Resubmit your failed Power Automate flow runs automatically using M365 CLI and REST API

Have you ever been forced to resubmit lot of failed Power Automate flow runs manually, if so this blog post will help you to automatically resubmit the flow runs using

  • CLI for Microsoft 365
  • Power Automate REST API
  • Power Automate Management connector

CLI for Microsoft 365:

Microsoft 365 CLI helps you manage configuration settings of Microsoft 365 tenant and its various services like SharePoint, Power Automate, Power Apps, Microsoft Graph etc and to build automation scripts on any platform.

Getting started: The CLI for Microsoft 365 is available and distributed as an NPM package. To use it, install it globally using:

npm i -g @pnp/cli-microsoft365

To install the beta version

npm i -g @pnp/cli-microsoft365@next

To update to the latest stable version

@pnp/cli-microsoft365@latest

Next, login to Microsoft 365 CLI using the following command.

m365 login

You will be presented with a code and a login URL https://microsoft.com/devicelogin, navigate to the URL and enter the code > Sign-in using the Microsoft 365 work account. The above command uses device code flow to authenticate and authorize the user through an Azure Active directory app PnP Management Shell. If you are accessing M365 CLI for the first time, you may have to consent for permissions. After the sign-in process is completed, you can enter various commands available within Microsoft 365 CLI.

Let us start with a basic command to list all Power Automate environments in your Tenant

m365 flow environment list

You can try the various cmdlets available as shown in the below screenshot with in Microsoft 365 CLI from the following url

https://pnp.github.io/cli-microsoft365/cmd/flow/flow-list/

CLI cmdlet to List all Flow Runs:

Replace the flowEnvironmentID & flowGUID pertaining to yours

m365 flow run list --environment flowEnvironmentID --flow flowGUID --output json

The above command lists all runs details. It provides information like status (Failed, Successful), run ID, run start time etc

CLI cmdlet to Resubmit a Flow Run:

Replace the flowEnvironmentID, flowGUID & flowRunID

m365 flow run resubmit --environment flowEnvironmentID --flow flowGUID --name flowRunID –confirm

There are cmdlets which accepts JMESPath to query. You can run the M365 CLI commands stored in a file like PowerShell cmdlets. Find below the M365 CLI cmdlets stored in a PowerShell file (.ps1) to resubmit the failed flows automatically.

$flowEnvironment=$args[0]
$flowGUID=$args[1]
$flowRuns = m365 flow run list --environment $flowEnvironment --flow $flowGUID --output json | ConvertFrom-Json
foreach ($run in $flowRuns) 
{
    if($run.status -eq "Failed")
	{
		Write-Output "Run details: " $run
		#Resubmit all the failed flows
		m365 flow run resubmit --environment $flowEnvironment --flow $flowGUID --name $run.name --confirm
		Write-Output "Run resubmitted successfully"			
	}
}

The above script stored in a file can be executed as shown below by passing the Flow Environment ID and the Flow ID in the command line

You can modify the script to Resubmit flow run according to your requirement, for e.g. within a certain date range since there is information on the run start date. There are sample scripts available in the github repo for M365 CLI submitted by community members

https://pnp.github.io/cli-microsoft365/sample-scripts/

Power Automate REST API:

There are Power Automate REST API endpoints to list the Flow Runs and to re-submit a run. Go through the following blog post for more information on how access the Power Automate REST API endpoints

Everything to know about Power Automate REST API to manage your flows

The above-mentioned blogpost helps you to call the following Power Automate REST APIs from a custom connector and programmatically from other applications.

API Endpoint to list flow runs:

GET https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{FlowEnvironment}/flows/{FlowGUID}/runs?api-version=2016-11-01

Endpoint to Resubmit a flow run:

POST https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{FlowEnvironment}/flows/{FlowGUID}/triggers/manual/histories/{FlowRunID}/resubmit?api-version=2016-11-01

Power Automate Management Connector:

There is also an action to Resubmit flow run from the Power Automate management connector. Find the action below to resubmit a flow run with the details filled in. The environment and the flow value has to be selected from the dropdown.

For the trigger name, you can get the exact name from the flow definition file or using the expression trigger() added to the flow on a compose action.

To get the flow definition file go to the flow and export it as a Package.zip

Open the Zip package, go to the path Microsoft.Flow\flows\{flowGUID} and then open the file definition.json. Search for the keyword triggers, you can find the name of the trigger

In a Power Automate flow, you can get the flow run details using the following expression.

workflow()

Find below test result of a flow run using the expression workflow() on the compose action which has the runid and other details of the flow run.

With these possibilities you can automatically resubmit a failed flow run (time out, failure due to config change etc) if the details of the failed flows are logged somewhere.

There is also PowerShell support for Power Platform, do look at the following documentation to get to know the list of available cmdlets:

https://docs.microsoft.com/en-us/power-platform/admin/powerapps-powershell#cmdlet-list—maker-cmdlets

Cmdlet Get-FlowRun, gets all the flow runs of a particular flow.

Summary: I would recommend getting familiar with Microsoft 365 CLI which has various cmdlets to make your job easier. The syntax of all commands is well documented with examples. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.

Everything to know about Power Automate REST API to manage and administer your flows

Power Automate Management connector enables interaction with Power Automate management service to manage your flows with different actions to create, edit and update flows. If you want to do more but you were not able to find an action with this connector for e.g. get details on the Runs the flow has made, as of now there is no action which gets the run details of a flow with the Power Automate Management connector. So how to get the Runs the flow has made and even more actions like turning on/off/disable a flow etc? There are REST APIs with different endpoints for Power Automate, as of now there is no documentation from Microsoft on these API’s but there is documentation for Azure Logic Apps REST API. It is quite easy to convert the Logic Apps REST API for Power Automate operations. The APIs are secured with Azure AD OAuth 2.0, in this blog post let’s see how to call these API’s using

  1. Custom Connector
  2. Authorization code flow
  3. Implicit flow

Let’s start this post with the API endpoint to list the flow runs for Azure Logic Apps & Power Automate. Find below the API endpoint for Azure Logic apps as per this documentation to list the Workflow Runs

Azure Logic Apps – List Workflow Runs:

GET

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/runs?api-version=2016-06-01

Find below the API endpoint for Power Automate to list the flow runs, the URL was formed based on the above Azure Logic apps URL.

Power Automate – List flow Runs:

GET

https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/xxx-flow-env-guid-xxx/flows/xxx-flow-guid-xxx/runs?api-version=2016-11-01

You can easily notice the differences in the table below:

Azure Logic AppsPower Automate
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/https://api.flow.microsoft.com/
providers/Microsoft.Logicproviders/Microsoft.ProcessSimple/environments/xxx-flow-env-guid-xxx
workflows/{workflowName}flows/xxx-flow-guid-xxx
runsruns
api-version=2016-06-01api-version=2016-11-01

The API version for Power Automate can be different in Microsoft 365 when compared against Azure Logic Apps. This information can be identified using fiddler or any browser-based developer tool (Network) by analyzing the http request traffic the portal makes to API endpoints for different operations after logging in to the Power Automate Portal. Find below screenshot regarding the API version on the home screen of the portal

As a first step towards accessing the API endpoint for Power Automate, there must be an Azure Active directory app registered in the AD tenant of the Microsoft 365 environment which has the Power Automate environment.

Azure Active Directory App Registration:

Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. After the app is registered, follow the below steps to grant permission for the app to call the Power Automate Flow APIs:

  1. In the App, click the API permission under the Manage blade and then click + Add a permission. Under the Microsoft APIs tab, click Flow Service as shown below
  1. The flow API as of now supports only delegated permission (User Context). Now select the Permission based on the requirement. For this post, I have selected the permission Flows.Manage.All for listing the runs of the flow
  1. Add a Web Redirect URI https://global.consent.azure-apim.net/redirect as shown below to use the app in a custom connector

The app is registered with the necessary configurations, let us now see how to call the Power Automate API using a custom connector. The custom connector takes care of generating the authorization token required to access the API using the authorization code flow.

