Calling Graph API from Azure Logic Apps using delegated permissions

Published Dec 30 2020 12:48 AM
Microsoft

Microsoft Graph API is a powerful REST API that enables access to cloud resources. It supports two types of permissions: application permissions and delegated permissions.

 

Some operations do not support application permissions; they support only delegated permissions.

 

To call Graph API from Azure Logic Apps using delegated permissions, follow the steps below:

 

1. Register an app, add required delegated API permissions to your registered app and grant admin consent.

  1. Go to your Azure Active Directory
  2. From the left-side menu, click Manage -> App registrations
  3. Click + New registration
  4. Specify a name for the registered app and click Register; the app's Overview page opens
  5. Copy the Application (client) id and Directory (tenant) id to a text editor for later use
  6. From the left-side menu, click Manage -> Certificates & secrets
  7. Under Client secrets, click + New client secret
  8. Specify a description, select an expiry duration and click Add
  9. Copy the secret value to a text editor for later use
  10. From the left-side menu, click Manage -> API permissions
  11. Click + Add a permission
  12. Under Select an API, select Microsoft Graph
  13. Select Delegated permissions
  14. Select the permissions by checking the checkbox next to the required permissions and click Add permissions
  15. Click Grant admin consent

2. In your Logic app, before the Graph API HTTP action, add another HTTP action to get an access token for Microsoft Graph:

  1. From Method dropdown list, select POST method
  2. For URI, enter https://login.microsoftonline.com/your tenant id/oauth2/token; for your tenant id, see step 1, sub-step 5 above
  3. Add header with key: Content-Type, value: application/x-www-form-urlencoded
  4. For Body, enter:

grant_type=password&resource=https://graph.microsoft.com&client_id=your client id&username=service account username&password=service account password&client_secret=client secret

 

Note that client_id (see step 1, sub-step 5 above) and client_secret (see step 1, sub-step 9 above) are for your registered app; the service account username and password are for a user account in your Active Directory.

3. Add Data operations - Parse JSON action

  1. For Content, select Body from the Dynamic content list
  2. For Schema, enter the following schema:

{
    "properties": {
        "access_token": {
            "type": "string"
        },
        "expires_in": {
            "type": "string"
        },
        "expires_on": {
            "type": "string"
        },
        "ext_expires_in": {
            "type": "string"
        },
        "not_before": {
            "type": "string"
        },
        "resource": {
            "type": "string"
        },
        "token_type": {
            "type": "string"
        }
    },
    "type": "object"
}

4. Add Variables - Initialize variable action

  1. Enter name for the variable: AuthorizationHeaderValue
  2. From Type dropdown list, select String


5. Add Variables - Set variable action

  1. From name dropdown list, select AuthorizationHeaderValue variable
  2. For value, enter Bearer access_token; note that there is a single space after Bearer, and access_token is selected from the Dynamic content list

6. For the last step, configure the HTTP action that calls Microsoft Graph API

  1. From Method dropdown list, select the required method
  2. For URI, enter the Graph API method you want to call
  3. Add header with key: Authorization, value: select AuthorizationHeaderValue variable

 

Your workflow should look as follows:

[Image: GraphDemo.png]

2 Comments
Occasional Visitor

Doesn't this leave passwords in the logs that are kept for previous runs?

Microsoft

Yes, it does; it is recommended to secure passwords by enabling secure inputs setting on the HTTP action following the steps below:

1- Go to the HTTP action HTTP - Get an access token for Microsoft Graph.

2- Click on the three dots (...) on the top right corner of the action.

3- Select Settings.

4- Click the Secure Inputs switch to turn it on.

5- Click Done.

6- Click Save to save the logic app.

 

Now passwords are secure and can not be shown for previous runs.
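
An added example, not part of the original post or of the reply above: a Python check over a Logic App's code-view JSON that lists HTTP actions whose body carries password= or client_secret= and whose runtimeConfiguration.secureData setting does not cover both inputs and outputs. The sample workflow, its action names and the placeholder values are constructed; checking outputs as well goes beyond the reply, because the token response contains the access_token.

```python
import json

# Constructed sample (placeholders only): three token actions as they could appear
# in a Logic App's code view, with different Secure Inputs/Outputs settings.
TOKEN_BODY = ("grant_type=password&resource=https://graph.microsoft.com"
              "&client_id=<client-id>&username=<user>&password=<password>"
              "&client_secret=<client-secret>")
TOKEN_INPUTS = {
    "method": "POST",
    "uri": "https://login.microsoftonline.com/<tenant-id>/oauth2/token",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": TOKEN_BODY,
}
SECURE_BOTH = {"secureData": {"properties": ["inputs", "outputs"]}}
SECURE_INPUTS = {"secureData": {"properties": ["inputs"]}}
SAMPLE = {"definition": {"actions": {
    "Get_token_plain": {"type": "Http", "inputs": TOKEN_INPUTS},
    "Scope": {"type": "Scope", "actions": {
        "Get_token_inputs_only": {"type": "Http", "inputs": TOKEN_INPUTS, "runtimeConfiguration": SECURE_INPUTS},
        "Get_token_secured": {"type": "Http", "inputs": TOKEN_INPUTS, "runtimeConfiguration": SECURE_BOTH},
    }},
}}}

SECRET_MARKERS = ("password=", "client_secret=")

def iter_actions(actions):
    """Yield (name, action) pairs, descending into nested "actions" and "else" branches."""
    for name, action in (actions or {}).items():
        yield name, action
        yield from iter_actions(action.get("actions"))
        yield from iter_actions((action.get("else") or {}).get("actions"))

def unsecured_secret_actions(workflow):
    """Map each HTTP action whose body carries a secret to the properties left unsecured."""
    findings = {}
    for name, action in iter_actions(workflow.get("definition", {}).get("actions")):
        inputs = action.get("inputs")
        if str(action.get("type", "")).lower() != "http" or not isinstance(inputs, dict):
            continue
        if not any(marker in str(inputs.get("body", "")) for marker in SECRET_MARKERS):
            continue
        secure = action.get("runtimeConfiguration", {}).get("secureData", {})
        missing = [p for p in ("inputs", "outputs") if p not in secure.get("properties", [])]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(json.dumps(unsecured_secret_actions(SAMPLE), indent=2))
```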

Version history
Last update:
‎Dec 30 2020 02:37 AM