Activity feed notifications appears in the Teams activity feed panel with link to various locations thus enabling developers to build actionable content. These notifications are sent as push notifications in the Teams client. In this blogpost, let us see how to send Teams activity feed notification using
Custom Teams App with a Bot
Power Automate standard action: Post a feed notification
Pre-Requisites:
Access to HTTP Premium Connector in Power Automate
Microsoft graph has API endpoints to send activity feed notifications to Teams users. The pre-requisite to use the activity feed graph endpoint is to have a custom Teams app scoped to a Team, or in a chat or user.
Step 1: Custom Teams App scoped to Team:
For this blogpost, I have used a custom Teams app scoped to a Team. Refer to the following blogpost to create a custom Team app scoped to a Team with a Bot capable of sending an Adaptive card message on a channel
Do not install the Teams App yet before completing the other steps given below. After the Teams bot is created, a custom Azure Active directory Application must be registered.
Step 2: Azure AD Application – Microsoft Graph Activity Feed permission:
Register an Azure AD application to add the Microsoft Graph permission to be send activity feed. Copy the Application (client) ID and Tenant Id of the registered app from the Overview section and create a secret from the Certificates & secrets under Manage blade per the screenshot shown below. Once the secret is created, copy the value to be used in the Power Automate cloud flow
Add the application permission TeamsActivity.Send with an admin consent.
Step 3: Link the AD app to the Teams App
The AD application with permission to send activity feed is created, the next step is to link the Teams app created in Step 1 with the AD app. In the Teams Developer portal, enter the Application (client) ID in the apps Basic Information under the Overview section as shown in the below screen shot
Don’t forget to Save the App in the Developer portal after the Application ID is entered. Now go to the App Features and then click Activity Feed notification as shown below
Click + Add an activity and enter the following information per the screenshot below
Type: informationBroadcasted
Description: Information Broadcasted Activity
Title: Notification from {actor} broadcasted by {broadcastedBy}
Click Save. The Teams app is now ready to be installed, follow the instructions here to install the bot in a Team for testing the Activity Feed notifications.
Power Automate Cloud Flow to send Adatpive card message and Activity Feed:
The Teams app is ready and now let’s create an Instant cloud flow with manual trigger to send an Adaptive card message to a Teams channel (General or any standard channel) and then Deep link to the adaptive card post in the Teams Channel to the activity feed notification. I have used a Premium HTTP connector action to send the adaptive card using Bot Framework REST API. Go through the following post to send the Adaptive card
In the flow after the action HTTP-SendAdaptiveCardMessage, add a compose action with the following expression to get the Message ID of the Adaptive card channel message
body('HTTP-SendAdaptiveCardMessage')?['id']
Add two compose action to store the TeamIdorGroupId and TeamChannelID as shown below
Add a HTTP action (Premium) to send the activity feed to all Team members (Beta) using the Graph Activity Feed API. Find the details below for the HTTP request
If you are having issues (Invalid Expression) while saving the flow, add additional @ keyword in the recipient as shown below
Click Show advanced options in the HTTP action to enter the Authentication details. Enter the Client (Application) ID, Secret and Tenant Id from Step 2
Time to test the Power Automate flow. Find below the Activity Feed message for a Teams user
Note:
The Teams app can also be enabled with Resource Specific Consent, to do so in the Teams Developer portal click Permissions on the Left bar. In the section Team Permissions select TeamsActivity.Send.Group under Application. If you have done this, Step 2 is not required. I will cover this in a different blog post.
Power Automate standard action: Post a feed notification:
There is a standard Teams action Post a feed notification which creates an activity feed with/without Deep link to a chat or Teams Channel using the Power Automate Teams Bot. Find below the action
Summary:
Isn’t this powerful to have engaging and actionable content for the users in Teams. There can be many use cases which could be applied for this setup e.g: Notify user and deep link to a Power App added in Teams channel etc. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I publish them.
You can share an app with Microsoft Teams users since each Microsoft team also creates a Microsoft 365 group in Azure AD. The only pre-requisite is the associated Microsoft 365 group of the Microsoft Team should be securityEnabled. By default, the Microsoft team group is not security enabled. If you are trying to share a Power Apps with a Microsoft team which is not security enabled, you will not be able to add or select the group
Microsoft has documentation on how to security enable a Microsoft 365 group but you should have PowerShell installed on your computer. In this blog post, let us see how to enable securityEnabled property using Graph Explorer which is a web portal.
Pre-requisite:
Owner of the Microsoft Team
Access to Graph Explorer
Step 1: Find the Microsoft Teams Group Object ID. Login to the Microsoft Azure Active directory admin portal. Search for the Microsoft teams group using the display name of the Team. From the overview section of the group, copy the group Object Id
Step 2: Sign in to Graph Explorer. Find below the request details
If you have consent for permissions, click Modify permissions as shown above to grant consent. Once everything is set, click Run query to enable security role. Once the property is set to True, you can share the Power App with Teams users. This setting is not required to share a Microsoft cloud flow.
Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.