Custom Connector to call the Power Automate APIs:

A custom connector is a wrapper around a REST API (Logic Apps also supports SOAP APIs) that allows Logic Apps, Power Automate or Power Apps to communicate with that REST or SOAP API. In the Power Automate portal expand Data on the left panel > Custom connectors > + New custom connector > Create from blank

After entering the connector name, in the General information enter the description and Host name to api.flow.microsoft.com

Now click Security on the right bottom corner to enter the Azure AD application information for the OAuth 2.0 authentication type. Under the section OAuth 2.0

After the above information is filled in, click Create connector which autogenerates the Redirect URL https://global.consent.azure-apim.net/redirect. This is the URL we have added as a Redirect Web URI in the Azure AD application. The connector is now ready for the actions to list the flow Runs with the help of Power Automate REST API endpoint.

Action to List Flow Runs:

The Power Automate REST API endpoint to list the flow runs is

Http Request Mode: GET

Request URI: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{FlowEnvironment}/flows/{FlowGUID}/runs?api-version=2016-11-01

After the custom connector is created in the above step, now click the Definition tab of the Custom Connector > click + New action to enter Summary, Description & Operation ID of the action > Click + Import from sample to enter the above API endpoint to list the flow runs in URL box and Verb as GET > Click Import

Click Update connector. To the test the action, click Test at the bottom right corner. In the following screen, create a connection and then pass the parameters for Power Automate Environment, Flow GUID & API Version of the Power Automate REST API. Flow GUID & Environment ID can be obtained from any of your existing flow in the environment. To get these information navigate to the My Flows section in the Power Automate portal and click any flow, the information will be on the URL as shown on the below sample

Flow Details URL: https://emea.flow.microsoft.com/manage/environments/xxxx-flow-env-guid acb/flows/flow-guid-xxxx-xxxx-xxxxxxxxxxx/details

After entering the details, click Test operation to get the list of run details the flow had till now. You can get details like the status of the flow, flow start time & endtime, flow run id etc on the response

Copy the Response body from the above screen to add it to the default response for the action. Click the + Add default response on the action definition screen > Click + Import from sample > Paste the copied value to the Body section > Click Import.

The above step is recommended to parse the information of the response either in Power Automate or Power Apps. The sample Custom connector used for this blogpost can be downloaded from here.

Find below some REST API endpoints for different operations:

Get Flow Details:

HTTP Request Type: GET

URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{FlowEnvironment}/flows/{FlowGUID}?api-version=2016-11-01

Resubmit a flow run:

HTTP Request Type: POST

URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{FlowEnvironment}/flows/{FlowGUID}/triggers/manual/histories/{FlowRunID}/resubmit?api-version=2016-11-01

Cancel a flow run:

HTTP Request Type: POST

URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{FlowEnvironment}/flows/{FlowGUID}/runs/{FlowRunID}/cancel?api-version=2016-11-01

Turn On or Turn Off a Flow:

HTTP Request Type: POST

Turn Off URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/ {FlowEnvironment}/flows/{FlowGUID}/stop?api-version=2016-11-01

Turn On URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/ {FlowEnvironment}/flows/{FlowGUID}/start?api-version=2016-11-01

Add a Owner:

HTTP Request Type: POST

URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/ {FlowEnvironment}/flows/{FlowGUID}?api-version=2016-11-01

Body:

{“put”:[{“name”:”userGUIDhere”,”properties”:{“principal”:{“id”:”userGUIDhere”,”displayName”:”userDisplayNamehere”,”email”:”userUPNhere”,”type”:”User”}}}]}

Delete a Flow:

HTTP Request Type: DELETE

Turn Off URL: https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/ {FlowEnvironment}/flows/{FlowGUID}?api-version=2016-11-01

The above operations are just some samples, if you would to get the REST API endpoint details for different operations, go through the Logic Apps rest API documentation. You can also use Fiddler tool or browser developer tools to help you in finding the corresponding API endpoints after logging in to the Power Automate portal and then performing various operations within the portal interface.

Custom connector takes care of generating the token automatically to call the Power Automate REST APIs secured with OAuth but if you have to call these API programmatically in an application, you can use any one of the below authentication flows to generate the token.

Authorization code flow for token generation:

As the first step to generate the token using Authorization code flow, add the Redirect URI in the Azure Active directory app for your application. For this example, I have added http://localhost/ as a Redirect URI for the Web platform as shown below

Make the above change on the Azure AD application which was registered initially in this post to access Power Automate REST API. Construct the following URL after replacing the tenantId and azureAppId to generate the code in any browser for generating a token

https://login.microsoftonline.com/tenantId/oauth2/authorize?
client_id=azureAppId
&response_type=code
&redirect_uri=http://localhost/
&scope=https://service.flow.microsoft.com//.default

After the above URL is accessed in the browser, you will be prompted to sign-in. Once the sign-in is complete, a code will be generated in the below format on the browser address bar as a response to the sign-in

http://localhost/?code=0.xxxxxxxxxxxxxxxxAA&session_state=88f349ba-63e3-4064-b9c9-992ba6c5606c#

The code can be used to redeem for an access token. Make the following HTTP request to generate the access token after replacing the tenantId on the request URL

Request Type: POST

Request URL: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

Body:

client_id= azureAppId
&scope=https://service.flow.microsoft.com//.default 
&code=0.xxxxxxxxxxxxxxxxAA
&redirect_uri=http://localhost/
&grant_type=authorization_code
&client_secret=appClientSecret

Replace the AzureAppId, code value copied from the above request and the appClientSecret.

Headers:

Key: Content-Type

Value: application/x-www-form-urlencoded

Find screenshot below for the Postman request

The generated token can be used to access different Power Automate REST API endpoints based on the permissions you have consented to the Azure AD application by passing the token on the Authorization header as Bearer.

Reference for the error message I was receiving while working this flow “Access token has been obtained from wrong audience”: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/1735

Implicit flow for token generation:

To generate a token using implicit flow, enable the following setting on the Azure Active directory app

Construct the following URL after replacing the tenantId and azureAppId to generate the access token directly in any browser

https://login.microsoftonline.com/tenantId/oauth2/v2.0/authorize?
client_id=azureAppId
&response_type=token
&redirect_uri=http://localhost/
&scope=https://service.flow.microsoft.com//.default

Or

https://login.microsoftonline.com/common/oauth2/authorize?resource=https://service.flow.microsoft.com/&response_type=token&client_id=azureAppId&redirect_uri=http://localhost/

After any of the above URL is accessed in the browser, you will be prompted to sign-in. Once the sign-in is complete, access token will be generated in the below format on the browser address bar as a response to the sign-in

http://localhost/#access_token=exxxxxxxxxxxxx&token_type=Bearer&expires_in=3599&scope=https://service.flow.microsoft.com//Flows.Manage.All https://service.flow.microsoft.com//User https://service.flow.microsoft.com//.default&session_state=88f349ba-63e3-4064-b9c9-992ba6c5606c

Microsoft recommends Authorization code flow than the implicit flow.

Refer to the following blog posts for more information on accessing an API with delegated permissions

Also go through this documentation from Microsoft which has information of the different types of connectors to automate tasks with Power Automate.

Summary: On this post we have seen how to use Power Automate REST API to manage your cloud flows. These APIs works for both individual flows (My Flows) and flows which is part of the solutions. Power Automate REST APIs are very powerful to manage your cloud flows. I can think of scenario where in you can resubmit all your failed flows programmatically leveraging these API endpoints. Microsoft has documented WEB API for Power Automate flows included in solutions. If you are visiting my blog for the first time, please do look at my other blogposts.

What is GraphQL and how to consume a GraphQL Query based API in Power Automate

I had a recent requirement to call a GraphQL based API secured with OAuth2 in Power Automate, this blog post is to share my learnings on GraphQL & how to call them in Power Automate. Let us quickly see some introduction to GraphQL

GraphQL is an open-source query language for your APIs with a service-side runtime for executing the queries based on pre-defined schema. It is not tied to any specific database but rather backed by your existing code and data.

