cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
Anonymous
Not applicable

Feedback portal with OTP authentication

I have a use-case that requires users to fill forms for feedback, complaints or suggestions. Before seeing and submitting the form, they need to verify their identify through an OTP sent by SMS to their phones.

 

We want to use Power Apps portals for that, as we need it to be publicly accessible, but it's really not intuitive for me and the documentation doesn't help either. How would I best achieve this? The user, upon hitting the 'website', can either see a page asking them to input their phone numbers, which then sends the OTP, verifies it, and finally navigates them to another page which is the form, OR just see the form from the beginning, input all their info (including their phone numbers), and upon submitting, an OTP is sent, verified and only then, the form submits successfully.

 

I want to use Twilio for sending and verifying the OTPs. How can I link the submit or any button to its API? Do I have to use a Power Automate flow here? I've seen PA supports sending messages to SMS, would that be it or is there a separate action for OTPs?

7 REPLIES 7

Hi @Anonymous ,

This is an interesting question. If you want your user to login into the portal before accessing and submitting data one way you could achieve this would be to use Azure AD B2C as your identity provider. They natively support 2-factor auth with SMS support. If you want your portal to be accessed by any user without auth then a possible solution might be to call Power Automate (either via HTTP or while creating record in the system) that will generate some OTP code, save it in the system and send then via Twillio (or any other SMS provider) to the user. Then user enters that code that you can validate either via Read Web API or by other methods and confirms submit. You can also use custom Azure Functions instead of Power Automate or just call Twillio API directly from the portal but in the last scenario, you would need to come up with some secure way of generating and validation process which might be tricky to do on the front end.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

You for sure would need to get a Twillio API thing to come back and set the Verfied flag somewhere on the back end - as that would not happen on the Portal front-end.

 

Portal = Dataverse = Automate Cloud flow = Twillio API

Not guranteed speed

 

Portal = Custom API Front-end = Twillio API

Faster

 

Twillio API = Power Automate (does phone number matching in Dataverse = Set Dataverse table record to Verified

 

This would be all Async to the user as portal does not currently have Sync intergration pattern 

 

 

 

Anonymous
Not applicable

Thank you for the reply. What I want is for users to access the feedback form without having to login. The only authentication they have to do is verifying their phone numbers through an OTP before or when submitting the form. 

 

I created a custom Twilio API using Node.js with two routes: one that generates an OTP and sends it to the user, and another that verifies it. I then used Javascript in the Portal script code of a page to fetch the API; user clicks a button, enters their phone number and an OTP is sent; a text input appears, asking for the OTP which triggers the verify API call; if it's verified, a message appears and the user is redirected to another page; otherwise, they're asked to verify again.

 

Now, I'm assuming this isn't very safe as I basically expose the API calls on the client side/front-end, but it did seem the easiest. Any documentation on how I could use an Azure Function? What would be the trigger?

Anonymous
Not applicable

Thank you for the reply. 

 

If I use Power Automate, I'd have to first create a HTTP request trigger, which then feeds into a random number generator (if that's possible), and finally to the Twilio send SMS action. I store the OTP of that unique user in a  table. Using Javascript, I'd have to connect to the entity which is storing all the OTPs (using Liquid templating and FetchXML, I'm assuming?), and compare the OTP code the user inputs somewhere against the OTP stored in backend/db. If it's verified, I somehow either change the status or just delete the record. Am I thinking correctly here?

@Anonymous it is not unsafe if you are not exposing any secrets and passwords for your API. You can also further protect your API by using for example Azure API Management to hide actual endpoints, allow calls only from your website etc. I am not sure that there some official guide on how to get started with Azure Functions and Dataverse or Dynamics but there are plenty of blog posts. Also in your case, you might not need to connect with Dataverse at all. As a good starting point for Azure Function and Node.js see here - https://docs.microsoft.com/en-us/azure/azure-functions/functions-get-started?pivots=programming-language-javascript. Regarding the trigger - you can create HTTP trigger function and call it as a regular API endpoint.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.
Anonymous
Not applicable

I tried Azure Functions and it worked very well. I just hosted my code in a Function App and used the request url it generated with the HTTP trigger. 

