Power Automate Flow - Microsoft Authentication in receiving HTTP request

I have a Power Automate flow which starts when an HTTP request is received.
To continue, I need to have the Microsoft user of the person who is calling the link. Is it possible to make a redirect to login.microsoftonline.com or something else? How can I read the user's email?
UPDATE: I tried to handle this with a custom connection to the Microsoft Graph API. I set "enable onbehalf of login" to "true".
But now I get the following error:
Connect cannot be used to activate this flow, either because this is not a valid connection or because it is not a connection you have access permission for. Either replace the connection with a valid connection you can access or have the connection owner activate the flow, so the connection is shared with you in the context of this flow.

Related

Querying Bookings API using Microsoft Graph isn't working

I am trying to use Microsoft Flow to retrieve Microsoft Bookings data. I'm doing this by using the HTTP with Azure AD connector. I have set up all permissions. It was working perfectly fine until yesterday, when the connector said I'm unauthorized to retrieve the data. I can't even hit https://graph.microsoft.com/beta/bookingBusinesses/page_id/appointments anymore. Is there some issue with Microsoft, or is there an issue on my side? I've used Graph Explorer and I'm able to successfully retrieve the Bookings API. Could someone provide some feedback, as this is becoming business critical and I need to obtain the data for reporting? Or maybe guide me on how I can retrieve an access token that never expires. It would be much appreciated if someone can really help me out. I've attached a screenshot of my flow failing.
Screenshot of HTTP with Azure AD failing. I've also just found out that I can query https://graph.microsoft.com/beta but I can't hit the BookingBusinesses API.
Screenshot of https://graph.microsoft.com/beta working using the connector
What I have already tried:
Deleted the connection and created it again
Created a connection using another account
Created App registrations and used the Client_id, tenant_id and client_secret to create a connection using the HTTP request, but it still doesn't work
Screenshot of HTTP Request Connector, but this still failed
App registration Permissions
For this problem, I tested it with "Invoke an HTTP request" first, but as I'm not familiar with this action, the request did not succeed. But we can also use the "HTTP" action in Microsoft Flow to get the access token and use the access token to make the request, as you mentioned in the comments.
The reason you failed to use the access token to request the Graph API is that you set the grant_type to client_credentials when you requested the access token. Since the permissions you added are of the "delegated" type and not the "application" type, we cannot use the "client_credentials" grant to get the access token. We need to use "password" as the grant_type (shown in the screenshot below).
Then use the "Parse JSON" action to parse the response of the "HTTP" request above to get the access token, and use the access token to request the Graph API.
My guess is the flow connector lost its refresh token or something to that effect. You may need to just refresh your flow connector, either by switching accounts or something, or by deleting the Azure AD connector and reconnecting it.
Give that a try.

KeyVaultClient making a single request using GetSecretAsync via the client library generates an additional call to Key Vault

We are using the KeyVaultClient library on an application in Service Fabric that calls a Key Vault to read various configuration data stored as secrets. The way the code authenticates to the vault is via an AAD principal with an SSL certificate. The code is creating a single request, but when we look at Key Vault logs, for every single request the code creates, the vault is hit twice. The first hit generates a 401 Unauthorized and then the second request is a Success.
It seems as if the library is possibly first attempting to hit the Key Vault without the credentials in our request before proceeding with the request we create. The second request works exactly as expected. This seems unnecessary. Has anyone had a similar experience?
This is expected behavior. Azure Key Vault has an authentication pattern which will always make at least one unauthenticated call to the vault. This is because some vaults have requirements that messages to them be encrypted with HSM-protected keys. This information is returned in the authentication challenge from the first unauthenticated call.
For this reason, each time you send a request to a vault you haven't connected to yet in that process, the SDK first sends the request with an empty body and without an Authorization header. This will result in a 401 which will have the authentication and message protocol information.
For more details, you could refer to the similar issue.
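One way to apply this when reviewing Key Vault logs, as an added example that is not from the original answer or the Key Vault SDK: pair each 401 with a later success from the same caller for the same request, and report only the 401s that were never followed by one. The record fields (`time`, `callerIp`, `requestUri`, `status`), the 5-second window and the vault name are simplified assumptions, and the log records are constructed.

```javascript
// Added example: separate the expected Key Vault challenge 401s from 401s
// that were never followed by an authenticated retry.
// Field names and the pairing window are assumptions, not the real log schema.
const PAIR_WINDOW_MS = 5000;
const VAULT = "https://example-vault.vault.azure.net"; // placeholder vault

// Constructed sample records (documentation IP ranges).
const SAMPLE_LOG = [
  { time: "2020-01-01T10:00:00.100Z", callerIp: "203.0.113.10", requestUri: VAULT + "/secrets/db-conn", status: 401 },
  { time: "2020-01-01T10:00:00.350Z", callerIp: "203.0.113.10", requestUri: VAULT + "/secrets/db-conn", status: 200 },
  { time: "2020-01-01T10:00:02.000Z", callerIp: "198.51.100.7", requestUri: VAULT + "/secrets/db-conn", status: 401 },
  { time: "2020-01-01T10:00:02.900Z", callerIp: "198.51.100.7", requestUri: VAULT + "/secrets/db-conn", status: 401 },
  { time: "2020-01-01T10:00:09.000Z", callerIp: "203.0.113.10", requestUri: VAULT + "/secrets/api-key", status: 401 },
  { time: "2020-01-01T10:00:20.000Z", callerIp: "203.0.113.10", requestUri: VAULT + "/secrets/api-key", status: 200 },
];

function classify401s(records, windowMs = PAIR_WINDOW_MS) {
  const sorted = [...records].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
  const used = new Set(); // indexes of successes already paired with a 401
  const expected = [];    // 401 followed by a success: the challenge handshake
  const unmatched = [];   // 401 with no authenticated retry: worth a look

  sorted.forEach((rec, i) => {
    if (rec.status !== 401) return;
    const t0 = Date.parse(rec.time);
    let match = -1;
    for (let j = i + 1; j < sorted.length; j++) {
      const next = sorted[j];
      if (Date.parse(next.time) - t0 > windowMs) break; // retry came too late
      const ok = next.status >= 200 && next.status < 300;
      const sameCall = next.callerIp === rec.callerIp && next.requestUri === rec.requestUri;
      if (ok && sameCall && !used.has(j)) { match = j; break; }
    }
    if (match >= 0) {
      used.add(match);
      expected.push(rec);
    } else {
      unmatched.push(rec);
    }
  });
  return { expected, unmatched };
}
```

On the sample, the first 401 is paired with the success 250 ms later; the two 401s from 198.51.100.7 and the 401 whose success arrives 11 seconds later are returned as unmatched.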

Biztalk 2009: Redirect a message to a different web service

Current State: BizTalk receives a message via Web Service A (hosted on the same machine). BizTalk processes the message and sends it to the backend.
Future State: BizTalk still receives the message via Web Service A. If a field inside the message matches a certain value, BizTalk needs to send the message to a different web service (Web Service) on another server. Else, proceed with the existing flow.
BizTalk is required as a middleware between Application and Web Service B due to network connection. The server for Web Service B only accepts TLS 1.2, which the Application Server has yet to support.
Is it possible to reroute the message even before it enters the first orchestration?
Kindly provide the best way to do it, with detailed guidance on the changes required, or point to an existing question or documentation if any.
P.S.: Newbie to BizTalk. Let me know if further information needs to be provided.
Yes, quite possible
Promote the field that you wish to route on in the schema
Set the filter expressions on the send ports that look at this promoted property
Note: For TLS 1.2 you will need a Custom End Point behaviour on the send port to specify to use TLS 1.2.
As @Dijkgraaf says, you can promote the field on the schema and then use filter expressions on the send ports to redirect the incoming message to the new Web Service B.
If you need an Orchestration to implement some process before sending to Web Service B, you can use the Filter Expression property of the first Receive Shape to catch the messages with the Promoted Property value that you need.

How can I change the access token in SignalR connection?

I want to create a web application (SPA with Angular) with token-based authentication.
It is required to create the access token with a short lifetime, perhaps 1 hour expiration.
I want to use SignalR for real-time communication, and I have tried sending the access token via the query string after starting the SignalR connection.
If the access token has expired, I create an HTTP request to refresh it and receive it in the JavaScript.
How can I send the new access token if the SignalR connection is running?
Is it possible to change the token, or is it necessary to close the connection and create a new one?
It depends on the transport technology that is used. In case of websockets you have to stop the connection, set the query-string and restart the connection. With other technologies you can directly change the query-string. You can check $.connection.hub.transport.name to learn what transport method is being used.
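The sequence described in this answer, as an added example rather than code from the original post: `refreshHubToken` and the `access_token` query-string key are hypothetical names, `hub` stands for `$.connection.hub` from the SignalR jQuery client, and `hub.qs` is assumed to be an object or unset.

```javascript
// Added example. Applies a refreshed access token to a SignalR hub connection
// following the transport rule given in the answer above.
// `hub` is expected to be $.connection.hub; the function name and the
// "access_token" key are assumptions, use the key your server reads.
function refreshHubToken(hub, newToken) {
  if (typeof newToken !== "string" || newToken.length === 0) {
    throw new Error("refusing to set an empty access token");
  }
  // Keep any other query-string values the application already set.
  const qs = Object.assign({}, hub.qs, { access_token: newToken });
  const transport = hub.transport && hub.transport.name;

  if (!transport) {
    // Not connected yet: the token is sent when the caller starts the hub.
    hub.qs = qs;
    return { restarted: false, pending: null };
  }
  if (transport === "webSockets") {
    // The query string is only sent when the socket is opened,
    // so the connection is stopped, updated and started again.
    hub.stop();
    hub.qs = qs;
    return { restarted: true, pending: hub.start() };
  }
  // Other transports: change the query string directly, as the answer says.
  hub.qs = qs;
  return { restarted: false, pending: null };
}
```

`pending` is whatever `hub.start()` returns, so the caller can wait for the reconnect before invoking hub methods again.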

User Authentication in BizTalk Published Orchestration as WCF-WSHttp

I have published an orchestration as a WCF web service using WCF_WSHttp bindings. I think we about the SSL certificate working. It will be open to the internet, thus anyone who knows the URL could call it and pass data; so we want to add user/pass authentication. We simply want the one client/vendor to have the ability to call this web service, no one else.
I've been reading everywhere, and cannot find any specific steps.
I think I want something like Scenario #4 here: https://seroter.wordpress.com/biztalk-and-wcf-part-ii-security-patterns/, but I cannot see how he got the "Client Credentials" box to pop-up in BT-2010.
Best I can tell is I have to:
1) In BizTalk Admin Console - set Security Mode to TransportWithMessageCredential.
2) From here: https://msdn.microsoft.com/en-us/library/bb226482.aspx, I'm a little confused about the difference between Windows and Username. An outside vendor is calling our webservice, so they are not on our domain. Do I need to set up a service account? Or can I just make up a username and insert it here somewhere?
3) Do I have to make corresponding changes to the WCF web.config that was created by the BT-2010 "WCF Service Publishing Wizard"?
It seems like you're looking for just Basic authentication on the transport layer? All you then have to do is to create an AD user or a local user on the BizTalk machine and set the Transport client credential type to Basic.