In this blog article, let us see how to call a Microsoft Graph API as an application in a Power Automate HTTP connector using a certificate credentials instead of a secret from the Azure Active directory application. Microsoft recommends using a certificate (instead of a client secret) as a credential for a higher level of assurance. Find below the list of actions to enable calling the Graph API using certificate credentials
Creation of Self-Signed certificate
Application Registration in Azure AD Portal
Creation of Power Automate cloud flow with the HTTP Connector
Method 1: Without using Azure Key Vault
Method 2: Azure Key Vault to store Certificate
Pre-Requisites:
Access to HTTP Premium Connector in Power Automate
The first step is to create a certificate. A self-signed certificate can be created by using the Windows PowerShell command New-SelfSignedCertificate or PnP PowerShell command New-PnPAzureCertificate. The self-signed certificate will be used in the Azure AD application. Find below PnP PowerShell command to create the certificate with the default validity of 10 years and secured with a password.
From the above screenshot, the certificate files MSFlow.pfx and MSFlow.cer will be available on C:\Users\ashiq\Desktop\Projects\PowerAutomate. Copy the PfxBase64 and the password which will be used in the HTTP connector while calling the Graph API. To get the details of an existing certificate, the PnP command
Register an application in Azure AD and obtain the client id & tenant id for the registered application. In this example I have added the Application permission with Admin Consent to access all the recent events of a user from Outlook.
To add the above created self-signed certificate, click Certificates & secrets under the Manage blade. Click Upload certificate > Select the certificate file MSFlow.cer > Add
Once the certificate is added successfully, you would be able to see the certificate Thumbprint with the Start date & Expiry date
Creation of Power Automate cloud flow with the HTTP Connector:
Let us see below how to access a Microsoft Graph API with & without using the Azure Key Vault.
Method 1: Without using Azure Key Vault
Method 2: Azure Key Vault to store Certificate
Method 1: Without using Azure Key Vault
In the cloud flow, add a Compose action to store the PfxBase64 value copied during the creation of the certificate. Now add the HTTP action to get the users events from the default calendar
Password: Certificate password during the creation Find below screenshot for your reference
Find below screenshot for your reference
Run the flow, it should be able to get the outlook events as an application for the given user.
Method 2: Azure Key Vault to store Certificate
Azure Key Vault is a cloud service for storing and accessing secrets enabling your applications accessing it in a secure manner. Follow this article to upload the above generated certificate to the Azure key vault.
After the certificate is uploaded to the Azure Key Vault, with the help of the premium Azure Key Vault connector you would be able to access & use the secret in your cloud flow or logic app.
Step 1: Add the action Get secret in the flow. After entering the name of the Key Vault and the sign button is clicked, the connection would be established.
There are different authorization flows available in Microsoft Graph which could be leveraged based on needs. If you are visiting my blog for the first time, please do look at my other blogposts.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I post them.
SharePoint and Microsoft teams services in Microsoft 365 makes it easier to share content or collaborate with external users who is outside your organization. A guest or external user is someone who do not have a school or work account with your organization, they can be your partner, vendor, customer etc. In this article let us see how to build a self-registration experience for external users with the help of Microsoft Forms & Power Automate to onboard them to a
SharePoint online site
Microsoft Team
Microsoft Form to collect details from External User:
To start building this experience, create a Microsoft form with the setting Anyone can respond and with fields (Name, Email address etc) to collect information from the external user to send invitation.
Azure Active Directory Application registration:
The next step after creating the form is to register an application in Azure AD with Microsoft graph API permission to send invitation to external user. After the app is registered obtain the client id, client secret & tenant id to be used in the Power Automate flow further down this article to generate the JSON webtoken to access Microsoft Graph API for sending invitation. Find below screenshot with the permission User.Invite.All added to the app. Keep in mind the permission requires Admin consent.
There is also delegated permission available for User.Invite.All.
Onboard External users to a SharePoint online site:
Once the Microsoft form is ready, we can start building the Power Automate flow which can send the email invitation to the external user and for granting access to the SharePoint site. The external sharing features of SharePoint Online enables users in your organization share content with people outside the organization. There is no limit to the number of guests you can invite to SharePoint sites as per this SharePoint online limits documentation. Find below steps to create the Power Automate flow with a custom approval on a Microsoft Team
Power Automate Flow:
Create an Automated flow with the trigger When a new response is submitted with the above form name selected on the dropdown and then add the action Get response details with the Response Id selected from the dynamic content for the trigger to get the form details submitted in the Microsoft form by the external user. Find screenshot below
Adaptive card for Teams Approval:
For the Approval in Microsoft Teams, I have used a custom card created from the Adaptive card designer with elements ColumnSet, TextBlock to display information submitted in the form & action button Approve and Reject to take further action by a Microsoft teams user to proceed with Invitation for the Guest account creation. Find screenshot below from the adaptive card designer
After the card is designed, copy the card payload from the designer and go to the flow and then add the action Post adaptive card and wait for a response and make appropriate selection on the available fields as shown below
Post as: Flow bot
Post in: Channel
Message: Payload copied from designer. Replace the fields for usrName & userEmail selected from the dynamic content from the outputs of the action Get response details. The created on textBlock element has the flow expression formatDateTime(utcNow(),’g’) to display the current datetime information on the card.
Update Message: Custom message which appear after an action taken in Microsoft Teams
Team: Select the Team where you would like to post the card
Channel: Select the channel from the Microsoft Team where you would like to have the approval adaptive card posted
The above adaptive card is used to get approval from the Organization teams user based on the information submitted by the external user in the Microsoft form to proceed with the next steps for sending the guest account invite. Now we will have to identify if the user has clicked the button Approve or Reject. This information can be easily obtained from the Outputs of the action.
