cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
ID3
New Member

Hot to restrict access for HTTP Request Trigger

Dear Experts,
I have simple flow based on "When a HTTP request is received" trigger.

ID3_0-1618785813479.png

Using the link from the trigger, anyone can sent HTTP request and get response from my Flow. And this is really the problem.

How I can restrict possibility to get response from my flow for anyone except certain users?

(Note: I don't want to use some kind of Passwords which I can provide because I can't control that someone of my approved users will not share this password with someone else, and I will not be able determine who exactly use this password - the user approved by me or not.)


Sincerely ID3 



16 REPLIES 16
Expiscornovus
Most Valuable Professional
Most Valuable Professional

Hi @ID3,

 

I don't know if this will work for you situation, but you might be able to check the user-agent value of the POST request and add a trigger condition to your When a HTTP request is received trigger action.

 

Below is an example of a trigger condition which only allows requests from other Power Automate flows and for instance not Windows PowerShell.

 

@startswith(triggeroutputs()['headers']['user-agent'], 'azure-logic-apps/1.0')

 triggercondition_azurelogicapps_useragent.png



Happy to help out! 🙂

Interested in more #PowerAutomate #SharePointOnline or #MicrosoftCopilotStudio content?
Visit my blog, Subscribe to my YouTube channel or Follow me on Twitter


Dear Expiscornovus,

In my case all permitted to access to my Flow users are members of Office 365 groups.
Maybe it is useful information for the solution finding.

One more fact - it is quite enough to restrict the access only for HTTP request been sent from Power Query (Excel). And perhaps in this case the Power Query "Access Web content" options can be used.

ID3_0-1618822413222.png

Paulie78
Super User
Super User

I actually wrote an article on how to secure the HTTP trigger, check it out and see if it of use to you:

Secure the HTTP Request Trigger in Microsoft Power Automate 

Expiscornovus
Most Valuable Professional
Most Valuable Professional

Hi @ID3,

 

It is still a workaround based on the user agent string, but you can probably use this trigger condition to restrict only to Power Query (web.contents source)

@startswith(triggeroutputs()['headers']['user-agent'], 'Microsoft.Data.Mashup')

 

@Paulie78, nice, very useful article 🙂

However, I think ID3 wanted to avoid using a key or a password like stated in the opening post.



Happy to help out! 🙂

Interested in more #PowerAutomate #SharePointOnline or #MicrosoftCopilotStudio content?
Visit my blog, Subscribe to my YouTube channel or Follow me on Twitter


Paulie78
Super User
Super User

@Expiscornovus - That will teach me not to read the question properly! Thank you for putting me straight!

ID3
New Member

Dear @Paulie78 
The article about HTTP Request Secure is realy nice. It means I am not alone who met the same problem and it is worth to work it out more.

Dear @Expiscornovus 
Your suggested Microsoft.Data.Mashup check is a good, and I think should be used in any case. 
In case of PowerQuery using with Windows or Organizational account credentials, does it mean that the data about user account (login/user name) can be taken from the trigger/Request? 

Is there any MS Services can provide information about all MS Flow transactions with more details than I can see in Power Automate Runs History?

Sincerely ID3

Expiscornovus
Most Valuable Professional
Most Valuable Professional

Hi @ID3,

 

As far as I could tell it wasn't showing any data about the account which was used.

 

Below is an example of the raw input of the received HTTP request when I was testing it with Power Query in Excel.

 

{
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip,deflate",
        "Expect": "100-continue",
        "Host": "prod-21.uksouth.logic.azure.com",
        "User-Agent": "Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=304225)",
        "Content-Length": "2",
        "Content-Type": "application/json"
    },
    "body": {}
}

 



Happy to help out! 🙂

Interested in more #PowerAutomate #SharePointOnline or #MicrosoftCopilotStudio content?
Visit my blog, Subscribe to my YouTube channel or Follow me on Twitter


Dear @Expiscornovus
Here is what I have and waht I used.
Receiver:

ID3_0-1619256787006.png
And here is the data.

