cancel
Showing results for 
Search instead for 
Did you mean: 
Reply

Security for HTTP/API Trigger of the Flow

Hello Everyone.

 

I am creating a flow. As its trigger I took,

When a HTTP Request is received.

 

I was really concerned about the authentication and security for it. 

 

If someone has the link to it, then anyone would be able to call the flow. 

 

Anyone here who knows something about this. I googled but was not able to find anything regarding it. 

 

@Pstork1 

@ScottShearer 

@Expiscornovus 

@abm 

@RezaDorrani 

@v-qiaqi-msft 

@v-yujincui-msft 

@v-liwei-msft 

@v-jefferni 

@v-chengfen-msft 

@v-dezhili-msft 

1 ACCEPTED SOLUTION

Accepted Solutions
abm
Most Valuable Professional
Most Valuable Professional

Hi @Unknown123 

 

Yes thats correct. Anyone can run that if you have the endpoint. There is no restriction in my knowledge. You need to custom implement it. You could consider publishing under Azure APIM to add more securities around it. 

 

Here is a good article which describes about the concerns you raised.

 

Securing HTTP triggered flow in Power Automate (linkedin.com)

 

Thanks



Did I answer your question? Mark my post as a solution!

If you liked my response, please consider giving it a thumbs up


Proud to be a Flownaut!

Learn more from my blog
Power Automate Video Tutorials

View solution in original post

13 REPLIES 13
wnzn
Advocate V
Advocate V

Correct, it is a public web service endpoint. Revert to Logic Apps for network restrictions to control who can invoke or use an indirect method (such as Azure Queues or similar) to start your flow.

Pstork1
Most Valuable Professional
Most Valuable Professional

Yes, anyone can call the flow. But since that is a manual trigger the flow will run in the security context of the user who invokes it.  So the actions in the flow won't be able to do anything that the user calling the flow doesn't have permissions to do.  For example, assume the flow uses Get Items to retrieve items from a list. If the user invoking the flow doesn't have permission to access the list then the flow will error out.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
wnzn
Advocate V
Advocate V

Depends on your set-up. If you set it to 'use this connection' then that does not hold true.
Edit: this does not apply to flows with automated triggers.

Pstork1
Most Valuable Professional
Most Valuable Professional

Not sure what you mean by "use this connection".  When an HTTP request is received is a manual trigger and uses the session information from whoever invokes the trigger by sending the HTTP request.



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
wnzn
Advocate V
Advocate V

If you use a manual trigger, you can select "Run only users" and specify which connection should be used (the triggering user's or a specific one). When an HTTP request is received is an automated trigger and always uses the connection specified in the flow definition.

Pstork1
Most Valuable Professional
Most Valuable Professional

Respectfully, I disagree.  As you can see from the screenshot below the When an HTTP request is received does not include a setting for Run Only users.  Nor is it triggered by an automated event.  It is triggered when an HTTP request is received from a specific user.  So it will use the security context of the person who invokes it, not the connection embedded in the flow.  At least that is my experience.

image.png



-------------------------------------------------------------------------
If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.
abm
Most Valuable Professional
Most Valuable Professional

Hi @Unknown123 

 

Yes thats correct. Anyone can run that if you have the endpoint. There is no restriction in my knowledge. You need to custom implement it. You could consider publishing under Azure APIM to add more securities around it. 

 

Here is a good article which describes about the concerns you raised.

 

Securing HTTP triggered flow in Power Automate (linkedin.com)

 

Thanks



Did I answer your question? Mark my post as a solution!

If you liked my response, please consider giving it a thumbs up


Proud to be a Flownaut!

Learn more from my blog
Power Automate Video Tutorials

Equally respectfully, I disagree.

 


@Pstork1 wrote:

Respectfully, I disagree.  As you can see from the screenshot below the When an HTTP request is received does not include a setting for Run Only users.  Nor is it triggered by an automated event.  It is triggered when an HTTP request is received from a specific user.  So it will use the security context of the person who invokes it, not the connection embedded in the flow.  At least that is my experience.


That is quite frankly not true. If you use a 'When a HTTP request is received' trigger, it can be triggered by an anonymous POST call to the URL provided. Send a request to the URL using postman, you'll see it works without a user context and the actions are done using the connection provided in the flow definition. Note that this is NOT the same as the manual trigger you use in for instance child flows or calls from a Power App.