Note: Adaptive card can also be sent using a Microsoft Graph API with the card payload in Attachments field
Adaptive card for Teams – Dynamic content Missing:
As of the time I am writing this article there is an issue in getting the output as dynamic content for the Post adaptive card and wait for a response action if there is dynamic content added on the JSON Payload (Name, Email from Forms). The fix is to run the flow till the post adaptive card action and take an action on Microsoft teams by clicking either Approve or Reject and then go to the Flow run from the history as shown below
From the above screenshot, we can see if the user has clicked the Approve or Reject button from the field submitActionId. To get this value in Flow, use the expression
To get the submitActionId, enter the expression outputs(‘Post_adaptive_card_and_wait_for_a_response’).body.submitActionId in the compose action, then add a condition control to decide action based on users approval
I have observed this issue occurs in other team’s adaptive card actions as well, the above fix should work. Now we can implement the logic to send the Guest Invitation using Microsoft Graph API. To send the invite, we will use the Azure AD application registered above.
Generate JSON Web token to Access Graph API:
Be ready with the ClientId, Client Secret and Tenant Id collected from the AD app registration you have done initially. The only authentication flow to generate a access token for application permissions is Client credentials.
To generate a token
Store the Client Secret on a String variable or a compose action
Make a HTTP request using the HTTP connector with the following details. Make sure to replace the string for tenantId, azureAdAppclientId and azureAdAppclientSecret
Add a HTTP connector action to the flow for making a POST request per the following information
For the client secret make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request may fail due to the presence of special characters.
In the above screen, I have added a compose action to store the SharePoint site address to be used for granting the external user access to. To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema
Include the access token when calling the Microsoft Graph API in the Headers section or raw as shown in the next section.
Send Invitation using Microsoft Graph API:
Before sending the invitation, validate if the user already exists in your organization AD tenant by using the email address of the external user with the help of the action Search for users as shown below
If there is null response for the action Search for users, then the user does not exist. This can be calculated using the expression length and by passing the value as a parameter, if it is equals zero then the external user does not exist. If the user already exists, we can directly proceed to granting the external user access to SharePoint.
Graph API to check if a guest user already exists:
{
"invitedUserDisplayName": "External User Name",
"invitedUserEmailAddress": "External User Email Address",
"sendInvitationMessage": true,
"inviteRedirectUrl": "SharePoint site URL or any URL",
"invitedUserMessageInfo": {
"messageLanguage": "en-US",
"customizedMessageBody": "Welcome to the M365PAL SharePoint site! Click the link below and sign in."
}
}
In HTTP request body, use the dynamic content of the form to populate the fields invitedUserDisplayName & Emailaddress. The invite redirectUri is the output of the compose action which has the SharePoint site url. I have added a delay of one minute before granting access to SharePoint site for the external user, this step is to make sure there is an entry in Azure AD for the external user/guest account.
Grant Access to SharePoint site for the external user:
As soon as the guest account invite is sent from the above Microsoft graph API request HTTP action, it is time to grant access to the SharePoint site for the external user. There is a SharePoint REST API endpoint to add a user to a SharePoint group (Owners, Member, Visitors), find below the request details
For the external user, the email address used to send the invite works.
Go back to the flow and add the action Send an HTTP request to SharePoint to call the above REST api. Find below the screenshot of the action
The above action uses delegated permission, the user of the connection should have access to the SharePoint site. As of now, there is no Graph API for adding the user to a SharePoint group but you can register an app in Active directory and add permission for SharePoint to call the above REST API. Refer to the documentation Granting access via Azure AD App-Only for calling the REST API using the registered AD app.
Testing the flow:
The whole flow can now be tested by submitting the form which sends the adaptive card on Teams first as shown below
After the card is approved, the invite is sent to the external user. After the external user accepts the invite, the user should be automatically redirected to the SharePoint site with the appropriate access. The access to the SharePoint site for the external user can be validated by the checking the membership of the SharePoint group in the site even before the user accepts the invitation. The site members can also be validated by accessing the URL for All users list:
This approach of granting access to SharePoint site for external user can be applied to internal users by turning off the access requests.
Limit External Sharing by domain:
The external sharing on SharePoint can be restricted based on domain of the external user. To enable the setting login into the SharePoint admin center > Policies > Sharing > Enable the checkbox Limit external sharing by domain > Add domain
Onboard External users to a Microsoft Team:
To onboard the external user to a Microsoft Team, the only change to the above flow is, instead of adding the user to the SharePoint group the user must be added as a Member to the Microsoft 365 group connected to the Microsoft Teams. The graph API to add a member to a Microsoft Team is
The expression to get the user object Id of the external user as per the below screenshot is
outputs(‘HTTP-SendGuestInvitation’).body.invitedUser.Id The expression can be used in a compose action to get the Object Id of the external user which can be used in the Graph API request to add the member to a Team. HTTP-SendGuestInvitation is the name of the HTTP Action.
Permission for the Azure AD App to add a member to a Microsoft Team:
The application permission Group.ReadWrite.All has to be added on the Azure AD app, if you are going to be using the same JSON webtoken generated above. There is delegated permission as well for adding members.
