February 4, 2021

How to Run Power Automate with Admin Consent from Power Apps?

Introduction

We recently converted the InfoPath forms to Power Apps forms for an Engineering & Construction company located in Boston, Massachusetts, United States. In one of the forms we converted, the requirement was to populate a dropdown list with the members of a SharePoint Group as values. 

Problem Statement

To populate a dropdown in Power Apps with SharePoint group users, we added a Microsoft Power Automate flow that uses the “Send an HTTP request to SharePoint” action to our Power Apps application. But when a user who is neither a member of the group nor has Full Control permission opens the form, the flow fails.

Error in Power Apps:


Error in Power Automate (MS Flow): 

Error: Access denied. You do not have permission to perform this action or access this resource.

Root Cause:

Flows started by Power Apps run in the context of the user who is running the app. So when a user who is neither a member of the SharePoint Group nor has Full Control permission opens the form, the SharePoint request is made with that user's permissions and the flow fails.
  

Resolution

So we decided to run the flow in the context of a SharePoint Add-in. When the add-in-only policy is used, SharePoint checks only the permissions of the add-in principal. Authorization checks succeed only if the current add-in has sufficient permissions to perform the action in question, regardless of the permissions of the current user (if any).
The entire procedure covers the following steps:
  1. Register SharePoint Add-ins
  2. Create Power Automate flow to get users from SharePoint Group
  3. Configure flow in Power Apps

Step-1: Register SharePoint Add-ins
Please check this article, which describes the steps to register an app in SharePoint. The Client ID and Client Secret obtained from this process will be used in Step 2.
 
Step-2: Microsoft Flow to get SharePoint Users
  1. Create an instant cloud flow with the Power Apps trigger, as shown in the picture below.

  2. Now, instead of the “Send an HTTP request to SharePoint” action, we will use the “HTTP” action.

    In the HTTP action, fill in the details as follows:
    • Method: Post
    • Replace the Tenant ID in the URI.
      URI: https://accounts.accesscontrol.windows.net/TenantID/tokens/OAuth/2
    • Replace the highlighted content in the body (ClientID, TenantID, ClientSecret and TenantName).
      Body: grant_type=client_credentials&client_id=ClientID@TenantID&client_secret=ClientSecret&resource=00000003-0000-0ff1-ce00-000000000000/TenantName.sharepoint.com@TenantID
    • Headers:
      Key: Content-Type
      Value: application/x-www-form-urlencoded

  3. In the next step, we will use the Compose action. Pass the access token that we get from the HTTP action in the Inputs. Formula: body('HTTP')['access_token']

  4. In the next step, we will again use the HTTP action.

  5. In the HTTP 2 action, fill in the details as follows:
    • Method: Get
    • Replace the highlighted content in the URI (tenantname, sitename and GroupName). Set the group name to the SharePoint Group whose users you want.
      URI: https://tenantname.sharepoint.com/sites/sitename/_api/web/sitegroups/getbyname('GroupName')/users
    • Headers:
      Key: Accept; Value: application/json;odata=verbose
      Key: Authorization; Value: Bearer followed by the output of the Compose action, as shown in the above image.

  6. Now we will use the Select action to get only specific properties from each element of the array and form a new array, as shown in the picture below.
    • Pass the results of the “HTTP 2” action in From as body('HTTP 2')['d']['results'].
    • We need to map the properties to make the array format as required in Power Apps. You can check the properties in the JSON generated by the HTTP 2 action. Pass the keys as shown in the image and the values as item()?['PropertyName'].

  7. The last step of the flow is the Response action. Here we pass the output of the Select action.

  8. Click on Show advanced options and select Generate from sample. Here, we need to insert a sample JSON payload. Add the following JSON structure:
     [
      {
       "Email": "",
       "Claims": "",
       "DisplayName": "",
       "Department": "",
       "JobTitle": "",
       "Picture": ""
      }
     ]
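
Added example, not part of the original post: the two HTTP requests and the Select mapping from Step-2 written in Python, so the add-in registration can be checked outside the flow and the form-encoding of the client secret can be verified. The function names, the key-to-property mapping (the post shows its mapping only in an image) and all sample values are assumptions.

```python
# Added example: builds the requests offline; it makes no network calls.
from urllib.parse import urlencode, parse_qs, quote

SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # resource prefix from the post

def build_token_request(tenant_id, tenant_name, client_id, client_secret):
    """URI, headers and form body for the first HTTP action (token request)."""
    uri = f"https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2"
    fields = {
        "grant_type": "client_credentials",
        "client_id": f"{client_id}@{tenant_id}",
        "client_secret": client_secret,
        "resource": f"{SHAREPOINT_PRINCIPAL}/{tenant_name}.sharepoint.com@{tenant_id}",
    }
    # urlencode() percent-encodes '+', '/' and '=', which a secret may contain;
    # pasted raw into a form body, '+' would be decoded as a space.
    return uri, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(fields)

def build_users_request(site_url, group_name, access_token):
    """URI and headers for the HTTP 2 action."""
    # OData string literals escape a single quote by doubling it.
    name = quote(group_name.replace("'", "''"), safe="")
    uri = f"{site_url}/_api/web/sitegroups/getbyname('{name}')/users"
    return uri, {"Accept": "application/json;odata=verbose",
                 "Authorization": f"Bearer {access_token}"}

# Assumed mapping of Response keys to SharePoint user properties.
FIELD_MAP = {"Email": "Email", "Claims": "LoginName", "DisplayName": "Title",
             "Department": "Department", "JobTitle": "JobTitle", "Picture": "Picture"}

def select_users(http2_body):
    """Mirror of the Select action over body('HTTP 2')['d']['results']."""
    return [{key: user.get(prop) or "" for key, prop in FIELD_MAP.items()}
            for user in http2_body["d"]["results"]]

def secret_seen_by_server(form_body):
    """Decode a form body the way the receiving endpoint would."""
    return parse_qs(form_body)["client_secret"][0]

if __name__ == "__main__":
    secret = "aB+cd/EF12="  # constructed sample, not a real secret
    _, _, body = build_token_request("TenantID", "TenantName", "ClientID", secret)
    print(secret_seen_by_server(body) == secret)                       # encoded body
    print(secret_seen_by_server("client_secret=" + secret) == secret)  # raw paste
    sample = {"d": {"results": [{"Title": "Ana Diaz", "Email": "ana@example.com",
                                 "LoginName": "i:0#.f|membership|ana@example.com"}]}}
    print(select_users(sample))
```

In the flow, the encodeUriComponent() expression applies the same encoding to the secret. Because the secret and the token work regardless of the calling user's permissions, enable Secure Inputs and Secure Outputs on the HTTP actions so they do not appear in the run history.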
        

Step-3: Configure the Flow in Power Apps
  1. Now we will store the response generated by the flow in a collection by passing ClearCollect(CollectionName,'FlowName'.Run()); on the “OnVisible” property of the “FormScreen”.

  2. Pass the collection on the “Items” property of the DataCardValue as shown in the below picture.

Conclusion

This is how we can call our Power Automate flow with admin consent from Power Apps.

If you have any questions you can reach out to our SharePoint Consulting team here.