  • A GraphQL API is different from a REST API in that it allows the client application to query for certain fields of resources. Send a GraphQL query to your API and get exactly what you need, like the name of a user and only receive that data.
  • GraphQL APIs get’s all the data a client needs in a single request.
  • It replaces multiple REST requests with a single call to fetch the data you specify.
  • Provides an abstraction layer to the client, which means that clients do not need to query multiple URLs to access different data.  

Find some comparisons against REST

RESTGraphQL
HTTP Verbs (GET, POST, PATCH, PUT, DELETE) determines the operation to be performedYou will provide a JSON body aka GraphQL query whether you have to read or fetch values (GET) or a mutation (POST, PATCH, PUT, DELETE) to write values
Multiple API Endpoints http://api.com/users http://api.com/products etcSingle API Endpoint
http://api.com/graphql

When a HTTP GraphQL request is made with a query, the GraphQL server parses the query and respond back with data usually in a specific JSON format. There can also be variables in a query which makes it more powerful and dynamic. In GraphQL, the HTTP verb is predominantly POST but there can be implementations where Query & Variables are sent in URL encoded query parameters in the URL. I have used GitHub to learn & test GraphQL queries against my GitHub account.

GitHub GraphQL Explorer:

Github has GraphQL API that allows you to query and perform operations against repositories, users, issues, etc. To follow along this blogpost, sign in with your GitHub account on the GitHub GraphQL explorer URL https://docs.github.com/en/graphql/overview/explorer for testing some GraphQL queries

  1. Create a Repository in your GitHub account
  2. Get all your existing repositories

Let’s make first query on the explorer to get your GitHub Id for creating a new repo, the query is

{
  viewer {
    login
    id    
  }
}

In Explorer

Type your queries on the left side panel and hit play to see the JSON response on the right side. Click the Docs link on the right top corner to go through the documentation. The GitHub graphql explorer can be a great starting point to learn and to write queries

Tip: Hitting Ctrl+Space on the explorer will show you all the available fields that you can query against the API.

Create a Repository in your GitHub account:

Find below the query & variables to create a Repo in your GitHub account. The ownerId on the query variables should be value copied from the previous query. The other observation on the query is we are using mutation since we are creating a repository

Query to create a Repo with out passing a query variable:

mutation createRepo {
 createRepository(input:
{
  name: "GraphQLDemoRepo-Blog",
  ownerId: "xxxxxxxxxxxxxxxxxxxxxx",
  visibility: PRIVATE
}){
  repository
  {
    name
    createdAt
  }
}
}

Get all your existing repositories

Find below the query to get all your existing repositories

{
  viewer {
    name
    repositories(first: 100) {
      totalCount
      nodes {
        name
      }
    }
  }
}

Till now we have seen couple of example queries in GitHub explorer, let us now see how to consume them in Power Automate

Call a GraphQL query in Power Automate:

HTTP connector in Power Automate can be used to call a GraphQL query based API but you will have to first convert the GraphQL query (Query+Variables) to a HTTP request with raw body. You can use the Postman utility to help you with the conversion. To call the above mentioned GraphQL query to create a Repo in Postman, the first step is create a Personal Access token. Create the token as per the instructions given in the following documentation with the scope repo selected

https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token#creating-a-token

In Postman, add a new request as per the following detail

Method: POST

Request URL: https://api.github.com/graphql

Authorization Type: Bearer Token

Token value should be the Personal Access token you have generated above. Find below screenshot for your reference in order to set the authorization token

In the request Body tab, enter the Query and GraphQL variables for creating the repo after selecting the Body type to GraphQL from none

On the query tab, CTRL+Space also works in Postman which autoprompts with some suggestions for fields.

Execute the request by clicking Send button which will create a New repo by the Name GraphQLDemo-blog in your github account. To call this GraphQL query in Power Automate, click the Code button as shown above on the right panel of the postman request and then select HTTP to auto generate a code snippet for making a HTTP request with raw body

Copy the request body as shown above. On the Power Automate HTTP connector, enter the following details to create the Repo

Method: POST

URI: https://api.github.com/graphql

Headers:

Key: Authorization

Value: Bearer PersonalAccessToken

Body: Value copied from Postman

Test the flow. If all is well you can see the repo created in your github account. Find below screenshot from run history

References:

https://graphql.org/learn/

https://docs.github.com/en/graphql/overview/about-the-graphql-api

https://docs.github.com/en/graphql/guides/forming-calls-with-graphql#about-queries

https://www.apollographql.com/docs/apollo-server/deployment/azure-functions/

Playground to test GraphQL queries (No Authentication required): http://graphql.github.io/swapi-graphql/

Summary: On this post we have seen how to call a GraphQL query based API from Github in Power Automate using a HTTP connector to create a Repo, this can be replicated to consume any other GraphQL based APIs. You can also construct dynamic request body on the HTTP connector for various operations. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do look at my other blogposts.

Call Microsoft Graph API as a daemon application with application permission from Power Automate using HTTP connector

With the assumption that you already know about Microsoft Graph and its capabilities I will directly jump in with the steps and instructions to call Microsoft graph Endpoints as a daemon app using Application permissions with the help of HTTP connector. Calling graph from a flow opens a wide range of possibilities which are not available with the prebuilt connectors. As of now you will not be able to call Microsoft graph with application permissions using a custom connector.

Pre-Requisites:

  • Access to HTTP Premium Connector in Power Automate
  • Access to register Azure AD Application in Azure AD Portal

Application Registration in Azure AD Portal:

Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. In this example I have added the Application permission Calendars.Read to access all the recent events of a user from Outlook.

It is not required in the Azure AD application to have a redirect URI.

Power Automate Flow:

It is now time to generate the graph token using the HTTP connector in flow which is a pre-requisite to call the Graph API endpoint. The only authentication flow to generate a access token for application permissions is Client credentials.

To generate a token

  1. Store the Client Secret on a String variable
  2. Make a HTTP request using the HTTP connector with the following details. Make sure to replace the string for tenantId, azureAdAppclientId and azureAdAppclientSecret

Method 1:

Add a HTTP connector action to the flow for making a POST request per the following information

HTTP Method: POST

URI: https://login.microsoftonline.com/yourtenantId/oauth2/v2.0/token

Headers: Content-Type: application/x-www-form-urlencoded

Body:

Replace the tenantId, client id and client secret from the variable

tenant=yourtenantId&client_id=azureAdAppclientId&client_secret=@{decodeUriComponent(variables('azureAdAppclientSecret'))}&grant_type=client_credentials&scope=https://graph.microsoft.com/.default

For the client secret make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request will fail due to the presence of special characters.

To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "scope": {
            "type": "string"
        },
        "expires_in": {
            "type": "integer"
        },
        "ext_expires_in": {
            "type": "integer"
        },
        "access_token": {
            "type": "string"
        },
        "refresh_token": {
            "type": "string"
        }
    }
}

Add the Body from the dynamic content from the HTTP – GET Token action to the content of the Parse JSON action

Include the access token from the Output of the Parse JSON action when calling the Microsoft Graph API on the Headers sections as shown below

To get the users events from the default calendar

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/calendar/events

Method 2:

You can also make a request to Graph API using the Active Directory OAuth Authentication under the advanced options of the action as shown below

My other blog post to call Microsoft graph API in Power Apps and Power Automate using a custom connector.

Summary: I have written a blog to get the attendee details of a meeting using this approach to Microsoft graph event endpoint API. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other Microsoft graph in Power Automate blogposts.

Call Microsoft Graph API as a signed in user with delegated permission in Power Automate or Azure Logic apps using HTTP Connector

If you have a requirement to access graph endpoint as a signed in user/account on an instant/automated/scheduled flow, this blog post will help you with instructions and steps to access the Microsoft graph API with delegated permissions using the

  1. HTTP connector
  2. Invoke an HTTP request connector

There are resources (Presence information, Planner etc) in Microsoft graph which is available only as delegated permissions and not as application permission. Application permissions can be granted only by an administrator but users can register an application with delegated permission (Except All permission) unless the IT team has restricted the app registration by users.