Summary: With this, the Power Automate flow should send the invitation as shown below to the external user.
If it is for a Microsoft Team, the external user should be licensed for teams service to open it on their teams client. The same flow can be also configured for Microsoft 365 group. If you are visiting my blog for the first time, please do look at my other blogposts.
With the assumption that you already know about Microsoft Graph and its capabilities I will directly jump in with the steps and instructions to call Microsoft graph Endpoints as a daemon app using Application permissions with the help of HTTP connector. Calling graph from a flow opens a wide range of possibilities which are not available with the prebuilt connectors. As of now you will not be able to call Microsoft graph with application permissions using a custom connector.
Pre-Requisites:
Access to HTTP Premium Connector in Power Automate
Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. In this example I have added the Application permission Calendars.Read to access all the recent events of a user from Outlook.
It is not required in the Azure AD application to have a redirect URI.
Power Automate Flow:
It is now time to generate the graph token using the HTTP connector in flow which is a pre-requisite to call the Graph API endpoint. The only authentication flow to generate a access token for application permissions is Client credentials.
To generate a token
Store the Client Secret on a String variable
Make a HTTP request using the HTTP connector with the following details. Make sure to replace the string for tenantId, azureAdAppclientId and azureAdAppclientSecret
Method 1:
Add a HTTP connector action to the flow for making a POST request per the following information
For the client secret make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request will fail due to the presence of special characters.
To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema
Summary: I have written a blog to get the attendee details of a meeting using this approach to Microsoft graph event endpoint API. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other Microsoft graph in Power Automate blogposts.
If you have a requirement to access graph endpoint as a signed in user/account on an instant/automated/scheduled flow, this blog post will help you with instructions and steps to access the Microsoft graph API with delegated permissions using the
HTTP connector
Invoke an HTTP request connector
There are resources (Presence information, Planner etc) in Microsoft graph which is available only as delegated permissions and not as application permission. Application permissions can be granted only by an administrator but users can register an application with delegated permission (Except All permission) unless the IT team has restricted the app registration by users.
Access Graph API using HTTP connector:
I have used the HTTP connector to generate a token for accessing the Graph API using the OAuth resource owner Password Credentials grant authentication flow supported by Microsoft Identity platform with the User ID and Password. Once we have the access token, the request to the Graph API endpoint will be made. To follow along this post be ready with the following
Pre-Requisites:
Access to HTTP Premium Connector in Power Automate
Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. In this example I have added the delegated permission Presence.Read to get the presence information of the service account.
Add the redirect URI for the web http://localhost as shown on the screenshot below.
The Web redirect URI http://localhost/ is required to provide consent for the Azure AD application for the permission scope by the service account. The consent can be provided by an admin to use this application in flow by all users or the consent has to be provided by an individual user. To provide consent by an individual user in this case by the service account, construct the following url using the tenant ID, Client ID and the scope (ex. Presence.Read)
Now login to Office.com with the service account and enter the above User Consent url on a separate tab for the consent which will bring up a screen similar to the one shown below
Now Click the Accept button to provide consent for the requested permission for the service account. After the Accept button is clicked there will be a message stating that this site cannot be reached or something similar with the url like below on the browser address bar
The consent is provided, to validate the consent login to My Applications link url and the select the Azure AD application from the list and then click Manage your application as shown below
Find below screenshot with consent for Presence.Read permission. To revoke the permission, click Revoke permissions
To provide Admin consent for all the users to use this app in the flow, the URL is
Now we are ready to generate the graph token using the HTTP connector in flow which is a pre-requisite to call the Graph API endpoint. To generate a token in Flow
Store the Client Secret on a String variable
Make the following HTTP request using the HTTP connector
For the client secret and password (only if there is special character), make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request will fail due to the presence of special characters.
If there is no consent provided by the user/service account for the Azure AD application then the above HTTP request will generate the following error
{“error”:”invalid_grant”,”error_description”:”AADSTS65001: The user or administrator has not consented to use the application with ID ‘xxxxxxx-65xx-47e0-xxxx-xxxxx0bb22′ named AzureADAppName’.
To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema
Add the Body from the dynamic content from the HTTP – GET Token action to the content of the Parse JSON action
Include the access token when calling the Microsoft Graph API on the Headers sections as shown below. The access_token is from the output of the Parse JSON action
If you run the flow, you can now see the response with the presence information of the service account as shown below
Use Azure Key vault connector to secure the Client Secret & Password information in the flow.
Invoke a HTTP Request connector:
This connector can be used to fetch resources from various web services authenticated by Azure AD including Microsoft Graph in more easier way. Look for the action with the keyword invoke an HTTP request
If it is accessed for the first time, enter https://graph.microsoft.com on both Base and Azure AD resource URI and then click Sign In
Enter the Graph API endpoint on the Url of the request and select the Method
The API is executed in the context of the action’s connection as shown below. In this example it gets the profile information of the serviceaccount
If you get an error similar to { “error”: { “code”: “Forbidden”, “message”: “” } }, then it could be because the connector has a limited set of scopes. Getting Presence information is not supported with this connector as of now. If your scenario requires something more advanced or not currently supported by the connector, please use the �HTTP� connector as shown above or create a custom connector.
