Dear Experts,
I have simple flow based on "When a HTTP request is received" trigger.
Using the link from the trigger, anyone can sent HTTP request and get response from my Flow. And this is really the problem.
How I can restrict possibility to get response from my flow for anyone except certain users?
(Note: I don't want to use some kind of Passwords which I can provide because I can't control that someone of my approved users will not share this password with someone else, and I will not be able determine who exactly use this password - the user approved by me or not.)
Sincerely ID3
Hi @ID3,
I don't know if this will work for you situation, but you might be able to check the user-agent value of the POST request and add a trigger condition to your When a HTTP request is received trigger action.
Below is an example of a trigger condition which only allows requests from other Power Automate flows and for instance not Windows PowerShell.
@startswith(triggeroutputs()['headers']['user-agent'], 'azure-logic-apps/1.0')
Dear Expiscornovus,
I agree with common idea of your approach - the checking of triggeroutputs properties. Now need to understand how to get information about the user who is owner of application (like ms flow) or who launch some application (like Excel) which sent the request in such format to be able to compare it with predefined list inside the Flow.
In my case all permitted to access to my Flow users are members of Office 365 groups.
Maybe it is useful information for the solution finding.
One more fact - it is quite enough to restrict the access only for HTTP request been sent from Power Query (Excel). And perhaps in this case the Power Query "Access Web content" options can be used.
However, I would like to highlight that I will be glad for any ideas about other possible approaches to solve the main post issue too.
Sincerely ID3
I actually wrote an article on how to secure the HTTP trigger, check it out and see if it of use to you:
Hi @ID3,
It is still a workaround based on the user agent string, but you can probably use this trigger condition to restrict only to Power Query (web.contents source)
@startswith(triggeroutputs()['headers']['user-agent'], 'Microsoft.Data.Mashup')
@Paulie78, nice, very useful article 🙂
However, I think ID3 wanted to avoid using a key or a password like stated in the opening post.
@Expiscornovus - That will teach me not to read the question properly! Thank you for putting me straight!
Dear @Paulie78
The article about HTTP Request Secure is realy nice. It means I am not alone who met the same problem and it is worth to work it out more.
Dear @Expiscornovus
Your suggested Microsoft.Data.Mashup check is a good, and I think should be used in any case.
In case of PowerQuery using with Windows or Organizational account credentials, does it mean that the data about user account (login/user name) can be taken from the trigger/Request?
Is there any MS Services can provide information about all MS Flow transactions with more details than I can see in Power Automate Runs History?
Sincerely ID3
Hi @ID3,
As far as I could tell it wasn't showing any data about the account which was used.
Below is an example of the raw input of the received HTTP request when I was testing it with Power Query in Excel.
{
"headers": {
"Accept": "*/*",
"Accept-Encoding": "gzip,deflate",
"Expect": "100-continue",
"Host": "prod-21.uksouth.logic.azure.com",
"User-Agent": "Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=304225)",
"Content-Length": "2",
"Content-Type": "application/json"
},
"body": {}
}
Dear @Expiscornovus,
Here is what I have and waht I used.
Receiver:
And here is the data.
{
"variables": [
{
"name": "Trigger",
"type": "String",
"value": "{\"name\":\"manual\",\"inputs\":{\"method\":\"POST\"},\"outputs\":{\"headers\":{\"Connection\":\"Keep-Alive\",\"Accept\":\"application/json\",\"Accept-Encoding\":\"gzip,deflate\",\"Expect\":\"100-continue\",\"Host\":\"prod-96.westeurope.logic.azure.com\",\"User-Agent\":\"Microsoft.Data.Mashup,(https://go.microsoft.com/fwlink/?LinkID=3xxx5)\",\"Content-Length\":\"39\",\"Content-Type\":\"application/json\"},\"body\":{\"Type\":\"MyData\",\"Param\":\"MyData\"}},\"startTime\":\"2021-04-24T09:25:56.997722Z\",\"endTime\":\"2021-04-24T09:25:56.997722Z\",\"trackingId\":\"4xxxxxxb-5xxx-4xxe-xxxxxxxx1\",\"clientTrackingId\":\"0XXXXXXXXXXXXXXXXXXXXXXXXXX4\",\"originHistoryName\":\"0XXXXXXXXXXXXXXXXXXXXXXX\",\"status\":\"Succeeded\"}{\"Type\":\"MyData\",\"Param\":\"MyData\"}"
}
]
}
For sending I used this one request
let
urlApi="https://prod-96.westeurope.logic.......",
Request = Json.Document(Web.Contents(urlApi, [ Headers=[#"Accept"="application/json", #"content-type" = "application/json"], Content=Text.ToBinary("{""Type"": ""SiteInfo"", ""Param"": """& Site_Param &"""}")])),
#"Converted to Table" = Record.ToTable(Request),
#"Renamed Columns" = Table.RenameColumns(#"Converted to Table",{{"Name", "Parameter"}}),
#"Changed Type" = Table.TransformColumnTypes(#"Renamed Columns",{{"Value", type text}, {"Parameter", type text}})
in
#"Changed Type"
With this permissions:
It is pretty interesting why you have not "originHistoryName" and "clientTrackingId" but I have. Did you use POST or GET?
