Accessing Graph API from Microsoft Flow using application permissions

In this article we will go through all the necessary but easy steps to create an Azure AD Application and a Microsoft Flow that accesses the Microsoft Graph API to fulfill business requirements. Because we are not using user permissions or asking for user consent, we need to use an administrator account and permissions to go through the necessary configuration.

While researching for this article I found the following resources extremely useful. I recommend you look at them as well as they might cover an aspect that I have overlooked.

Extend Microsoft Flow with the Microsoft Graph ...and 0 code! by Serge Luca

Using Microsoft Graph API inside Microsoft Flow in Office 365 by Iegor Tsvietkov from Infopulse

The actual business requirements vary greatly. In the following steps we are going to create a Flow that gathers the necessary user inputs, calls the Azure AD authentication and Microsoft Graph Group endpoints using the HTTP connector to create an Office 365 Group, and assigns a user as an owner of that group. We will use two other connectors as well: the Office 365 Users connector is used to retrieve the ID of the owner, while the Office 365 Outlook connector is used to send an email to the owner.

Creating Azure AD Application

Open the Application Registration Portal (https://apps.dev.microsoft.com/) and sign in with your administrator credentials. You will see a list of applications, assuming you have already created a few. Click Add an app, give your Azure AD application a name and click Create.

My first try to create an animated gif is quite hilarious - hope you like it!

At this point, copy the Application Id into a text editor or OneNote file; you will need it later.

Click Generate New Password and when a dialog pops up, copy the password as well. This is actually the only time you can access it, but you can create another password if you lose one.

Next click the Add platform button and select Web.

For the redirect url type something like https://localhost/testgraphapi and for the logout url https://localhost/testgraphapi/logout. These urls don't need to be actual working web app urls.

Click the Add button next to the Application Permissions heading. Select the permissions you need.

Note: These are going to be strong application permissions, so don't select anything you don't need. To find out what you do need, refer to the Microsoft Graph documentation for the given method you are using. For example, to create a group you need the application permission Group.ReadWrite.All as detailed in the documentation. To be able to get the Team site url address, we need the Sites.Read.All and Sites.ReadWrite.All application permissions as detailed in the documentation.

Next, for the Home page url type something like https://localhost/testgraphapi, the Terms of Service url could be https://localhost/testgraphapi/tos and for the privacy statement type https://localhost/testgraphapi/privacy. Again, these urls don't need to point to actually working resources, and that is why I prefer localhost as the domain.

Click Save to save changes to the Azure AD application.

Giving administrator consent to Azure AD application

Creating the Azure AD application is quite easy, but it is not enough. You must give administrator consent to the application to actually be able to use the Graph endpoints for which you configured the permissions. There is no link in the Application Registration Portal to give the consent, but fortunately it is quite easy.

To give consent, modify the following url and open it in a web browser.

https://login.microsoftonline.com/TENANTID/adminconsent?client_id=APPLICATIONID&redirect_uri=APPLICATIONHOMEURL

If you don't know the tenant id, you can get it via the Azure AD PowerShell Preview cmdlets. All you need to do is connect to Azure AD:

Connect-AzureAD

You are required to log in with an administrator account and are then presented with a dialog which details the permissions of the app. Give consent by clicking Accept. After that Azure AD will redirect your browser to the application home page, which will give you an error unless you actually have a web app. Again, you don't need to create any web services for this Azure AD application and you can safely ignore this error.

Creating a Flow

As noted before, the actual business requirements differ, so the Flow detailed below is not exactly what you want. For your requirements it might be more reasonable to create a SharePoint list, possibly with PowerApps integration, to initiate the Flow after the request comes in. In the following example we are using the Flow button for mobile trigger to collect a few user inputs and initiate the Flow.

Log in to https://flow.microsoft.com and create a new Flow. Select Flow button for mobile as the trigger and fill in the following parameters.
Manually trigger a flow

Authenticating to Microsoft Graph from Flow

Next, add an HTTP action. Select POST as the method and use the following url.

https://login.microsoftonline.com/TENANTID/oauth2/v2.0/token

As the header, use Content-Type with the value application/x-www-form-urlencoded. For the body use the following parameter set.

client_id=APPLICATIONID&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=APPLICATIONPASSWORD&grant_type=client_credentials

HTTP action to authenticate

The call to the Azure AD authentication endpoint will return an OAuth 2.0 bearer token, which will be used in the HTTP calls to the Microsoft Graph endpoints. However, you need to parse the response first using the Data operations - Parse JSON action.
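The same token request and the Parse JSON step, as an added Python example that is not part of the original article: it builds the form-urlencoded client_credentials body the HTTP action sends and turns the JSON response into the Authorization header the later Graph calls use. TENANT_ID, APP_ID and APP_SECRET are placeholders, and the fetch callable is injectable so the logic can be exercised offline.

```python
# Added example (not from the original article). Builds the client-credentials
# token request that the Flow HTTP action sends and parses the response into the
# Authorization header used by later Graph calls. TENANT_ID / APP_ID / APP_SECRET
# are placeholders; fetch() is injectable so the logic can run offline.
import json
import urllib.parse
import urllib.request

TENANT_ID = "TENANTID"              # placeholder: your Azure AD tenant id
APP_ID = "APPLICATIONID"            # placeholder: Application Id from the portal
APP_SECRET = "APPLICATIONPASSWORD"  # placeholder: keep it in a secure store, not in the Flow definition

TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str) -> str:
    """Form-urlencoded body for the client_credentials grant. The .default scope
    asks for every application permission the administrator consented to."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })


def authorization_header(token_json: str) -> dict:
    """Equivalent of the Flow Parse JSON step: combine token_type and access_token.
    Azure AD returns {"error": ..., "error_description": ...} when the request fails."""
    token = json.loads(token_json)
    if "access_token" not in token:
        raise RuntimeError(f"token request failed: {token.get('error_description', token)}")
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def get_token(fetch=None) -> dict:
    """POST the request. fetch(url, data, headers) -> response body (str) is injectable;
    the default performs the real HTTPS call with the standard library."""
    body = token_request_body(APP_ID, APP_SECRET)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if fetch is None:
        def fetch(url, data, hdrs):
            req = urllib.request.Request(url, data=data.encode(), headers=hdrs, method="POST")
            with urllib.request.urlopen(req) as resp:
                return resp.read().decode()
    return authorization_header(fetch(TOKEN_URL, body, headers))
```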

Parsing JSON requires that we know the schema or have a sample payload of the returned JSON. An easy way to get a sample payload is to run the Flow at this point. Do this, then dig into the Flow execution details using Run history and look for the return value of the HTTP action as shown below.

HTTP action output

What you need to do is copy the value of Body and paste it as the sample payload for the Parse JSON action.

Parse JSON using sample payload

Calling Microsoft Graph API from Flow

Finally we are ready to make the actual HTTP call to the Graph endpoint to add a new Group. In this case we select POST as the method and the url of the endpoint is https://graph.microsoft.com/v1.0/groups. In the header section we add a header called Authorization and use the parsed values token_type (which is actually always bearer) and access_token, which will be different every time. The body is important because it describes the new Group we are creating. Look at the documentation of the individual Graph endpoints to find out what you need to insert into the body, and test your body contents using Graph Explorer.

Call Graph API from Flow

At this point your Flow is capable of creating a new Office 365 Group.

Getting Team site url of the newly created Office 365 Group

In this example, our requirements include adding an owner to the Group and sending an email with the Team site url to the owner.

Test the Flow and again copy the body of the output of this HTTP action and paste it as the sample payload for another Parse JSON action. You need to do this in order to get the Id of the newly created Group. When you are adding another Parse JSON action, ensure that the Content parameter value in the body comes from the correct HTTP action.

Parse JSON

In order to get the Team site url, we need to make another Graph API call to the endpoint documented here. But here is the thing: that call will fail with 404 and an error description saying that the site is still being provisioned. That's why we need to do some special Flow-fu acrobatics to repeat the HTTP call until it no longer returns 404.

Do until not 404

The actual call to Microsoft Graph follows the same pattern as before. This time the method is GET, so the body parameters are no longer needed. Instead we insert the Group Id into the url as detailed below. The same authorization pattern in the headers is always needed when you make calls to the Graph API.

Getting team site information

Next we again use the same pattern as before for parsing the JSON return value of the HTTP action, and to get the user's Id we use the Office 365 Users connector's Get user profile (V2) action, passing the email value which we collected in the trigger.

Parse team site information and get user profile

Now we are ready to add the owner to the newly created Group. To do this we form the url to the Graph endpoint using the Id of the newly created group as part of it. In the body, we add the required information, the owner Id, in JSON format as detailed below.
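The "Do until not 404" loop and the add-owner call above, as an added Python example that is not part of the original article. It assumes the team site endpoint is /groups/{id}/sites/root and that owners are added by POSTing an @odata.id reference to /groups/{id}/owners/$ref; fetch and sleep are injectable so the loop can be exercised offline, and unlike an unbounded Do until it gives up after a fixed number of attempts and retries only on 404.

```python
# Added example (not from the article): bounded polling for the team site and the
# add-owner request in plain Python. fetch(method, url, headers, body) -> (status, body)
# and sleep are injectable. Assumed Graph endpoints: /groups/{id}/sites/root and
# /groups/{id}/owners/$ref.
import json
import time

GRAPH = "https://graph.microsoft.com/v1.0"


def wait_for_team_site(group_id, auth_header, fetch, max_attempts=10, delay_s=30, sleep=time.sleep):
    """Repeat GET until the site exists. Only 404 (still provisioning) is retried;
    any other error status is raised at once, and the attempt count is bounded so a
    group that never provisions cannot keep the loop running forever."""
    url = f"{GRAPH}/groups/{group_id}/sites/root"
    for attempt in range(1, max_attempts + 1):
        status, body = fetch("GET", url, auth_header, None)
        if status == 200:
            return json.loads(body)["webUrl"]
        if status != 404:
            raise RuntimeError(f"Graph returned {status}: {body}")
        if attempt < max_attempts:
            sleep(delay_s)
    raise TimeoutError(f"team site for group {group_id} not provisioned after {max_attempts} attempts")


def add_owner(group_id, user_id, auth_header, fetch):
    """POST a reference to the user as a new owner of the group.
    Graph answers 204 No Content on success; anything else is treated as failure."""
    url = f"{GRAPH}/groups/{group_id}/owners/$ref"
    headers = {**auth_header, "Content-Type": "application/json"}
    body = json.dumps({"@odata.id": f"{GRAPH}/users/{user_id}"})
    status, resp = fetch("POST", url, headers, body)
    if status != 204:
        raise RuntimeError(f"adding owner failed with {status}: {resp}")
    return True
```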

Add owner to the group using Graph API

And as a final step we send an email to the owner of the new group using the Send email action.

Send email to the owner