App permission for deleting Planner Task from Power Automate

Question

App permission for deleting Planner Task from Power Automate

GUIOT Nicolas 20

Hello,

I'm trying to create a Power Automate flow to delete Planner tasks from a list, by calling an HTTP request (method: DELETE). My issue is about the access-token to give to the call.

I registered an App in my Azure Portal, and granted some permissions to Microsoft Graph, in particular Tasks.ReadWrite.

But I get the following error :

You do not have the required permissions to access this item, or the item may not exist.

What's wrong?

Thanks

Kr,

Nicolas

CarlZhao-MSFT 46,376 Reputation points

2023-12-20T07:58:45.61+00:00

Hi @GUIOT Nicolas

Please use jwt.ms to decode your access token and share a screenshot.

GUIOT Nicolas 20

Hello, here is the decoded token I received from Azure :

{
  "typ": "JWT",
  "nonce": "aA734lt6P6EDlD6Lu5wGyz_eBneDVus4F0KaIH60Ajo",
  "alg": "RS256",
  "x5t": "5B3nRxtQ7ji8eNDc3Fy05Kf97ZE",
  "kid": "5B3nRxtQ7ji8eNDc3Fy05Kf97ZE"
}.{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8b87af7d-8647-4dc7-8df4-5f69a2011bb5/",
  "iat": 1703845844,
  "nbf": 1703845844,
  "exp": 1703849744,
  "aio": "E2VgYPBcXb19wX9mvaDGuZ1X/b7vAAA=",
  "app_displayname": "Planner Internal Control",
  "appid": "413e2fbe-0160-4099-bbac-4fa2a6135cd6",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8b87af7d-8647-4dc7-8df4-5f69a2011bb5/",
  "idtyp": "app",
  "oid": "7c21d810-a522-4a44-a1bd-44943ab1129c",
  "rh": "0.AQIAfa-Hi0eGx02N9F9pogEbtQMAAAAAAAAAwAAAAAAAAAACAAA.",
  "sub": "7c21d810-a522-4a44-a1bd-44943ab1129c",
  "tenant_region_scope": "EU",
  "tid": "8b87af7d-8647-4dc7-8df4-5f69a2011bb5",
  "uti": "KPnA-EMfLUqlrZV7Qr1IAQ",
  "ver": "1.0",
  "wids": [
    "0997a1d0-0d1d-4acb-b408-d5ca73121e90"
  ],
  "xms_tcdt": 1329993729,
  "xms_tdbr": "EU"
}.[Signature]

GUIOT Nicolas 20 Reputation points

2023-12-29T10:40:12.47+00:00

And a screenshot from Azure :
GUIOT Nicolas 20 Reputation points

2023-12-29T10:42:43.8833333+00:00

App permissions in Azure :
GUIOT Nicolas 20 Reputation points

2023-12-29T10:58:55.3333333+00:00

Which authentication method should I use in the call HTTP DELETE ? Should I use again the Active Directory OAuth, or None of them as I already have a valid token (passed via the Header Authorization property)?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-12-29T23:05:00.0366667+00:00

Hello @GUIOT Nicolas , the shared token looks like an ID token which is should not be used for API/service authorization. Please share your access token.
GUIOT Nicolas 20 Reputation points

2024-01-02T08:04:17.6633333+00:00

Hello @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , this is maybe the error cause. Do you mean the ID token I get first should be used to only get an access token then? In other words, should I call two times the Azure API before getting a valid token for the API/service I target with my DELETE HTTP request?
GUIOT Nicolas 20 Reputation points

2024-01-02T08:08:18.67+00:00

This is the Azure call I do:

Accepted answer

0 additional answers

Your answer

CarlZhao-MSFT 46,376 Reputation points

2023-12-20T07:58:45.61+00:00

Hi @GUIOT Nicolas

Please use jwt.ms to decode your access token and share a screenshot.
GUIOT Nicolas 20 Reputation points

2023-12-29T10:38:59.0966667+00:00

Hello, here is the decoded token I received from Azure :