{
    "variables": [
        {
            "name": "Trigger",
            "type": "String",
            "value": "{\"name\":\"manual\",\"inputs\":{\"method\":\"POST\"},\"outputs\":{\"headers\":{\"Connection\":\"Keep-Alive\",\"Accept\":\"application/json\",\"Accept-Encoding\":\"gzip,deflate\",\"Expect\":\"100-continue\",\"Host\":\"prod-96.westeurope.logic.azure.com\",\"User-Agent\":\"Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=3xxx5)\",\"Content-Length\":\"39\",\"Content-Type\":\"application/json\"},\"body\":{\"Type\":\"MyData\",\"Param\":\"MyData\"}},\"startTime\":\"2021-04-24T09:25:56.997722Z\",\"endTime\":\"2021-04-24T09:25:56.997722Z\",\"trackingId\":\"4xxxxxxb-5xxx-4xxe-xxxxxxxx1\",\"clientTrackingId\":\"0XXXXXXXXXXXXXXXXXXXXXXXXXX4\",\"originHistoryName\":\"0XXXXXXXXXXXXXXXXXXXXXXX\",\"status\":\"Succeeded\"}{\"Type\":\"MyData\",\"Param\":\"MyData\"}"
        }
    ]
}

For sending I used this one request

let
    urlApi="https://prod-96.westeurope.logic.......",
    Request = Json.Document(Web.Contents(urlApi, [ Headers=[#"Accept"="application/json", #"content-type" = "application/json"], Content=Text.ToBinary("{""Type"": ""SiteInfo"", ""Param"": """& Site_Param &"""}")])),
    #"Converted to Table" = Record.ToTable(Request),
    #"Renamed Columns" = Table.RenameColumns(#"Converted to Table",{{"Name", "Parameter"}}),
    #"Changed Type" = Table.TransformColumnTypes(#"Renamed Columns",{{"Value", type text}, {"Parameter", type text}})

in
#"Changed Type"

With this permissions:

ID3_1-1619257180163.png

It is pretty interesting why you have not "originHistoryName" and "clientTrackingId" but I have. Did you use POST or GET?
But however, I don't know are these values can help with my problem or not. ...



The problem is still not solved and important.

Sincerely ID3.

Hi Expiscornovus,

 I've got a question for you, is there any way to send back an error such as 400 Bad Request or 401 Forbidden if the request doesn't satisfay the conditional trigger?

A the moment if I call the https endpoint I receive a standar "202 Accepted" code...

 

Thank you,

Stefano.

Expiscornovus
Most Valuable Professional
Most Valuable Professional

Hi @ZaffaSte,

 

You can remove that trigger condition and use a condition action instead. Use that startswith expression in there and use a response action to send back a HTTP 400.

https://docs.microsoft.com/en-us/azure/connectors/connectors-native-reqres#add-a-response-action

 

Below is an example of that.

 

400response.png



Happy to help out! 🙂

Interested in more #PowerAutomate #SharePointOnline or #MicrosoftCopilotStudio content?
Visit my blog, Subscribe to my YouTube channel or Follow me on Twitter


ZaffaSte
Regular Visitor

Hi @Expiscornovus ,

 thank you for your reply: easy peasy lemon squeezy and it's true, but in this way the flow start, there's no way to default 202 reply other than start a flow?

 

Thank you so much,

Stefano

Expiscornovus
Most Valuable Professional
Most Valuable Professional

Hi @ZaffaSte,

 

I know there is a schema validation setting which you can enable in the settings which can return a HTTP 400 instead of a 200 if there is a mismatch.

 

But as far as I am aware that is only for the body, not the headers like user-agent.

 

schemavalidation_400.png



Happy to help out! 🙂

Interested in more #PowerAutomate #SharePointOnline or #MicrosoftCopilotStudio content?
Visit my blog, Subscribe to my YouTube channel or Follow me on Twitter


Thank you @Expiscornovus I knew the "Schema Validation" option, but as you wrote in your reply is all about the body of the request not the header.

