Logic Apps Authenticate with Microsoft API without Azure AD

mkovacs 51 Reputation points
2020-10-07T08:41:23.98+00:00

Hello,

We're working on a Logic App that needs to call a Microsoft API through the HTTP action. Calling this Microsoft API provides us with JSON data through a GET request, but some parts of it are only available when we're logged in with a Microsoft account.

How do we authenticate with the Microsoft API through the Logic App's HTTP request (e.g. with our own Microsoft account)?

We've found documentation about authentication through managed identities with Azure AD, but we're not using Azure AD.

Is there a way to do this without Azure AD?

Any help is really appreciated.

Thanks,


1 answer

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-10-07T09:13:29.297+00:00

    Hello @mkovacs, thank you for reaching out. Microsoft Graph API is an Azure AD protected resource, which means that in order to make a call to Microsoft Graph API, you would first need to grab an access token from Azure AD. Once Azure AD provides you with a token, you can submit that access token to the Microsoft Graph endpoint and fetch the required details.

    You can use your personal Microsoft accounts too to access the Microsoft Graph API, but then you need to create an App Registration in Azure AD for your Logic Apps that would call the Graph APIs. Anything that needs to access Microsoft Graph data using the API needs to have permissions. To grant permissions, you can register an app in Azure AD.

    The general auth flow looks something like:

    • The user accesses the app using a browser and hits the sign-in button ----> the app redirects the user to AAD, and AAD provides the popup window to enter the creds
    • After the user enters the Microsoft personal account email ID and password, AAD authenticates this user
    • AAD authenticates this user and gives back an Id_token in return to the app, for the app to know that the user is authenticated successfully.
    • Once the user is back to the app after authentication, the user performs some other operation that needs to call a Microsoft Graph API, and that creates a request for AAD. This request holds the clientID, and client Secret of the app's app registration that was done in AAD and also packs the list of permissions to access the Graph API in it.
    • Once this request reaches AAD, AAD issues an Access_token to access the Graph APIs based on the details mentioned in the request.
    • Later this access_token is used by the Application to make the final Graph API call.

    The steps remain the same for a Logic App also, but the only point there is that Logic Apps would only use the ClientID and ClientSecret (no user auth would be involved here) to create a request for Azure AD and fetch a token from it. This type of OAuth flow is termed the client_credentials flow.

    You can find more details on this here: https://pellitterisbiztalkblog.wordpress.com/2019/03/04/how-to-call-a-microsoft-graph-api-from-azure-logic-app/
    [Disclaimer]: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    For this purpose, you can utilize the system-managed identities also, as mentioned here. You can also refer to the following doc for more details on App Registration in AAD.

    To know more about Microsoft Personal Accounts you can refer to the following article.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

    1 person found this answer helpful.
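
The client_credentials exchange described in the answer above, written out as an added example (not code from the original thread or from Microsoft). It builds the token request the app sends to Azure AD, parses a constructed token response including the error case, and builds the Graph call. The tenant, client ID, secret and the `/v1.0/users` target are placeholder assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumptions (not from the original thread): tenant/client values are
# placeholders, and /v1.0/users stands in for whichever Graph call you need.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def build_token_request(tenant, client_id, client_secret):
    """Client-credentials request: app identity only, no user sign-in."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,  # permissions come from the app registration
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe="")),
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return the access token, or raise on an OAuth error response."""
    doc = json.loads(raw)
    if "error" in doc:
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    return doc["access_token"]


def build_graph_request(access_token, url="https://graph.microsoft.com/v1.0/users"):
    """GET against Graph carrying the token as a bearer credential."""
    return urllib.request.Request(
        url, method="GET", headers={"Authorization": f"Bearer {access_token}"}
    )


if __name__ == "__main__":
    # Secret comes from the environment, never from source control.
    req = build_token_request("contoso.example", "00000000-0000-0000-0000-000000000000",
                              os.environ.get("CLIENT_SECRET", "constructed-secret"))
    constructed = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed.jwt.value"}'
    print(req.full_url, build_graph_request(parse_token_response(constructed)).headers)
```

Nothing is sent over the network here; pass the returned `Request` objects to `urllib.request.urlopen` to run the exchange against a real app registration.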