Graph API permissions and protecting secrets

Gurdev Singh · ‎Mar 11 2019

I am looking for some guidance to configure 'least-privileged' permissions for Graph API. I'll be invoking Graph API from Microsoft Flow to provision a new Team and set its properties like Team owners & members.

I have registered an app in Azure AD and app's been assigned 'Application' level 'Groups.ReadWrite.All' & Users.Read.All permissions. These are the minimum set of permissions required.

However, this application secret is going to be visible in Flow which means any user or administrator who has access to Flow can view the secret and build an API or simply use postman to invoke API calls that do operations against all Groups resources.

Has anyone out there implemented a similar setup and could share some advice regarding the security considerations?

mdowens · ‎Mar 13 2019

I had a similar challenge (but not using Flow). The Graph Security API was great but with Application permissions the scope of access was far too broad. I finally found a technote that documented an approach of implementing two Application interfaces - one to provide a Username & Password authentication and the second to provide the Graph access. - https://vincentlauzon.com/2017/01/29/authenticating-to-azure-ad-non-interactively/

This worked for me

ainnani · ‎Mar 29 2019

@Gurdev Singh

Is this something of your interest. You can create Custom Connectors that uses Graph APIs. Later, the custom connector can directly be used within the PowerApps and/or Flow to perform the action

PowerApps – Custom Connectors

Graph API permissions and protecting secrets

Graph API permissions and protecting secrets

Re: Graph API permissions and protecting secrets

Re: Graph API permissions and protecting secrets

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Graph API permissions and protecting secrets