Summary: There are many endpoints available with Microsoft graph which can be leveraged for different use cases. Keep in mind the HTTP connector in Power Automate is Premium, you can also consider using this approach in Azure Logic apps. The access token is valid only for an hour, if you have to call a graph api after an hour from the initial token generation time the token has to be obtained again. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.
Microsoft graph is the gateway to data and intelligence in Microsoft 365 which connects multiple services like SharePoint, Teams, Planner etc and devices. Microsoft graph has one common endpoint that is RESTful Web API enabling you to access Microsoft Cloud service resources. With that said if you want to communicate with Microsoft Graph Services or any API services, custom connectors can be used to address needs which are not available as prebuilt connectors in Power Apps and Power Automate. The purpose of this blog post is to show how to
Call Microsoft Graph API in Power Apps using custom connector
Call Microsoft Graph API in Power Automate using custom connector
Custom connector supports the following authentication types
Anonymous (No Authentication)
Basic Authentication (UserName & Password)
API Key
OAuth 2.0
As of the time I am writing this article, custom connector supports only authentication flow Authorization code & not client credentials. If you use OAuth 2.0, it means you can use only delegated permissions & not application permissions as permission type in the custom connector. To be more precise, the logged in user from PowerApps or flow actions/trigger connection user should have access to the resource to be accessed from Microsoft Graph & cannot access the resource as a daemon app (Application Permission). Find below the pre-requisite for the custom connector
Premium Plan (App/user based) for all users intended to use the custom connector in Power Apps or Power Automate. To test the custom connector you can also get a community plan if you do not have a premium plan.
Create & setup Custom Connector to call Microsoft Graph API:
Custom connector can be created from Power Apps maker portal or Power Automate portal. Custom connector created from any of the above-mentioned interfaces can be used in a Power App or Power Automate cloud flow. A custom connector is nothing but a wrapper around a REST API that allows Power Apps or Power Automate and Azure Logic Apps to communicate with that REST API.
Azure Active Directory Application:
To access the Microsoft Rest API there must be an Azure AD app registered with appropriate graph permission intended for the operations through a custom connector. For this example I have registered an AD application with the following delegated permissions
Calendars.Read
To display the users recent events in Power Apps gallery control
Sites.Manage.All
To create a New list item in SharePoint list from Power Apps and Power Automate
User.Read
To display users profile information from an Extension Attribute in Power Apps
Obtain the Client ID from the Overview section of the Azure AD app and create a secret from the Certificates & secrets under Manage blade. Once the secret is created, copy the value to be used in the custom connector.
The Redirect URI is common and will be created while creating the custom connector. Now we are ready to create the custom connector, go to Power Automate portal and expand Data on the left panel > Custom connectors > + New custom connector > Create from blank
After entering the connector name, you will get the below screen. Do not have the word SharePoint part of your connector name to avoid issues.
Enter graph.microsoft.com on Host and some description about the connector. You can also change the logo to a custom one. Now click Security on the right bottom corner to enter the Azure AD application information for the OAuth 2.0 authentication type. Under the section OAuth 2.0
Change the Identity provider to Azure Active Directory
Enter the Client id & Client secret of the Azure AD application
Enter the Scope as Calendars.Read Sites.Manage.All User.Read based on the permissions you have added on the Azure AD app. Leave a space between each permission
After the above information is filled in, click Create connector which will autogenerate the Redirect URL https://global.consent.azure-apim.net/redirect. This is the URL we have added as a Redirect Web URI in the Azure AD application. The connector is now ready to add actions based on Graph API endpoint to
Get users recent events from the users default Outlook calendar
Create a List item in SharePoint List
Get users custom extension attribute from users Active directory profile
Get users recent events from the Outlook calendar:
After the custom connector is created in the above step, now click the Definition tab of the Custom Connector > click + New action which will create the following screen to enter information about the action
After the Summary, Description and Operation ID is entered. Click + Import from sample under the Request section to the enter the Graph API endpoint url https://graph.microsoft.com/v1.0/me/calendar/events.
It is Okay to exclude the url https://graph.microsoft.com since we have provided the information in the Security tab.
Now we are ready to provide default response for the action. To get the request response sample for the graph api endpoint, SignIn to the Graph Explorer with your organizational ID to copy the response of the API request to be used in the custom connector action
After running the query in the graph explorer tool, copy the whole content (CTRL+A) from the Response preview section as shown on the above screenshot. If there is any error related to permissions while executing the http request in the explorer tool, make sure you have consented to the permissions in the Modify permissions tab.
Click + Add default response and then paste the content copied from the graph explorer tool on Body as shown below
Click Import and then click Update connector. Let us add the second action to create a list item in a SharePoint list
You should replace the SiteId and listId in the above URL. Easy way to get the ListId and SiteId is by viewing the Viewing the page source of the SharePoint site with the list open
Request Body:
For this example I have a SharePoint list with a default column Title and a single line of text column by the name Location.
Once again click + New action on the Definition tab to add an action for creating a new list item.
After the Summary, Description and Operation ID is entered click + Import from sample under the Request section to the enter the Graph API endpoint url with the Verb now selected as POST and the request body or payload
Click Import. To get the request response sample for the graph api endpoint, go to the graph explorer to copy the request response as shown below for the above POST request to create the list item
Click + Add default response and then add the response copied from the graph explorer tool on the Body section as shown below
Click Import button and then click Update connector. Let us add the second action to read the users active directory profile to extract extension attribute information
Get users custom extension attribute from users Active directory profile:
On my tenant I have added additional properties on extension attribute in Azure AD profile of the user & displayed them on the User profile card using the profile card graph API. The graph API to get the extension attribute information of the user is in Beta as of now
Once again click + New action on the Definition tab to add the third action for getting the users profile information from Azure active directory.