Thanks everyone @abm @wnzn @Pstork1 , this was quiet helpful. Mostly my posts become really controversial. hehe.

I have now shifted to scheduled flow instead of When an HTTP Request is received.

But I am still accepting @abm answer because that was I think I was looking for. 

@wnzn and @Pstork1 , what are your opinions on the link he has given? 

Sorry for the late reply. 

But still thanks everyone. 🙂

wnzn
Advocate V
Advocate V

The link is a good overview of your options. The most secure option is APIM.

Keep in mind although you do the APIM where you provide the APIM URL which is secure, the PowerAUtomate URL for the http is not protected. You can call that and will not require authentication. Security is one way but parsing JWT oAuth Bearer token would be better. 

agility1003
Regular Visitor

Perhaps we can implement self refresh token and store it in a List or Environment Variable and let it refresh every hours. Get the token first and call the api with the token.

Recently, the documentation was updated with
Add OAuth authentication for HTTP request triggers

https://learn.microsoft.com/en-us/power-automate/oauth-authentication?tabs=classic-designer
However, I'm not sure how it's supposed to work, as I'm getting the following error:

 

code: "MisMatchingOAuthClaims"
message: "One or more claims either missing or does not match with the open authentication access control policy."

 

I'm replying to this related thread in order to gain visibility, my original post on the issue is here.

Helpful resources

Announcements

Community will be READ ONLY July 16th, 5p PDT -July 22nd

Dear Community Members,   We'd like to let you know of an upcoming change to the community platform: starting July 16th, the platform will transition to a READ ONLY mode until July 22nd.   During this period, members will not be able to Kudo, Comment, or Reply to any posts.   On July 22nd, please be on the lookout for a message sent to the email address registered on your community profile. This email is crucial as it will contain your unique code and link to register for the new platform encompassing all of the communities.   What to Expect in the New Community: A more unified experience where all products, including Power Apps, Power Automate, Copilot Studio, and Power Pages, will be accessible from one community.Community Blogs that you can syndicate and link to for automatic updates. We appreciate your understanding and cooperation during this transition. Stay tuned for the exciting new features and a seamless community experience ahead!

