cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
tfraser
Advocate II
Advocate II

Run a flow with a HTTP Request Trigger restricted to 'specific user' from another flow?

I've searched the forum and google for an answer to this and can't find anything that helps.

I've also reviewed the information here but it seems to be over complicated and intended for developers who need to run the flow from a different platform (i.e. not using another Power Automate flow). Add OAuth authentication for HTTP request triggers - Power Automate | Microsoft Learn

 

How do you run a flow with a HTTP Request Trigger restricted to 'specific user' from another flow? Is the way described in the article the only way or is there a way that is more applicable to triggering one flow from another?

 

Scenario:

  • I want to build a generic flow that can be called from other flows so I don't have to keep repeating the same steps.
  • I cannot use the 'run a child flow' step since the child flow contains external connectors.
  • I need to ensure only specific users in my tenant can request this flow.

So in my parent flow I need to run the child flow and receive a response that I can use in the parent flow.

 

HTTP Request with Azure AD

tfraser_0-1698057799811.png

I expect that it should be possible to call the child flow that requires authentication using a "HTTP Request with Azure AD" step, however I can't get this to authenticate. I get an error of:

 

 

 

Create and authorize OAuth connection failed. AADSTS500011: The resource principal named https://prod-94.westeurope.logic.azure.com:443/workflows/[REDACTED]/triggers/manual/paths/invoke?api-version=2016-06-01 was not found in the tenant named [REDACTED]. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

 

 

 

I have tried setting the HTTP Request with Azure AD Base URL and Azure AD Resource URI to various combinations with the trigger URL including using 

https://login.microsoftonline.com

as the authentication URL.

 

HTTP Step

 

I know it's possible to use the generic "HTTP" step to include Azure AD authentication parameters, however I don't want to explicitly state the parameters in my flow, and I don't know how I would find them!

 

tfraser_1-1698058076242.png

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
tfraser
Advocate II
Advocate II

Thanks to @davidyc for pointing me in the right direction with this.

The following articles explain how to get this to work in detail.

P1 - Securing "When an HTTP Request is Received" trigger in Power Automate (bythedevs.com)

P2 - Securing "When an HTTP Request is Received" trigger in Power Automate (bythedevs.com) which goes into a bit more detail on how to enable this for a specific user.

 

Also for reference: a bit more detail on triggering this from an external service found here: powerusers.microsoft.com/t5/Building-Power-Apps/New-Feature-When-a-HTTP-Request-is-Received-Trigger-...

 

Essentially if you need to be able to trigger a flow using the HTTP request trigger restricted to a specific user or users in your tenant from a step in another flow you need to:

  1. Install an App to your tenant granting permission for AAD to authenticate users to Power Automate APIs
  2. Use the 'Invoke an HTTP Request' with Azure AD connector set to the following URLs:
    1. Connection Base Resource URL [Full URL from your HTTP Trigger]&sp=%2Ftriggers%2Fmanual%2Frun - note this last bit added to the end of the URL provided by the trigger - it doesn't work for me without it
    2. Connection Azure AD Resource URI (Application ID URI): https://service.flow.microsoft.com/ (as I understand it, this is the application that you need to grant permission to in your tenant)
    3. Connector URLL [Full URL from your HTTP Trigger
  3. The 'Invoke an HTTP Request' cannot be set to 'Asynchronous'

You need to handle a flow that requires an asynchronous response differently. There's a good article on that here Pattern & implementation for making long Async Http calls in Microsoft Flow : (part 1 : polling) | S... but essentially you just need to get the 'Location' URL from the 202 response and keep calling that using a standard HTTP request in a 'do until' loop until the status is no longer 202. Also - if you need to handle a large response you may need to turn on 'chunking'.

 

It's not at all obvious that we should have to register an app in Azure AD / Entra ID for this to work, at least not for me as I've never had to do that for anything else in Power Automate - it would be great if Microsoft would start providing documentation for how to use these features!

 

It took me a while to figure out because I had the 'asyncrhonous' setting turned on for the connector and kept getting an error

 

{
  "error": {
    "code""DirectApiInvalidAuthorizationScheme",
    "message""The provided authentication token is not valid. Only 'basic' or 'bearer' type of token is supported."
  }
}
 
Once I turned off asynchronous responses everything worked!

 

View solution in original post

11 REPLIES 11

I haven't used this action myself, but other developers in my company have used it and say it works well. You want to use the trigger When a HTTP request is received, which was recently updated so you can specify who can trigger it.