But however, I don't know are these values can help with my problem or not. ...
The problem is still not solved and important.
Sincerely ID3.
I've got a question for you, is there any way to send back an error such as 400 Bad Request or 401 Forbidden if the request doesn't satisfay the conditional trigger?
A the moment if I call the https endpoint I receive a standar "202 Accepted" code...
Thank you,
Stefano.
Hi @ZaffaSte,
You can remove that trigger condition and use a condition action instead. Use that startswith expression in there and use a response action to send back a HTTP 400.
https://docs.microsoft.com/en-us/azure/connectors/connectors-native-reqres#add-a-response-action
Below is an example of that.
Hi @Expiscornovus ,
thank you for your reply: easy peasy lemon squeezy and it's true, but in this way the flow start, there's no way to default 202 reply other than start a flow?
Thank you so much,
Stefano
Hi @ZaffaSte,
I know there is a schema validation setting which you can enable in the settings which can return a HTTP 400 instead of a 200 if there is a mismatch.
But as far as I am aware that is only for the body, not the headers like user-agent.
Thank you @Expiscornovus I knew the "Schema Validation" option, but as you wrote in your reply is all about the body of the request not the header.
You are really asking about something very important here @ID3 . I have been thinking a lot about this lately too. And my first thought was to use logic apps, Azure functions and API management. But the posts and replies here are very good and maybe there is another way. Here are my toughs.
The problem is if someone gets the Uri for the flow, they can trigger the flow.
The Uri is built like this:
An "attacker" needs the Uri for the flow itself to exploit the weakness.
For this to happen, it requires a person with edit access to the flow and that this person shares the Uri.
Mitigations
If these mitigation does not make the risk acceptable, the mitigations below must be evaluated.
Trigger Conditions
I really like the article from @Paulie78, since using trigger conditions. It can check the headers and the body for keys and values and act upon them. This is most useful for NOT running the flow at all.
Risk: HTTP response giving information back
The high risk is if you do not use the question mark "?" in the condition, it will reply with the value it needs. This actually gives the "attacker" everything it needs.
You need to store the conditions in clear text!
These risk are so bad I would not recommend using them, unless the mitigations in the first risk is acceptable and done. A person with edit access to the flow can expose the information.
The only good reason to use this method is if the condition can check for a non-fakeable value in the header.
Or maybe to just add an extra value that must be shared by a rouge person, making the sharing less intuitive.
Mitigations
Conditions in Actions
@Expiscornovus suggest a solution using conditions as actions.
This can mitigate the problem with the flow sending secrets to the client as a response.
It will not mitigate the problem stopping an user with edit access to send the needed information.
It will mitigate the risk that secrets are in clear text in the flow definition, since it can pull those secrets from Azure Key Vault.
It will also add a second layer of security check, using a secret that can be changed frequently.
It will not stop an attacker from starting a flow run, consuming runs and causing throttling.
I am sure there is more possibilities and that I am missing something to consider.
Please comment and correct me! 🙂
Would there be an option to implement IP restrictions? I'm not an expert in HTTP, so I don't know. Is source IP address available in the headers, or some other way that could be used in a trigger condition?
Although, if wanting to restrict to being called from other Power Automates, what is the IP range for MS365/Power Automate as a source? (I'm thinking, use IP filtering on top of the agent that was mentioned in a previous post.)
