As you could have read in my previous post, I have been spending some time lately with Power Automate, Logic Apps and everything related. To connect Power Automate or Logic Apps to Microsoft Graph I used HTTP actions, as we don`t have predefined actions available. But there are reasons to set up a custom connector to connect to Microsoft Graph, instead of using an HTTP action. A reason for this is the lack of support for some Graph API calls for Application permissions. This can be overcome by using a custom connecter as this connector supports Delegated permissions instead.
In this post I describe how a Custom Connector is setup in Azure. I also show how the App Registration is setup, which we need to use for authentication in the Custom Connector.
Create an Azure App Registration
- Sign in to the Azure portal
- Open the service App Registrations
- Select New registration
- Enter a (display) Name for the App Registration
- Make your choice for the Supported account types (mostly the default option works fine)
- Click Create
On the Overview tab, we find the Application (client) ID, which we needed later when we set up our Custom connector.
- Open the Certificates & Certificates tab
- Click New client secret
- Enter a Name for the secret
- Choose when this secret will expire
- Click Add
Note the Value of the client secret in a secure place. The secret will only be shown directly after the creation of the secret and we need it later in the custom connector.
Browse to the API Permissions tab. On this tab, we add permissions which we need to perform actions using Graph. Which permissions are needed can be found on Microsoft Docs. For example, here is information found related to device actions.
- Click Add a permissions, to add the required permissions.
- Select Microsoft Graph
- Select Delegated permissions
- Search for the permissions you need to assign
- Select the required permissions (below is just an example)
- Click Add permissions
- Select Grant admin consent for Klapwijk
- Select Yes
The App Registration is in-place. During the setup of the Custom Connector, we get a Redirect URL, which we need to add to this App Registration.
Create a Logic Apps Custom Connector
After creating the App Registration, we are now ready to set up the custom connector. Open the Logic Apps Custom Connector service in the Azure portal. Yes, this is a separate service and isn`t found under the Logic Apps service itself.
- Click Create
- Choose the correct Subscription
- Choose a Resource group (or create a new resource group)
- Enter a Custom connector name
- Choose the Region
- Click Review + Create
- When the creation of the connector is finished, open it
- Click Edit
As I don`t use, for example Postman to setup my connector, I leave this part default.
- Upload a connector icon (optional)
- Enter a Description (optional)
- As Host enter graph.microsoft.com
- As base URL enter a forward slash
- Click Security (on the bottom right corner)
- Choose OAuth 2.0 as Authentication type
- Choose Azure Active Directory as Identity Provider
- Enter the Client ID from the App Registration created earlier
- Enter the Client Secret
- The Login URL is pre-filled: https://login.windows.net
- Enter the Resource URL: https://graph.microsoft.com
- Click Update connector
- The Redirect URL is created
- Copy the URL
- Switch back to the previously created App Registration
- Browse to the Authentication tab
- Click Add a platform
- Select Web
- Enter the Redirect URL of the Custom Connector
- Click Configure
We now need to define all the actions we want to use in our Logic Apps by using this Custom connector. Below is an example to run a Get query to ‘get the properties and relationships of a device object‘ by using the device ObjectID.
- Switch back to the Custom Connector
- Open the Definitions page
- Click New action
- Enter a Summary
- Enter a Description
- Open an Operation ID
- Click Import from sample
Here we need to make a choice for the Verb (Method).
In the URL box, we enter the URL which we would use when we run the same action (query) by using Graph Explorer. After the forward slash, we put our variable in between brackets.
Click Import
After the import, the variable is shown under Path.
Click Update connector, to finish the creation of the connector.
It`s always possible to add extra actions to the connector at a later time. If you do, don`t forget to add the required permissions to the App registration.
How to use the Custom Connector in Logic Apps
Now let`s see how we can use the new Custom Connector.
- Create a new Logic App, or open an existing Logic App
- Add a New action to the flow
- Choose the Custom tab
- Choose the Custom Connector
- Choose the custom action
- Click Sign in
- Authenticate
The custom action is added to the flow. As you can see the variable is shown on the left and reminds us of what variable we need to put in the box.
Here the ObjectID is added, which I get from a previous action.
I hope this post is of any help to you.
Thanks for reading. And if you have any input on this topic, just leave a comment. I`m also happy to learn from you guys (or girls 😉 )!
1 Comment
Nice article. However a custom connector can only use delegeted permissions and not application permissions if you use OAuth 2.0. This means that the logged in user from the Logic App flow should have access to the resource to be accessed from Microsoft Graph.
So this is not very useful. Using an HTTP request in the flow can use application permissions.