David_MA_0-1698083938608.png

You can read more at Deeper control over HTTP invocation of flows | Power Automate Blog (microsoft.com)

tfraser
Advocate II
Advocate II

Hi @David_MA , thanks for your input.

Yes, my question is specifically about how to use that trigger and get it to run from another flow with a specific user specified. How are the other developers in your company triggering this trigger?

I can get it to work with 'anyone' specified but not a 'specific user'.

Thanks,

Thomas

Based on your screen shots, you are not using the same HTTP action as I showed above. When you configure this action, it will generate a URL so your other flow can call a post action to the URL generated to start the workflow. I don't know what you mean by "'anyone' specified but not a 'specific user'". If you are specifying someone, they are by definition a specific user. In addition to specific users in your tenant, you can configure it to accept requests from anyone, and anyone in your tenant.

 

Here is a blog post showing how to use the action: Power Automate: When an HTTP request is received Trigger - Manuel T. Gomes (manueltgomes.com)

tfraser
Advocate II
Advocate II

@David_MA I appreciate your efforts to help with this. I will add some detail to make my question clearer.

 

My original question did not include a screenshot of the trigger of the flow I am trying to trigger. The screenshots show steps from another flow that I'm trying use to call the flow with the HTTP trigger from.

 

I.e. when I Run Flow 1 -> send an HTTP Request to Flow 2 with HTTP Trigger

 

For completeness, here is the trigger I am trying to trigger from another flow. It's currently set to be triggerable by 'Anyone' but I want to set it to 'Specific users in my tenant'

tfraser_0-1698152920598.png

As you can see, you can select 'anyone' which allows anyone with the flow URL and signature key to trigger the flow by simply calling the URL. I don't want to select that as it's not as secure as I need it to be.

 

The question I'm asking is how you trigger this from another flow, when you select 'specific users in my tenant' since that requires authentication

 

I can't find anywhere that explains how to do that in simple terms.

 

The only place I've found that goes into any detail is here: Add OAuth authentication for HTTP request triggers - Power Automate | Microsoft Learn and I'm left with more questions than answers, since it doesn't seem to be geared around triggering one flow with the HTTP trigger from another flow with a HTTP request step.

 

Especially around the following 'claims' that need including in the request from Flow 1 to the Trigger of flow 2:

 

  • "iss": <Issuer of the requestor>

What should this be set to?

 

Secondly, where in my HTTP request in Flow 1 should the claims be specified in order to successfully trigger the HTTP trigger of Flow 2?

 

Using some simplified examples to fill in for Flow 1 and Flow 2:

 

Flow 2 Using the HTTP Trigger

tfraser_5-1698154760848.png

 

 

If I try to call Flow 2 from Flow 1 I get the following error:

 

Flow 1 using a HTTP Request to Trigger Flow 2

tfraser_1-1698154131278.png

{
  "error": {
    "code": "DirectApiAuthorizationRequired",
    "message": "The OAuth authorization scheme is required. Please add authentication scheme and try again."
  }
}

 

I can change my HTTP request to use Active Directory OAuth:

tfraser_2-1698154241608.png

But in that case what should be specified as the Client ID and Client Secret? Is the secret a static value and how do I find out what this is? This seems insecure.

 

Given it seems to be trying to use Azure AD for Authentication, it seems it should be possible to trigger the trigger using an 'Invoke HTTP Request with Azure AD' step, which would then add a connection using my credentials to the flow without having to explicitly state a secret - which seems like a more secure and simpler option.

 

tfraser_3-1698154489300.png

However, if it's possible to trigger the http trigger this way - what should be specified as the Base URL and Azure AD Resource URI in the connection settings? As you can see in my original question, I've tied various values here but failed.

tfraser_4-1698154566482.png

 

To specify the users, you choose specific users in my tenant and then enter their e-mail addresses separated by semicolons:

David_MA_0-1698159123781.png

This is a premium connector, so the run users must have a premium Power Automate license to run it.

tfraser
Advocate II
Advocate II

Hi David, yes I understand that.

 

In my tests I have added my email address to the list of allowed users.

 

The question is how do I run this flow from another flow by, for example, using a step which sends a HTTP request using the trigger URL?

 

I am able to do this with 'Anyone' as the selected option, but not when I select 'Specific Users' and add my email address.

They are using it by sending an HTTP post request to the URL generated from this action with the JSON data needed to process the request. As I mentioned in my original post, I have not used as I haven't had a need, so I am not familiar with all the ins and outs of it. Other folks in my company are using it instead of using the Call a child flow action or using an action with trigger conditions. Hopefully someone else will see your post who has used this action and can provide more assistance.

tfraser
Advocate II
Advocate II

Thanks to @davidyc for pointing me in the right direction with this.

