In this #PowerShot, I will demo how to configure a setup that will help you secure your Power Automate Cloud Flows that use the "When an HTTP Request is Received" trigger.
A newly released feature, now allows you to select "Who can trigger the flow" for the When an HTTP Request is Received trigger as shown in the screenshot below:
This post is a continuation of my previous post where we saw how to setup the trigger so that all users in the tenant can trigger the flow. In this one, we will take a look at the next option "Specific users in my tenant" where we can specify users that can trigger the flow. Note: the "Anyone" option is the one which was the default configuration before this newly released feature. Check out the previous post here.
Let's Get Started
Cloud Flows in Power Automate with the When an HTTP Request is Received trigger are widely used for various applications and use cases where the Flow acts as a service that gets invoked when a request is made, performs all the actions as per the logic and provides the response. Before the Who can trigger the flow option was released, using security keys, Azure key vault, tokens etc. were commonly used to authenticate the requests. Let's take a look at how we can configure a secure Power Automate Cloud Flow that uses the When an HTTP Request is Received trigger with the Specific users in my tenant as an option.
Azure Application Registration
We will first create an Application Registration in the Microsoft Entra ID (previously Azure Active Directory) for setting up the OAuth authentication.
Step 1: Navigate to portal.azure.com and click on the hamburger icon to access the nav bar and click on Microsoft Entra ID. If you do not have access, you will have to request your IT admin for support in creating the app registration.
Step 2: On the Microsoft Entra ID page, click on App Registrations and then click on + New Registration. Provide a name for the app registration and select the supported account types as required and click on Register.
Step 3: Once the app registration is created, click on API Permissions -> +Add a permission -> Select Power Automate and then check the "User" check box and click on Add permission as shown in the screenshot below:
Step 4: Once the api permissions are added, generate a secret and save the details as those will be required while setting up the HTTP action in the flow.
Flow 1 (When an HTTP Request is Received)
In this section, we will create a flow that will act as the service and will be called using an HTTP action from another flow. We will create a simple flow that will accept a user name as an input and provide a success message as a response.
Step 1: Flow trigger: When an HTTP request is received: Select the When an HTTP request is received trigger and select the Specific users in my tenant option for Who can run this flow.
Provide the email addresses or the object IDs of the users that you want to provide access to for this flow.
For the request body JSON schema, we will configure the schema to accept an email address. You can use the below code for the JSON schema and once the items in the action are configured, the trigger should look like the screenshot below.
JSON Schema:
{
"type": "object",
"properties": {
"userName": {
"type": "string"
}
}
}
Step 2: Action - Compose: to compose a text that will be returned as a response.
Step 3: Action - Response: to return the response.
Step 4: Save the flow.
Once the flow is saved, the HTTP POST URL is generated. Copy this URL so it can be used in the next flow.
Flow 2
In this section, we will create a flow that will call the Flow 1 using an HTTP action and the Invoke an HTTP Request using Azure AD action. We will create a simple flow that will be manually triggered, call the Flow 1 using the two actions and display the response.
Step 1: Flow trigger: Manual - to manually trigger the flow.
Step 2: Action - Invoke an HTTP Request using Azure AD:
For the Base Resource URL, provide the HTTP POST URL and append "&sp=%2Ftriggers%2Fmanual%2Frun" at the end of the URL copied when the Flow 1 was saved.
For the Azure AD Resource URI, provide the input as https://service.flow.microsoft.com/
The authentication on the action looks like the screenshot below.
Once successfully authenticated,
Provide the URI of the request as the HTTP POST URL copied when the Flow 1 was saved.
For this example, I have provided the below body:
Request Body:
{
"userName":"@{triggerOutputs()['headers']['x-ms-user-name-encoded']}"
}Once all the inputs are provided, the action looks like the screenshot below:
Step 3: Save the flow.
Note: If you want to call the HTTP triggered flow using Power Automate but without using the Invoke an HTTP request with Azure AD, it will be difficult to generate the token that identifies the unique user context and the request will fail. Therefore, you can create a custom connector to achieve this. If you want to call the flow from a third party application, you can use OAuth as the security provider and use the app registration along with it. Below is the setup for creating a custom connector to call the When an HTTP request is received flow with Specific users in my tenant as the selected option.
Custom Connector
Step 1: Navigate to the custom connector design page in the environment you want to create the custom connector in.
Step 2: Click on + New Custom Connector and then select Create from blank option. Provide a name for the custom connector and click on continue.
Step 3: In the General tab, provide all the details as required. In the Host field, provide the URL from the HTTP triggered flow in the format as shown below.
https://prod-17.centralindia.logic.azure.com:443
/workflows/xxxxxxxxxxx/triggers/manual/paths/invoke?api-version=2016-06-01
Step 4: In the security tab, select OAuth 2.0 as the authentication type and then select Azure Active Directory for Identity Provider. Provide the Client ID and Client Secret from the app registration and use https://service.flow.microsoft.com/ as the Resource URL. Click on create connector to get the Redirect URL. Once all this information is provided, the security tab looks like the screenshot below:
Copy the redirect URL and add it to the app registration in the Azure Active Directory.
Step 5: In the definition tab, click on + New Action to start creating a new action. Provide the Summary and Operation ID. Click + Import from sample to start configuring the request. Select the verb as Post and provide the URL from the HTTP trigger in the URL field. Use the below sample as body:
{
"userName":"Test"
}Once you provide these inputs, the definition looks like the screenshot below:
Verify all the details and click on import and then click on Update connector.
Step 6: Now switch to the test tab and click on + New Connection to create a new connection. Authenticate using your credentials and select the connection. Provide the API version as
2016-01-01and then provide a test body as shown in the screenshot below:
Step 7: Click on test operation and verify the result as shown in the screenshot below:
In this post, we saw how to configure a setup for securing the When an HTTP Request is Received triggered flow with the Specific users in my tenant option. Check out my previous post to configure the setup with Any user in my tenant option.
I hope you found this interesting and it helped you. Thank you for reading!