Hi there,
I think is an helpful article
Deeper control over HTTP invocation of flows | Power Automate Blog (microsoft.com)
As we continue to grow and learn together, it's important to reflect on the valuable insights we've shared. For today's #TuesdayTip, we're excited to take a moment to look back at the last 10 tips we've shared in case you missed any or want to revisit them. Thanks for your incredible support for this series--we're so glad it was able to help so many of you navigate your community experience! Getting Started in the Community An overview of everything you need to know about navigating the community on one page! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Community Ranks and YOU Have you ever wondered how your fellow community members ascend the ranks within our community? We explain everything about ranks and how to achieve points so you can climb up in the rankings! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Powering Up Your Community Profile Your Community User Profile is how the Community knows you--so it's essential that it works the way you need it to! From changing your username to updating contact information, this Knowledge Base Article is your best resource for powering up your profile. Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Community Blogs--A Great Place to Start There's so much you'll discover in the Community Blogs, and we hope you'll check them out today! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Unlocking Community Achievements and Earning Badges Across the Communities, you'll see badges on users profile that recognize and reward their engagement and contributions. Check out some details on Community badges--and find out more in the detailed link at the end of the article! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Blogging in the Community Interested in blogging? Everything you need to know on writing blogs in our four communities! Get started blogging across the Power Platform communities today! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Subscriptions & Notifications We don't want you to miss a thing in the community! Read all about how to subscribe to sections of our forums and how to setup your notifications! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Getting Started with Private Messages & Macros Do you want to enhance your communication in the Community and streamline your interactions? One of the best ways to do this is to ensure you are using Private Messaging--and the ever-handy macros that are available to you as a Community member! Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Community User Groups Learn everything about being part of, starting, or leading a User Group in the Power Platform Community. Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Update Your Community Profile Today! Keep your community profile up to date which is essential for staying connected and engaged with the community. Community Links: ○ Power Apps ○ Power Automate ○ Power Pages ○ Copilot Studio Thank you for being an integral part of our journey. Here's to many more Tuesday Tips as we pave the way for a brighter, more connected future! As always, watch the News & Announcements for the next set of tips, coming soon!
This month's Community Ambassador call is on May 9th at 9a & 3p PDT. Please keep an eye out in your private messages and Teams channels for your invitation. There are lots of exciting updates coming to the Community, and we have some exclusive opportunities to share with you! As always, we'll also review regular updates for User Groups, Super Users, and share general information about what's going on in the Community. Be sure to register & we hope to see all of you there!
We're pleased to share the April Community Newsletter, where we highlight the latest news, product releases, upcoming events, and the amazing work of our outstanding Community members. If you're new to the Community, please make sure to follow the latest News & Announcements and check out the Community on LinkedIn as well! It's the best way to stay up-to-date with all the news from across Microsoft Power Platform and beyond. COMMUNITY HIGHLIGHTS Check out the most active community members of the last month! These hardworking members are posting regularly, answering questions, kudos, and providing top solutions in their communities. We are so thankful for each of you--keep up the great work! If you hope to see your name here next month, follow these awesome community members to see what they do! Power AppsPower AutomateCopilot StudioPower PagesWarrenBelzDeenujialexander2523ragavanrajanLaurensMManishSolankiMattJimisonLucas001AmikcapuanodanilostephenrobertOliverRodriguestimlAndrewJManikandanSFubarmmbr1606VishnuReddy1997theMacResolutionsVishalJhaveriVictorIvanidzejsrandhawahagrua33ikExpiscornovusFGuerrero1PowerAddictgulshankhuranaANBExpiscornovusprathyooSpongYeNived_Nambiardeeksha15795apangelesGochixgrantjenkinsvasu24Mfon LATEST NEWS Business Applications Launch Event - On Demand In case you missed the Business Applications Launch Event, you can now catch up on all the announcements and watch the entire event on-demand inside Charles Lamanna's latest cloud blog. This is your one stop shop for all the latest Copilot features across Power Platform and #Dynamics365, including first-hand looks at how companies such as Lenovo, Sonepar, Ford Motor Company, Omnicom and more are using these new capabilities in transformative ways. Click the image below to watch today! Power Platform Community Conference 2024 is here! It's time to look forward to the next installment of the Power Platform Community Conference, which takes place this year on 18-20th September 2024 at the MGM Grand in Las Vegas! Come and be inspired by Microsoft senior thought leaders and the engineers behind the #PowerPlatform, with Charles