How to authenticate as an application with Microsoft Graph API

Captions
Hi everyone, it's Benitez here. Welcome back to my YouTube channel. In today's WTF episode I'm going to share with you all how you can authenticate as an application with Microsoft Graph API for your flows in Power Automate. The agenda today will be me explaining briefly what is Microsoft Graph API, then I'm going to talk about why you would want to authenticate as an application, and then we're going to jump straight into the demo.

What is Microsoft Graph API? It is essentially your gateway into accessing your data in the Microsoft cloud. Previously there were different SDKs across the different services, so this required their own security, their own messaging, their own data format requirements. These services that I'm referring to are things like OneDrive for Business, Azure Active Directory, the discovery service, and other services that are offered under Office 365, so things like Microsoft Teams and Outlook. In other words, there was inconsistency and it was quite a learning curve for developers. Fast forward: Microsoft Graph API is essentially a centralized and standardized structure that allows different services to be built on top of it as well as extend that experience. Because it's in a uniform structure, it makes it a lot easier for developers to be hooking into the Graph API to be able to create their applications, such as mobile, web or client, with the Microsoft Graph API to access the data in the Microsoft cloud.

Okay, so in terms of why I would want to authenticate as an application with flow and Power Automate: when you are using some of the connectors, such as the Office 365 Users connector, it is authenticating as a user account, which means every time the flow is executed and this particular action is called, it's going to authenticate as a user account. There may be scenarios where you don't necessarily want to authenticate as a user, so you can authenticate as an application. With other platforms, such as the Common Data Service, which is now known as Microsoft Dataverse, you could authenticate as a service principal account. In the Microsoft Graph API there are essentially two types of permissions. The first one is delegated permissions, which is where a user needs to grant consent, and the second one is application permissions, where an admin needs to grant consent.

By the time this WTF episode has been published I would have presented a webinar with Theta, my employer, where I was demonstrating how you can use the Power Platform to enable your hybrid workforce today. One of the use cases that I had demonstrated was to do with a manager that was interacting with a bot in Power Virtual Agents within Microsoft Teams, for Microsoft Dataverse for Teams, where the manager was asking the bot who was going to be in the office or working remotely for that particular day. In that flow it was utilizing the Microsoft Graph API and it was authenticating as an application, so in this WTF episode that is what I'm going to show you.

Okay, so demo time, let's get straight into it. You want to create a brand new app registration in the Microsoft Azure portal, so head over to App registrations, click New registration and give it a name. For the purpose of this demo I'm going to select this first account type, but in my blog post I'll give you a hyperlink where you can go and read what those different account types mean. Once that app registration has been created you're going to be associated a client ID and a tenant ID, which we're going to use in our flow in Power Automate.

Now there are two more steps that you need to do here before you can use it in flow in Power Automate. Step number one is create a client secret. What you need to do is just give it a name, and you can set when you want it to expire. I'm going to select never. This will then immediately create a new client secret. Copy this value here and save it somewhere secure; don't save it in a notepad.

Okay, step number two is to create an API, sorry, add an API permission. What I mentioned earlier was, in the use case that I had demonstrated in the webinar, a manager interacting with a bot, where a flow was then executed to go and retrieve the employees that report to that manager so that we can display back to the manager in the bot who is going to be working remotely and who is going to be working in the office. That particular API request that I'm using with the Microsoft Graph API is called List direct reports. One of the great things about the documentation on the docs.microsoft.com site is that every API request for the Microsoft Graph API will have a section called Permissions. Remember how I said there are two permission types, delegated and application; here it's going to show you the permissions that you need to enable in the app registration, and it's going to order them from least to most privileged. For the purpose of this demo I'm going to use the read write all. So back in the Microsoft Azure portal we're going to go ahead and add that permission. We select Microsoft Graph, select Application permissions, paste that in there and go ahead and enable it. The last thing that you need to do is grant the admin consent, so I'm going to click this button and select Yes. This will now show as green ticks, so now it has been granted and we can now use it in our flow.

What I'll do next is head over to the Power Automate makers site. This connector that you're seeing on screen is the Office 365 Get users connector, so this is the one that I had on my PowerPoint slide, and this is where it's authenticating as a user. Essentially, if we want to replicate this but authenticate as an application, one of the actions that we need to use is an HTTP action. Bear in mind that this is a premium connector, so you need to make sure that the licensing that you have within your organization, if you want to authenticate as an application in flow and Power Automate, allows you to use premium connectors.

Okay, so the method that we're doing here is called GET. In terms of this request URI, again you can find this in the docs.microsoft.com article within the Graph API documentation, and there's going to be a section that will explain what the different HTTP requests are. The first one here is saying that it's going to retrieve the employees where I am the manager. In Azure Active Directory, in a user record, there's a field called manager, so essentially that's what the Graph API is using: it's going to go ahead and look at all those user records and only retrieve the users where I am the manager. If you want to do it the other way around, where you want to retrieve the list of users who report to a particular manager, this is the API request that we need to use. In here the difference is that it's using users, and in here you need to either provide the ID, which can be found in the user record in Azure Active Directory, or otherwise you can use a user principal name, which is essentially the email address of the user.

Okay, so what I'm going to do is just go ahead and copy the URI value that I already set up earlier and paste it into here. I'm using a select statement so that I can keep it in line with my connector up here, because what I'll do is show you side by side that the information is the same if you are using the Office 365 Users connector or if you're going to use the HTTP action and authenticate as an application with the Microsoft Graph API.

The next thing we need to do is go ahead and fill out the rest of the details within this HTTP action. I've essentially entered my header value, and for the authentication method we're going to use Active Directory OAuth. In here is where we can enter in details that are associated with our app registration in the Microsoft Azure portal. So head back to the overview details of the app registration, and I think the first one that we needed was the tenant ID, yes. Then the next value here that it's asking for is the audience. This is essentially the base resource URI of Microsoft Graph, which is this value. I just want to say shout out to Yash Agarwal, he's the one who shared this tip with me, because I was a bit confused with this and then he explained it, so then I tried it out and I was like, oh cool, it works. So Yash, if you are watching this, thanks very much. By the way, go ahead and follow him on Twitter; he is a Microsoft MVP based in India. All right, so the next thing that you want to do is copy and paste the client ID from your app registration, and lastly we want to use the value of the secret that was generated when we created a new one earlier.

Okay, so now we can go ahead and run this flow and I'm going to show you the results side by side. Let's go ahead and run it and I'll show you the responses real shortly. Okay, so the flow has successfully run, so I'm going to go ahead and copy this and put it into Visual Studio Code so that I can show you that the response is the same whether you authenticate as a user through the out-of-the-box Office 365 Users connector in flow or authenticate as an application through the HTTP action in flow. On the right-hand side is authenticated as an application, on the left-hand side is authenticating as a user, and as you can see the details are the same; it's just the way you authenticate that is different. On the left-hand side is as a user and on the right-hand side is the application.

And that is it for today's WTF episode. I hope you learned something useful and that this will allow you to think about how you want to do authentication with your flows in terms of interacting with data in the Microsoft cloud. I'd like to say thank you again, and please like, comment and subscribe. I will see you in the next WTF, this... let's try that again. I will see you in the next WTF episode.
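The app-only authentication configured in the demo, sketched outside Power Automate as an added example (not code from the video or from Microsoft): it builds the client-credentials token request and the direct-reports GET URL, then inspects a token's `roles` claim to flag write permissions that a read-only call does not need. The helper names, the placeholder IDs and the sample token are constructed assumptions; nothing is sent over the network.

```python
import base64
import json
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com"  # the "audience" value in the HTTP action


def token_request(tenant_id, client_id, client_secret):
    """Build the client-credentials token request (URL and form body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",  # every admin-consented application permission
    }
    return url, urlencode(form)


def direct_reports_url(user, fields):
    """GET target: users who report to `user` (object id or user principal name)."""
    return f"{GRAPH}/v1.0/users/{quote(user, safe='@')}/directReports?$select={','.join(fields)}"


def token_claims(jwt):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def write_roles(claims):
    """Application permissions in the token that a read-only GET does not need."""
    return [r for r in claims.get("roles", []) if "Write" in r]


def _constructed_token(claims):
    """Make an unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample of an app-only token's claims after admin consent.
SAMPLE = _constructed_token({"aud": GRAPH, "roles": ["User.Read.All", "User.ReadWrite.All"]})

if __name__ == "__main__":
    print(token_request("<tenant-id>", "<client-id>", "<secret-from-vault>")[0])
    print(direct_reports_url("manager@contoso.example", ["displayName", "mail"]))
    print(write_roles(token_claims(SAMPLE)))
```

An app-only token carries its granted application permissions in `roles`, so the same check run on a real token from the app registration shows what the stored client secret can actually do.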
Info
Channel: Elaiza Benitez
Views: 58,181
Keywords: microsoft graph, microsoft 365, azure ad, microsoft graph api authentication, microsoft graph api tutorial, azure active directory, active directory, microsoft, microsoft flow, flow, automation, connector, power automate, microsoft automation, jon levesque, how to, microsoft flow tutorial, how to use power automate, power automate tutorial, jon levesque microsoft, power platform, microsoft power platform, Application authentication, microsoft authentication
Id: Z1xFjmttEvY
Length: 12min 13sec (733 seconds)
Published: Wed Dec 02 2020