After the Summary, Description and Operation ID is entered click + Import from sample under the Request section to the enter the Graph API endpoint url with the Verb selected as GET
Click Import. Go to the graph explorer to copy the request response for the GET request for https://graph.microsoft.com/beta/me and then click + Add default response to paste the request response copied from the graph explorer tool. Click Import button and then click Update connector. We have till now added three actions which can be tested in the same interface
Test the Action:
To test the different actions added in the connector, click the Test tab and then click + New connection.
You will be prompted to sign in using the Organization ID and provide a consent for the permissions requested as a scope on the custom connector.
After the connection is created, you can test the different actions available as shown below for one of the action CreateListItem in SharePoint
The custom connector creates the Swagger definition, you can also view and update the Swagger definition by turning on Swagger Editor
If you look at the security definitions in the above screenshot for the connector we have created till now, the authentication flow used to authenticate the user is Authorization code which supports only delegated permissions and not application permissions in MS Graph. The Swagger definition file can be downloaded from interface shown below
The Swagger definition file can be used to re-create the custom connector by clicking the Down arrow and then by clicking Import an OpenAPI file. On the popup window enter the Connector Name and select the downloaded Swagger file to recreate the connector after filling in information on the Security tab.
You download the Swagger definition file of the custom connector with the above mentioned actions from this github link.
Call Microsoft Graph API in Power Apps using custom connector:
To call a custom connector in Power Apps, the first step is to add the connector to the Power App by the app maker. Click Data on the left panel and then click the button Add data > look for the connector by the name > Click the connector name to create a connection.
Once the connection is created & added, you will be able to use it in the different controls added to the app
I added the following controls to
Label – To display the Extension attribute of the user from the action GetUserProfile
Gallery – To display the users recent calendar events from the action
Button – To create new item on the list and to get information from Graph about the user calendar events and to get the users AD profile
A Button control to load the data from Microsoft Graph GET actions GetUserProfile & GetMyEvents on a context variable.
Once we have the data loaded on the context variable using the OnSelect button click event, the data can be displayed on different controls. Use the graph explorer tool to validate the response of the request and to help with display the data on a control. Find below the response for the me endpoint which provides the profile information of user including the extension attribute.
To display the Extension attribute1 information on a label control, the code is
I have added a gallery control to display the calendar events. First step is to bind the gallery control to the context variable (userCalendarEvents) using Items property of the control
Items: userCalendarEvents
On the gallery control fields
field1: ThisItem.subject
field2: ThisItem.organizer.emailAddress.name
For constructing the above formula (Field1 and Field2) for displaying the information on the different fields in the control, graph explorer response preview will help you
I have added a button control to create the list item using the action CreateListItem with the following formula on the OnSelect event
The user has to create a connection to the Custom Connector & provide consent for the Graph permission (User.Read Sites.Manage.All Calendars.Read) for the first time
The users of the app should have premium license (App/user based)
Call Microsoft Graph API in Power Automate using custom connector:
To use a custom connector by a user in a flow Instant/Scheduled/Automated, it
Must be shared to the user by the custom connector Owner/creator
Premium license for the flow user
Consent to be provided for the graph permissions. The consent can be individual or admin consent
Add the action to the flow by clicking Custom and then select the custom connector as shown below
Now select the action
It will ask you to Sign In to create the connection and there will be a prompt to provide consent to the permission for the AD application for the first time as shown below
Enter the parameter values to create the list item
Summary: Microsoft Power Apps and Power Automate are great and simple to get started with no code. If you are a pro developer and want to extend the capabilities with Microsoft Graph & other external/custom RESTFul API’s you can do so with the custom connector. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.
As per this announcement made on Feb 2021, Microsoft graph now provides option to have granular permissions level using Sites.Selected application permission for the AD application instead of granting permission for all the sites in the tenant. The permission Sites.Selected does not provide access to any SharePoint site collections for the application unless the AD application has been assigned with permission roles read or write by an Admin. On this post let us see how to grant a site permission (Read or Write) to an AD Application with Sites.Selected permission by using postman client. As of the time I am writing this post there is no user interface to assign permissions to specific site collections for the application.
Pre-Requisite:
Register Azure AD Application (APP 1) in Azure AD Portal with the following permissions
Sites.Selected (Admin Consented)
Another AD Application (APP 2) with following permission only for the admins to assign selected roles to the above App
Sites.FullControl.All (Admin Consented)
App Registration:
Start with registering the above said two Azure AD applications
Another app for admins for granting roles to APP 1
Grant permission role to the SharePoint site for the Azure AD Application:
This step is grant permission for the Azure AD application with Sites.Selected application permission to a given site collection. Perform the following steps to grant the role (Read/Write or Read and Write) to the AD app (APP 1)
Gather the Client ID, Tenant ID and Client secret of the admin app
In PostMan, make a HTTP request to generate the access token for the admin app – APP 2
Copy the access_token to be used for granting roles.
