HTTP With Microsoft Entra ID

Use the HTTP connector to fetch resources from various Web services, authenticated by Microsoft Entra ID, or from an on-premise web service.

This connector is available in the following products and regions:

Service	Class	Regions
Logic Apps	Standard	All Logic Apps regions except the following:      -   US Department of Defense (DoD)
Power Automate	Premium	All Power Automate regions
Power Apps	Premium	All Power Apps regions

Contact
Name	Microsoft
URL	Microsoft LogicApps Support Microsoft Power Automate Support Microsoft Power Apps Support

Connector Metadata
Publisher	Microsoft

Known Issues and Limitations

1. For the ‘HTTP with Microsoft Entra ID’ connector to successfully retrieve data from another service, the app used by the connector must be granted access to the required scope. For details on how to grant the required access to the app, refer to Authorize the app to act on behalf of a signed-in user. If the required access is not granted, you may receive one of the following errors when you attempt to create the connection:

   Consent Required: To enable the HTTP With Microsoft Entra ID connector to access resources on behalf of a signed-in user, grant consent to this application.
   

   

   If a scope (permission) has been granted but not all of the required scopes are included, the creation of the connection will succeed but you will encounter a Forbidden (403) error at runtime. The error details may include additional information such as:

   "code": "Authorization_RequestDenied"
   "message": "Insufficient privileges to complete the operation." 
   

2. The connector encodes the request body into base64 encoding, hence it should be used to call backend services which expect the request body in this format. You cannot use this connector to call a backend service that expects the request body in raw binary format.

3. The connector is based on multi-tenant application registration. The application cannot tell what tenant the user is from until the user signs into it. Therefore, we only support specifying resources under users' default tenant ('common').

4. Resources based on ADFS SSO (Microsoft Entra ID Federation Services for Single Sign-On) are not supported. As a workaround, please use the "HTTP" connector.

5. When using this connector in a national cloud environment the resource must be their national cloud endpoint equivalent. Attempts to try to connect to public cloud (https://graph.microsoft.com, https://bing.com for example) from most national cloud environments will fail with a pre-authorization error.

   • GCC and Fairfax environments can continue to use public cloud endpoints (https://graph.microsoft.com, for example).
   • GCC-High resource example: https://graph.microsoft.us.
   • China resource example: https://microsoftgraph.chinacloudapi.cn.

6. The use of cookie authorization request header is not supported in case of on-premises data gateway enabled connection.

7. The asynchronous pattern based on the response Location header is not supported. Please use Azure Resource Manager connector instead if applicable.

8. The "Get File Content" action is not available in this connector because because it closely resembles the "Invoke HTTP" action. The only distinction between the two is that the former action encodes the response. Therefore, to obtain the base64-encoded response, you can simply transfer your response from the "Invoke HTTP" action to one of the available encoding actions.

9. Removing or adding preauthorizations can take up to 1 hour to reflect for connections existing prior to the update. However, new connections should reflect the updated authorizations instantly.

Authorize the connector to act on behalf of a signed-in user

As a user with the Global Administrator role, you need to create oAuth2PermissionGrants to approve the necessary permissions (scopes) for the required service.

For example, if you are using Microsoft Graph (https://graph.microsoft.com) and need to read calendar information, you can follow the Graph documentation to identify the permissions required (Calendar.Read). By granting the app (used by the connector) the Calendar.Read scope, it will allow the app to access this data from the service on behalf of the user. One important thing to note is that the data that can be accessed by the app is still limited to the data the user has access to in the service. It is not possible to use the Azure Portal to grant consent to this app. For this reason, a PowerShell script has been created by Microsoft to simplify granting consent to the app used by the HTTP with Microsoft Entra ID connector.

Important

PowerShell version 7 or later needs to be installed to run this script.

1. Download the required PowerShell script from here.

2. Right-click on the downloaded ManagePermissionGrant.ps1 file and then click Properties.

3. Click the Unblock checkbox and then click OK.

   

   If you do not check the Unblock checkbox, you will receive an error indicating the script cannot be loaded because it is not digitally signed.

4. Open a PowerShell command window.

5. Change the path to the location where you downloaded the script.

6. Type the following command and press Enter:

   .\ ManagePermissionGrant.ps1
   

   

7. You will be prompted to choose whether to authenticate to Azure Global (recommended) or to select from a list (advanced). If you are not connecting to subscriptions in US Gov, US Gov DoD, China, or Germany, press Enter.

   

8. If you have not already, you may be prompted to authenticate to the Microsoft identity platform in a new browser window. Authenticate as a user with the Global Administrator role.

9. To grant consent to some of the most used services such as Microsoft Graph or SharePoint, press Enter. If the service you need to consent to is not on the list of commonly used apps, use option A.

   

10. A dialog will appear. Select the application you want to consent to allowing the connector to act on behalf of a user. You can use the textbox at the top to filter the results.

    

11. Click OK.

12. Select one or more scopes (permissions) you want to consent to and then click OK. Multiple scopes can be selected by pressing and holding the CTRL key while selecting rows.

13. In the PowerShell window you will be prompted to choose the consent type. You can choose whether to allow the app to act on behalf of any logged in user or if you want to limit the consent to a specific user. If you want to provide consent for all users, press Enter. If you want to provide consent for only a specific user, type N and then press Enter. If you choose to consent for a specific user, you will be prompted to select the user.

14. If consent for any scopes already exist for the selected resource, you will be prompted to choose if you want to delete the existing grants first. If you want to delete existing grants, type Y and press Enter. If you want to keep the existing grants, press Enter.

15. A summary of the scopes you selected will be displayed in the PowerShell window. If you want to proceed with granting the selected scopes, type Y and then press Enter.

16. If the script can grant the consent successfully, you will see a message that script execution completed.

Creating a connection

The connector supports the following authentication types:

Default	Parameters for creating connection.	All regions	Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name	Type	Description	Required
Microsoft Entra ID Resource URI (Application ID URI)	string	The identifier used in Microsoft Entra ID to identify the target resource. For SharePoint Online and OneDrive for Business, use https://{contoso}.sharepoint.com. Usually, it is the base URL of your resource.	True
Base Resource URL	string	Specify the base URL of the HTTP resources or Application (client) ID in the form of the GUID you want to connect to.	True
Username	securestring	Username credential
Password	securestring	Password credential
Authentication Type	string	Authentication type to connect to your on-premise HTTP resource
Gateway	gatewaySetting	On-prem gateway (see https://docs.microsoft.com/data-integration/gateway for more details

Throttling Limits

Name	Calls	Renewal Period
API calls per connection	100	60 seconds

Actions

Invoke an HTTP request

Invokes an HTTP endpoint.

Invoke an HTTP request

Operation ID:

InvokeHttp

Invokes an HTTP endpoint.

Parameters

Name	Key	Required	Type	Description
Method	method	True	string	One of the known HTTP verbs: GET, DELETE, PATCH, POST, PUT.
Url of the request	url	True	string	A full or relative URL to the resource. If it is a full URL , it must match the base resource URL set in the connection.
Headers	headers		object	The request headers.
Body of the request	body		byte	Body of the request when the method requires it.

Returns

The content of the response.

Body

string