Mar 11 2019 04:10 PM - last edited on Dec 23 2021 11:13 AM by TechCommunityAP
I am looking for some guidance to configure 'least-privileged' permissions for Graph API. I'll be invoking Graph API from Microsoft Flow to provision a new Team and set its properties like Team owners & members.
I have registered an app in Azure AD and the app has been assigned 'Application' level 'Groups.ReadWrite.All' and 'Users.Read.All' permissions. These are the minimum set of permissions required.
However, this application secret is going to be visible in Flow, which means any user or administrator who has access to Flow can view the secret and build an API, or simply use Postman to invoke API calls that do operations against all Groups resources.
Has anyone out there implemented a similar setup and could share some advice regarding the security considerations?
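A least-privilege review of the setup described above, as an added example that is not part of the original post or of any Microsoft tooling: it joins an app's granted appRoleAssignments with the resource's appRoles the way the Graph objects are shaped, and flags Application permissions whose reach is tenant-wide (the ones a leaked secret in Flow would hand to anyone who reads it). The GUIDs and assignment records are constructed placeholders, not the real Microsoft Graph permission ids.

```python
# Added example (not from the thread). Record shapes follow Microsoft Graph's
# servicePrincipal.appRoles and appRoleAssignment objects; every GUID below is
# a constructed placeholder, not a real Microsoft Graph permission id.

# Constructed: appRoles exposed by the resource (Microsoft Graph) service principal.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Group.ReadWrite.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Team.Create",
     "allowedMemberTypes": ["Application"]},
]

# Constructed: appRoleAssignments granted to the Flow app's service principal.
FLOW_APP_ASSIGNMENTS = [
    {"principalId": "flow-app-sp", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"principalId": "flow-app-sp", "resourceDisplayName": "Microsoft Graph",
     "appRoleId": "00000000-0000-0000-0000-000000000002"},
]


def resolve_app_permissions(assignments, app_roles):
    """Map each appRoleAssignment to its permission name (the appRole's value)."""
    by_id = {role["id"]: role for role in app_roles}
    names = []
    for assignment in assignments:
        role = by_id.get(assignment["appRoleId"])
        # An id with no matching appRole is reported, not silently dropped.
        names.append(role["value"] if role else f"unknown:{assignment['appRoleId']}")
    return names


def review_least_privilege(assignments, app_roles, required):
    """Compare granted Application permissions with the set the workload needs.

    Returns excess grants, grants missing for the workload, and grants that
    are tenant-wide (".All" Application permissions are not scoped to a
    subset of groups or users, so a leaked client secret carries full reach).
    """
    granted = set(resolve_app_permissions(assignments, app_roles))
    return {
        "excess": sorted(granted - set(required)),
        "missing": sorted(set(required) - granted),
        "tenant_wide": sorted(p for p in granted if p.endswith(".All")),
    }
```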
Mar 13 2019 03:40 AM
I had a similar challenge (but not using Flow). The Graph Security API was great, but with Application permissions the scope of access was far too broad. I finally found a tech note that documented an approach of implementing two Application interfaces: one to provide Username & Password authentication and the second to provide the Graph access. - https://vincentlauzon.com/2017/01/29/authenticating-to-azure-ad-non-interactively/
This worked for me.
Mar 29 2019 11:44 AM
Is this something of interest to you? You can create Custom Connectors that use Graph APIs. Later, the custom connector can be used directly within PowerApps and/or Flow to perform the action.