I want to put a PowerApp (or Flow, not exactly sure which yet) into SharePoint. Essentially I want to select an item in a list and do something with its metadata.
The something I want to do involves POST’ing to a REST endpoint belonging to a web-app which is integrated with AzureAD for authentication.
I am struggling to work out how to authenticate with my PowerApp.
I have created an AppRegistration in AzureAd and enabled the ‘user_impersonation’ API, and Granted Trust to it.
The App is configured as a PublicClient.
So now, when I am *not* using PowerApps
The Access Token I am retrieving is a Bearer Token.
I use that Bearer Token to authenticate my calls to the web-application’s REST endpoint.
When I am coming in from PowerApps (SharePoint), how do I:
1. Get the user currently signed in to Office365 (optional I guess)
2. Pass the details to AzureAD to Retrieve a token
The same coding paradigms I use above (loading MSAL.dll) does apply here, so what do I do?
Hi @whats_my_name ,
Do you want to use MSAL (Microsoft Authentication Library) in your canvas app?
Thanks for feedback. Unfortunately, the MSAL (Microsoft Authentication Library) is not supported in PowerApps canvas app currently. I am afraid that the needs that you want to achieve have not been released in PowerApps.
If you would like this feature to be released and this feature to be in Roadmap, please consider submitting an idea to PowerApps Ideas Forum:
Have you tried using a custom connector? With custom connector you can connect to a custom API secured using AAD authentication.
Please have a look at this blog post and try this out. Do reach out if you need help. Thanks.
I read through the blog post and got to the point where I felt it is not the answer.
When the blogger defined a custom connector, they supply a clientId and secret.
It's possible I am misunderstanding, but that is not the same as 'this' user (is it?). I need to generate a jwt bearer token for (for example) firstname.lastname@example.org and perform actions on the api as that user.
Is the clientId/secret allowing some kind of pass-through authentication? ... even so, I don't see where I can get my jwt token to attach it to my api request...?
(edit: fixed horrible autocorrect typos)
Thank you for the response.
During this process you will be asked to login and consent to the (delegated) permissions. We aren't using app permissions here. You can then login with the ID you mentioned. The token returned will be in the context of the userid that you used to sign-in. I suggest you try this out and see if it works for you. Thanks.
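The reply above distinguishes delegated permissions from app permissions; one way to confirm which kind of token the API actually receives is to inspect its claims. This is an added example, not part of the original thread: the helper names and sample claim values are hypothetical and constructed, and the payload is decoded without signature verification, so it serves inspection only, not validation.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo (not a real token)."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])

def decode_claims(token: str) -> dict:
    """Decode the payload only. No signature check: inspection, not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_context(claims: dict) -> str:
    """'delegated' when scp (user scopes) is present, 'app-only' when only roles are."""
    if claims.get("scp", "").split():
        return "delegated"
    if claims.get("roles"):
        return "app-only"
    return "unknown"

def acts_as(claims: dict, user: str, scope: str) -> bool:
    """True if the token is delegated, carries `scope`, and names `user`."""
    name = claims.get("preferred_username") or claims.get("upn") or ""
    return (token_context(claims) == "delegated"
            and scope in claims["scp"].split()
            and name.lower() == user.lower())

# Constructed sample claims (placeholder values, not from a real tenant).
DELEGATED = make_sample_token({"aud": "api://example-api", "scp": "user_impersonation",
                               "preferred_username": "firstname.lastname@example.org"})
APP_ONLY = make_sample_token({"aud": "api://example-api", "roles": ["Api.ReadWrite.All"]})

if __name__ == "__main__":
    for label, tok in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        c = decode_claims(tok)
        print(label, token_context(c),
              acts_as(c, "firstname.lastname@example.org", "user_impersonation"))
```

A token obtained with only a client ID and secret (client credentials) has no `scp` claim and names no user, which is the difference the question in this thread turns on.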
Hi @whats_my_name ,
Do you want to get an Access_Token for current sign in user in your canvas app?
If you want to get an Access_Token for current sign in user in your canvas app, I am afraid that there is no way to achieve your needs in PowerApps currently.
In addition, there is no function supported in PowerApps to send HTTP request to acquire Access Token for current sign in user.
If you would like this feature to be added in PowerApps, please submit an idea to PowerApps Ideas Forum:
Hi @v-xida-msft ,
I think this is the (disappointing) answer.
"In addition, there is no function supported in PowerApps to send HTTP request to acquire Access Token for current sign in user."
What about if I skip the requirement to use the 'current sign-in user' and put username/password boxes on my form? Can I hit in AppRegistration in AAD and get an access token that way?
Hi @whats_my_name ,
Based on the needs that you mentioned, I think I have understood your needs correctly.
You mean you want to type Username and Password manually in your canvas app Text Box, and acquire the Access Token, right? I guess you want to send an HTTP request to your target server (e.g. AAD Identity Provider Server) along with the entered Username and Password, and get an access token from the server, is it right?
But within PowerApps, there is no direct function supported in PowerApps to send an HTTP request to target server. If you just want to send an HTTP request to your Target Server along with the entered Username and Password to get access token, as an alternative solution, I think the combination of PowerApps and Power Automate could achieve your needs.
You could consider firing a Power Automate flow from your canvas app, pass your entered Username and Password to the flow. Within the flow, you could add a "HTTP" action to send HTTP request to your Target Server to acquire Access Token, then you could return the acquired access token back to your canvas app.
The Flow's configuration may look like below:
Within your flow, you need to define two parameters using "Ask in PowerApps" dynamic content to receive the passed Username and Password value from your canvas app (just like above screenshot).
Within your canvas app, you need to create a connection to above flow, then set the OnSelect property of a button to following:
Set(AccessToken,'Your Flow Name'.Run(UsernameTextBox.Text, PasswordTextBox.Text).access_token)
After that, when you press the button to fire your flow along with the entered Username and Password, the returned access token value would be stored in the AccessToken variable in your app, you could reference the access token value through the variable directly in your app.
More details about firing a flow from a canvas app, please check the following video:
(MS has signed me in as a different user - same person)
I think you are on the right track, you're suggesting more-or-less what I am asking. I appreciate the detailed walk-through, I have basically built the steps you describe in a lab previously.
Where I am stuck is how to actually get an access token from AAD. I mean the *real* mechanics of what to post where.
When I do this in other apps/languages, I can use the MS ADAL libraries, but in PowerAutomate/Flow/PowerApps/etc, I can't use them (can I?) - so what do I do.
Hi @bananabread ,
Based on the issue that you faced, I think the following article would help in your scenario:
The above article explains the *real* mechanics about how to acquire Access Token from AAD Identity Provider.
As far as I can see, all other those scenarios use the MSAL libraries for authentication.
Let's clear up a fundamental question: Is it possible to use the MSAL libraries from within the Power Platform?
As I have thought through this, the idea of supplying a username and password form is not viable as the majority of AAD implementations use some form of MFA, so we also have to solve the problem of opening the MFA forms for the user and capturing their additional factors.
Surely this is not an unsolved problem? It seems like a pretty generic use-case.