & cannot access the resource as a daemon app (Application Permission). Find below the pre-requisite for the custom connector

  1. Premium Plan (App/user based) for all users intended to use the custom connector in Power Apps or Power Automate. To test the custom connector you can also get a community plan if you do not have a premium plan.
  2. Access to register Application in Azure AD portal

Create & setup Custom Connector to call Microsoft Graph API:

Custom connector can be created from Power Apps maker portal or Power Automate portal. Custom connector created from any of the above-mentioned interfaces can be used in a Power App or Power Automate cloud flow. A custom connector is nothing but a wrapper around a REST API that allows Power Apps or Power Automate and Azure Logic Apps to communicate with that REST API.

Azure Active Directory Application:

To access the Microsoft Rest API there must be an Azure AD app registered with appropriate graph permission intended for the operations through a custom connector. For this example I have registered an AD application with the following delegated permissions

  1. Calendars.Read
    • To display the users recent events in Power Apps gallery control
  2. Sites.Manage.All
    • To create a New list item in SharePoint list from Power Apps and Power Automate
  3. User.Read
    • To display users profile information from an Extension Attribute in Power Apps

Obtain the Client ID from the Overview section of the Azure AD app and create a secret from the Certificates & secrets under Manage blade. Once the secret is created, copy the value to be used in the custom connector.

Add a Web Redirect URI https://global.consent.azure-apim.net/redirect as shown below

The Redirect URI is common and will be created while creating the custom connector. Now we are ready to create the custom connector, go to Power Automate portal and expand Data on the left panel > Custom connectors > + New custom connector > Create from blank

After entering the connector name, you will get the below screen. Do not have the word SharePoint part of your connector name to avoid issues.

Enter graph.microsoft.com on Host and some description about the connector. You can also change the logo to a custom one. Now click Security on the right bottom corner to enter the Azure AD application information for the OAuth 2.0 authentication type. Under the section OAuth 2.0

  • Change the Identity provider to Azure Active Directory
  • Enter the Client id & Client secret of the Azure AD application
  • Leave the Login URL as https://login.windows.net & Tenant ID as common
  • Enter the Resource URL as https://graph.microsoft.com
  • Enter the Scope as Calendars.Read Sites.Manage.All User.Read based on the permissions you have added on the Azure AD app. Leave a space between each permission

After the above information is filled in, click Create connector which will autogenerate the Redirect URL https://global.consent.azure-apim.net/redirect. This is the URL we have added as a Redirect Web URI in the Azure AD application. The connector is now ready to add actions based on Graph API endpoint to

  • Get users recent events from the users default Outlook calendar
  • Create a List item in SharePoint List
  • Get users custom extension attribute from users Active directory profile

Get users recent events from the Outlook calendar:

The Graph API to get the logged in users list of recent calendar events is

Http Request Mode: GET

Request URI: https://graph.microsoft.com/v1.0/me/calendar/events

After the custom connector is created in the above step, now click the Definition tab of the Custom Connector > click + New action which will create the following screen to enter information about the action

After the Summary, Description and Operation ID is entered. Click + Import from sample under the Request section to the enter the Graph API endpoint url https://graph.microsoft.com/v1.0/me/calendar/events.

It is Okay to exclude the url https://graph.microsoft.com since we have provided the information in the Security tab.

Now we are ready to provide default response for the action. To get the request response sample for the graph api endpoint, SignIn to the Graph Explorer with your organizational ID to copy the response of the API request to be used in the custom connector action

After running the query in the graph explorer tool, copy the whole content (CTRL+A) from the Response preview section as shown on the above screenshot. If there is any error related to permissions while executing the http request in the explorer tool, make sure you have consented to the permissions in the Modify permissions tab.

Click + Add default response and then paste the content copied from the graph explorer tool on Body as shown below

Click Import and then click Update connector. Let us add the second action to create a list item in a SharePoint list

Create a List item in SharePoint List:

The graph API to create a List item in a SharePoint List is

Http Request Mode: POST

Request URI: https://graph.microsoft.com/v1.0/sites/siteId/lists/listId/items

You should replace the SiteId and listId in the above URL. Easy way to get the ListId and SiteId is by viewing the Viewing the page source of the SharePoint site with the list open

Request Body:

For this example I have a SharePoint list with a default column Title and a single line of text column by the name Location.

{
  "fields": {
    "Title": "Widget",
    "Location": "Stockholm"
  }
}

Once again click + New action on the Definition tab to add an action for creating a new list item.