PerOveSand
Frequent Visitor

You are really asking about something very important here @ID3 . I have been thinking a lot about this lately too. And my first thought was to use logic apps, Azure functions and API management. But the posts and replies here are very good and maybe there is another way. Here are my toughs.

 

The problem is if someone gets the Uri for the flow, they can trigger the flow.

The Uri is built like this:

Url parameters:
?api-version=2016-06-01
&sp=%2Ftriggers%2Fmanual%2Frun
&sv=1.0
&sig=<43 letter random generated secret>
 
If someone copies the trigger Uri and shares it, all of the above needed parameters are shared.
This can be a problem if the person misuses it or shares it with other unknown people.
 
PS! The only way to change the secret code, is to create a new flow. You cannot change the secret code on an existing flow.
 
If attackers does NOT have the URI, they need to guess the workflow GUID and the secret code for the sig parameter. This is extremely unlikely and not really a problem.
 
Risk: Sharing the Uri

An "attacker" needs the Uri for the flow itself to exploit the weakness. 

For this to happen, it requires a person with edit access to the flow and that this person shares the Uri.

Mitigations

  • Securing the edit access to a flow that contains HTTP actions, should be first priority. Use Environments and Solutions, and do not share the owner role of the flow with everyone.
  • You should store the Uri in Azure Key vault. This will stop storing of sensitive values in clear text in the flow definition code.

If these mitigation does not make the risk acceptable, the mitigations below must be evaluated.

 

Trigger Conditions

I really like the article from @Paulie78, since using trigger conditions. It can check the headers and the body for keys and values and act upon them. This is most useful for NOT running the flow at all.

 

Risk: HTTP response giving information back

The high risk is if you do not use the question mark "?" in the condition, it will reply with the value it needs. This actually gives the "attacker" everything it needs.

You need to store the conditions in clear text!

These risk are so bad I would not recommend using them, unless the mitigations in the first risk is acceptable and done. A person with edit access to the flow can expose the information.

The only good reason to use this method is if the condition can check for a non-fakeable value in the header.

Or maybe to just add an extra value that must be shared by a rouge person, making the sharing less intuitive.

 

Mitigations

  • Same mitigations as the risk of sharing the Uri.
  • + Manual and automatic checks for the ? mark in the condition.
  • Use ONLY conditions on header values that cannot be "faked" from the client using the Uri. (Do they exist?) A user agent header can easily be faked.
  • Turn on "Suppress workflow headers" to avoid sending information back to the client.

 

Conditions in Actions

@Expiscornovus suggest a solution using conditions as actions.

This can mitigate the problem with the flow sending secrets to the client as a response.

It will not mitigate the problem stopping an user with edit access to send the needed information.

It will mitigate the risk that secrets are in clear text in the flow definition, since it can pull those secrets from Azure Key Vault.

It will also add a second layer of security check, using a secret that can be changed frequently.

It will not stop an attacker from starting a flow run, consuming runs and causing throttling.

 

I am sure there is more possibilities and that I am missing something to consider. 

 

Please comment and correct me! 🙂

clh
Advocate I
Advocate I

Would there be an option to implement IP restrictions?  I'm not an expert in HTTP, so I don't know.  Is source IP address available in the headers, or some other way that could be used in a trigger condition?

Although, if wanting to restrict to being called from other Power Automates, what is the IP range for MS365/Power Automate as a source?  (I'm thinking, use IP filtering on top of the agent that was mentioned in a previous post.)

zolle04
Advocate II
Advocate II

Helpful resources

Announcements

Exclusive LIVE Community Event: Power Apps Copilot Coffee Chat with Copilot Studio Product Team

