You’re offline. This is a read only version of the page.
Announcements
2
Hi,
I'm building a web app that uses the Microsoft Identity Platform for authentication (specifically, it's modelled after the "Entra ID app" part of this sample: https://github.com/Azure-Samples/ms-identity-python-webapp). This is going great - users can sign in using their tenant Microsoft account without issue.
This web app has several API endpoints, protected by the same authentication as the rest of the app. I'd like to access these endpoints using a custom Power Automate connector, but I've run into some issues.
I followed these two guides:
- https://learn.microsoft.com/en-us/connectors/custom-connectors/define-blank
- https://learn.microsoft.com/en-us/connectors/custom-connectors/azure-active-directory-authentication
I currently have two App Registrations in Entra:
- one for the webapp sign-in process, with a Redirect URI of "https://myapp.com/auth_response" (an endpoint that I handle in my webapp backend) and a delegated API permission of User.Read; and
- one for the Power Automate connector, with a Redirect URI of "https://global.consent.azure-apim.net/redirect/myapp-<some-guid>" (provided by Power Automate when I created the custom connector) and a delegated API permission of user_impersonation.
(This makes sense, I think, because in another scenario it could be two different people or organisations building the webapp and the Power Automate connector.)
Unfortunately, when I test my freshly created custom connector, I get the following message:
I should mention at this point that I read through this thread but didn't have any luck with anything posted there.
I've had this message for around a day on my first attempt and a few hours on a second attempt (I tried making a new one as suggested in the above thread). Everything has been done according to the two articles I linked earlier.
I noticed that the latter of these articles has some pretty old screenshots and says to use https://management.core.windows.net/ for the Resource URL. I came across a (non-Microsoft) article from 2020 (here) that says to copy the App Registration's client ID into the Resource URL, which I also tried to no avail.
My question, then, is in two parts:
- Is there something more I need to do on the webapp end to make it play nicely with Power Automate's auth?
- Am I missing something that was not mentioned in those articles in my custom connector setup?
Thanks in advance,
Max
I managed to figure this one out. The issue was mainly the fact that the web app/API didn't consider the Authorization header - specifically, Power Automate sends its authorization as a Authorization: Bearer token according to this spec.
It also turned out that the Resource URL should be the client ID of the Entra App Registration for the actual web app (i.e. not the Power Automate connector's App Registration). It sends that as the "aud" (audience) claim, which the web app should verify (among other things).
Finally, I also needed to "Expose an API" and add a scope from the webapp's App Registration, then I needed to add this scope to the "API permissions" section of the PA connector's App Registration (and of course, get admin consent from a global admin).
Hopefully this helps someone else in a similar situation.
Edit: I should also add that the "Test" section of the custom connector setup/edit wizard wasn't very hepful - if it's giving you strange errors (like the one in the subject line of this post), try using your connector in a flow to test instead and you'll probably get better error messages.
Share
Report
All responses (
Answers (
