Microsoft Power Automate HTTP Trigger and Restricting Users

Microsoft Power Automate, previously known as Microsoft Flow, is a cloud-based service that allows you to automate workflows and integrate various applications and services without the need for extensive coding. It enables you to create automated processes, called flows, that can be triggered by various events, including HTTP triggers.

An HTTP trigger in Microsoft Power Automate allows you to start a flow by making an HTTP request to a specific URL. This can be useful for integrating Power Automate with external systems, services, or applications that can send HTTP requests.

HTTP triggers can be secured using various authentication mechanisms to ensure the security and privacy of your workflows. However, Microsoft just recently began rolling out a new feature that will simplify authentication! It’s not yet available in all regions, so stay tuned if you don’t see it yet in your tenant.

Restricting which users can trigger the flow

This new feature (available with new HTTP triggers) allows admins to restrict which users (or apps) can trigger the flow. When you first create the “When a HTTP request is received” trigger, you now have an option called “Who can trigger the flow?”. The options for this are:

  • Any user in my tenant
  • Specific users in my tenant (users or service principal object ids)
  • Anyone

The option you choose will depend on your use case, but most cases will benefit from the first option, “Any user in my tenant”.

Allowing external apps to trigger the flow

If you need an external service or app to trigger the flow, your admin should create an App Registration in your Azure Tenant for them to use. The settings required for the App Registration are:

  • Add API permissions: Power Automate User.Read. Be sure to grant admin consent for this
  • Add claims as outlined here
  • Create a secret and provide the value, Client Id, Tenant Id to the 3rd party

The 3rd party can then obtain an access token using OAuth 2.0 and a Grant Type of Client Credentials:

  • Access Token Url will be: https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
  • Scope will be: https://service.flow.microsoft.com//.default

Common errors

With the assumption that your flow is configured to allow “Any user in my tenant” to execute it, these are some common errors I’ve seen:

  • If an external app attempts to trigger the flow without OAuth, they receive a “DirectApiAuthorizationRequired” error.
  • If an external app is using an App Registration outside of your tenant and attempts to trigger the flow, they will receive a “MisMatchingOAuthClaims” error. Note that you can also see this error with App Registrations inside of the tenant if the claims or other properties were not configured correctly.

Otherwise, if the Flow is configured to allow users in the same tenant to execute it and the App Registration was configured correctly, the Flow will trigger and send a successful response to the app per your design.
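
As an added example (not code from the original post or from Microsoft), the Python sketch below builds the client-credentials token request from the URL and scope given above and checks a token's claims before the flow is called. The `tid`, `aud` and `oid` checks and their mapping to the errors listed above are assumptions, and the sample token and IDs are constructed.

```python
import base64, json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # from the post
SCOPE = "https://service.flow.microsoft.com//.default"                      # from the post


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant described in the post."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": SCOPE}
    return TOKEN_URL.format(tenant=tenant_id), urlencode(form).encode()


def decode_claims(access_token):
    """Decode the JWT payload for diagnosis only; the signature is NOT verified here."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(access_token, flow_tenant_id, allowed_object_ids=None):
    """List reasons the flow would likely reject this token (assumed claim mapping)."""
    claims, problems = decode_claims(access_token), []
    if claims.get("tid", "").lower() != flow_tenant_id.lower():
        problems.append("tid is not the flow's tenant (expect MisMatchingOAuthClaims)")
    expected_aud = SCOPE[: -len("/.default")].rstrip("/")
    if claims.get("aud", "").rstrip("/") != expected_aud:
        problems.append("aud is not the Power Automate resource")
    if allowed_object_ids is not None and claims.get("oid") not in allowed_object_ids:
        problems.append("oid is not in the 'Specific users in my tenant' list")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned token for the demo below; not a real Entra ID token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    tenant = "11111111-1111-1111-1111-111111111111"       # constructed tenant id
    token = make_sample_token({"tid": "22222222-2222-2222-2222-222222222222",
                               "aud": "https://service.flow.microsoft.com/",
                               "oid": "33333333-3333-3333-3333-333333333333"})
    print(build_token_request(tenant, "client-id-placeholder", "secret-placeholder")[0])
    for problem in preflight(token, tenant):
        print("preflight:", problem)
```

The form body goes in a POST to the token URL with content type `application/x-www-form-urlencoded`, and the returned access token is sent to the flow's trigger URL in an `Authorization: Bearer` header.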

If you’d like to know more about the Microsoft Power Platform, and the many options it offers for businesses such as analytics, automation, apps and bots, see our Power Platform services page.

Reach out to Beringer today!

We love to implement Microsoft Dynamics 365 and Power Platform solutions here at Beringer.  We’ve been working with Microsoft Dynamics since its inception, and we’re always finding innovative ways to implement the latest tools and help automate business processes.

Beringer Technology Group, a leading Microsoft Partner specializing in Microsoft Dynamics 365 and CRM for Distribution, also provides expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, Email Security Implementation and Training, Unified Communication Solutions, and Cybersecurity Risk Assessment.