The following articles explain how to get this to work in detail.

P1 - Securing "When an HTTP Request is Received" trigger in Power Automate (bythedevs.com)

P2 - Securing "When an HTTP Request is Received" trigger in Power Automate (bythedevs.com) which goes into a bit more detail on how to enable this for a specific user.

 

Also for reference: a bit more detail on triggering this from an external service found here: powerusers.microsoft.com/t5/Building-Power-Apps/New-Feature-When-a-HTTP-Request-is-Received-Trigger-...

 

Essentially if you need to be able to trigger a flow using the HTTP request trigger restricted to a specific user or users in your tenant from a step in another flow you need to:

  1. Install an App to your tenant granting permission for AAD to authenticate users to Power Automate APIs
  2. Use the 'Invoke an HTTP Request' with Azure AD connector set to the following URLs:
    1. Connection Base Resource URL [Full URL from your HTTP Trigger]&sp=%2Ftriggers%2Fmanual%2Frun - note this last bit added to the end of the URL provided by the trigger - it doesn't work for me without it
    2. Connection Azure AD Resource URI (Application ID URI): https://service.flow.microsoft.com/ (as I understand it, this is the application that you need to grant permission to in your tenant)
    3. Connector URLL [Full URL from your HTTP Trigger
  3. The 'Invoke an HTTP Request' cannot be set to 'Asynchronous'

You need to handle a flow that requires an asynchronous response differently. There's a good article on that here Pattern & implementation for making long Async Http calls in Microsoft Flow : (part 1 : polling) | S... but essentially you just need to get the 'Location' URL from the 202 response and keep calling that using a standard HTTP request in a 'do until' loop until the status is no longer 202. Also - if you need to handle a large response you may need to turn on 'chunking'.

 

It's not at all obvious that we should have to register an app in Azure AD / Entra ID for this to work, at least not for me as I've never had to do that for anything else in Power Automate - it would be great if Microsoft would start providing documentation for how to use these features!

 

It took me a while to figure out because I had the 'asyncrhonous' setting turned on for the connector and kept getting an error

 

{
  "error": {
    "code""DirectApiInvalidAuthorizationScheme",
    "message""The provided authentication token is not valid. Only 'basic' or 'bearer' type of token is supported."
  }
}
 
Once I turned off asynchronous responses everything worked!

 

Awesome thanks! I got this working in GCCH

ForIllinois
Regular Visitor

After trying to trigger a flow using specific users in my tenant via PowerShell and having no luck, I discovered a YouTube video that should essentially be included in Microsoft’s documentation. Since it isn’t, here’s the title and the link to it:

Screenshot 2024-03-18 162314.png

Title: OAuth Authentication for Power Automate HTTP Request Trigger | Dynamic Bites

Link: https://youtu.be/U1qykshQxRY?feature=shared

Hi, do you perhaps also know how to setup a webhook using the 'Plugin Registration Tool'? All the examples use the 'signature' parameter which should be generated in the URL, but I only get the 'api-version' parameter.

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results | Winners will be posted on July 24th

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Community MembersNumber SolutionsSuper UsersNumber Solutions Deenuji 9 @NathanAlvares24  17 @Anil_g  7 @ManishSolanki  13 @eetuRobo  5 @David_MA  10 @VishnuReddy1997  5 @SpongYe  9JhonatanOB19932 (tie) @Nived_Nambiar  8 @maltie  2 (tie)   @PA-Noob  2 (tie)   @LukeMcG  2 (tie)   @tgut03  2 (tie)       Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 2: Community MembersSolutionsSuper UsersSolutionsPower Automate  @Deenuji  12@ManishSolanki 19 @Anil_g  10 @NathanAlvares24  17 @VishnuReddy1997  6 @Expiscornovus  10 @Tjan  5 @Nived_Nambiar  10 @eetuRobo  3 @SudeepGhatakNZ 8     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji32ManishSolanki55VishnuReddy199724NathanAlvares2444Anil_g22SudeepGhatakNZ40eetuRobo18Nived_Nambiar28Tjan8David_MA22   Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 4:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji11FLMike31Sayan11ManishSolanki16VishnuReddy199710creativeopinion14Akshansh-Sharma3SudeepGhatakNZ7claudiovc2CFernandes5 misc2Nived_Nambiar5 Usernametwice232rzaneti5 eetuRobo2   Anil_g2   SharonS2  

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (898)