BeckyBertram
Frequent Visitor

Best way to secure HTTP call to child flow?

Although flows that are bundled in a solution can call each other natively, flows that have a SharePoint manual trigger are not allowed to be included in a Power Automate solution. That means I have to create my flow with the SharePoint trigger outside the solution, and then call the child flow (inside the solution) using an HTTP call. My question is: what's the best way to secure that call?

I've tried using the API Management service in Azure to wrap the URL, but I'm struggling because all the examples are for calling Logic Apps and are about 5 degrees away from what I'm trying to do, which is to simply add security to my HTTP call. Can anyone provide any guidance? (Am I missing something really simple?)

Savvy Technical Solutions Listen // Advise // Develop // Teach
Accepted Solutions
efialttes
Super User

Hi!
IMHO one of the best questions posted this month. The problem you describe happens also when implementing Open.URL actions in Adaptive Cards to call Flows (dirty trick, I know)

Some interesting approaches in the following links:
https://www.about365.nl/2018/11/13/securing-your-http-request-trigger-in-flow/

https://community.dynamics.com/365/b/theressomethingaboutdynamics365/posts/secure-the-receiving-flow...

http://ratsubsharewall.blogspot.com/2019/11/secure-http-request-to-msflow.html?m=1

Feel free to discuss pros and cons, or suggest any other approach
Thanx!



I write about Power Automate at:
https://medium.com/anyone-can-automate/


Jcook
MVP

Hello @BeckyBertram

Have you tried using Secure inputs / outputs?

To enable this, simply go to the action you want to apply this to.
Click the 3 dots,
Click Settings,
If the action supports secure inputs and outputs, you will be able to enable this here.

Since Flow is on a cloud tenant in Azure, you should be safe.


Thanks. At first I was trying to use API management but then realized all I'm doing is obfuscating the call, but that doesn't really secure things from the receiving end. I didn't really want logic inside my flow having to check any values, because by then, I've used up one of my flow runs. I like the idea of passing in a token into the trigger, and then having a trigger condition. That way, if someone attempted some sort of denial of service attack, it's Microsoft's problem and not mine, since it wouldn't count toward my flow runs and my code wouldn't execute.

Savvy Technical Solutions Listen // Advise // Develop // Teach
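
The token-plus-trigger-condition approach described in the reply above, sketched as an added example (not from the original posts or the linked articles) in workflow-definition JSON: the calling flow's HTTP action sends a shared secret in a header, and the child flow's request trigger only fires when that header matches. The header name `x-flow-token`, the `itemId` body field, the `callerFlow`/`childFlow` wrapper keys and the angle-bracket placeholder values are assumptions made for illustration.

```json
{
  "callerFlow": {
    "actions": {
      "Call_child_flow": {
        "type": "Http",
        "inputs": {
          "method": "POST",
          "uri": "<child flow HTTP trigger URL>",
          "headers": {
            "Content-Type": "application/json",
            "x-flow-token": "<constructed-shared-secret>"
          },
          "body": { "itemId": 42 }
        }
      }
    }
  },
  "childFlow": {
    "triggers": {
      "manual": {
        "type": "Request",
        "kind": "Http",
        "inputs": {
          "schema": {
            "type": "object",
            "properties": { "itemId": { "type": "integer" } }
          }
        },
        "conditions": [
          {
            "expression": "@equals(triggerOutputs()?['headers']?['x-flow-token'], '<constructed-shared-secret>')"
          }
        ]
      }
    }
  }
}
```

In the designer, the same expression goes under the trigger's Settings, in Trigger Conditions. The token is stored in plain text in both flow definitions, so anyone who can edit or export either flow can read it.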

Does securing the inputs and outputs do anything more than hide those inputs and outputs from the UI? I'm not so worried about people internally having access to the right stuff, but more hackers getting a hold of the flow's HTTP trigger URL and firing it.

Savvy Technical Solutions Listen // Advise // Develop // Teach