Access Graph API using HTTP connector:

I have used the HTTP connector to generate a token for accessing the Graph API using the OAuth resource owner Password Credentials grant authentication flow supported by Microsoft Identity platform with the User ID and Password. Once we have the access token, the request to the Graph API endpoint will be made. To follow along this post be ready with the following

Pre-Requisites:

  1. Access to HTTP Premium Connector in Power Automate
  2. Access to register Azure AD Application in Azure AD Portal
  3. A service account without MFA enabled
    1. User ID
    1. Password

If you have an account with MFA enabled, then you should be creating a Custom connector. I have written a blog post on creating a custom connector to call Microsoft Graph API for Power Apps and Power Automate.

Azure Active Directory Application:

Register an application in Azure AD and obtain the client id, client secret & tenant id for the registered application. In this example I have added the delegated permission Presence.Read to get the presence information of the service account.

Add the redirect URI for the web http://localhost as shown on the screenshot below.

The Web redirect URI http://localhost/ is required to provide consent for the Azure AD application for the permission scope by the service account. The consent can be provided by an admin to use this application in flow by all users or the consent has to be provided by an individual user. To provide consent by an individual user in this case by the service account, construct the following url using the tenant ID, Client ID and the scope (ex. Presence.Read)

Individual User Consent URL:

https://login.microsoftonline.com/yourtenantID/oauth2/v2.0/authorize?
client_id=azureadappclientid
&response_type=code
&redirect_uri=http://localhost/
&response_mode=query
&scope=https://graph.microsoft.com/Presence.Read

If there are multiple delegated permissions, the scope should be separated by a space (%20)

scope=https://graph.microsoft.com/Presence.Read%20
https://graph.microsoft.com/Sites.Read.all

Now login to Office.com with the service account and enter the above User Consent url on a separate tab for the consent which will bring up a screen similar to the one shown below

Now Click the Accept button to provide consent for the requested permission for the service account. After the Accept button is clicked there will be a message stating that this site cannot be reached or something similar with the url like below on the browser address bar

http://localhost/?code=xxxxxxxxxxxxxxxxxx&session_state=xxxx-xxx-xxx-xx-xxxxx

The consent is provided, to validate the consent login to My Applications link url and the select the Azure AD application from the list and then click Manage your application as shown below

Find below screenshot with consent for Presence.Read permission. To revoke the permission, click Revoke permissions

To provide Admin consent for all the users to use this app in the flow, the URL is

https://login.microsoftonline.com/yourtenantID/adminconsent?client_id=azureadappclientid

Power Automate Flow:

Now we are ready to generate the graph token using the HTTP connector in flow which is a pre-requisite to call the Graph API endpoint. To generate a token in Flow

  1. Store the Client Secret on a String variable
  2. Make the following HTTP request using the HTTP connector

HTTP Method: POST

URI: https://login.microsoftonline.com/yourtenantID/oauth2/v2.0/token

Headers: Content-Type: application/x-www-form-urlencoded

Body:

Replace the client id, service account username and password

client_id=azureadappclientid&username=serviceaccount@yourdomain.com&password=serviceaccountpassword&grant_type=password&client_secret=azureadappclientsecret&scope=Presence.Read%20offline_access

For the client secret and password (only if there is special character), make sure to URL encode using the expression encodeUriComponent(variables(‘clientSecret’)) else the request will fail due to the presence of special characters.

If there is no consent provided by the user/service account for the Azure AD application then the above HTTP request will generate the following error

{“error”:”invalid_grant”,”error_description”:”AADSTS65001: The user or administrator has not consented to use the application with ID ‘xxxxxxx-65xx-47e0-xxxx-xxxxx0bb22′ named AzureADAppName’.

To extract the token from the above request, add the parse JSON action with Content from the HTTP request body and the following schema

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "scope": {
            "type": "string"
        },
        "expires_in": {
            "type": "integer"
        },
        "ext_expires_in": {
            "type": "integer"
        },
        "access_token": {
            "type": "string"
        },
        "refresh_token": {
            "type": "string"
        }
    }
}

Add the Body from the dynamic content from the HTTP – GET Token action to the content of the Parse JSON action

Include the access token when calling the Microsoft Graph API on the Headers sections as shown below. The access_token is from the output of the Parse JSON action

If you run the flow, you can now see the response with the presence information of the service account as shown below

Use Azure Key vault connector to secure the Client Secret & Password information in the flow.

Invoke a HTTP Request connector:

This connector can be used to fetch resources from various web services authenticated by Azure AD including Microsoft Graph in more easier way. Look for the action with the keyword invoke an HTTP request

If it is accessed for the first time, enter https://graph.microsoft.com on both Base and Azure AD resource URI and then click Sign In

Enter the Graph API endpoint on the Url of the request and select the Method

The API is executed in the context of the action’s connection as shown below. In this example it gets the profile information of the serviceaccount

If you get an error similar to { “error”: { “code”: “Forbidden”, “message”: “” } }, then it could be because the connector has a limited set of scopes. Getting Presence information is not supported with this connector as of now. If your scenario requires something more advanced or not currently supported by the connector, please use the �HTTP� connector as shown above or create a custom connector.

Reference:

https://docs.microsoft.com/en-us/graph/auth/auth-concepts#delegated-and-application-permissions

https://ashiqf.com/2021/03/16/call-microsoft-graph-api-in-power-apps-and-power-automate-using-a-custom-connector/

Summary: There are many endpoints available with Microsoft graph which can be leveraged for different use cases. Keep in mind the HTTP connector in Power Automate is Premium, you can also consider using this approach in Azure Logic apps. The access token is valid only for an hour, if you have to call a graph api after an hour from the initial token generation time the token has to be obtained again. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.

Call Microsoft Graph API in Power Apps and Power Automate using a Custom connector

Microsoft graph is the gateway to data and intelligence in Microsoft 365 which connects multiple services like SharePoint, Teams, Planner etc and devices. Microsoft graph has one common endpoint that is RESTful Web API enabling you to access Microsoft Cloud service resources. With that said if you want to communicate with Microsoft Graph Services or any API services, custom connectors can be used to address needs which are not available as prebuilt connectors in Power Apps and Power Automate. The purpose of this blog post is to show how to

  • Create & setup Custom Connector to call Microsoft Graph API
  • Call Microsoft Graph API in Power Apps using custom connector
  • Call Microsoft Graph API in Power Automate using custom connector

Custom connector supports the following authentication types

  • Anonymous (No Authentication)
  • Basic Authentication (UserName & Password)
  • API Key
  • OAuth 2.0

As of the time I am writing this article, custom connector supports only authentication flow Authorization code & not client credentials. If you use OAuth 2.0, it means you can use only delegated permissions & not application permissions as permission type in the custom connector. To be more precise, the logged in user from PowerApps or flow actions/trigger connection user should have access to the resource to be accessed from Microsoft Graph & cannot access the resource as a daemon app (Application Permission). Find below the pre-requisite for the custom connector

  1. Premium Plan (App/user based) for all users intended to use the custom connector in Power Apps or Power Automate. To test the custom connector you can also get a community plan if you do not have a premium plan.
  2. Access to register Application in Azure AD portal

Create & setup Custom Connector to call Microsoft Graph API:

Custom connector can be created from Power Apps maker portal or Power Automate portal. Custom connector created from any of the above-mentioned interfaces can be used in a Power App or Power Automate cloud flow. A custom connector is nothing but a wrapper around a REST API that allows Power Apps or Power Automate and Azure Logic Apps to communicate with that REST API.

