Authenticating with Microsoft Graph using Power Automate


We often need to access the Microsoft Graph API in Power Automate (I use it mainly for Microsoft 365 Group data). However, you need to authenticate against the Graph to prove you have the right permission to access the data you want. Therefore, you will need to register an app in Azure. The API permissions you give your app will depend on the information you want to query. Usually, I need to query Azure Active Directory Graph as well as Microsoft Graph. I have given my app the following permissions that I use to query Microsoft 365 Group data:

Azure Active Directory Graph (12)

| API / Permissions name | Type | Description | Admin consent required |
|---|---|---|---|
| Directory.AccessAsUser.All | Delegated | Access the directory as the signed-in user | |
| Directory.Read.All | Delegated | Read directory data | Yes |
| Directory.Read.All | Application | Read directory data | Yes |
| Directory.ReadWrite.All | Delegated | Read and write directory data | Yes |
| Directory.ReadWrite.All | Application | Read and write directory data | Yes |
| Group.Read.All | Delegated | Read all groups | Yes |
| Group.ReadWrite.All | Delegated | Read and write all groups | Yes |
| Member.Read.Hidden | Delegated | Read hidden memberships | Yes |
| Member.Read.Hidden | Application | Read all hidden memberships | Yes |
| User.Read | Delegated | Sign in and read user profile | |
| User.Read.All | Delegated | Read all users’ full profiles | Yes |
| User.ReadBasic.All | Delegated | Read all users’ basic profiles | |

Microsoft Graph (22)

| API / Permissions name | Type | Description | Admin consent required |
|---|---|---|---|
| Directory.AccessAsUser.All | Delegated | Access directory as the signed in user | Yes |
| Directory.Read.All | Delegated | Read directory data | Yes |
| Directory.Read.All | Application | Read directory data | Yes |
| Directory.ReadWrite.All | Delegated | Read and write directory data | Yes |
| Directory.ReadWrite.All | Application | Read and write directory data | Yes |
| Files.Read.All | Application | Read files in all site collections | Yes |
| Files.ReadWrite.All | Application | Read and write files in all site collections | Yes |
| Group.Read.All | Delegated | Read all groups | Yes |
| Group.Read.All | Application | Read all groups | Yes |
| Group.ReadWrite.All | Delegated | Read and write all groups | Yes |
| Group.ReadWrite.All | Application | Read and write all groups | Yes |
| Sites.FullControl.All | Application | Have full control of all site collections | Yes |
| Sites.Manage.All | Application | Create, edit, and delete items and lists in all site collections | Yes |
| Sites.Read.All | Application | Read items in all site collections (preview) | Yes |
| Sites.ReadWrite.All | Application | Read and write items in all site collections (preview) | Yes |
| User.Read | Delegated | Sign in and read user profile | |
| User.Read.All | Delegated | Read all users’ full profiles | Yes |
| User.Read.All | Application | Read all users’ full profiles | Yes |
| User.ReadBasic.All | Delegated | Read all users’ basic profiles | |
| User.ReadWrite | Delegated | Read and write access to user profile | |
| User.ReadWrite.All | Delegated | Read and write all users’ full profiles | Yes |
| User.ReadWrite.All | Application | Read and write all users’ full profiles | Yes |

Now we need to set up a Client Secret. While we are still in the app we have set up in Azure, select Certificates & secrets from the left navigation. Click + New client secret. Give your Client Secret a description (optional) and copy the Value of the secret straight away. Once you navigate away from this page, you will not be able to recover the secret again.

Image courtesy of Microsoft

Now let’s jump over to Power Automate to create a flow that will authenticate against our Azure app. Let’s start by initializing the variables: TenantID, ClientID and ClientSecret. The Tenant ID and Client ID are found on the Overview page of your app in Azure; the Client Secret is the value you copied in the previous step. The Tenant ID is also known as the Directory ID. The Client ID is also known as the Application ID.

Image courtesy of Microsoft

Before we can authenticate with the Microsoft Graph, we need to encode the Client Secret. Secrets regularly contain characters such as +, /, = and & that have a special meaning in a form-encoded request body, and encodeUriComponent percent-encodes them so the secret is passed through the API call unchanged. Put this expression in a Compose action (named Compose - Encode ClientSecret below):

encodeUriComponent(variables('ClientSecret'))

Now it’s time to authenticate with the Microsoft Graph. Add an HTTP action with the method set to POST, using the variables we initialized earlier and our encoded Client Secret.

URI:

https://login.microsoftonline.com/variables('TenantID')/oauth2/v2.0/token

Headers:

{
  "Content-Type": "application/x-www-form-urlencoded"
}

Body:

client_id=variables('ClientID')&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=outputs('Compose_-_Encode_ClientSecret')&grant_type=client_credentials

We then parse the returned JSON with a Parse JSON action to make it easier to use the bearer token in subsequent API calls. To save you generating it, here is the schema you can paste into the Parse JSON action:

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "expires_in": {
            "type": "integer"
        },
        "ext_expires_in": {
            "type": "integer"
        },
        "access_token": {
            "type": "string"
        }
    }
}

You are now free to make calls to the Microsoft Graph or Azure Active Directory Graph using your bearer token. Make sure you include the Authorization header; its value is the token_type ("Bearer"), a space, and the access_token. If you are getting access denied, it might be that your Azure app does not have the correct API permissions, or that admin consent has not yet been granted for the permissions that require it. Look into what data you are trying to retrieve and grant permissions to your app based on those requirements.

{
  "Authorization": "body('Parse_JSON')?['token_type'] body('Parse_JSON')?['access_token']"
}
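The same four steps of the flow (encode the secret, request the token with the client credentials grant, validate the token response against the Parse JSON schema, and build the Authorization header) as a stand-alone Python script. This is an added example, not code from the original post, and it only uses the standard library. Network access only happens when the GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET environment variables (names chosen for this example) are set; otherwise it runs against a constructed sample token response. The granted_app_roles helper goes one step beyond the post: it decodes the token payload so you can see which application permissions were actually granted when a Graph call returns 403.

```python
"""Client-credentials token request for Microsoft Graph, mirroring the
Power Automate flow in the post. Added example, not the post's own code."""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Same fields the flow's Parse JSON schema declares, with the expected JSON types.
TOKEN_SCHEMA = {"token_type": str, "expires_in": int,
                "ext_expires_in": int, "access_token": str}


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the token POST.
    urlencode() percent-encodes the secret the same way the flow's
    encodeUriComponent(variables('ClientSecret')) Compose action does."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": GRAPH_SCOPE,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("ascii")
    return url, body


def parse_token_response(raw):
    """Validate the JSON body against the fields of the Parse JSON schema.
    An error response from the endpoint has none of them and is rejected here."""
    data = json.loads(raw)
    for field, typ in TOKEN_SCHEMA.items():
        if not isinstance(data.get(field), typ):
            raise ValueError(f"token response missing or mistyped field: {field}")
    return data


def authorization_header(token):
    """Same concatenation as the flow: token_type, a space, access_token."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def granted_app_roles(access_token):
    """Decode the JWT payload without verifying the signature (this is for
    diagnosing 'access denied', not for trusting the token) and return the
    'roles' claim, which lists the application permissions actually granted."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get("roles", [])


def request_token(tenant_id, client_id, client_secret):
    """Perform the real HTTP exchange (only used when credentials are configured)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read())


def _fake_jwt(claims):
    """Constructed, unsigned JWT used only for the offline sample response."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.constructed-signature"


# Constructed sample of what the token endpoint returns; not a real token.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": _fake_jwt({"aud": "https://graph.microsoft.com",
                               "roles": ["Group.Read.All"]}),
}).encode()


if __name__ == "__main__":
    env = os.environ
    if all(k in env for k in ("GRAPH_TENANT_ID", "GRAPH_CLIENT_ID", "GRAPH_CLIENT_SECRET")):
        token = request_token(env["GRAPH_TENANT_ID"], env["GRAPH_CLIENT_ID"],
                              env["GRAPH_CLIENT_SECRET"])
    else:
        token = parse_token_response(SAMPLE_RESPONSE)
    # Never print the secret or the full token; the header prefix and roles are enough.
    print("Authorization header starts with:",
          authorization_header(token)["Authorization"][:16] + "...")
    print("Application permissions in token:", granted_app_roles(token["access_token"]))
```

If a Graph call fails with 403 even though the token request succeeded, compare the `roles` list printed here with the permissions the call needs; an empty list with application permissions configured in the portal usually means admin consent has not been granted yet.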