 

One thing though; what I currently do is generate an OTP through a POST request, and then verify the OTP (all through Twilio). If the OTP is verified, it redirects the user to another page (form page). But users can just bypass the OTP page and go to the form page directly. Is there a way to prevent that? I thought of the page level permissions but they depend on authentication like Azure AD or the support third parties, not something custom like the OTP. How would I be able to restrict the user who hasn't verified their OTP, to go directly to the form page, and only be able to go there when they verify?

 

I know I can do all of this in one page, but they want two separate pages for some reason.

 

Thanks.

@Anonymous interesting question. Well, this might be overkill, but the first thing that came to my mind is when you send an OTP to the user save it to the Dataverse and then when the user is redirected to the new page include that OTP in the request URL and use liquid to validate that this OTP indeed exists and didn't expire and show page content otherwise show an error. It sounds like a double verification (and it is ) but I don't see anything else straight away for two-page approach. If I will get another idea will reply again.

----------------------------------------------------
If you find this post helpful consider marking it as a solution to help others find it.

Helpful resources

Announcements

Are you ready to SUIT UP and become a Super User? Find out how TODAY!

We can’t imagine our communities without the amazing work of our Super Users! They are the most active members of our community, offering incredible solutions, providing answers to questions across the forum, and working closely with the Microsoft Power Platform Community team to find new ways to engage our communities around the world.   If you are interested in becoming a Super User, today at #MPPC23, we annoucned a new way for you to “SUIT” up and earn your Super User badge! The new “Super User in Training” initiative is a great way for you to begin building your solution rate, engage with other community members, and find out what it takes to truly be SUPER.   Become a “super solver” across the Power Platform communities, whether you’re an expert in Power Apps or just getting started with Power Pages. No matter where you are on your Power Platform journey, we are here to encourage YOU to discover YOUR superpower! Don't sell your self short, even as a newcomer to Power Platform or Dynamics 365 you are on a journey of discovery.  In fact in my experience people that are just starting out are often the ones that can solve some of the  most challenging problems because the research they are doing to get ramped up is exactly what the person asking for help is seeking!   Find out more about the SUIT program for “Super Users in Training” at the Power Platform Community Lounge at #MPPC23. Not at the Conference, just click this link to find out how to sign up today: aka.ms/suit

Back to Basics: Tuesday Tip #2: All About Community Ranks

This weekly series is our way of helping the amazing members of our community--both new members and seasoned veterans--learn and grow in how to best engage in the community! Each Tuesday, we will feature new areas of content that will help you best understand the community--from ranking and badges to profile avatars, from Super Users to blogging in the community. Our hope is that this information will help each of our community members grow in their experience with Power Platform, with the community, and with each other!   Have you ever wondered how your fellow community members earn the different ranks available? What is the difference between an Advocate and a Helper, a Solution Sage and a Community Champion? In today's #TuesdayTip, we share the secrets and tips to help YOU keep your ranking growing--and why it's so important to our communities. What are community ranks? - Power Platform Community (microsoft.com)   Get the details in this Knowledge Base article that shows you what ranks are, how they are achieved, and what they mean to you as you engage with other community members on a regular basis. Once you start your journey in the community, ranking up, you'll find the benefits. So get busy with those kudos, solutions, and more! We can't wait to see how you rank!That's it for this week. Tune in for more Tuesday Tips next Tuesday and join the community as we continue to get "Back to Basics."

It's #MPPC23 Week! Check Out the Community Sessions and Events Happening in Vegas

After all the planning and preparing, the annual Microsoft Power Platform Conference is finally here! We are excited to see so many of our community in Las Vegas this week. To help make sure you don't miss any of the workshops, sessions, and events we have planned, make sure to check out this handy Community One-Sheet, and download the pdf today! Make sure to stop by the Community Lounge to meet @hugobernier, @EricArcher, @heaher_italent, and @AshleyFelts from our team!    