Azure Active Directory Application:

To access the Microsoft Rest API there must be an Azure AD app registered with appropriate graph permission intended for the operations through a custom connector. For this example I have registered an AD application with the following delegated permissions

  1. Calendars.Read
    • To display the users recent events in Power Apps gallery control
  2. Sites.Manage.All
    • To create a New list item in SharePoint list from Power Apps and Power Automate
  3. User.Read
    • To display users profile information from an Extension Attribute in Power Apps

Obtain the Client ID from the Overview section of the Azure AD app and create a secret from the Certificates & secrets under Manage blade. Once the secret is created, copy the value to be used in the custom connector.

Add a Web Redirect URI https://global.consent.azure-apim.net/redirect as shown below

The Redirect URI is common and will be created while creating the custom connector. Now we are ready to create the custom connector, go to Power Automate portal and expand Data on the left panel > Custom connectors > + New custom connector > Create from blank

After entering the connector name, you will get the below screen. Do not have the word SharePoint part of your connector name to avoid issues.

Enter graph.microsoft.com on Host and some description about the connector. You can also change the logo to a custom one. Now click Security on the right bottom corner to enter the Azure AD application information for the OAuth 2.0 authentication type. Under the section OAuth 2.0

  • Change the Identity provider to Azure Active Directory
  • Enter the Client id & Client secret of the Azure AD application
  • Leave the Login URL as https://login.windows.net & Tenant ID as common
  • Enter the Resource URL as https://graph.microsoft.com
  • Enter the Scope as Calendars.Read Sites.Manage.All User.Read based on the permissions you have added on the Azure AD app. Leave a space between each permission

After the above information is filled in, click Create connector which will autogenerate the Redirect URL https://global.consent.azure-apim.net/redirect. This is the URL we have added as a Redirect Web URI in the Azure AD application. The connector is now ready to add actions based on Graph API endpoint to

  • Get users recent events from the users default Outlook calendar
  • Create a List item in SharePoint List
  • Get users custom extension attribute from users Active directory profile

Get users recent events from the Outlook calendar:

The Graph API to get the logged in users list of recent calendar events is

Http Request Mode: GET

Request URI: https://graph.microsoft.com/v1.0/me/calendar/events

After the custom connector is created in the above step, now click the Definition tab of the Custom Connector > click + New action which will create the following screen to enter information about the action

After the Summary, Description and Operation ID is entered. Click + Import from sample under the Request section to the enter the Graph API endpoint url https://graph.microsoft.com/v1.0/me/calendar/events.

It is Okay to exclude the url https://graph.microsoft.com since we have provided the information in the Security tab.

Now we are ready to provide default response for the action. To get the request response sample for the graph api endpoint, SignIn to the Graph Explorer with your organizational ID to copy the response of the API request to be used in the custom connector action

After running the query in the graph explorer tool, copy the whole content (CTRL+A) from the Response preview section as shown on the above screenshot. If there is any error related to permissions while executing the http request in the explorer tool, make sure you have consented to the permissions in the Modify permissions tab.

Click + Add default response and then paste the content copied from the graph explorer tool on Body as shown below

Click Import and then click Update connector. Let us add the second action to create a list item in a SharePoint list

Create a List item in SharePoint List:

The graph API to create a List item in a SharePoint List is

Http Request Mode: POST

Request URI: https://graph.microsoft.com/v1.0/sites/siteId/lists/listId/items

You should replace the SiteId and listId in the above URL. Easy way to get the ListId and SiteId is by viewing the Viewing the page source of the SharePoint site with the list open

Request Body:

For this example I have a SharePoint list with a default column Title and a single line of text column by the name Location.

{
  "fields": {
    "Title": "Widget",
    "Location": "Stockholm"
  }
}

Once again click + New action on the Definition tab to add an action for creating a new list item.

After the Summary, Description and Operation ID is entered click + Import from sample under the Request section to the enter the Graph API endpoint url with the Verb now selected as POST and the request body or payload

Click Import. To get the request response sample for the graph api endpoint, go to the graph explorer to copy the request response as shown below for the above POST request to create the list item

Click + Add default response and then add the response copied from the graph explorer tool on the Body section as shown below

Click Import button and then click Update connector. Let us add the second action to read the users active directory profile to extract extension attribute information

Get users custom extension attribute from users Active directory profile:

On my tenant I have added additional properties on extension attribute in Azure AD profile of the user & displayed them on the User profile card using the profile card graph API. The graph API to get the extension attribute information of the user is in Beta as of now

Http Request Mode: GET

Request URI: https://graph.microsoft.com/beta/me

Once again click + New action on the Definition tab to add the third action for getting the users profile information from Azure active directory.

After the Summary, Description and Operation ID is entered click + Import from sample under the Request section to the enter the Graph API endpoint url with the Verb selected as GET

Click Import. Go to the graph explorer to copy the request response for the GET request for https://graph.microsoft.com/beta/me and then click + Add default response to paste the request response copied from the graph explorer tool. Click Import button and then click Update connector. We have till now added three actions which can be tested in the same interface

Test the Action:

To test the different actions added in the connector, click the Test tab and then click + New connection.

You will be prompted to sign in using the Organization ID and provide a consent for the permissions requested as a scope on the custom connector.

After the connection is created, you can test the different actions available as shown below for one of the action CreateListItem in SharePoint

The custom connector creates the Swagger definition, you can also view and update the Swagger definition by turning on Swagger Editor

If you look at the security definitions in the above screenshot for the connector we have created till now, the authentication flow used to authenticate the user is Authorization code which supports only delegated permissions and not application permissions in MS Graph. The Swagger definition file can be downloaded from interface shown below

The Swagger definition file can be used to re-create the custom connector by clicking the Down arrow and then by clicking Import an OpenAPI file. On the popup window enter the Connector Name and select the downloaded Swagger file to recreate the connector after filling in information on the Security tab.

You download the Swagger definition file of the custom connector with the above mentioned actions from this github link.

Call Microsoft Graph API in Power Apps using custom connector:

To call a custom connector in Power Apps, the first step is to add the connector to the Power App by the app maker. Click Data on the left panel and then click the button Add data > look for the connector by the name > Click the connector name to create a connection.

Once the connection is created & added, you will be able to use it in the different controls added to the app

I added the following controls to

  1. Label – To display the Extension attribute of the user from the action GetUserProfile
  2. Gallery – To display the users recent calendar events from the action
  3. Button – To create new item on the list and to get information from Graph about the user calendar events and to get the users AD profile

A Button control to load the data from Microsoft Graph GET actions GetUserProfile &  GetMyEvents on a context variable.

UpdateContext({userProfileData:'NameoftheConnector'.GetUserProfile(),userCalendarEvents:'NameoftheConnector'.GetMyEvents().value})

Once we have the data loaded on the context variable using the OnSelect button click event, the data can be displayed on different controls. Use the graph explorer tool to validate the response of the request and to help with display the data on a control. Find below the response for the me endpoint which provides the profile information of user including the extension attribute.

To display the Extension attribute1 information on a label control, the code is

userProfileData.onPremisesExtensionAttributes.extensionAttribute1

I have added a gallery control to display the calendar events. First step is to bind the gallery control to the context variable (userCalendarEvents) using Items property of the control

Items: userCalendarEvents

On the gallery control fields

field1: ThisItem.subject

field2: ThisItem.organizer.emailAddress.name

For constructing the above formula (Field1 and Field2) for displaying the information on the different fields in the control, graph explorer response preview will help you

I have added a button control to create the list item using the action CreateListItem with the following formula on the OnSelect event

'NameoftheConnector'.CreateListItem({fields: {Title: "Mohamed Ashiq Faleel",Location:"Sunbyberg"}});

Reference: https://docs.microsoft.com/en-us/powerapps/maker/canvas-apps/functions/function-json

Once the Power App is shared with other users

  • Connecter will be shared along with the app
  • The user has to create a connection to the Custom Connector & provide consent for the Graph permission (User.Read Sites.Manage.All Calendars.Read) for the first time
  • The users of the app should have premium license (App/user based)

Call Microsoft Graph API in Power Automate using custom connector:

To use a custom connector by a user in a flow Instant/Scheduled/Automated, it

  • Must be shared to the user by the custom connector Owner/creator
  • Premium license for the flow user
  • Consent to be provided for the graph permissions. The consent can be individual or admin consent

Add the action to the flow by clicking Custom and then select the custom connector as shown below

Now select the action

It will ask you to Sign In to create the connection and there will be a prompt to provide consent to the permission for the AD application for the first time as shown below

Enter the parameter values to create the list item

Summary: Microsoft Power Apps and Power Automate are great and simple to get started with no code. If you are a pro developer and want to extend the capabilities with Microsoft Graph & other external/custom RESTFul API’s you can do so with the custom connector. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.