After the Summary, Description and Operation ID is entered click + Import from sample under the Request section to the enter the Graph API endpoint url with the Verb now selected as POST and the request body or payload

Click Import. To get the request response sample for the graph api endpoint, go to the graph explorer to copy the request response as shown below for the above POST request to create the list item

Click + Add default response and then add the response copied from the graph explorer tool on the Body section as shown below

Click Import button and then click Update connector. Let us add the second action to read the users active directory profile to extract extension attribute information

Get users custom extension attribute from users Active directory profile:

On my tenant I have added additional properties on extension attribute in Azure AD profile of the user & displayed them on the User profile card using the profile card graph API. The graph API to get the extension attribute information of the user is in Beta as of now

Http Request Mode: GET

Request URI: https://graph.microsoft.com/beta/me

Once again click + New action on the Definition tab to add the third action for getting the users profile information from Azure active directory.

After the Summary, Description and Operation ID is entered click + Import from sample under the Request section to the enter the Graph API endpoint url with the Verb selected as GET

Click Import. Go to the graph explorer to copy the request response for the GET request for https://graph.microsoft.com/beta/me and then click + Add default response to paste the request response copied from the graph explorer tool. Click Import button and then click Update connector. We have till now added three actions which can be tested in the same interface

Test the Action:

To test the different actions added in the connector, click the Test tab and then click + New connection.

You will be prompted to sign in using the Organization ID and provide a consent for the permissions requested as a scope on the custom connector.

After the connection is created, you can test the different actions available as shown below for one of the action CreateListItem in SharePoint

The custom connector creates the Swagger definition, you can also view and update the Swagger definition by turning on Swagger Editor

If you look at the security definitions in the above screenshot for the connector we have created till now, the authentication flow used to authenticate the user is Authorization code which supports only delegated permissions and not application permissions in MS Graph. The Swagger definition file can be downloaded from interface shown below

The Swagger definition file can be used to re-create the custom connector by clicking the Down arrow and then by clicking Import an OpenAPI file. On the popup window enter the Connector Name and select the downloaded Swagger file to recreate the connector after filling in information on the Security tab.

You download the Swagger definition file of the custom connector with the above mentioned actions from this github link.

Call Microsoft Graph API in Power Apps using custom connector:

To call a custom connector in Power Apps, the first step is to add the connector to the Power App by the app maker. Click Data on the left panel and then click the button Add data > look for the connector by the name > Click the connector name to create a connection.

Once the connection is created & added, you will be able to use it in the different controls added to the app

I added the following controls to

  1. Label – To display the Extension attribute of the user from the action GetUserProfile
  2. Gallery – To display the users recent calendar events from the action
  3. Button – To create new item on the list and to get information from Graph about the user calendar events and to get the users AD profile

A Button control to load the data from Microsoft Graph GET actions GetUserProfile &  GetMyEvents on a context variable.

UpdateContext({userProfileData:'NameoftheConnector'.GetUserProfile(),userCalendarEvents:'NameoftheConnector'.GetMyEvents().value})

Once we have the data loaded on the context variable using the OnSelect button click event, the data can be displayed on different controls. Use the graph explorer tool to validate the response of the request and to help with display the data on a control. Find below the response for the me endpoint which provides the profile information of user including the extension attribute.

To display the Extension attribute1 information on a label control, the code is

userProfileData.onPremisesExtensionAttributes.extensionAttribute1

I have added a gallery control to display the calendar events. First step is to bind the gallery control to the context variable (userCalendarEvents) using Items property of the control

Items: userCalendarEvents

On the gallery control fields

field1: ThisItem.subject

field2: ThisItem.organizer.emailAddress.name

For constructing the above formula (Field1 and Field2) for displaying the information on the different fields in the control, graph explorer response preview will help you

I have added a button control to create the list item using the action CreateListItem with the following formula on the OnSelect event

'NameoftheConnector'.CreateListItem({fields: {Title: "Mohamed Ashiq Faleel",Location:"Sunbyberg"}});

Reference: https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/functions/function-json

Once the Power App is shared with other users

  • Connecter will be shared along with the app
  • The user has to create a connection to the Custom Connector & provide consent for the Graph permission (User.Read Sites.Manage.All Calendars.Read) for the first time
  • The users of the app should have premium license (App/user based)

Call Microsoft Graph API in Power Automate using custom connector:

To use a custom connector by a user in a flow Instant/Scheduled/Automated, it

  • Must be shared to the user by the custom connector Owner/creator
  • Premium license for the flow user
  • Consent to be provided for the graph permissions. The consent can be individual or admin consent

Add the action to the flow by clicking Custom and then select the custom connector as shown below

Now select the action

It will ask you to Sign In to create the connection and there will be a prompt to provide consent to the permission for the AD application for the first time as shown below

Enter the parameter values to create the list item

Summary: Microsoft Power Apps and Power Automate are great and simple to get started with no code. If you are a pro developer and want to extend the capabilities with Microsoft Graph & other external/custom RESTFul API’s you can do so with the custom connector. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.

