cancel
Showing results for 
Search instead for 
Did you mean: 

Security - restrict HTTP - Request trigger by IP address, tenant, group, users

I want to secure my flows by restrict IP address, tenant, group, users for HTTP - Request trigger.

 

My scenario:

1. Restrict in my company ipaddress to use my flows which trigger by HTTP - Request.

2. Restrict in my users of our Office 365 group to use my flows which the trigger by HTTP - Request and use from SharePoint - Flow menu.

 

Secure:

Current, Anyone who know HTTP POST URL of the trigger, can use our Flows.

At SharePoint, When create Flow by template 'Complete a custom action for the selected item', the new flow by trigger HTTP - Request, and can use anyone who know HTTP POST URL.

 

Regards,

Yoshihiro Kawabata

 

 

 

 

Status: Under Review

Thank you for the idea, we will evaulate this.

Comments
SamPo
Power Participant

@Jotad710 That's really not an alternative for the issue here. The issue is we have no way of securing our flows that are called by external services. For example I can't create a flow that takes some action on 365 without knowing that I can secure the incoming HTTP request and currently there's no way of doing that with flows.

Anonymous
Not applicable

This is very crucial for our Power Automate adoption process. Security control related to HTTP Requests is mandatory. Please consider implementing this soon. 

VincentWong
New Member

May I ask if there is any update for this idea?

My organization have similar use case and concern.

SamPo
Power Participant

@VincentWong The solution here is to use Azure Logic Apps instead for any flow that requires this restriction. Would be great if they add this to PA as well but doesn't seem like its happening any time soon

dapug
New Member

I simply cannot believe this has not been addressed. 

I had a major project that really needed to use Power Automate, but it was denied after a security review with my team.  Awesome MS.  Lack of security is not AT ALL like you.  I've always looked to MS for good security practices, but not today.

SamPo
Power Participant

@dapug See my above comment, you can get this functionality with LogicApps instead. All the same features as Power Automate just with extra settings and security.

dapug
New Member

@SamPo thanks, I did see that, but unfortunately it is not a viable resolution.

 

Without going into too much elaboration, Logic Apps requires an Azure subscription, and PowerAutomate does not.  I love Azure, and we can use it for other things, but in this particular scenario and department of my company, we can only use our enterprise o365 platform for this particular project and not Azure.

 

Even if PA didn't have an Active Directory tie-in, an IP restriction setting at the least would have helped the cause.  Even better would be some OAuth ability.