In this blog article, let us see how to call a Microsoft Graph API as an application in a Power Automate HTTP connector using a certificate credentials instead of a secret from the Azure Active directory application. Microsoft recommends using a certificate (instead of a client secret) as a credential for a higher level of assurance. Find below the list of actions to enable calling the Graph API using certificate credentials
- Creation of Self-Signed certificate
- Application Registration in Azure AD Portal
- Creation of Power Automate cloud flow with the HTTP Connector
- Method 1: Without using Azure Key Vault
- Method 2: Azure Key Vault to store Certificate
Pre-Requisites:
- Access to HTTP Premium Connector in Power Automate
- Access to register Azure AD Application in Azure AD Portal
- Install PnP PowerShell Module
Creation of Self-Signed certificate:
The first step is to create a certificate. A self-signed certificate can be created by using the Windows PowerShell command New-SelfSignedCertificate or PnP PowerShell command New-PnPAzureCertificate. The self-signed certificate will be used in the Azure AD application. Find below PnP PowerShell command to create the certificate with the default validity of 10 years and secured with a password.
New-PnPAzureCertificate -CommonName "MSFlow Certificate" -OutPfx MSFlow.pfx -OutCert MSFlow.cer -CertificatePassword (ConvertTo-SecureString -String "pass@word1" -AsPlainText -Force)
From the above screenshot, the certificate files MSFlow.pfx and MSFlow.cer will be available on C:\Users\ashiq\Desktop\Projects\PowerAutomate. Copy the PfxBase64 and the password which will be used in the HTTP connector while calling the Graph API. To get the details of an existing certificate, the PnP command
Get-PnPAzureCertificate -Path "MSFlow.pfx" -Password (ConvertTo-SecureString -String "pass@word1" -AsPlainText -Force)If you already have a self-signed certificate available, find the below command to convert the certificate to PfxBase64 encoding
$fileContentBytes = get-content 'C:\Users\ashiq\Desktop\Projects\PowerAutomate\MSFlow.pfx' -Encoding Byte
[System.Convert]::ToBase64String($fileContentBytes) | Out-File 'PfxBase64.txt'Application Registration in Azure AD Portal:
Register an application in Azure AD and obtain the client id & tenant id for the registered application. In this example I have added the Application permission with Admin Consent to access all the recent events of a user from Outlook.
To add the above created self-signed certificate, click Certificates & secrets under the Manage blade. Click Upload certificate > Select the certificate file MSFlow.cer > Add
Once the certificate is added successfully, you would be able to see the certificate Thumbprint with the Start date & Expiry date
Creation of Power Automate cloud flow with the HTTP Connector:
Let us see below how to access a Microsoft Graph API with & without using the Azure Key Vault.
- Method 1: Without using Azure Key Vault
- Method 2: Azure Key Vault to store Certificate
Method 1: Without using Azure Key Vault
In the cloud flow, add a Compose action to store the PfxBase64 value copied during the creation of the certificate. Now add the HTTP action to get the users events from the default calendar
Request Type: GET
URL: https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/calendar/events
Authentication: Active Directory OAuth
- Tenant: TenantId
- Audience: https://graph.microsoft.com
- Client ID: Azure AD Client Id
- Pfx: Output of the compose action
- Password: Certificate password during the creation Find below screenshot for your reference
Find below screenshot for your reference
Run the flow, it should be able to get the outlook events as an application for the given user.
Method 2: Azure Key Vault to store Certificate
Azure Key Vault is a cloud service for storing and accessing secrets enabling your applications accessing it in a secure manner. Follow this article to upload the above generated certificate to the Azure key vault.
After the certificate is uploaded to the Azure Key Vault, with the help of the premium Azure Key Vault connector you would be able to access & use the secret in your cloud flow or logic app.
Step 1: Add the action Get secret in the flow. After entering the name of the Key Vault and the sign button is clicked, the connection would be established.
If you have any issues establishing a successful connection to the Azure Key Vault in your Power Automate cloud flow, refer to the blog post https://ashiqf.com/2021/07/18/azure-key-vault-in-power-automate-cloud-flow-could-not-retrieve-values/
Step 2: Select the certificate name from the list of secrets. Add the HTTP action with the details below
Request Type: GET
URL: https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/calendar/events
Authentication: Active Directory OAuth
- Tenant: TenantId
- Audience: https://graph.microsoft.com
- Client ID: Azure AD Client Id
- Pfx: Output of the action Get secret from the dynamic content
- Password: null should be added from the expression right next to dynamic content.
Run the flow, it should work as intended. Refer to my other blog posts related to Microsoft Graph API in Power Automate:
Call Microsoft Graph API in Power Apps and Power Automate using a Custom connector
Batch SharePoint requests [GET, POST, PATCH, DELETE] in PowerAutomate and MS Graph
Summary:
There are different authorization flows available in Microsoft Graph which could be leveraged based on needs. If you are visiting my blog for the first time, please do look at my other blogposts.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I post them.
Mohamed Ashiq Faleel 