Get the Client ID of the Azure AD Application – APP 1 with Sites.Selected permission
Decide on the Role (Read or Write) for the granting the Site specific role for the APP 1 with Sites.Selected permission.
Get the SiteId of the SharePoint site to be assigned permissions for the application (App 1). An easy way to get the siteId is by viewing the page source from the browser with the site open.
In PostMan, make a HTTP request to grant the site role to the APP 1. Replace the siteId with the actual siteId which will be a guid
Paste the access token on the token box as shown below with Authorization type selected as Bearer Token
Send the request for granting the role for APP 1. After the request is made the APP 1 with the Sites.Selected permission has access to the site with write role we have granted to. The same way you can assign app access to multiple SharePoint sites.
Grant the Role using PnP PowerShell:
There is a PnP PowerShell cmdlet to grant access to SharePoint site for the registered AD application with Sites.Selected permission. The command to grant permission can be executed by the Site Collection administrator after creating a connection to the site
You will be prompted to enter credentials including the second factor. After the connection is created, enter the following command to grant Write permission to the AD App
To install PnP PowerShell module on the local workstation, enter the following command
Install-Module -Name PnP.PowerShell
There is also a PnP cmdlet to register an AD app in the Azure Active directory.
Grant the Role by an Admin using the Graph Explorer tool:
Role can also be assigned by an admin with out having the admin AD app (APP 2) using the graph explorer tool. This can be done only by an Admin
If there is any error related to permissions, make sure the admin consents to Sites.FullControl.All for the Graph tool. There is also an SPFx community webpart developed by a community member with User Interface for this operation
On this post we have seen how to grant access to Azure AD which has the Sites.Selected permission. You can also grant permission/role to an app with sites.selected permission programmatically. If you are using SharePoint API instead of Graph API in the Azure AD app registration, Sites.Selected is available on Application Permission as shown below
Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.
Do you like this article?
Subscribe to my blog with your email address using the widget on the right side or on the bottom of this page to have new articles sent directly to your inbox the moment I publish them.
Is there a need to find the type of Microsoft 365 license and the different services assigned for a user to troubleshoot an issue related to the service they have been assigned? You have come to the right place, this post will help you find the details using the Microsoft Graph API endpoints. In Microsoft 365, licenses from licensing plans also known as SKUs give users access to the Microsoft 365 services that are defined for those plans. To find the details, there are endpoints in Graph which gives you those details
There are various tools to make request against different graph endpoints but here I will be using Microsoft Graph Explorer tool.
After you login to Microsoft Graph Explorer tool, make a request to any of the above given endpoints. Find below screenshot for the GET request to the endpoint me/licenseDetails
In the above picture, the sku Id is nothing but the Microsoft 365 license plan and the service plans array shows list of the Microsoft 365 Services (SharePoint, Power Apps, Power Automate, Exchange, Yammer etc) enabled for the user. If there are multiple license assigned for the same user then you get the list as an array with different skuid’s.
For reference, here are some of the most common sku id information that you might need:
Name
ID
Office 365 E1
18181a46-0d4e-45cd-891e-60aabd171b4e
Microsoft 365 E3
05e9a617-0261-4cee-bb44-138d3ef5d965
Microsoft 365 E5
06ebc4ee-1bb5-47dd-8120-11324bc54e06
E5 Developer License
c42b9cae-ea4f-4ab7-9717-81576235ccac
Microsoft 365 F1
17b4a1d6-2c65-478e-a046-51cf40d25d76
Power BI (Free)
a403ebcc-fae0-4ca2-8c8c-7a907fd6c235
Flow Free
f30db892-07e9-47e9-837c-80727f46fd3d
Here are some of the most common Service plan Id information:
Name
ID
SharePoint Online
5dbe027f-2339-4123-9542-606e4d348a72
Yammer
7547a3fe-08ee-4ccb-b430-5077c5041653
Power Apps
9c0dab89-a30c-4117-86e7-97bda240acd2
Power Automate
07699545-9485-468e-95b6-2fca3738be01
AAD Premium 2
eec0eb4f-6444-4f95-aba0-50c24d67f998
Exchange Online
efb87545-963c-4e0d-99df-69c6916d9eb0
For more information on the different Microsoft 365 license & service details, refer the below link
The information can also be accessed from your Office Profile, after logging in to the Office.com
Click the Profile icon and then click View account which will take you to the below screen shown on the left side
Now click Subscriptions which will show the all the different SKU’s assigned to you & the different service plan’s. Refer to the above picture on the right side.
PowerShell:
To access this information with PowerShell, refer the following documentation:
Summary: On this post we have seen how to get information on the assigned Microsoft License & services details for a user. Hope you like this article & find it informational.
This blogpost will help you to explore and interact with MS graph API endpoint’s using the following tools
Postman client
Signed in as a user/On-behalf-of API call (Delegated permission)
Application/daemon API call (Application permissions)
Graph Explorer
I have used MS graph extensively on different MS cloud services like SharePoint, PowerAutomate, PowerApps, Azure services like Azure functions and on devices like Raspberry Pi. It is a very powerful service in Microsoft 365 platform. Let start with some basics
Introduction:
MS Graph API is a RESTful web API which enables you to access different Microsoft 365 cloud service resources through its unified programmability model.