How to use Microsoft graph SharePoint Sites.Selected application permission in a Azure AD application for more granular control

As per this announcement made on Feb 2021, Microsoft graph now provides option to have granular permissions level using Sites.Selected application permission for the AD application instead of granting permission for all the sites in the tenant. The permission Sites.Selected does not provide access to any SharePoint site collections for the application unless the AD application has been assigned with permission roles read or write by an Admin. On this post let us see how to grant a site permission (Read or Write) to an AD Application with Sites.Selected permission by using postman client. As of the time I am writing this post there is no user interface to assign permissions to specific site collections for the application.

Pre-Requisite:

  1. Register Azure AD Application (APP 1) in Azure AD Portal with the following permissions
    • Sites.Selected (Admin Consented)
  2. Another AD Application (APP 2) with following permission only for the admins to assign selected roles to the above App
    • Sites.FullControl.All (Admin Consented)

App Registration:

Start with registering the above said two Azure AD applications

APP 1:

Register an Azure AD application with the following permission

APP 2 (Admin App):

Another app for admins for granting roles to APP 1

Grant permission role to the SharePoint site for the Azure AD Application:

This step is grant permission for the Azure AD application with Sites.Selected application permission to a given site collection. Perform the following steps to grant the role (Read/Write or Read and Write) to the AD app (APP 1)

  1. Gather the Client ID, Tenant ID and Client secret of the admin app
  2. In PostMan, make a HTTP request to generate the access token for the admin app – APP 2

Request Method: POST

Request URL: https://login.microsoftonline.com/yourtenantID/oauth2/v2.0/token

Request Header:

Key: Content-Type

Value: application/x-www-form-urlencoded

Request Body:

grant_type: client_credentials

scope: https://graph.microsoft.com/.default

client_id: adminappclientid

client_secret: adminappclientsecret

  1. Copy the access_token to be used for granting roles.
  2. Get the Client ID of the Azure AD Application – APP 1 with Sites.Selected permission
  3. Decide on the Role (Read or Write) for the granting the Site specific role for the APP 1 with Sites.Selected permission.
  4. Get the SiteId of the SharePoint site to be assigned permissions for the application (App 1). An easy way to get the siteId is by viewing the page source from the browser with the site open.
  5. In PostMan, make a HTTP request to grant the site role to the APP 1. Replace the siteId with the actual siteId which will be a guid

Request Method: POST

Request URL: https://graph.microsoft.com/v1.0/sites/siteId/permissions

Request Header:

Key: Content-Type

Value: application/json

Request Body: raw

Replace the id with APP 1 client id and the display name of the APP 1

{

  "roles": ["write"],

  "grantedToIdentities": [{

    "application": {

      "id": "xxxxxx-APP1GUID-4ad9-xxxx-4d36e68b0454",

      "displayName": "AppNamewithSelectedPermissions-App1"

    }

  }]

}
  1. Paste the access token on the token box as shown below with Authorization type selected as Bearer Token
  1. Send the request for granting the role for APP 1. After the request is made the APP 1 with the Sites.Selected permission has access to the site with write role we have granted to. The same way you can assign app access to multiple SharePoint sites.

Grant the Role using PnP PowerShell:

There is a PnP PowerShell cmdlet to grant access to SharePoint site for the registered AD application with Sites.Selected permission. The command to grant permission can be executed by the Site Collection administrator after creating a connection to the site

Connect-PnPOnline https://tenantname.sharepoint.com/sites/siteName -Interactive

You will be prompted to enter credentials including the second factor. After the connection is created, enter the following command to grant Write permission to the AD App

Grant-PnPAzureADAppSitePermission -AppId 'AzureAppIdwithSitesdotselectedpermission' -DisplayName 'App Name here' -Site 'https://tenantname.sharepoint.com/sites/sitename' -Permissions Write

To install PnP PowerShell module on the local workstation, enter the following command

Install-Module -Name PnP.PowerShell

There is also a PnP cmdlet to register an AD app in the Azure Active directory.

Grant the Role by an Admin using the Graph Explorer tool:

Role can also be assigned by an admin with out having the admin AD app (APP 2) using the graph explorer tool. This can be done only by an Admin

If there is any error related to permissions, make sure the admin consents to Sites.FullControl.All for the Graph tool. There is also an SPFx community webpart developed by a community member with User Interface for this operation

https://github.com/pnp/sp-dev-fx-webparts/tree/master/samples/react-sites-selected-admin

Reference:

Assign permission role programmatically: https://docs.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=csharp

Summary: On this post we have seen how to grant access to Azure AD which has the Sites.Selected permission. You can also grant permission/role to an app with sites.selected permission programmatically. Hope you have found this informational & thanks for reading. If you are visiting my blog for the first time, please do take a look at my other blogposts.

Send email from a common mailbox in Power Automate using Microsoft Teams email address or Shared Mailbox

Power Automate is widely used to automate many business processes and Email is one of most widely used action to send out notifications. Having said that, there will be definitely request to send the email from a generic address instead of the flow creator email address or the email action’s connection owner email address as shown below:

By default, the from Address of the mail generated from Power Automate uses the Flow creator email address as shown above under My connections. To send an email from generic email address, you can

  1. Create a Shared mailbox in exchange online (No license required) and grant access to the flow creator and then use any of the following action in the flow
    • Send an email
    • Send an email from a shared mailbox
  2. Use an existing Microsoft 365 group in
    • Send an email

Setup Shared Mailbox in Exchange Online & Power Automate email actions:

Find steps below to create a shared mailbox in Exchange online & provide delegated permission (Send as) to the flow creator.

  1. Sign into Exchange Admin center. Go to Recipients > Shared and then click New Add Icon. Enter the Name, email address & domain for the shared mailbox and then click Create.
  1. Open the newly created mailbox which opens the mailbox details pane as shown below. Click Manage mailbox delegation.
  1. To use the action Send an email from a Shared Mailbox in the flow
    • Grant Read and manage  and Send As permissions by clicking Edit button>Add permissions and then select the user (Flow Creator) you want to grant permissions to.
  1. Find the flow action for reference
  1. To use the action Send an email in the flow. Grant Send As permissions by clicking Edit button>Add permissions and then select the user (Flow Creator) you want to grant permissions to.
  1. It takes approximately an hour for the permissions to be reflected so as to use in the Power Automate action.

Microsoft 365 group in Send an Email action:

If you have a Microsoft 365 group or a Microsoft Team, you can use the mailbox associated to group in Microsoft Flow for sending the email (Send as). Microsoft Teams creates a Microsoft 365 group whenever a team is created. Let us see how to enable a M365 group in order to use in Power Automate action Send an email action by providing Send as permissions to the flow creator or the email action’s connection owner. Find steps below to grant Send as permissions

  1. Sign into Exchange Admin center. Go to Recipients > Groups and then click the Microsoft 365 group you wish to be used in the flow. Go to Settings>Click Edit manage delegates
  1. Add the Flow creator email address and grant Send as permission
  1. Save changes

Tip:

By default, the Microsoft 365 group are not capable to receiving emails from external senders. To enable it Check the box as shown on the above picture “Allow External senders to email this group”

If the permissions are not set right, you might get any of the following message in the flow

  • You are not authorized to send mail on behalf of the specified sending account
  • Specified folder not found. The error could potentially be caused by lack of access permissions. Please verify that you have full access to the mailbox

Summary: To send an email from third party application you can use the trigger “When a HTTP request is received” with the email action. This trigger generates an anonymous API endpoint which could be used on applications to trigger the flow. Hope you have found this informational.

