- \n
- This one<\/a>, which is super informative on what else one can use that connector for. Heck, I even figured out how to use it for Forms and other stuff – sure, it was about 9 months ago and I have been busy with other stuff so don’t really remember it, but still…<\/li>\n
- And this one<\/a>, which is quite cool in that I use this connector to make requests to my Logic Apps.<\/li>\n<\/ul>\n
Between these two posts, I think they capture everything I know (or should know) about this connector.<\/p>\n
Anyways, a colleague wanted to use the HTTP with Azure AD connector to get reports. The account in question has the Reports Reader role, and he was trying the following URL:
https:\/\/graph.microsoft.com\/v1.0\/reports\/getOffice365GroupsActivityDetail(period='D90')<\/code><\/p>\nBut it failed:<\/p>\n
{\r\n \"error\": {\r\n \"code\": \"UnknownError\",\r\n \"message\": \"{\\\"error\\\":{\\\"code\\\":\\\"S2SUnauthorized\\\",\\\"message\\\":\\\"Invalid permission.\\\"}}\",\r\n \"innerError\": {\r\n \"date\": \"2023-08-04T09:25:01\",\r\n \"request-id\": \"364325b0-65aa-4034-ae12-53f1ac1c4ce3\",\r\n \"client-request-id\": \"364325b0-65aa-4034-ae12-53f1ac1c4ce3\"\r\n }\r\n }\r\n}<\/pre>\nIt’s not surprising it failed. The connector has a limited<\/a> set of scopes:<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.19.17.png?resize=660%2C137&ssl=1\")
<\/p>\nThat is to say, it probably doesn’t have the
Reports.Read.All<\/code> delegated permission assigned to it, so even though the account can do it the connector can’t. Bummer.<\/p>\nI could go the route of an HTTP connector, and I did spend some time fooling around with that, but eventually gave up. Using an HTTP connector has the draw back that I need to send the username and password as part of the password flow<\/a>. There are options to authenticate via OAuth 2.0 with the HTTP connector but I couldn’t quite figure out how to make it work with an App Registration I created that gives the delegated
Reports.Read.All<\/code> permissions. Could be that I was just being thick when figuring it out.<\/p>\nAnyways, using a custom connector is more fun. And reusable. Plus I can setup the connector for others in their environment, without handing over the secret to others. Way more nifty in my opinion.<\/p>\n
So here’s what I did.<\/p>\n
First, I created an App Registration. Just a standard one, but I added the delegated
Reports.Read.All<\/code> permission to it and did an admin consent.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.24.49.png?resize=660%2C180&ssl=1\")
<\/p>\nThen I created a secret, and noted that.<\/p>\n
Next, I went to Power Automate and created a custom connector.<\/p>\n
Go to Data > Custom Connectors > New custom connector.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.26.14.png?resize=564%2C146&ssl=1\")
<\/p>\nCreate from blank. Give it a name.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.29.56.png?resize=660%2C219&ssl=1\")
<\/p>\nAnd description. And change host to graph.microsoft.com.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.30.52.png?resize=660%2C411&ssl=1\")
<\/p>\nThen go to the next page, Security.<\/p>\n
I want OAuth 2.0 and Azure AD.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.32.08.png?resize=660%2C322&ssl=1\")
<\/p>\nFill in the rest of the details from the App Registration. I left the Tenant ID as common, but filled in the resource URL as
https:\/\/graph.microsoft.com<\/code> (fill that exactly; I know this experience<\/a>).<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.36.31.png?resize=660%2C510&ssl=1\")
<\/p>\nClick “Create Connector”.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.38.18.png?resize=660%2C90&ssl=1\")
<\/p>\nThat should generate a Redirect URI.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.38.38.png?resize=660%2C100&ssl=1\")
<\/p>\nI added that to the App Registration.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.39.39.png?resize=660%2C297&ssl=1\")
<\/p>\nGo to the next section, Definition.<\/p>\n