Join Us for the First-Ever Biz Apps Community User Group Meeting: Live from MPPC23

      Join us for the first-ever the Biz Apps Community User Group meeting live from the Power Platform Conference! This one hour user group meeting is all about discovering the value and benefits of User Groups! Discover how you can find a group in your local area or about specific topics where you can learn new skills and meet like-minded people as a user group member.   Hear from User Group leaders about why they do what they do and what resources they receive to help them succeed as community ambassadors. If you have never attended a User Group meeting before, this will be a great introduction! We hope you are inspired to find a group that meets your unique interests!   October 5th at 2:15 pm Pacific time   If you're attending #MPPC23 in Las Vegas, join us in person! Find out more here: https://powerplatformconf.com/#!/session/Biz%20Apps%20Community%20User%20Group%20Meeting%20-%20Live%20from%20MPPC/6172   Not at MPPC23? Attend vvirtually by registering here: https://aka.ms/MPPCusergroupmeeting2023    If you can't attend this meeting live, don't worry! We will record this meeting and share it with the Community at powerusers.microsoft.com 

Back to Basics: Tuesday Tip #1: All About YOUR Community Account

We are excited to kick off our new #TuesdayTIps series, "Back to Basics." This weekly series is our way of helping the amazing members of our community--both new members and seasoned veterans--learn and grow in how to best engage in the community! Each Tuesday, we will feature new areas of content that will help you best understand the community--from ranking and badges to profile avatars, from Super Users to blogging in the community. Our hope is that this information will help each of our community members grow in their experience with Power Platform, with the community, and with each other!     This Week's Tips: Account Support: Changing Passwords, Changing Email Addresses or Usernames, "Need Admin Approval," Etc.Wondering how to get support for your community account? Check out the details on these common questions and more. Just follow the link below for articles that explain it all.Community Account Support - Power Platform Community (microsoft.com)   All About GDPR: How It Affects Closing Your Community Account (And Why You Should Think Twice Before You Do)GDPR, the General Data Protection Regulation (GDPR), took effect May 25th 2018. A European privacy law, GDPR imposes new rules on companies and other organizations offering goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. GDPR applies no matter where you are located, and it affects what happens when you decide to close your account. Read the details here:All About GDPR - Power Platform Community (microsoft.com)   Getting to Know You: Setting Up Your Community Profile, Customizing Your Profile, and More.Your community profile helps other members of the community get to know you as you begin to engage and interact. Your profile is a mirror of your activity in the community. Find out how to set it up, change your avatar, adjust your time zone, and more. Click on the link below to find out how:Community Profile, Time Zone, Picture (Avatar) & D... - Power Platform Community (microsoft.com)   That's it for this week. Tune in for more Tuesday Tips next Tuesday and join the community as we get "Back to Basics."

Announcing the MPPC's Got Power Talent Show at #MPPC23

Are you attending the Microsoft Power Platform Conference 2023 in Las Vegas? If so, we invite you to join us for the MPPC's Got Power Talent Show!      Our talent show is more than a show—it's a grand celebration of connection, inspiration, and shared journeys. Through stories, skills, and collective experiences, we come together to uplift, inspire, and revel in the magic of our community's diverse talents. This year, our talent event promises to be an unforgettable experience, echoing louder and brighter than anything you've seen before.    We're casting a wider net with three captivating categories:  Demo Technical Solutions: Show us your Power Platform innovations, be it apps, flows, chatbots, websites or dashboards... Storytelling: Share tales of your journey with Power Platform. Hidden Talents: Unveil your creative side—be it dancing, singing, rapping, poetry, or comedy. Let your talent shine!    Got That Special Spark? A Story That Demands to Be Heard? Your moment is now!  Sign up to Showcase Your Brilliance: https://aka.ms/MPPCGotPowerSignUp  Deadline for submissions: Thursday, Sept 28th    How It Works:  Submit this form to sign up: https://aka.ms/MPPCGotPowerSignUp  We'll contact you if you're selected. Get ready to be onstage!  The Spotlight is Yours: Each participant has 3-5 minutes to shine, with insightful commentary from our panel of judges. We’re not just giving you a stage; we’re handing you the platform to make your mark.     Be the Story We Tell: Your talents and narratives will not just entertain but inspire, serving as the bedrock for our community’s future stories and successes.    Celebration, Surprises, and Connections: As the curtain falls, the excitement continues! Await surprise awards and seize the chance to mingle with industry experts, Microsoft Power Platform leaders, and community luminaries. It's not just a show; it's an opportunity to forge connections and celebrate shared successes.    Event Details:  Date and Time: Wed Oct 4th, 6:30-9:00PM   Location: MPPC23 at the MGM Grand, Las Vegas, NV, USA  

Users online (2,306)