Azure IoT with Arduino UNO board to turn on/off LED using a .NET core console application connected to Power Apps

This post is in continuation to my journey with IoT leveraging Microsoft cloud services & it’s technology and based out of few questions I have been asked in few of the events I’ve spoken on the Topic Controlling Devices using Power Apps. In this post let us see how to turn on/off a LED connected to an Arduino UNO board by sending a message from Azure IoT hub or Power Apps with the help of a .NET core console application created from Visual studio code.

What is Arduino UNO Board:

Arduino Uno is an open-source & low cost microcontroller board based on Microchip ATmega328P microcontroller. The board is equipped with digital and analog Input/Output pins that can be interfaced with other circuits. If there is a need to collect data from sensors (Temperature, Humidity etc) then the mode of the pin should be Input and for controlling devices or activating relays the pin mode must be Output. For this example since we will have to turn on/off a LED, the pin mode has to set as Output.

Arduino IDE:

The IDE is a cross platform application written using C++. If you have worked with an Arduino board already, you would have probably used the Arduino IDE to deploy code called as Sketch. The code written on the sketch is compiled to a HEX file (Machine language) which can be understood by the microcontroller once the sketch is uploaded. The hex file is then sent to the Arduino UNO board using the USB port.

Pre-Requisite:

Find below the design with information on the different components used:

Azure IoT Hub:

IoT hub is a managed service hosted in cloud that acts as a central message hub for bi-directional communication from the device to the cloud and the cloud to the device. There is an also a Free-Tier limited to one per subscription which can add up to 500 devices and 8000 msgs/day as of today based on the Pricing calculator. Create a IoT Hub for us to send a message to the Arduino UNO device as per the instruction given in the article. After the IoT hub is created.

  1. A device must be registered with your IoT hub before it can connect. There are different ways to register a device like using Azure Cloud shell, in this case we will use portal. Click IoT Devices under the Explorers blade on the IoT hub and click on + New, enter the Device ID and click save.
  1. Copy the Primary key of the registered device
  2. Copy the Hostname from the IoT Hub Overview blade
  3. These values will be used later in the .NET console application

Arduino Sketch:

Let us now create a simple Arduino project sketch from Visual studio code to send signal to Arduino Board using the serial port with the help of the Nuget package System.IO.Ports. Make sure the Arduino IDE and the Arduino extension for VS code is installed. The Arduino board can now be plugged in to the USB port of your laptop or computer with the provided cable. Follow the below mentioned steps to create an Arduino sketch template from VS Code

  1. Create a folder on the development machine for the Arduino project and then open the folder in Visual Studio code
  2. In VS Code, hit the key CTRL+Shift+P to open the command pallete
  3. Type the command Arduino: Initialize which will try to create a file with name app.ino. Change the name of the file relevant to your project. I have named it as ControlDevicesforCSharp.ino.
  4. You will now be prompted to select the name of the Arduino board. I have selected Arduino UNO. You can also select the board and port from the VS Code right bottom corner as shown below

The serial port will be visible if the board in plugged in and recognized by the computer. This is how it looks after the board and the port is selected.

  1. Now update the code as shown below to receive signal from the console application. If it receives a value of A to the character variable inputValue from the console application, then the PIN 13 is set to HIGH which means it generates 5v as an output and if the inputValue is B the PIN 13 is set to LOW which means the Output of the pin will be zero as opposed to 5v when set to HIGH. If you want, you can connect a LED to the PIN 13 with a 220 ohm resistor bu the pin 13 has a in-built LED to test. You can also notice on the code the PIN mode for 13 is set to Output.
#define BaudRate 9600

char inputValue;
int led1 = 13;

void setup() {
  // Initialize serial communication at 9600 bits per second
  Serial.begin(BaudRate);
  // Prepare the digital output pins
  pinMode(led1, OUTPUT);
  // Initially all are off
  digitalWrite(led1, LOW);
}

// the loop function runs over and over again forever
void loop() 
{
  // Reads the input
  inputValue = Serial.read();
  if(inputValue == 'A')
  {
    // Turn on the LED  
    digitalWrite(led1, HIGH);   
  }
  else if (inputValue == 'B') 
  {
    // Turn off the LED
    digitalWrite(led1, LOW);     
  }
}
  1. Now you verify the sketch by pressing CTRL+AL+R if there is any compile error. If all is well, you can now upload the sketch by pressing the key CTRL+ALT+U. If the upload is successful, you will the following message on the VS output terminal

Now the sketch is ready, it is now time to create the console application to receive message from Azure IoT hub to control the LED from cloud applications like Power Apps.

.NET core console Application:

The package System.IO.Ports supports to control serial ports which will be used to send message to Arduino board (A or B) to turn on or off the LED. Follow the below given steps to create the console application

  1. Use the same directory you have used to create the Arduino sketch. On the VS Code terminal window, enter the command dotnet new console to create a new console application
  2. Add the package System.IO.Ports using the nuget package manager plugin by CTRL+SHIFT+P > NuGet Package Manager: Add Package or enter the command on the terminal window dotnet add package System.IO.Ports –version 6.0.0-preview.1.21102.12
  3. Add the package Microsoft.Azure.Devices.Client to connect to client devices to Azure IoT Hub
  4. Use the Hostname of Azure IoT Hub, Device ID, Primary key of the Device copied earlier during the setup
    • private const string IotHubUri = “YourIoTHub.azure-devices.net”;
    • private const string deviceKey = “Your Key”;
    • private const string deviceId = “Your device ID”;
  5. In the code the
    • Method deviceClient.ReceiveAsync() receives a message from the IoT hub queue
    • Method Encoding.ASCII.GetString(receivedMessage.GetBytes()) reads the message
    • Method deviceClient.CompleteAsync(receivedMessage, _ct) deletes the message from the queue
  6. The following code establishes the connection on the serial port COM4
// Initialises the serial port communication on COM4
SerialPort = new SerialPort("COM4")
{
                BaudRate = 9600,
                Parity = Parity.None,
                StopBits = StopBits.One,
                DataBits = 8,
                Handshake = Handshake.None
};
// Subscribe to the event
SerialPort.DataReceived += SerialPortDataReceived;
// Now open the port.
SerialPort.Open();

With the help of the following method to Subscribe

static void SerialPortDataReceived(object sender, SerialDataReceivedEventArgs e)
{
 var serialPort = (SerialPort)sender;
 // Read the data that's in the serial buffer.
 var serialdata = serialPort.ReadExisting();
}
  1. The code SerialPort.Write(“A”) send the message to the Arduino Sketch.
  2. Now run the dotnet application using the command dotnet run. Now send a message from the Azure IoT explorer or from Azure portal IoT device explorer ON1 or Off1 to turn On/Off the LED connected to PIN 13
  1. The complete code is uploaded in my Github here.

Azure Function App – HTTP Trigger & Power Apps:

For the Azure function and Power Apps code, go through my other blog post

https://ashiqf.com/2020/11/01/learn-how-to-control-devices-from-powerapps-using-raspberry-pi/

Summary: On this post we have seen how to control the I/O pins of Arduino board with Azure IoT and integration to Power App.

How to create & setup Dynamic Microsoft 365 Group or Distribution list based on the user’s domain for Teams, Yammer and Exchange

There are many organizations maintaining multiple domains on a single Microsoft 365 or Azure AD tenant, in those cases there might be a need to create dynamic Microsoft 365 groups, security groups & distributions list based on the user’s domain to manage the group’s membership. On this blogpost, let us see how to

  1. Create Dynamic Microsoft 365 group based on the user’s domain for Teams & Yammer
  2. Create a Dynamic distribution list based on user’s domain in Exchange online

To begin with let us see some basics of a Dynamic group. The membership of a dynamic group will automatically update as people join, leave, or move within the organization whenever the user’s Azure Active Directory attributes are changed. In simple terms, rules determines the group membership. The users will be added or removed automatically as and when the user attributes change or users join and leave the tenant which reduces the administrative effort of adding and removing users from a group. Dynamic group can be created based on variety of attributes including role, location, department etc.