Microsoft Graph exposes REST APIs and client libraries to access data on the following Microsoft cloud services:
Microsoft 365 services: Delve, Excel, Microsoft Bookings, Microsoft Teams, OneDrive, OneNote, Outlook/Exchange, Planner, SharePoint, Workplace Analytics.
Enterprise Mobility and Security services: Advanced Threat Analytics, Advanced Threat Protection, Azure Active Directory, Identity Manager, and Intune.
Windows 10 services: activities, devices, notifications, Universal Print (preview).
Dynamics 365 Business Central.
Permission Types:
MS Graph exposes granular permissions that controls the access of the apps that has to the different resources like sites, users, groups etc. There are two types of permission
Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests and the app can act as the signed-in user when making calls to Microsoft Graph.
Application permissions are used by apps that run without a signed-in user present. For e.g Apps that run as background services or daemons. Application permissions can only be consented by an administrator.
Access token:
To call a MS Graph API all you need is an access token in the authorization header of an HTTP request.
The access tokens are issued by the Microsoft identity platform which contains information to validate if the requestor has appropriate permissions to perform the operation they are requesting. An active directory app is a pre-requisite to generate an access token to call a Graph API endpoint.
There are also Microsoft identity platform authentication libraries for .NET, JS Android, Objective-C, Python, Java, Angular facilitating validation, cookie handling, token caching and on maintaining a secure connection. Let’s now go ahead and see the tools
MS Graph Explorer:
Graph explorer is a web-based tool which can be used to build and test requests using Microsoft Graph API. The explorer can be accessed from the following URL:
There will be a default Active directory application on the Organizational Active directory of the M365 tenant by the name Graph Explorer with application id de8bc8b5-d9f9-48b1-a8ad-b748da725064. This app can be accessed from the Enterprise applications blade of the Active directory as shown below
Delegated permissions are used by Graph Explorer. Based on your access role & admin consent’s you would be able to call different Microsoft Graph API from this tool. After you have signed into the Graph Explorer tool, the access token will be generated automatically
To view the token information, copy the token and paste it on the utility https://jwt.ms/
If your token has a scp (Scope) claim, then it’s a user based token (Delegated permissions). It is a JSON string containing a space separated list of scope the use has access to call different graph endpoints. You can also find other information related to the issued token, token issued at (iat), expirty not before (nbf), expiry time (exp). The data is in UNIX time stamp but you can convert this information to standard time using the online URL
Postman is a tool that can be used to build and test requests using the Microsoft graph API’s. To use this tool for testing the Graph API endpoint’s, register an app in Azure Active directory as per the instructions from this blog post. Provide the permission (Delegated & Application) as per your need to test it using Postman.
Copy the client id, client secret & tenant ID of the registered app. To access the various endpoints like authorization and token, click on the Endpoints from the Overview section of the Active directory app.
Setting up the environment using Postman collections:
There are Postman collections with many MS graph API requests created by Microsoft for us to explore. Import the collections and setup the environment (Client ID, Client secret, tenant id) for Application API calls and on-behalf-of API calls as per the instruction from the following article
To generate an application token, make a POST request to Get App-Only Access Token from the collection Microsoft Graph. The grant_type is client_credentials since it is Application permissions.
Token Validity:
The token is valid for 3599 seconds which is 1 hour. Post that the token will expire, you will have to regenerate the token by making another call.
The AccessToken (Application API call) will be generated and automatically stored on the Environment (Microsoft Graph environment) AppAccessToken with the help of a script on the Tests tab in Postman. Copy the access token value & paste it on the utility https://jwt.ms/. Find the decoded token below which has information like the Application ID/client id of the AD app, display name and roles to which the app has access to poll the graph endpoint.
Graph API call:
The call to the Graph should have the bearer token
Signed-in user/on-behalf-of API Token:
To generate a Signed-in user token, make a POST request to Get user Access Token from the collection Microsoft Graph. The grant_type is password since it is delegated permissions.
The AccessToken (Signed-in user API call) will be generated and automatically stored on the Environment (Microsoft Graph environment) UserAccessToken with the help of a script on the Tests tab in Postman.
Copy the access token value & paste it on the utility https://jwt.ms/. Find the decoded token below which has information like the Application ID/client id of the AD app, display name and scopes (scp) to which the app has access to poll the graph endpoint. If you remember the Application API token had roles & not scopes, so this is how you can identify the token type.
Storing the production User ID and password is not recommended on the Environmental variables since the information is stored in Postman but this can be handled by generating an access token from the request Authorization tab, set the type as OAuth 2.0 and click Get New Access Token button
Fill in all the information gathered from the App in Azure AD like Appid, Secret, Endpoints (Authorization and Token), state can be any random value
Click Request token, this will prompt the user to enter the Username and password. After authentication, it will generate the token which could be used further to make API calls.
Graph API call:
The call to the Graph should have the bearer token on the Authorization tab or on the Headers tab
Summary: On this post we have seen how to use tools like Graph explorer & Postman to test different MS graph API endpoints. You can make requests like GET, POST, PUT, PATCH, DELETE based on its availability. Refer to the Microsoft documentation for v1.0 and beta endpoints. Once you have explored & tested the API, you are ready to use on applications using the available SDK’s for different programming languages. Let me know any feedback or comments on the comment section below
Mohamed Ashiq Faleel 