Calling an Azure Function from Freshservice Workflow Automator using OAuth2.0 authentication

I have to call an Azure Function from Freshservice Workflow Automator. (Workflow Automator is their automation service. Think Logic Apps, but worse. Way worse. Nothing wrong with it functionally, but that it’s a very v0.3 product).

First things first, I created an App Registration in Entra ID. Just a standard one, generate a client secret and keep it handy. This will represent Freshservice in Entra ID, so name it accordingly (e.g. “Freshservice Workflow Automator SPN”).

I won’t go into how the Azure Function is setup. It requires Entra ID authentication. Enabling this creates an App Registration in Entra ID (let’s call this “Function App Authentication” to keep things simple in this blog post). We have to allow the “Freshservice Workflow Automator” access to “Function App Authentication”. To do this one needs to create an App Role in “Function App Authentication”.

The app role name etc. doesn’t matter. Here’s what I created (which you can see as “3” above).

Go to “Freshservice Workflow Automator” > API Permissions > “Add a permission”.

 

In the box that opens up click on “APIs my organization uses” and search for the Function App App Registration.

Click on it and then:

That’s all.

On the Function App side add the client Id of “Freshservice Workflow Automator”.

On the Fresh side, go to the Admin portal and search for Credentials. Create a new one.

Here’s what I filled:

  • In Credential Name put some text to identify this credential in Fresh.
  • Leave App Name empty/ default.
  • Type is “OAuth 2.0”.
  • Grant Type is “Client Credentials”.
  • Access Token URL is https://login.microsoftonline.com/<replaceWithTenantId>/oauth2/v2.0/token
  • Client ID is the client id of the App Registration “Freshservice Workflow Automator”.
  • Put in the client secret.
  • Scope is api://<clientIdOfFunctionAppAppRegistration>/.default
    • Press tab after entering this.
  • Client Authentication is to send client credentials in body.

That’s all. Click Generate Token & Save.

Later, when creating a new Web Request I can select the credential object I created above.

That’s all! Looks like Fresh exchanges the token behind the scenes with the Function App middleware, so I don’t have to do all that.

Update (later that day): Something frustrating.

If you want to make OAuth 2.0 authenticated calls against other Function Apps too, you must add their scopes also in the Credentials section in Fresh and generate a new token.

Failure to do this will result in an error from Azure Functions.

However, this does not work. When generating a token Fresh complains!

It seems to fail if I add multiple regular scopes like openid and profile too. But that could be a geniune case of the App Registration not having those scopes in its permissions list, so I don’t know… (an example from this forum post seems to indicate adding multiple scopes works).

What if I create separate credentials in Fresh, using the same App Registration but with different scopes? Nope, fails again when generating a token! Same error. Looks like I can’t reuse the App Registration across credentials?

I ended up creating a new App Registration for Fresh – basically, separate App Registration for Fresh for each Function App it needs to talk to – and created separate Credentials for each of these. This too was a bit iffy, but it works… it looks like Fresh caches the Client ID somewhere, and during some testing I had used this new App Registration in the existing Credential and even though I wasn’t using it there any more Fresh wouldn’t let me create a new Credential object with that. Finally I created yet another App Registration for Fresh and that worked.