It's time for the SECOND Power Apps Copilot Coffee Chat featuring the Copilot Studio product team, which will be held LIVE on April 3, 2024 at 9:30 AM Pacific Daylight Time (PDT).     This is an incredible opportunity to connect with members of the Copilot Studio product team and ask them anything about Copilot Studio. We'll share our special guests with you shortly--but we want to encourage to mark your calendars now because you will not want to miss the conversation.   This live event will give you the unique opportunity to learn more about Copilot Studio plans, where we’ll focus, and get insight into upcoming features. We’re looking forward to hearing from the community, so bring your questions!   TO GET ACCESS TO THIS EXCLUSIVE AMA: Kudo this post to reserve your spot! Reserve your spot now by kudoing this post.  Reservations will be prioritized on when your kudo for the post comes through, so don't wait! Click that "kudo button" today.   Invitations will be sent on April 2nd.Users posting Kudos after April 2nd at 9AM PDT may not receive an invitation but will be able to view the session online after conclusion of the event. Give your "kudo" today and mark your calendars for April 3, 2024 at 9:30 AM PDT and join us for an engaging and informative session!

Tuesday Tip: Unlocking Community Achievements and Earning Badges

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!     THIS WEEK'S TIP: Unlocking Achievements and Earning BadgesAcross the Communities, you'll see badges on users profile that recognize and reward their engagement and contributions. These badges each signify a different achievement--and all of those achievements are available to any Community member! If you're a seasoned pro or just getting started, you too can earn badges for the great work you do. Check out some details on Community badges below--and find out more in the detailed link at the end of the article!       A Diverse Range of Badges to Collect The badges you can earn in the Community cover a wide array of activities, including: Kudos Received: Acknowledges the number of times a user’s post has been appreciated with a “Kudo.”Kudos Given: Highlights the user’s generosity in recognizing others’ contributions.Topics Created: Tracks the number of discussions initiated by a user.Solutions Provided: Celebrates the instances where a user’s response is marked as the correct solution.Reply: Counts the number of times a user has engaged with community discussions.Blog Contributor: Honors those who contribute valuable content and are invited to write for the community blog.       A Community Evolving Together Badges are not only a great way to recognize outstanding contributions of our amazing Community members--they are also a way to continue fostering a collaborative and supportive environment. As you continue to share your knowledge and assist each other these badges serve as a visual representation of your valuable contributions.   Find out more about badges in these Community Support pages in each Community: All About Community Badges - Power Apps CommunityAll About Community Badges - Power Automate CommunityAll About Community Badges - Copilot Studio CommunityAll About Community Badges - Power Pages Community

Tuesday Tips: Powering Up Your Community Profile

TUESDAY TIPS are our way of communicating helpful things we've learned or shared that have helped members of the Community. Whether you're just getting started or you're a seasoned pro, Tuesday Tips will help you know where to go, what to look for, and navigate your way through the ever-growing--and ever-changing--world of the Power Platform Community! We cover basics about the Community, provide a few "insider tips" to make your experience even better, and share best practices gleaned from our most active community members and Super Users.   With so many new Community members joining us each week, we'll also review a few of our "best practices" so you know just "how" the Community works, so make sure to watch the News & Announcements each week for the latest and greatest Tuesday Tips!   This Week's Tip: Power Up Your Profile!  🚀 It's where every Community member gets their start, and it's essential that you keep it updated! Your Community User Profile is how you're able to get messages, post solutions, ask questions--and as you rank up, it's where your badges will appear and how you'll be known when you start blogging in the Community Blog. Your Community User Profile is how the Community knows you--so it's essential that it works the way you need it to! From changing your username to updating contact information, this Knowledge Base Article is your best resource for powering up your profile.     Password Puzzles? No Problem! Find out how to sync your Azure AD password with your community account, ensuring a seamless sign-in. No separate passwords to remember! Job Jumps & Email Swaps Changed jobs? Got a new email? Fear not! You'll find out how to link your shiny new email to your existing community account, keeping your contributions and connections intact. Username Uncertainties Unraveled Picking the perfect username is crucial--and sometimes the original choice you signed up with doesn't fit as well as you may have thought. There's a quick way to request an update here--but remember, your username is your community identity, so choose wisely. "Need Admin Approval" Warning Window? If you see this error message while using the community, don't worry. A simple process will help you get where you need to go. If you still need assistance, find out how to contact your Community Support team. Whatever you're looking for, when it comes to your profile, the Community Account Support Knowledge Base article is your treasure trove of tips as you navigate the nuances of your Community Profile. It’s the ultimate resource for keeping your digital identity in tip-top shape while engaging with the Power Platform Community. So, dive in and power up your profile today!  💪🚀   Community Account Support | Power Apps Community Account Support | Power AutomateCommunity Account Support | Copilot Studio  Community Account Support | Power Pages