{ "typ": "JWT", "nonce": "aA734lt6P6EDlD6Lu5wGyz_eBneDVus4F0KaIH60Ajo", "alg": "RS256", "x5t": "5B3nRxtQ7ji8eNDc3Fy05Kf97ZE", "kid": "5B3nRxtQ7ji8eNDc3Fy05Kf97ZE" }.{ "aud": "https://graph.microsoft.com", "iss": "https://sts.windows.net/8b87af7d-8647-4dc7-8df4-5f69a2011bb5/", "iat": 1703845844, "nbf": 1703845844, "exp": 1703849744, "aio": "E2VgYPBcXb19wX9mvaDGuZ1X/b7vAAA=", "app_displayname": "Planner Internal Control", "appid": "413e2fbe-0160-4099-bbac-4fa2a6135cd6", "appidacr": "1", "idp": "https://sts.windows.net/8b87af7d-8647-4dc7-8df4-5f69a2011bb5/", "idtyp": "app", "oid": "7c21d810-a522-4a44-a1bd-44943ab1129c", "rh": "0.AQIAfa-Hi0eGx02N9F9pogEbtQMAAAAAAAAAwAAAAAAAAAACAAA.", "sub": "7c21d810-a522-4a44-a1bd-44943ab1129c", "tenant_region_scope": "EU", "tid": "8b87af7d-8647-4dc7-8df4-5f69a2011bb5", "uti": "KPnA-EMfLUqlrZV7Qr1IAQ", "ver": "1.0", "wids": [ "0997a1d0-0d1d-4acb-b408-d5ca73121e90" ], "xms_tcdt": 1329993729, "xms_tdbr": "EU" }.[Signature]
GUIOT Nicolas 20 Reputation points

2023-12-29T10:40:12.47+00:00

And a screenshot from Azure :
GUIOT Nicolas 20 Reputation points

2023-12-29T10:42:43.8833333+00:00

App permissions in Azure :
GUIOT Nicolas 20 Reputation points

2023-12-29T10:58:55.3333333+00:00

Which authentication method should I use in the call HTTP DELETE ? Should I use again the Active Directory OAuth, or None of them as I already have a valid token (passed via the Header Authorization property)?
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2023-12-29T23:05:00.0366667+00:00

Hello @GUIOT Nicolas , the shared token looks like an ID token which is should not be used for API/service authorization. Please share your access token.
GUIOT Nicolas 20 Reputation points

2024-01-02T08:04:17.6633333+00:00

Hello @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA , this is maybe the error cause. Do you mean the ID token I get first should be used to only get an access token then? In other words, should I call two times the Azure API before getting a valid token for the API/service I target with my DELETE HTTP request?
GUIOT Nicolas 20 Reputation points

2024-01-02T08:08:18.67+00:00

This is the Azure call I do:

Answer 1

CarlZhao-MSFT 46,376

Hi @GUIOT Nicolas

This is not an id token, but an app-only token. Delegated permissions you grant to the calling app are not synced into the app-only token.

You should request a delegated access token using the delegated authentication flow. Don't forget to grant user consent for your permissions when logging in the user.

https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=code
&redirect_uri={redirect url}
&response_mode=query
&scope=Tasks.ReadWrite
&state=12345

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

GUIOT Nicolas 20 Reputation points

2024-01-02T11:04:03.3966667+00:00

Hello, thank for your help. I'm a bit lost as I thought that I was already identified in my Power Automate flow while calling the HTTP request for the access token. By the way, as I'm in a flow (and not in a Brower app), I don't need any redirection after authentication. Is that authorize call absolutely required before getting a Delegated permission to Graph Explorer API (scope Tasks.ReadWrite added to the delegated permissions in the portal)?

Thanks
CarlZhao-MSFT 46,376 Reputation points

2024-01-03T03:07:33.9+00:00

Hi @GUIOT Nicolas

If you cannot grant user consent for the permission in browser interaction, then you must grant admin consent in the portal. I noticed that you are not yet an admin for your tenant, so please contact your global admin to grant consent for your permissions. After that, use the delegated ROPC flow to request an access token. Note that the ROPC flow authenticates your users through silent login, which requires you to provide a username/password.

If your context does not support hardcoding user passwords, continue to use the current client credentials flow, but this requires you to grant the Tasks.ReadWrite.All application permission to the calling app.
GUIOT Nicolas 20 Reputation points

2024-01-03T07:31:17.41+00:00

Hi CarlZhao-MSFT,

Thank you for your reply. That's a pity I need an explicit consent while calling the API. I'm gonna content an admin to (hopefully) get the consent to grant app-permission.

Thank you

Kr,

Nicolas
CarlZhao-MSFT 46,376 Reputation points

2024-01-03T07:51:04.9766667+00:00

Hi @GUIOT Nicolas

Application permissions are tenant-scope, so it must be granted consent by a global admin.

--please don't forget to Accept as answer if the reply is helpful--

Share via

App permission for deleting Planner Task from Power Automate

0 additional answers

Your answer