Secure Microsoft Entra ID connector

Andrew GrischenkoPower Apps1 year ago20 Views

(This post was updated on 27th Nov to clarify the set of required permissions).

I needed to create a Power Automate flow to create Microsoft Entra ID (previously Azure Active Directory) security groups and assign members to them. I was going to use the provided standard Microsoft Entra ID connector until I found that it requires application permissions scope to be “Directory.ReadWrite.All“. This gives the application access to any operation on the directory – including creating and deleting users and assigning permission. It’s too much from the minimum required permissions principle, so I needed a more secure Microsoft Entra ID connector.

In addition, this standard connector doesn’t offer (as of November 2023) the ability to use Service Principal credentials and allows only delegated sign as a user.

So, I needed to create a custom connector:

with limited operation and strictly necessary permissions;
allowing service principal credentials authentication.

How it was done

Luckily, we have Microsoft Azure Active Directory Connector on GitHub available to leverage, and Microsoft Graph API is well-documented anyway. So, I forked the repository and redefined a few things:

Remove the operations that I don’t need, so I left only these 6 in apiDefinition.swagger.json:
- Create a new security group with owners and members.
- List members of an existing security group.
- Add members to an existing security group.
- Remove members from an existing security group.
- Get an existing security group by Id.
- Find an existing security group by a criteria (e.g. name).
Redefine OAuth scopes required in apiProperties.json to “Group.ReadWrite.All” and “GroupMember.ReadWrite.All” and “User.Read.All”, which is sufficient for those operations (plus “offline_access” for refresh token retrieval).
Add a new Service Principal Connection option in the apiProperties.json.
I have also modified an operation interface for the creation of security group operation:
- Limited group creation to only security groups (not office 265 groups) by defaulting and hiding some parameters.
- Added owner(s) as required and member(s) as optional parameters, so everything is set up with one operation.

The resulting connector, which you are free to use, is published here: https://github.com/andrew-grischenko/azure-groups-limited-connector

Read the remaining post for details on installing and using the connector.

Register an application in Azure Entra ID

Go to portal.azure.com
Find your Microsoft Entra ID service
Select App registrations on the left menu and New registration at the top.
Enter a name for your application.
Select “Accounts in this organizational directory only (Single tenant)” from the Supported account types section.
In the Redirect URI section select Web and enter the redirect URL: https://australia-001.consent.azure-apim.net/redirect (or another one related to your region)
Select API permissions on the left menu and click Add a permission in the Configured permissions section.
Select Microsoft Graph in the Microsoft APIs section and select Application permissions.
In the list below, find and select “Group.ReadWrite.All”, “Group.Member.ReadWrite.All” and “User.Read.All” and click Add permission.
Click Grant admin consent for [organisation name]
Select Certificates & secrets on the left menu and click New client secret. Copy down the secret value temporarily, as you’ll need it to create the connection.

We are done setting up the application registration and ready to install the custom connector in the environment of your choice.

Install the secure Microsoft Entra ID connector

Next, you need to install the custom connector into your Power Platform environment.

Clone the repository https://github.com/andrew-grischenko/azure-groups-limited-connector to a local machine or your Azure cloud console and navigate to that directory by cd azure-groups-limited-connector.
Follow the Installing steps to set up Microsoft Power Platform Connectors CLI.
Login the Power Platform CLI by running the paconn login command and following the prompts in the command line. Open the URL and enter the code from the command line, then log in with your credentials with the System Administrator role in the environment.
Run the following command to install the connector. Replace the [The OAuth2 client secret for the connector] with the registered application secret you saved from the previous steps.

paconn create -s settings.json --secret [The OAuth2 client secret for the connector]

Usage of the connector

In the Power Automate cloud flow that you want to use the connector, or in a new flow, add a new action. Select the Custom tab on the connectors list, and you should see the newly installed connector “AzureGroupsLimited” – select it.

In the list of operations, select the one you need, e.g. Create a security group:

The first time you use the secure active directory connector, it will ask you to create a new connection. Select the “Service principal” option and enter the details from the application registration:

Your organisation Tenant id (found in the Azure Entra ID overview tab)
The application Id and secret created during the application registration

Once the connection is created successfully, enter your group name and description.

For the owners and members, you need to know id of the user record. Construct it as https://graph.microsoft.com/v1.0/users/<user guid> where <user guid> is the user’s ID in Active Directory. You can also add members during the group creation:

Click save and run the flow to verify that the group has been created successfully. You should see in Microsoft Entra ID a new group and the owner(s) as selected.

Please note, that this secure Microsoft Entra ID connector is intentionally scoped to the security groups only and doesn’t allow the creation of Office 365 groups.

To find an existing group by name, use the “Find group” action and specify the filtering criteria (see an example here for more information):