Azure Integration Services Blog
Calling Graph API from Azure Logic Apps using delegated permissions

talsaifi (Microsoft)
Dec 30, 2020

Microsoft Graph API is a powerful REST API that enables access to cloud resources. It supports two types of permissions: application permissions and delegated permissions.

Some operations do not support application permissions; they support only delegated permissions.

To call Graph API from Azure Logic Apps using delegated permissions, follow the steps below:


1. Register an app, add required delegated API permissions to your registered app and grant admin consent.

  1. Go to your Azure Active directory
  2. From the left side menu, click Manage -> App registrations
  3. Click + New registration
  4. Specify a name for the registered app and click Register; the app Overview page opens.
  5. Copy the Application (client) ID and Directory (tenant) ID to a text editor for later use
  6. From the left side menu, click Manage -> Certificates & secrets
  7. Under Client secrets, click + New client secret
  8. Specify a description, select an expiry duration and click Add
  9. Copy the secret value to a text editor for later use
  10. From left side menu, click Manage -> API permissions
  11. Click + Add a permission
  12. From select an API, select Microsoft Graph
  13. Select Delegated permissions
  14. Select the permissions by checking the checkbox next to required permissions and click Add permissions
  15. Click Grant admin consent

2. In your Logic app, before the Graph API HTTP action, add another HTTP action to get an access token for Microsoft Graph:

  1. From the Method dropdown list, select POST
  2. For URI, enter https://login.microsoftonline.com/<your tenant id>/oauth2/token, where <your tenant id> is the Directory (tenant) ID copied in step 1.5 above
  3. Add a header with key: Content-Type, value: application/x-www-form-urlencoded
  4. For Body, enter:

grant_type=password&resource=https://graph.microsoft.com&client_id=<your client id>&username=<service account username>&password=<service account password>&client_secret=<client secret>

Note that client_id (step 1.5 above) and client_secret (step 1.9 above) belong to your registered app, while the service account username and password are those of a user account in your Azure Active Directory.

3. Add Data operations - Parse JSON action

  1. For Content, select Body from the Dynamic content list
  2. For Schema, enter the following schema:

{
    "properties": {
        "access_token": {
            "type": "string"
        },
        "expires_in": {
            "type": "string"
        },
        "expires_on": {
            "type": "string"
        },
        "ext_expires_in": {
            "type": "string"
        },
        "not_before": {
            "type": "string"
        },
        "resource": {
            "type": "string"
        },
        "token_type": {
            "type": "string"
        }
    },
    "type": "object"
}

4. Add Variables - Initialize variable action

  1. Enter name for the variable: AuthorizationHeaderValue
  2. From Type dropdown list, select String

5. Add Variables - Set variable action

  1. From name dropdown list, select AuthorizationHeaderValue variable
  2. For Value, enter Bearer followed by a single space, then select access_token from the Dynamic content list

6. For the last step, add the HTTP action that calls the Microsoft Graph API:

  1. From Method dropdown list, select required method
  2. For URI, enter the graph API method you want to call
  3. Add header with key: Authorization, value: select AuthorizationHeaderValue variable
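The same exchange that steps 2 to 6 build in the designer, written out in Python as an added example (this is not code from the post or from Microsoft). It shows the part the designer hides: the form body must be percent-encoded, so a service account password or client secret containing characters such as &, = or % does not corrupt the request; the token response is checked against the same field list as the Parse JSON schema above, and expires_on (Unix epoch seconds, returned as a string) is used to decide when the token must be refreshed. The tenant ID, client ID, secret, account name and the token response below are constructed placeholders, not real values.

```python
import json
import time
from urllib.parse import quote, urlencode

# Token endpoint and resource exactly as used in the post (Azure AD v1 endpoint).
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"
GRAPH_RESOURCE = "https://graph.microsoft.com"

# Every field in the post's Parse JSON schema is typed "string".
TOKEN_RESPONSE_FIELDS = (
    "access_token", "expires_in", "expires_on", "ext_expires_in",
    "not_before", "resource", "token_type",
)


def build_token_request(tenant_id, client_id, client_secret, username, password):
    """Return (url, headers, body) for the resource-owner-password token call.

    urlencode() percent-encodes each value, so '&', '=', '%' or '+' inside the
    password or secret cannot break the field structure of the form body.
    """
    url = TOKEN_URL_TEMPLATE.format(tenant_id=quote(tenant_id, safe=""))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "password",
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "username": username,
        "password": password,
        "client_secret": client_secret,
    })
    return url, headers, body


def parse_token_response(raw):
    """Parse the token endpoint's JSON body, enforcing the post's schema."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    for field in TOKEN_RESPONSE_FIELDS:
        if field not in data:
            raise ValueError(f"token response missing {field!r}")
        if not isinstance(data[field], str):
            raise ValueError(f"token response field {field!r} is not a string")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    if data["resource"] != GRAPH_RESOURCE:
        raise ValueError(f"token issued for {data['resource']!r}, not for Graph")
    return data


def authorization_header_value(access_token):
    """Step 5 of the post: the word Bearer, one space, then the access token."""
    return "Bearer " + access_token


def token_is_expired(token, now=None, skew_seconds=60):
    """expires_on is Unix epoch seconds as a string; refresh a little early."""
    now = time.time() if now is None else now
    return int(token["expires_on"]) - skew_seconds <= now


def graph_request(token, method, uri):
    """Method, URI and headers for the final HTTP action that calls Graph."""
    return {
        "method": method,
        "uri": uri,
        "headers": {"Authorization": authorization_header_value(token["access_token"])},
    }


# Constructed sample response shaped like the post's schema (not a real token).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": "3599",
    "ext_expires_in": "3599",
    "expires_on": "1609372800",
    "not_before": "1609369200",
    "resource": "https://graph.microsoft.com",
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.SAMPLE.SIGNATURE",
})

if __name__ == "__main__":
    # All identifiers below are placeholders.
    url, headers, body = build_token_request(
        "00000000-0000-0000-0000-000000000000", "client-id-placeholder",
        "secret&with=special%chars", "svc-account@contoso.example", "p@ss&word")
    print(url)
    print(body)  # password and secret arrive percent-encoded, not raw
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    print(graph_request(tok, "GET", "https://graph.microsoft.com/v1.0/me"))
    print("expired:", token_is_expired(tok, now=1609372800 - 30))
```

The Logic Apps HTTP action sends whatever is typed into Body verbatim, which is why the raw body string in step 2.4 only works for credentials without reserved characters; percent-encoding them, as build_token_request does, is the equivalent fix in the designer. The expiry check matters for long-running or looping workflows: a token obtained at the start of the run is only valid for the expires_in window, so a later action should re-run the token step rather than reuse the stored header value.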


Your workflow should look as follows:

Updated Dec 30, 2020
Version 2.0
  • dustinrasener (Copper Contributor)

    Doesn't this leave passwords in the logs that are kept for previous runs?

  • Yes, it does; it is recommended to secure passwords by enabling secure inputs setting on the HTTP action following the steps below:

    1- Go to the HTTP action HTTP - Get an access token for Microsoft Graph.

    2- Click on the three dots (...) on the top right corner of the action.

    3- Select Settings.

    4- Click the Secure Inputs switch to turn it on.

    5- Click Done.

    6- Click Save to save the logic app.

    Now passwords are secure and cannot be shown for previous runs.

  • D_gigabyte-consultancy

    - Service account and password are required for delegated permission types.

    - You can access Graph API only with service principal if the Graph API supports application permission type. 

  • So I was attempting to use this pattern for the following feature from the Graph API:
    Resumable file upload - Microsoft Graph v1.0 | Microsoft Docs
    But appear to have run into an issue where the requirements for the PUT operation, include the 'Content-Range' header,
    which appears to be automatically omitted by Logic Apps: Call service endpoints by using HTTP or HTTPS - Azure Logic Apps | Microsoft Docs
    Am I correct in putting those pieces together, to determine that this functionality isn't possible via a Logic App?

  • Hi Tareq,

    Thanks for the explanation.

    Why do we need to include a service account and password to create the HTTP connection?

    What if we want to access Graph API only with a service principal?

  • SjoerdV (Iron Contributor)

    talsaifi Just to be sure, the service account used in the resource owner flow can *not* have MFA enabled for the Logic App to run unattended, right?

  • Walio5 (Copper Contributor)

    1) I have registered the app as mentioned above. Do I need a separate service account as well? If needed then which service account should I create from the below list:

    a. Managed Identities
    b. Service Principals
    c. and User Based Service accounts.


    2) Please describe this part below how can I create the account and password and use it here
    username=service account username&password=service account password

    Thank you.