Add an action.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.57.54.png?resize=660%2C658&ssl=1\")
<\/p>\nUpdate<\/strong>: Later, I changed the above to be like this:<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.16.23.png?resize=660%2C424&ssl=1\")
<\/p>\nThat’s because I realized there’s no way to take an input of the number of days, so I might as well create separate ones.<\/em><\/p>\n
And a request, for that action.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-13.58.16.png?resize=660%2C659&ssl=1\")
<\/p>\nThe URL is
https:\/\/graph.microsoft.com\/v1.0\/reports\/getOffice365GroupsActivityDetail<\/code><\/p>\nUpdate<\/strong>: Later, I changed the URL to be
https:\/\/graph.microsoft.com\/v1.0\/reports\/getOffice365GroupsActivityDetail(period='D90')<\/code> to match the updated name above<\/p>\nClick on Response, add a default response,\u00a0 and I added the following:<\/p>\n
Content-Type: text\/plain\r\nLocation: https:\/\/reports.office.com\/data\/download\/JDFKdf2_eJXKS034dbc7e0t__XDe<\/pre>\n
I got this from the API documentation<\/a>.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.01.47.png?resize=660%2C771&ssl=1\")
<\/p>\nThis one’s a bit odd in that the response is the headers.<\/p>\n
And that’s it, save\/ update the connector.<\/p>\n
Now in my Power Automate, I can call this custom connector.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.19.27.png?resize=660%2C289&ssl=1\")
<\/p>\nAfter selecting I can see the action I created.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.19.12.png?resize=660%2C256&ssl=1\")
<\/p>\nSave, and test\/ run it.<\/p>\n
On the face of it, it throws an error.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.20.35.png?resize=660%2C162&ssl=1\")
<\/p>\nBut that’s misleading, because the headers show the content I want:<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.21.18.png?resize=660%2C172&ssl=1\")
<\/p>\nSo I create a Compose action after this connector, and use the Location as input.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.23.32.png?resize=660%2C296&ssl=1\")
<\/p>\nAnd set it to run even after the connector has failed.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.24.13.png?resize=660%2C205&ssl=1\")
<\/p>\nRun it now, and the flow succeeds. \ud83d\ude42<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/rakhesh.com\/wp-content\/uploads\/2023\/08\/Screenshot-2023-08-04-at-14.24.57.png?resize=660%2C426&ssl=1\")
<\/p>\nI downloaded the JSON and added more actions to it.<\/p>\n
{\r\n \"swagger\": \"2.0\",\r\n \"info\": {\r\n \"title\": \"Graph API - Reports\",\r\n \"description\": \"Gets reports from Graph API\",\r\n \"version\": \"1.0\"\r\n },\r\n \"host\": \"graph.microsoft.com\",\r\n \"basePath\": \"\/\",\r\n \"schemes\": [\r\n \"https\"\r\n ],\r\n \"consumes\": [],\r\n \"produces\": [],\r\n \"paths\": {\r\n \"\/v1.0\/reports\/getOffice365GroupsActivityDetail(period='D7')\": {\r\n \"get\": {\r\n \"responses\": {\r\n \"default\": {\r\n \"description\": \"default\",\r\n \"schema\": {\r\n \"type\": \"string\"\r\n },\r\n \"headers\": {\r\n \"Content-Type\": {\r\n \"description\": \"Content-Type\",\r\n \"type\": \"string\"\r\n },\r\n \"Location\": {\r\n \"description\": \"Location\",\r\n \"type\": \"string\"\r\n }\r\n }\r\n }\r\n },\r\n \"summary\": \"Get O365 Groups Activity Details - 7 days\",\r\n \"description\": \"Get O365 Groups Activity Details - 7 days\",\r\n \"operationId\": \"GetOffice365GroupsActivityDetail7\",\r\n \"parameters\": []\r\n }\r\n },\r\n \"\/v1.0\/reports\/getOffice365GroupsActivityDetail(period='D30')\": {\r\n \"get\": {\r\n \"responses\": {\r\n \"default\": {\r\n \"description\": \"default\",\r\n \"schema\": {\r\n \"type\": \"string\"\r\n },\r\n \"headers\": {\r\n \"Content-Type\": {\r\n \"description\": \"Content-Type\",\r\n \"type\": \"string\"\r\n },\r\n \"Location\": {\r\n \"description\": \"Location\",\r\n \"type\": \"string\"\r\n }\r\n }\r\n }\r\n },\r\n \"summary\": \"Get O365 Groups Activity Details - 30 days\",\r\n \"description\": \"Get O365 Groups Activity