cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
BeckyBertram
Frequent Visitor

Best way to secure HTTP call to child flow?

‎04-17-2020 12:51 PM

Although flows that are bundled in a solution can call each other natively, flows that have a SharePoint manual trigger are not allowed to be included in a Power Automate solution. That means I have to create my flow with the SharePoint trigger outside the solution, and then call the child flow (inside the solution) using an HTTP call. My question is: what's the best way to secure that call?

I've tried using the API Management service in Azure to wrap the URL, but I'm struggling because all the examples are for calling Logic Apps and are about 5 degrees away from what I'm trying to do, which is to simply add security to my HTTP call. Can anyone provide any guidance? (Am I missing something really simple?)

Savvy Technical Solutions Listen // Advise // Develop // Teach
Message 1 of 5
97 Views
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
efialttes
Dual Super User III
Dual Super User III

Re: Best way to secure HTTP call to child flow?

‎04-17-2020 07:39 PM
Hi!
IMHO one of the bests questions posted this month. The problem you describe happens also when implementing Open.URL actions in Adaptive Cards to call Flows (dirty trick, I know)

Some interesting approaches in the following links:
https://www.about365.nl/2018/11/13/securing-your-http-request-trigger-in-flow/

https://community.dynamics.com/365/b/theressomethingaboutdynamics365/posts/secure-the-receiving-flow...

http://ratsubsharewall.blogspot.com/2019/11/secure-http-request-to-msflow.html?m=1

Feel free to discuss pros and cons, or suggest any other approach
Thanx!


Each time you click on any of our inspiring answers 'Thumb up' icon...
...an ewok scapes from the stormtroopers.

Be grateful, Thumbs up! Save the Galaxy for free!

Escribo sobre Power Automate en:
https://medium.com/anyone-can-automate/

Proud to be a Flownaut!



View solution in original post

Message 2 of 5
81 Views
Reply
4 REPLIES 4
Highlighted
efialttes
Dual Super User III
Dual Super User III

Re: Best way to secure HTTP call to child flow?

‎04-17-2020 07:39 PM
Hi!
IMHO one of the bests questions posted this month. The problem you describe happens also when implementing Open.URL actions in Adaptive Cards to call Flows (dirty trick, I know)

Some interesting approaches in the following links:
https://www.about365.nl/2018/11/13/securing-your-http-request-trigger-in-flow/

https://community.dynamics.com/365/b/theressomethingaboutdynamics365/posts/secure-the-receiving-flow...

http://ratsubsharewall.blogspot.com/2019/11/secure-http-request-to-msflow.html?m=1

Feel free to discuss pros and cons, or suggest any other approach
Thanx!


Each time you click on any of our inspiring answers 'Thumb up' icon...
...an ewok scapes from the stormtroopers.

Be grateful, Thumbs up! Save the Galaxy for free!

Escribo sobre Power Automate en:
https://medium.com/anyone-can-automate/

Proud to be a Flownaut!



View solution in original post

Message 2 of 5
82 Views
Reply
Highlighted
Jcook
Super User III
Super User III

Re: Best way to secure HTTP call to child flow?

‎04-17-2020 07:43 PM
Hello @BeckyBertram

Have you tried using Secure inputs / outputs?

To enable this simply go to the action you want to apply this to.
Click the 3 dots,
Click settings,
If the action supports secure inputs and outputs you will be able to enable to enable this here.

Since Flow is on Cloud tenant in azure. You should be safe.




Did I answer your question? Mark my post as a solution!

If you like my post please hit the Thumbs Up

Proud to be a Flownaut!


Check out my blog for Power Automate tips, tricks, and guides
FlowAltDelete




Message 3 of 5
80 Views
Reply
Highlighted
BeckyBertram
Frequent Visitor

Re: Best way to secure HTTP call to child flow?

‎04-21-2020 07:00 AM

Thanks. At first I was trying to use API management but then realized all I'm doing is obfuscating the call, but that doesn't really secure things from the receiving end. I didn't really want logic inside my flow having to check any values, because by then, I've used up one of my flow runs. I like the idea of passing in a token into the trigger, and then having a trigger condition. That way, if someone attempted some sort of denial of service attack, it's Microsoft's problem and not mine, since it wouldn't count toward my flow runs and my code wouldn't execute.

Savvy Technical Solutions Listen // Advise // Develop // Teach
Message 4 of 5
54 Views
Reply
Highlighted
BeckyBertram
Frequent Visitor

Re: Best way to secure HTTP call to child flow?

‎04-21-2020 07:02 AM

Does securing the inputs and outputs do anything more than hide those inputs and outputs from the UI? I'm not so worried about people internally having access to the right stuff, but more hackers getting a hold of the flow's HTTP trigger URL and firing it.

Savvy Technical Solutions Listen // Advise // Develop // Teach
Message 5 of 5
51 Views
0 Kudos
Reply

Helpful resources

Announcements
firstImage

Super User Program Update

Three Super User rank tiers have been launched!

firstImage

Power Platform 2020 release wave 2 plan

Features releasing from October 2020 through March 2021

firstImage

New & Improved Power Automate Community Cookbook

We've updated and improved the layout and uploading format of the Power Automate Cookbook!

thirdimage

Power Automate Community User Group Member Badge

Fill out a quick form to claim your user group badge now!

View All
Top Solution Authors
View All
Top Kudoed Authors
View All
Users online (4,213)