How to use Microsoft graph SharePoint Sites.Selected application permission in a Azure AD application for more granular control

As per this announcement made on Feb 2021, Microsoft graph now provides option to have granular permissions level using Sites.Selected application permission for the AD application instead of granting permission for all the sites in the tenant. The permission Sites.Selected does not provide access to any SharePoint site collections for the application unless the AD application has been assigned with permission roles read or write by an Admin. On this post let us see how to grant a site permission (Read or Write) to an AD Application with Sites.Selected permission by using postman client. As of the time I am writing this post there is no user interface to assign permissions to specific site collections for the application.

Pre-Requisite:

  1. Register Azure AD Application (APP 1) in Azure AD Portal with the following permissions
    • Sites.Selected (Admin Consented)
  2. Another AD Application (APP 2) with following permission only for the admins to assign selected roles to the above App
    • Sites.FullControl.All (Admin Consented)

App Registration:

Start with registering the above said two Azure AD applications

APP 1:

Register an Azure AD application with the following permission

APP 2 (Admin App):

Another app for admins for granting roles to APP 1

Grant permission role to the SharePoint site for the Azure AD Application:

This step is grant permission for the Azure AD application with Sites.Selected application permission to a given site collection. Perform the following steps to grant the role (Read/Write or Read and Write) to the AD app (APP 1)

  1. Gather the Client ID, Tenant ID and Client secret of the admin app
  2. In PostMan, make a HTTP request to generate the access token for the admin app – APP 2

Request Method: POST

Request URL: https://login.microsoftonline.com/yourtenantID/oauth2/v2.0/token

Request Header:

Key: Content-Type

Value: application/x-www-form-urlencoded

Request Body:

grant_type: client_credentials

scope: https://graph.microsoft.com/.default

client_id: adminappclientid

client_secret: adminappclientsecret

  1. Copy the access_token to be used for granting roles.
  2. Get the Client ID of the Azure AD Application – APP 1 with Sites.Selected permission
  3. Decide on the Role (Read or Write) for the granting the Site specific role for the APP 1 with Sites.Selected permission.
  4. Get the SiteId of the SharePoint site to be assigned permissions for the application (App 1). An easy way to get the siteId is by viewing the page source from the browser with the site open.
  5. In PostMan, make a HTTP request to grant the site role to the APP 1. Replace the siteId with the actual siteId which will be a guid

Request Method: POST

Request URL: https://graph.microsoft.com/v1.0/sites/siteId/permissions

Request Header:

Key: Content-Type

Value: application/json

Request Body: raw

Replace the id with APP 1 client id and the display name of the APP 1

{

  "roles": ["write"],

  "grantedToIdentities": [{

    "application": {

      "id": "xxxxxx-APP1GUID-4ad9-xxxx-4d36e68b0454",

      "displayName": "AppNamewithSelectedPermissions-App1"

    }

  }]

}
  1. Paste the access token on the token box as shown below with Authorization type selected as Bearer Token
  1. Send the request for granting the role for APP 1. After the request is made the APP 1 with the Sites.Selected permission has access to the site with write role we have granted to. The same way you can assign app access to multiple SharePoint sites.

Grant the Role using PnP PowerShell:

There is a PnP PowerShell cmdlet to grant access to SharePoint site for the registered AD application with Sites.Selected permission. The command to grant permission can be executed by the Site Collection administrator after creating a connection to the site

Connect-PnPOnline https://tenantname.sharepoint.com/sites/siteName -Interactive

You will be prompted to enter credentials including the second factor. After the connection is created, enter the following command to grant Write permission to the AD App

Grant-PnPAzureADAppSitePermission -AppId 'AzureAppIdwithSitesdotselectedpermission' -DisplayName 'App Name here' -Site 'https://tenantname.sharepoint.com/sites/sitename' -Permissions Write

To install PnP PowerShell module on the local workstation, enter the following command

Install-Module -Name PnP.PowerShell

There is also a PnP cmdlet to register an AD app in the Azure Active directory.

Grant the Role by an Admin using the Graph Explorer tool:

Role can also be assigned by an admin with out having the admin AD app (APP 2) using the graph explorer tool. This can be done only by an Admin

If there is any error related to permissions, make sure the admin consents to Sites.FullControl.All for the Graph tool. There is also an SPFx community webpart developed by a community member with User Interface for this operation

https://github.com/pnp/sp-dev-fx-webparts/tree/master/samples/react-sites-selected-admin

Reference:

Assign permission role programmatically: https://docs.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=csharp

Summary: On this post we have seen how to grant access to Azure AD which has the Sites.Selected permission. You can also grant permission/role to an app with sites.selected permission programmatically. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.