Authenticating with Microsoft Graph using Power Automate
We often need to access the Microsoft Graph API from Power Automate (I use it mainly for Microsoft 365 Group data). However, you need to authenticate against the Graph to prove you have the right permissions to access the data you want, so you will need to register an app in Azure. The API permissions you give your app will depend on the information you want to query. Usually, I need to query Azure Active Directory Graph as well as Microsoft Graph. I have given my app the following permissions, which I use to query Microsoft 365 Group data:
API / Permission name | Type | Description | Admin consent required
---|---|---|---
**Azure Active Directory Graph (12)** | | |
Directory.AccessAsUser.All | Delegated | Access the directory as the signed-in user | –
Directory.Read.All | Delegated | Read directory data | Yes
Directory.Read.All | Application | Read directory data | Yes
Directory.ReadWrite.All | Delegated | Read and write directory data | Yes
Directory.ReadWrite.All | Application | Read and write directory data | Yes
Group.Read.All | Delegated | Read all groups | Yes
Group.ReadWrite.All | Delegated | Read and write all groups | Yes
Member.Read.Hidden | Delegated | Read hidden memberships | Yes
Member.Read.Hidden | Application | Read all hidden memberships | Yes
User.Read | Delegated | Sign in and read user profile | –
User.Read.All | Delegated | Read all users' full profiles | Yes
User.ReadBasic.All | Delegated | Read all users' basic profiles | –
**Microsoft Graph (22)** | | |
Directory.AccessAsUser.All | Delegated | Access directory as the signed-in user | Yes
Directory.Read.All | Delegated | Read directory data | Yes
Directory.Read.All | Application | Read directory data | Yes
Directory.ReadWrite.All | Delegated | Read and write directory data | Yes
Directory.ReadWrite.All | Application | Read and write directory data | Yes
Files.Read.All | Application | Read files in all site collections | Yes
Files.ReadWrite.All | Application | Read and write files in all site collections | Yes
Group.Read.All | Delegated | Read all groups | Yes
Group.Read.All | Application | Read all groups | Yes
Group.ReadWrite.All | Delegated | Read and write all groups | Yes
Group.ReadWrite.All | Application | Read and write all groups | Yes
Sites.FullControl.All | Application | Have full control of all site collections | Yes
Sites.Manage.All | Application | Create, edit, and delete items and lists in all site collections | Yes
Sites.Read.All | Application | Read items in all site collections (preview) | Yes
Sites.ReadWrite.All | Application | Read and write items in all site collections (preview) | Yes
User.Read | Delegated | Sign in and read user profile | –
User.Read.All | Delegated | Read all users' full profiles | Yes
User.Read.All | Application | Read all users' full profiles | Yes
User.ReadBasic.All | Delegated | Read all users' basic profiles | –
User.ReadWrite | Delegated | Read and write access to user profile | –
User.ReadWrite.All | Delegated | Read and write all users' full profiles | Yes
User.ReadWrite.All | Application | Read and write all users' full profiles | Yes
Now we need to set up a Client Secret. While we are still in the app we have set up in Azure, select Certificates & secrets from the left navigation. Click + New client secret. Give your Client Secret a description (optional) and copy the value of the secret straight away. Once you navigate away from this page, you will not be able to recover the secret again.
Now let’s jump over to Power Automate to create a flow that will authenticate against our Azure app. Let’s start by initializing the variables. All the values for the variables are found on the Overview page of your app in Azure. The Tenant ID is also known as the Directory ID. The Client ID is also known as the Application ID.
Before we can authenticate with the Microsoft Graph, we need to encode the Client Secret. This percent-encodes any characters in your secret that are not safe in a URL-encoded form body (reserved characters such as `&`, `=` and `/`, as well as non-ASCII characters), so the secret passes through the API call intact instead of being misread as part of the query string. I use a Compose action with the following expression:

```
encodeUriComponent(variables('ClientSecret'))
```
Now it's time to authenticate with the Microsoft Graph. In an HTTP action, we use the variables we initialized earlier and our encoded Client Secret (the `variables(...)` and `outputs(...)` parts below are inserted as dynamic content in the flow, not typed literally).

URI:

```
https://login.microsoft.com/variables('TenantID')/oauth2/v2.0/token
```

Headers:

```
{
  "Content-Type": "application/x-www-form-urlencoded"
}
```

Body:

```
client_id=variables('ClientID')&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=outputs('Compose_-_Encode_ClientSecret')&grant_type=client_credentials
```
We then parse the returned JSON to make it easier to use the bearer token in subsequent API calls. To make it easier, I have included the schema you can paste into your Parse JSON action.

```
{
  "type": "object",
  "properties": {
    "token_type": {
      "type": "string"
    },
    "expires_in": {
      "type": "integer"
    },
    "ext_expires_in": {
      "type": "integer"
    },
    "access_token": {
      "type": "string"
    }
  }
}
```
You are now free to make calls to the Microsoft Graph or Azure Active Directory Graph using your bearer token. Make sure you include the Authorization header. If you are getting access denied, it might be that your Azure app does not have the correct API permissions. Look into what data you are trying to retrieve and grant permissions to your app based on those requirements.

```
{
  "Authorization": "body('Parse_JSON')?['token_type'] body('Parse_JSON')?['access_token']"
}
```
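The same token exchange, written as a stand-alone Python script so you can see exactly what the flow sends and receives. This is an added example, not code from the original post: it uses only the standard library, the tenant and client values are placeholders, the token response is a constructed sample rather than a real token, and the endpoint host is the documented `login.microsoftonline.com` (the post uses the `login.microsoft.com` alias). `urlencode()` does the job of the flow's `encodeUriComponent()` step, and `parse_token_response()` enforces the same four fields as the Parse JSON schema above.

```python
"""Client-credentials token request for Microsoft Graph, mirroring the
Power Automate flow: encode the secret, POST the form body, parse the JSON,
compose the Authorization header. Added example; placeholders throughout."""
import json
import time
import urllib.parse
import urllib.request

# Documented v2.0 token endpoint (the post uses the login.microsoft.com alias).
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, headers, body) for the client_credentials grant.

    urlencode() percent-encodes every value, so a secret containing '&', '='
    or '+' cannot split the form body into extra parameters. This is the
    same protection the flow gets from encodeUriComponent() on the secret.
    """
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": GRAPH_SCOPE,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    url = TOKEN_ENDPOINT.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def parse_token_response(raw, now=None):
    """Validate the token JSON against the fields in the Parse JSON schema
    and add an absolute expiry so a caller can refresh before it lapses."""
    data = json.loads(raw)
    for field, kind in (("token_type", str), ("expires_in", int),
                        ("ext_expires_in", int), ("access_token", str)):
        if not isinstance(data.get(field), kind):
            raise ValueError(f"token response missing or malformed field: {field}")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']}")
    now = time.time() if now is None else now
    data["expires_at"] = now + data["expires_in"]
    return data


def build_auth_header(token):
    """Authorization header exactly as the flow composes it: '<token_type> <access_token>'."""
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def request_token(tenant_id, client_id, client_secret):
    """Live POST to the token endpoint (needs network access; not used offline)."""
    url, headers, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample in the shape the token endpoint returns; not a real token.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.SAMPLE.SIGNATURE",
})

if __name__ == "__main__":
    # A secret with reserved characters shows why the encoding step matters.
    url, headers, body = build_token_request("TENANT_ID", "CLIENT_ID", "s3cr3t&=+/x")
    print(url)
    print(body)
    token = parse_token_response(SAMPLE_RESPONSE, now=1_000_000)
    print(build_auth_header(token))
```

Two things the script makes visible that the flow hides. First, `grant_type=client_credentials` with the `.default` scope only ever yields the *Application* permissions granted to the app; the Delegated rows in the table above play no part in this flow, so an access-denied response is resolved by checking the Application rows. Second, the token and the client secret are both bearer credentials: in Power Automate they appear in the run history of the HTTP and Compose actions unless you turn on Secure Inputs and Secure Outputs in those actions' settings.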