![\"Power](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/Power-Automate.jpg\")
<\/p>\n<\/p>\n
When working with workflows triggered by HTTP requests, you may face a common challenge, i.e., ensuring that only authorized users can start the workflow. In many cases, you might need to restrict access so that only specific users within your organization can trigger it.<\/p>\n
When a workflow is triggered by an HTTP request, controlling who can access it is crucial. Without proper security in place, anyone with the request URL could start the workflow, leading to unauthorized users gaining access to critical business processes or sensitive data. This could pose serious security risks to your organization, potentially leading to data breaches, process disruptions, or compliance issues.<\/p>\n
To resolve this, you need a reliable way to manage authentication. One effective approach is OAuth authentication, which allows you to limit access to specific users within your organization. By implementing OAuth, you can ensure that only approved users have permission to trigger the workflow, while unauthorized users are blocked. This not only strengthens security but also ensures that workflows are used only by the right people, improving efficiency and protecting vital business information.<\/p>\n
By setting up OAuth authentication for the “When an HTTP request is received” trigger, your company can:<\/p>\n
This security enhancement protects sensitive data and ensures workflows are triggered only by the right people, reducing the risk of unauthorized actions.<\/p>\n
Prerequisites: <\/strong>Before setting up OAuth authentication for HTTP request triggers in Power Automate<\/a>, ensure you have:<\/p>\n How to Configure: \u00a0<\/strong>First go to Home – Microsoft Azure<\/a> and select Microsoft Entra ID.<\/p>\n Now go to App registration > <\/strong>New registration.<\/p>\n And give a name to the Application and add a redirect URL if you want and click on Register.<\/p>\n Once you click on register you will be Redirected to Newly created apps Overview tab. As Shown below copy the Application (Client) ID and Directory (Tenant) ID store it somewhere.<\/p>\n Now go to API Permissions and select the Power Automate and give Delegated permission as below.<\/p>\n Also check the check box as below and hit Add permissions button.<\/p>\n Give Admin consent as shown below, and status should look like below.<\/p>\n Now go to Certificates and Secrets tab and create the new client secret as shown below. Write Description and expiration date for the secret and click on Add.<\/p>\n Once you click on add, copy the value and store it somewhere, as it gets encrypted after some time.<\/p>\n Once you’ve completed the above steps, you will need the Application (Client) ID and Client Secret value. To obtain them, go to the App overview, click on Endpoint, and copy the API endpoint as shown below to generate user-specific tokens.<\/p>\n Now open any API testing tool here I am using Postman to perform the API request.<\/p>\n In the body, include the following data. Here, client_id and client_secret refer to the Application (Client) ID and the Certificates & Secrets value, as mentioned earlier.<\/p>\n Note<\/strong>: Using the request above, we will obtain a user-specific token based on the username and password provided. If you do not require a user-specific token, set grant_type to “client_credentials” and remove the username and password fields. In this case, the token will be generated for the app associated with the provided App ID and client secret. Additionally, ensure that the scope of the token is set to: https:\/\/service.flow.microsoft.com\/\/.default<\/a> Once, we are done with the above steps, we can proceed with Flow configuration and the logic that we want to execute through our Power Automate Flow for that, you can use Power Apps or Power Automate here I am using Power Apps to configure the Flow<\/p>\n Select New flow > Instant cloud flow, give name to the flow and select \u201cWhen an HTTP request is received\u201d trigger. Then hit the Create button.<\/p>\n Select the \u201cWho can trigger the flow?\u201d <\/strong>option you can select.<\/p>\n We will not select “Anyone” as it follows the legacy behaviour of this trigger, allowing anyone with access to the HTTP URL and JSON schema to use it. Instead, we will explore the other two options. In the first case, I have selected “Any user in my tenant”. Now, generate a JSON schema based on the data you want to pass through the HTTP URL. For testing, I am using the following dummy data:<\/p>\n \u201c[{ “customerName”: “Robert Carlson”, “billingAddress”: “Florida”, “email”: “test@gmail.com”, “customerType”: “Premium”, “orderHistory”: [ { “orderId”: “ORD12345”, “orderDate”: “2024-02-18”, “totalAmount”: 5000}]}]\u201d.<\/p>\n Once this is completed, add the next action and save the flow. This will generate the HTTP URL. Copy the URL and paste it into an API testing tool. Then, add the Authorization header with the access token obtained in the previous step, as shown below.<\/p>\n Once you have the authority to trigger the flow, you will receive a “202 Accepted” response, and the flow will be triggered immediately if the access token belongs to a user within the same tenant.<\/p>\n Now, let’s test the “Specific user in my tenant” option by attempting to trigger the flow with a user who is not included in the Allowed user list.<\/p>\n Note:<\/strong> In the Allowed user list, you can specify both user email addresses and Azure app object IDs, separated by a semicolon (;). If an HTTP request is made using an access token from a user or application not listed in the Allowed user list, the flow will not be triggered.<\/p>\n For example, if an attempt is made to trigger the flow using the user token of Carter, who is part of the tenant but not included in the Allowed user list, the request will be denied.<\/p>\n By using OAuth authentication, I was able to set up the workflow so that only specific users with their unique access tokens could trigger it. This means that no one outside the approved list can access or run the workflow meant for certain tasks. Now, with OAuth in place, only authorized users with the correct access tokens can interact with the workflow. This improves security and ensures that important business processes stay protected and under control. By adding OAuth authentication, I made it easier to secure my HTTP-triggered workflows while still allowing the right users to use them without any issues.<\/p>\n","protected":false},"excerpt":{"rendered":" When working with workflows triggered by HTTP requests, you may face a common challenge, i.e., ensuring that only authorized users can start the workflow. In many cases, you might need to restrict access so that only specific users within your organization can trigger it. When a workflow is triggered by an HTTP request, controlling who\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":15,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1985,2361],"tags":[1975],"class_list":["post-40525","post","type-post","status-publish","format-standard","hentry","category-power-automate","category-technical","tag-power-automate"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/posts\/40525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/comments?post=40525"}],"version-history":[{"count":0,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/posts\/40525\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/media?parent=40525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/categories?post=40525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inogic.com\/blog\/wp-json\/wp\/v2\/tags?post=40525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/1OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/2OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/3OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/4OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/5OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/6OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/7OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/8OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/9OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/10OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/11OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/12OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/13OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n
\nOtherwise, you may encounter an “invalid scope” error. You can also decode and verify the token using tools like JSON Web Tokens – jwt.io<\/a>.<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/14OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n\n
![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/15OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/16OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/17OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/18OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/19OAuth-Authentication-in-Power-Automate.png\")
<\/p>\n![\"OAuth](\"https:\/\/www.inogic.com\/blog\/wp-content\/uploads\/2025\/03\/20OAuth-Authentication-in-Power-Automate.png\")
<\/p>\nConclusion<\/strong><\/h2>\n