Super User of the Month | Chris Piasecki

In our 2nd installment of this new ongoing feature in the Community, we're thrilled to announce that Chris Piasecki is our Super User of the Month for March 2024. If you've been in the Community for a while, we're sure you've seen a comment or marked one of Chris' helpful tips as a solution--he's been a Super User for SEVEN consecutive seasons!   Since authoring his first reply in April 2020 to his most recent achievement organizing the Canadian Power Platform Summit this month, Chris has helped countless Community members with his insights and expertise. In addition to being a Super User, Chris is also a User Group leader, Microsoft MVP, and a featured speaker at the Microsoft Power Platform Conference. His contributions to the new SUIT program, along with his joyous personality and willingness to jump in and help so many members has made Chris a fixture in the Power Platform Community.   When Chris isn't authoring solutions or organizing events, he's actively leading Piasecki Consulting, specializing in solution architecture, integration, DevOps, and more--helping clients discover how to strategize and implement Microsoft's technology platforms. We are grateful for Chris' insightful help in the Community and look forward to even more amazing milestones as he continues to assist so many with his great tips, solutions--always with a smile and a great sense of humor.You can find Chris in the Community and on LinkedIn. Thanks for being such a SUPER user, Chris! 💪 🌠  

Find Out What Makes Super Users So Super

We know many of you visit the Power Platform Communities to ask questions and receive answers. But do you know that many of our best answers and solutions come from Community members who are super active, helping anyone who needs a little help getting unstuck with Business Applications products? We call these dedicated Community members Super Users because they are the real heroes in the Community, willing to jump in whenever they can to help! Maybe you've encountered them yourself and they've solved some of your biggest questions. Have you ever wondered, "Why?"We interviewed several of our Super Users to understand what drives them to help in the Community--and discover the difference it has made in their lives as well! Take a look in our gallery today: What Motivates a Super User? - Power Platform Community (microsoft.com)

March User Group Update: New Groups and Upcoming Events!

  Welcome to this month’s celebration of our Community User Groups and exciting User Group events. We’re thrilled to introduce some brand-new user groups that have recently joined our vibrant community. Plus, we’ve got a lineup of engaging events you won’t want to miss. Let’s jump right in: New User Groups   Sacramento Power Platform GroupANZ Power Platform COE User GroupPower Platform MongoliaPower Platform User Group OmanPower Platform User Group Delta StateMid Michigan Power Platform Upcoming Events  DUG4MFG - Quarterly Meetup - Microsoft Demand PlanningDate: 19 Mar 2024 | 10:30 AM to 12:30 PM Central America Standard TimeDescription: Dive into the world of manufacturing with a focus on Demand Planning. Learn from industry experts and share your insights. Dynamics User Group HoustonDate: 07 Mar 2024 | 11:00 AM to 01:00 PM Central America Standard TimeDescription: Houston, get ready for an immersive session on Dynamics 365 and the Power Platform. Connect with fellow professionals and expand your knowledge. Reading Dynamics 365 & Power Platform User Group (Q1)Date: 05 Mar 2024 | 06:00 PM to 09:00 PM GMT Standard TimeDescription: Join our virtual meetup for insightful discussions, demos, and community updates. Let’s kick off Q1 with a bang! Leaders, Create Your Events!  Leaders of existing User Groups, don’t forget to create your events within the Community platform. By doing so, you’ll enable us to share them in future posts and newsletters. Let’s spread the word and make these gatherings even more impactful! Stay tuned for more updates, inspiring stories, and collaborative opportunities from and for our Community User Groups.   P.S. Have an event or success story to share? Reach out to us – we’d love to feature you!

Users online (5,839)