HTTP Connector Power Automate
Manish Solanki  

How to secure HTTP request end point for external or 3rd party application?

Full demo video is available at:

Use Case

It is common scenario to exchange data between applications. In power platform, we have the “HTTP” request trigger that supports exchange of data with 3rd party applications, but the end point should be secured to prevent breach. In this article, I will demonstrate

  • How we can secure the end point using Azure AD app.
  • How we can securely push data from another tenant using HTTP connector
  • How to consume HTTP request end point from postman

Scenario

Our main focus is on securing & calling the HTTP request end point so we will take a simple flow that accepts a message string and respond back with a string.

Solution

1. First step is to create Azure AD app. Navigate to Azure portal and go to Manage Microsoft Entra ID. Choose “App registrations” from left navigation menu and click “New registration”:

Next, enter the appropriate name of the application, here I have taken is as ‘ThirdPartyAppServicePrincipal’. Leave default value in supported account types “Accounts in this organization directory only” and click ‘Register’ button

Now, go to “API permission” tab & click “Add a permission” from sub menu:

Select “Power Automate” from the API and select “User” permission from the list. Click “Add permissions” button:

Following that, Grant admin consent to the API on returning to the application page:

After that, go to “Certificates & secrets” tab from the left navigation & create a client secret by clicking ‘New client secret’ button:

Set the description & expiry period as required and click “Add” button:

Note: Pls copy the secret key value as it will be visible only on creation. Keep this handy as we need this secret key when calling the HTTP request end point.

Copy Application Id and tenant Id as these are required later while consuming the API

We also need the object id of the service principal to configure the HTTP request trigger. To get that Id, navigate to “Enterprise applications” on left navigation and get the object id from the grid:

2. Second step is to create a flow for http trigger ‘When a HTTP request is received’. Here, I have created a simple flow that accepts a string as input in the body and respond back with “Hello” string combined with the input string.

Create an automate cloud flow & choose trigger as ‘When a HTTP request is received’. Select ‘Specific users in my tenant’ from the drop down for ‘Who can trigger the flow?’ parameter. In “Allowed users” parameter, we need to set the object id of the azure AD app which we have noted from “Enterprise application” tab in Azure AD portal

Add the below code in the request body JSON schema:

{
    "type": "object",
    "properties": {
        "message": {
            "type": "string"
        }
    }
}

Note: The HTTP post URL will be generated when you save the flow.

Add response action & set the body as per the requirement, here I have just combined the input string with ‘Awesome, ‘ string:

Copy & save the HTTP post URL generated in trigger which would be required in calling this flow.

Consume from different Azure AD (tenant)

Add HTTP action to call the API endpoint and configure it as shown below. Click here to know more about value of different audiences:

Method: POST
URI: <HTTP post URL generated from HTTP trigger>

Headers: 
Key - Content-Type
value - application/json

Body: 
{
"message":"calling from different power platform environment"
}

Authentication: Active Directory OAuth
Tenant: <Azure AD tenant id>
Audience: https://service.flow.microsoft.com/
Client ID: <Azure AD app Client Id> 
Credential Type: Secret
Secret: <Azure AD app secret>

Output:

Calling from Postman:

Firstly, we will get the authorization token from Azure AD by calling the token endpoint:

URI: https://login.microsoftonline.com/<tenant id>/oauth2/token

Body: 
Key                   value
grant_type            client_credentials
client_id             <Azure AD app client Id>
client_secret         <Azure AD app secret>
resource              https://service.flow.microsoft.com/

Collect the access token from the response of the token end point. Take the value from the ‘access_token’ object:

Copy the token value which would be need in calling HTTP end point:

URI: <POST URL generated from Http request trigger>
Token: <access token value generated from the previous step>

In body, pass the JSON code to get the response:

{
  "message": "calling from postman"
}

Output:

Conclusion:

As you have seen how easy it is to secure the HTTP endpoints for exchanging data between third party application. We have also seen that we could call the secured endpoint from different tenant or using postman.

2 thoughts on “How to secure HTTP request end point for external or 3rd party application?

  1. Expiscornovus

    Nice article Manish. Useful to see a couple of examples for this new security feature in that HTTP trigger action, thanks for sharing 🙂

    1. Manish Solanki

      Thanks, Expiscornovus for encouraging words. I am keen follower of your blogs too :). You write really well!

Leave A Comment