Create Dynamic Microsoft 365 group based on the user’s domain for Teams & Yammer

Microsoft Teams and Yammer (Microsoft 365 Connected) supports dynamic membership. It enables the membership of Team or Yammer to be defined by one or more rules that check for certain attributes in Azure AD. Microsoft Teams & Yammer creates a Microsoft 365 group in Azure AD. For this post, the membership rule will be simple one which is based on the user’s domain and country. You can also have a complex rule involving multiple Azure AD attributes like Title, Geography, Department etc. Before we proceed further, there are some pre-requisite & facts to be considered before creating a dynamic group.

  • User Administrator or Global administrator role in Azure AD
  • Users you foresee to be part of a dynamic group membership rule should have an Azure AD premium License P1 or P2
    • Microsoft 365 E3, E5, Front line workers MF3 & MF1 has Azure AD premium 1 service which should suffice.
  • An Azure AD organization can have maximum of 5000 dynamic groups.
  • Any number of Azure AD resources can be members of a single group.

Dynamic Membership based on Domain for Teams:

To create a Dynamic membership MS team, create a Microsoft 365 group first with Dynamic membership in Azure Active directory. You can create a dynamic group from PowerShell but here I will be using Azure Ad GUI to create the dynamic Microsoft 365 group with rule to add users based on their domain and country. I have added a domain m365pal.me to my Azure AD tenant which I will be using here for this example.

  1. Sign in to Azure AD Admin center with administrator role in the Azure AD organization
  2. Click Groups and then click + New Group
  3. Select the Group type as Microsoft 365. Dynamic membership will also work with Security group but for team it should be Microsoft 365 group.
  4. Enter the Group Name & Group email address
  5. Select the Membership type as Dynamic User
  6. Select the Owner and then
  7. Under Dynamic user members section, click Add dynamic query
  8. In Dynamic membership rules panel, add rule to define membership based on users domain & country
    • First rule for Domain: under Property column select userPrinicipalName, Operator should be Contains and the Value should be the domain name in format “@yourdomain.com”. This rule will add all users with the UPN user@yourdomain.com. Now click + Add expression to add the second rule
    • Second rule for country: under Property column select country, Operator should be  Equals and the value should be the country name.
  1. You can also validate the rules by clicking the link Validate Rules and then by adding users to check if the user satisfies the rule
  2. Click Save. This is how it should look like
  1. Click Create.
  2. After waiting for couple of minutes, check the group membership. Please find below screenshot for the group which has two members satisfying the condition. You can also notice the + Add members link is disabled since the group is dynamic membership and not assigned. To modify the rules, click the link Dynamic membership rules link.
  1. Now we are ready to create the MS Teams, go to https://teams.microsoft.com/ and then click Join or create a team at the left bottom corner and then Click Create a team
  2. Click From a group or team and then click Microsoft 365 group
  3. Now select the group you have created in Azure AD and then click Create.
  1. The team is now created, you can find the team on the list. Check the membership of the team which will have the two users satisfying the rules and the owner of the group. One more thing to notice here is the message which says The membership settings prevents you from adding or removing members.
  1. Voila! Dynamic Microsoft team is now created & setup.

If you have an existing team to be converted to a Dynamic team, find the Microsoft 365 group in Azure AD for the Team you wish to convert and then update the membership status from Assigned to Dynamic user with membership rules

Dynamic Membership based on Domain for Yammer:

Yammer (Microsoft 365 Connected) also supports dynamic membership. Find the steps below to create a dynamic yammer group based on the user’s domain. Find the steps below

  1. Sign in to https://yammer.com/ with your organizational ID
  2. Click Create a Community and then Enter the name of the Community
  3. Click the button Create
  1. Now sign in to Azure AD Admin center to the update the membership settings of the Microsoft 365 group connected to the Yammer community. Find the yammer group and then click
  1. Click Properties under the Manage blade and then change the membership type from Assigned to Dynamic user
  1. After updating the membership type to Dynamic user. You will now have option to enter the dynamic query. Click dynamic query
  1. In Dynamic membership rules panel, add rule to define membership based on users domain
    • Rule for Domain: under Property column select userPrinicipalName, Operator should be Contains and the Value should be the domain name in format “@yourdomain.com”. This rule will add all users with the UPN user@yourdomain.com. Now click + Add expression to add rules based on need
    • Click Save
  1. Click Save. Wait for couple of minutes for the membership to be updated.
  2. Now check the Yammer group in Yammer.com for the membership status. Please find below screenshot for your reference which will not have the + icon on the highlighted members section for adding users since this is now a dynamic yammer group

Also, Microsoft 365 group/Security group can be used for different use cases. See some sample use cases below

  • You can use to target SharePoint page/news to specific audience with the help of Microsoft 365 group or Security group. Will it not be more powerful if you use dynamic groups within a SharePoint to target content certain group of audience!
  • Assign Microsoft Licenses to users based on Dynamic Group.
  • Grant access to an App (PowerApps etc) using the dynamic group targeting certain departments, geographies etc

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-create-rule

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership

https://docs.microsoft.com/en-us/microsoftteams/dynamic-memberships

https://docs.microsoft.com/en-us/yammer/manage-yammer-groups/create-a-dynamic-group

https://docs.microsoft.com/en-us/yammer/manage-yammer-groups/yammer-and-office-365-groups

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions

Create a Dynamic distribution list based on user’s domain in Exchange online:

Dynamic distribution groups are mail-enabled Active Directory group to distribute email messages to all its members within a Microsoft Exchange organization. Unlike regular distribution lists that contain a defined set of members, the membership list for dynamic distribution groups is calculated each time a message is sent to the group, based on the filters and conditions that you define in the group. You can create a Dynamic Distribution list from Exchange Admin center as shown below but the options to write advanced filter conditions or rules are limited so PowerShell is preferred.

Dynamic Distribution list from PowerShell:

Make sure the Exchange online PowerShell module is installed. There are some limitations to create a recipient filter (Rules) that worked based on user’s domain with the operator like or contains but there is a workaround. The filter works based on the exchange property WindowsEmailAddress which is always the primary SMTP address, you can also consider using the property WindowsLiveID. Follow the steps below to create a Dynamic Distribution list based on user’s domain

  1. Load the module by the running the command Import-Module ExchangeOnlineManagement
  2. Connect to the Exchange online PowerShell in Microsoft 365
Connect-ExchangeOnline -UserPrincipalName userId@domain.com -ShowProgress $true
  1. After authentication, enter the following command to create the Dynamic DL based on User’s domain. I have added the RecipientTypeDetails in the RecipientFilter to apply the filter rule only to user mailboxes which excludes the SharedMailboxes
New-DynamicDistributionGroup -Name "All Users - M365PAL DL" -RecipientFilter "(RecipientTypeDetails -eq 'UserMailbox') -and (WindowsEmailAddress -eq '*@yourdomain.com')"
  1. You can also validate the users using the following script
Get-Recipient -RecipientPreviewFilter (Get-DynamicDistributionGroup "All Users - M365PAL DL").RecipientFilter
  1. To view the attributes to be used in the recipient filter enter the following command
Get-User -Identity user@yourdomain.com | Format-List

Reference:

https://docs.microsoft.com/en-us/exchange/recipients/dynamic-distribution-groups/dynamic-distribution-groups

https://docs.microsoft.com/en-us/powershell/module/exchange/get-user

https://docs.microsoft.com/en-us/exchange/recipients/dynamic-distribution-groups/view-dynamic-distribution-group-members

Summary: On this post we have seen how to create dynamic groups based on user’s domain. Do some planning to start using the dynamic groups which will help reduce lot of administrative overhead. Hope you have found this informational & helpful. Let me know any feedback or comments on the comment section below