Details - 30 days\",\r\n \"operationId\": \"GetOffice365GroupsActivityDetail30\",\r\n \"parameters\": []\r\n }\r\n },\r\n \"\/v1.0\/reports\/getOffice365GroupsActivityDetail(period='D90')\": {\r\n \"get\": {\r\n \"responses\": {\r\n \"default\": {\r\n \"description\": \"default\",\r\n \"schema\": {},\r\n \"headers\": {\r\n \"Content-Type\": {\r\n \"description\": \"Content-Type\",\r\n \"type\": \"string\"\r\n },\r\n \"Location\": {\r\n \"description\": \"Location\",\r\n \"type\": \"string\"\r\n }\r\n }\r\n }\r\n },\r\n \"summary\": \"Get O365 Groups Activity Details - 90 days\",\r\n \"description\": \"Get O365 Groups Activity Details - 90 days\",\r\n \"operationId\": \"GetOffice365GroupsActivityDetail90\",\r\n \"parameters\": []\r\n }\r\n },\r\n \"\/v1.0\/reports\/getOffice365GroupsActivityDetail(period='D180')\": {\r\n \"get\": {\r\n \"responses\": {\r\n \"default\": {\r\n \"description\": \"default\",\r\n \"schema\": {\r\n \"type\": \"string\"\r\n },\r\n \"headers\": {\r\n \"Content-Type\": {\r\n \"description\": \"Content-Type\",\r\n \"type\": \"string\"\r\n },\r\n \"Location\": {\r\n \"description\": \"Location\",\r\n \"type\": \"string\"\r\n }\r\n }\r\n }\r\n },\r\n \"summary\": \"Get O365 Groups Activity Details - 180 days\",\r\n \"description\": \"Get O365 Groups Activity Details - 180 days\",\r\n \"operationId\": \"GetOffice365GroupsActivityDetail180\",\r\n \"parameters\": []\r\n }\r\n }\r\n },\r\n \"definitions\": {},\r\n \"parameters\": {},\r\n \"responses\": {},\r\n \"securityDefinitions\": {\r\n \"oauth2-auth\": {\r\n \"type\": \"oauth2\",\r\n \"flow\": \"accessCode\",\r\n \"authorizationUrl\": \"https:\/\/login.microsoftonline.com\/common\/oauth2\/authorize\",\r\n \"tokenUrl\": \"https:\/\/login.windows.net\/common\/oauth2\/authorize\",\r\n \"scopes\": {\r\n \"Reports.Read.All\": \"Reports.Read.All\"\r\n }\r\n }\r\n },\r\n \"security\": [\r\n {\r\n \"oauth2-auth\": [\r\n \"Reports.Read.All\"\r\n ]\r\n }\r\n ],\r\n \"tags\": []\r\n}<\/pre>\nThese are all the valid “period” options for that call. I wish there was some way to take an input for GET operations. There is, if I switch to POST, but that’s not what I need.<\/p>\n
Update<\/strong>: Later in the day, when Googling on something else, I came across this blog post<\/a> from Microsoft. It’s a good one. And worth noting this point:<\/p>\n
Custom connectors are supported by Microsoft Azure API Management infrastructure. When a connection to the underlying API is created, the API Management gateway stores the API credentials or tokens, depending on the type of authentication used, on a per-connection basis in a token store. This solution enables authentication at the connection level.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
It always impresses and scares me when I am trying to figure something out and while Googling I come across one of my own blog posts. Impressive, coz “wow I was so smart a few months ago and had figured this out!” but scary coz “shit, I’ve forgotten I ever did this”. \ud83d\ude35\u200d\ud83d\udcab Case in … Continue reading getOffice365GroupsActivityDetail and S2SUnauthorized and custom connectors<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[887],"tags":[182,982,1065,1046,1037],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/7314"}],"collection":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/comments?post=7314"}],"version-history":[{"count":3,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/7314\/revisions"}],"predecessor-version":[{"id":7342,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/posts\/7314\/revisions\/7342"}],"wp:attachment":[{"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/media?parent=7314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/categories?post=7314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rakhesh.com\/wp-json\/wp\/v2\/tags?post=7314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- And this one<\/a>, which is quite cool in that I use this connector to make requests to my Logic Apps.<\/li>\n<\/ul>\n