Summer of Solutions | Week 4 Results | Results posted on July 24th

We are excited to announce the Summer of Solutions Challenge!    This challenge is kicking off on Monday, June 17th and will run for (4) weeks.  The challenge is open to all Power Platform (Power Apps, Power Automate, Copilot Studio & Power Pages) community members. We invite you to participate in a quest to provide solutions to as many questions as you can. Answers can be provided in all the communities.    Entry Period: This Challenge will consist of four weekly Entry Periods as follows (each an “Entry Period”)   - 12:00 a.m. PT on June 17, 2024 – 11:59 p.m. PT on June 23, 2024 - 12:00 a.m. PT on June 24, 2024 – 11:59 p.m. PT on June 30, 2024 - 12:00 a.m. PT on July 1, 2024 – 11:59 p.m. PT on July 7, 2024 - 12:00 a.m. PT on July 8, 2024 – 11:59 p.m. PT on July 14, 2024   Entries will be eligible for the Entry Period in which they are received and will not carryover to subsequent weekly entry periods.  You must enter into each weekly Entry Period separately.   How to Enter: We invite you to participate in a quest to provide "Accepted Solutions" to as many questions as you can. Answers can be provided in all the communities. Users must provide a solution which can be an “Accepted Solution” in the Forums in all of the communities and there are no limits to the number of “Accepted Solutions” that a member can provide for entries in this challenge, but each entry must be substantially unique and different.    Winner Selection and Prizes: At the end of each week, we will list the top ten (10) Community users which will consist of: 5 Community Members & 5 Super Users and they will advance to the final drawing. We will post each week in the News & Announcements the top 10 Solution providers.  At the end of the challenge, we will add all of the top 10 weekly names and enter them into a random drawing.  Then we will randomly select ten (10) winners (5 Community Members & 5 Super Users) from among all eligible entrants received across all weekly Entry Periods to receive the prize listed below. If a winner declines, we will draw again at random for the next winner.  A user will only be able to win once overall. If they are drawn multiple times, another user will be drawn at random.  Individuals will be contacted before the announcement with the opportunity to claim or deny the prize.  Once all of the winners have been notified, we will post in the News & Announcements of each community with the list of winners.   Each winner will receive one (1) Pass to the Power Platform Conference in Las Vegas, Sep. 18-20, 2024 ($1800 value). NOTE: Prize is for conference attendance only and any other costs such as airfare, lodging, transportation, and food are the sole responsibility of the winner. Tickets are not transferable to any other party or to next year’s event.   ** PLEASE SEE THE ATTACHED RULES for this CHALLENGE**   Week 1 Results: Congratulations to the Week 1 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge.   Community MembersNumber SolutionsSuper UsersNumber Solutions Deenuji 9 @NathanAlvares24  17 @Anil_g  7 @ManishSolanki  13 @eetuRobo  5 @David_MA  10 @VishnuReddy1997  5 @SpongYe  9JhonatanOB19932 (tie) @Nived_Nambiar  8 @maltie  2 (tie)   @PA-Noob  2 (tie)   @LukeMcG  2 (tie)   @tgut03  2 (tie)       Week 2 Results: Congratulations to the Week 2 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 2: Community MembersSolutionsSuper UsersSolutionsPower Automate  @Deenuji  12@ManishSolanki 19 @Anil_g  10 @NathanAlvares24  17 @VishnuReddy1997  6 @Expiscornovus  10 @Tjan  5 @Nived_Nambiar  10 @eetuRobo  3 @SudeepGhatakNZ 8     Week 3 Results: Congratulations to the Week 3 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 3:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji32ManishSolanki55VishnuReddy199724NathanAlvares2444Anil_g22SudeepGhatakNZ40eetuRobo18Nived_Nambiar28Tjan8David_MA22   Week 4 Results: Congratulations to the Week 4 qualifiers, you are being entered in the random drawing that will take place at the end of the challenge. Week 4:Community MembersSolutionsSuper UsersSolutionsPower Automate Deenuji11FLMike31Sayan11ManishSolanki16VishnuReddy199710creativeopinion14Akshansh-Sharma3SudeepGhatakNZ7claudiovc2CFernandes5 misc2Nived_Nambiar5 Usernametwice232rzaneti5 eetuRobo2   Anil_g2   SharonS2  

Check Out | 2024 Release Wave 2 Plans for Microsoft Dynamics 365 and Microsoft Power Platform

On July 16, 2024, we published the 2024 release wave 2 plans for Microsoft Dynamics 365 and Microsoft Power Platform. These plans are a compilation of the new capabilities planned to be released between October 2024 to March 2025. This release introduces a wealth of new features designed to enhance customer understanding and improve overall user experience, showcasing our dedication to driving digital transformation for our customers and partners.    The upcoming wave is centered around utilizing advanced AI and Microsoft Copilot technologies to enhance user productivity and streamline operations across diverse business applications. These enhancements include intelligent automation, AI-powered insights, and immersive user experiences that are designed to break down barriers between data, insights, and individuals. Watch a summary of the release highlights.    Discover the latest features that empower organizations to operate more efficiently and adaptively. From AI-driven sales insights and customer service enhancements to predictive analytics in supply chain management and autonomous financial processes, the new capabilities enable businesses to proactively address challenges and capitalize on opportunities.    

Updates to Transitions in the Power Platform Communities

We're embarking on a journey to enhance your experience by transitioning to a new community platform. Our team has been diligently working to create a fresh community site, leveraging the very Dynamics 365 and Power Platform tools our community advocates for.  We started this journey with transitioning Copilot Studio forums and blogs in June. The move marks the beginning of a new chapter, and we're eager for you to be a part of it. The rest of the Power Platform product sites will be moving over this summer.   Stay tuned for more updates as we get closer to the launch. We can't wait to welcome you to our new community space, designed with you in mind. Let's connect, learn, and grow together.   Here's to new beginnings and endless possibilities!   If you have any questions, observations or concerns throughout this process please go to https://aka.ms/PPCommSupport.   To stay up to date on the latest details of this migration and other important Community updates subscribe to our News and Announcements forums: Copilot Studio, Power Apps, Power Automate, Power Pages

Users online (4,030)