Lamanna, Sangya Singh, Ryan Cunningham, Kim Manis, Nirav Shah, Omar Aftab and Leon Welicki already confirmed to speak. You'll also be able to learn from industry experts and Microsoft MVPs who are dedicated to bridging the gap between humanity and technology. These include the likes of Lisa Crosbie, Victor Dantas, Kristine Kolodziejski, David Yack, Daniel Christian, Miguel Félix, and Mats Necker, with many more to be announced over the coming weeks. Click here to watch our brand-new sizzle reel for #PPCC24 or click the image below to find out more about registration. See you in Vegas! Power Up Program Announces New Video-Based Learning Hear from Principal Program Manager, Dimpi Gandhi, to discover the latest enhancements to the Microsoft #PowerUpProgram. These include a new accelerated video-based curriculum crafted with the expertise of Microsoft MVPs, Rory Neary and Charlie Phipps-Bennett. If you’d like to hear what’s coming next, click the image below to find out more! UPCOMING EVENTS Microsoft Build - Seattle and Online - 21-23rd May 2024 Taking place on 21-23rd May 2024 both online and in Seattle, this is the perfect event to learn more about low code development, creating copilots, cloud platforms, and so much more to help you unleash the power of AI. There's a serious wealth of talent speaking across the three days, including the likes of Satya Nadella, Amanda K. Silver, Scott Guthrie, Sarah Bird, Charles Lamanna, Miti J., Kevin Scott, Asha Sharma, Rajesh Jha, Arun Ulag, Clay Wesener, and many more. And don't worry if you can't make it to Seattle, the event will be online and totally free to join. Click the image below to register for #MSBuild today! European Collab Summit - Germany - 14-16th May 2024 The clock is counting down to the amazing European Collaboration Summit, which takes place in Germany May 14-16, 2024. #CollabSummit2024 is designed to provide cutting-edge insights and best practices into Power Platform, Microsoft 365, Teams, Viva, and so much more. There's a whole host of experts speakers across the three-day event, including the likes of Vesa Juvonen, Laurie Pottmeyer, Dan Holme, Mark Kashman, Dona Sarkar, Gavin Barron, Emily Mancini, Martina Grom, Ahmad Najjar, Liz Sundet, Nikki Chapple, Sara Fennah, Seb Matthews, Tobias Martin, Zoe Wilson, Fabian Williams, and many more. Click the image below to find out more about #ECS2024 and register today! Microsoft 365 & Power Platform Conference - Seattle - 3-7th June If you're looking to turbo boost your Power Platform skills this year, why not take a look at everything TechCon365 has to offer at the Seattle Convention Center on June 3-7, 2024. This amazing 3-day conference (with 2 optional days of workshops) offers over 130 sessions across multiple tracks, alongside 25 workshops presented by Power Platform, Microsoft 365, Microsoft Teams, Viva, Azure, Copilot and AI experts. There's a great array of speakers, including the likes of Nirav Shah, Naomi Moneypenny, Jason Himmelstein, Heather Cook, Karuana Gatimu, Mark Kashman, Michelle Gilbert, Taiki Y., Kristi K., Nate Chamberlain, Julie Koesmarno, Daniel Glenn, Sarah Haase, Marc Windle, Amit Vasu, Joanne C Klein, Agnes Molnar, and many more. Click the image below for more #Techcon365 intel and register today! For more events, click the image below to visit the Microsoft Community Days website.
It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community. We're excited to announce that updating your community profile has never been easier! Keeping your profile up to date is essential for staying connected and engaged with the community. Check out the following Support Articles with these topics: Accessing Your Community ProfileRetrieving Your Profile URLUpdating Your Community Profile Time ZoneChanging Your Community Profile Picture (Avatar)Setting Your Date Display Preferences Click on your community link for more information: Power Apps, Power Automate, Power Pages, Copilot Studio Thank you for being an active part of our community. Your contributions make a difference! Best Regards, The Community Management Team
Hear from Principal Program Manager, Dimpi Gandhi, to discover the latest enhancements to the Microsoft #PowerUpProgram, including a new accelerated video-based curriculum crafted with the expertise of Microsoft MVPs, Rory Neary and Charlie Phipps-Bennett. If you’d like to hear what’s coming next, click the link below to sign up today! https://aka.ms/PowerUp
We're thrilled to announce that Ahmed Salih is our Super User of the Month for April 2024. Ahmed has been one of our most active Super Users this year--in fact, he kicked off the year in our Community with this great video reminder of why being a Super User has been so important to him! Ahmed is the Senior Power Platform Architect at Saint Jude's Children's Research Hospital in Memphis. He's been a Super User for two seasons and is also a Microsoft MVP! He's celebrating his 3rd year being active in the Community--and he's received more than 500 kudos while authoring nearly 300 solutions. Ahmed's contributions to the Super User in Training program has been invaluable, with his most recent session with SUIT highlighting an incredible amount of best practices and tips that have helped him achieve his success. Ahmed's infectious enthusiasm and boundless energy are a key reason why so many Community members appreciate how he brings his personality--and expertise--to every interaction. With all the solutions he provides, his willingness to help the Community learn more about Power Platform, and his sheer joy in life, we are pleased to celebrate Ahmed and all his contributions! You can find him in the Community and on LinkedIn. Congratulations, Ahmed--thank you for being a SUPER user!
User | Count |
---|---|
21 | |
20 | |
17 | |
11 | |
9 |
User | Count |
---|---|
41 | |
27 | |
23 | |
21 | |
18 |