Skip to content

Using an API in Power Automate with Entra ID authentication

Sometimes with cloud flow, you have to do things for which there is no ready-made connector available. This is not a problem, because most modern services have an interface (API) that can also be used from the flow.

Like this.

The API can be completely open, in which case there is no need to worry about authentication. In most cases, however, you must authenticate yourself for using the API. Microsoft services use Entra ID (formerly known as Azure AD) authentication for this.

In this case, you identify yourself, either as a user or as an application, against Entra ID. Let’s look at how this can be done in different ways in Power Automate. I will use Power BI API as an example in this post.

Option 1 – HTTP action and Service Principal

The first option is to use the HTTP action and utilize the Service Principal. So we don’t identify ourselves as a user but as an application registered in Entra ID.

Here is one detailed example of this.

In short, an authorization token is created with flow for the application registered in Azure.

The generated token is then used in the actual API call for authentication.

Good

  • Flow doesn’t use the user’s password -> It is not visible to others
  • Some of the endpoints work only with application-level rights

Bad

  • If the secret of the application is stored in the flow or it is used with the Keyvault action, it can be easily dug out by other makers
  • All endpoints can’t be used with the application (authentication with delegated user rights is required)
  • The application’s secret expires sooner or later and you should remember to update it to Flow as well
  • Requires application registration on Azure

Option 2 – Using the HTTP action with the user

In the next option, we log into the Azure application as a user. In this case, the delegated access rights defined for the application are used. In practice, we can’t do anything that the used user has no permission for.

The implementation is very similar to the previous one.

Good

  • If an API can’t be used as an application, l you can make it work by identifying yourself as a user

Bad

  • Flow not only knows the secret of the application but also the user’s password. Not good.
  • A token cannot be generated if the user has MFA enabled (and why wouldn’t it be)
  • Requires application registration in Azure

Option 3 – Custom Connector

What if the API can’t be used as an application and it’s not possible to create service account in the organization without MFA?

You can package the API as a custom connector, where you define also the authentication part.

Instructions can be found online again. For example: https://learn.microsoft.com/en-us/connectors/custom-connectors/azure-active-directory-authentication

Good

  • Password is stored in the created connection and no one can dig it out for themselves
  • Used user account can have MFA enabled

Bad

  • Requires application registration in Azure
  • You get your own connector to maintain
  • The connection may expire

Option 4 – HTTP with Azure AD connector

This time I saved the treat for last. Surprisingly few are aware of Power Platform’s HTTP with Azure AD connector and its Invoke an HTTP request action. This is due to the connector’s poor documentation.

This connector can be used to make API calls to Microsoft services using Azure Entra ID as an authentication method.

And that’s what we’ve been doing here all along in different ways.

Let’s add an action to our workflow.

When creating a connection, you define which service (Base Resource URL) will be used with the connection. And this is where the citizen developer easily gets confused. Where on earth can I find the Azure AD Resource URL for, for example, Power BI’s API?

The easiest way to do it in a trendy way is with chatGPT.

That is, for the Power BI API, the values ​​are

Press “Sign In” and log in. After this, you can make API calls to the service without any authentication hassle. It’s already been done.

Works!

Good

  • The password of the used user is stored in the created connection, it cannot be dug out from there
  • The user can have MFA enabled
  • No need to register your own application in Azure
  • An excellent alternative to using Microsoft’s own services

Bad

  • Does not work with all APIs and not all endpoints
  • Poor documentation. Just have to try to see if it works for needed endpoints.
  • The connection may expire
  • The connection contains information about which service the connection is used for. Impossible to see which connection is created for which service

What APIs can actually be used with this method? During the creation phase, the connection must be given the address of the resource to be used in Azure (Azure AD Resource URL). It is probably safe to assume that the resource must also be found in Azure. Good candidates can be browsed, for example, from the API-permissions section of the application to be registered.

By the way, the much-needed Azure AD Resource URL can also be found here.

Don’t forget ready-made connectors!

All the options mentioned above require the user to have a Power Automate license. They rely on premium connectors.

Flow also has standard connectors that can be used to make calls to limited parts of Microsoft’s Graph API.

These include, for example, the following.

Unfortunately, there is no corresponding connector for Power BI API, for example.

APIEntraIdPower Automate

Leave a Reply

Your email address will not be published. Required fields are marked *