Skip to main content
sekureco42
  1. Posts/

Graph API with Logic App

·710 words·4 mins· loading · loading · ·
English Graph API Azure Logic App Expert
rOger Eisenecher
Author ::..
rOger Eisenecher
> 12 years leading and building a SOC for MSSP • > 20 years working in security • > 40 years working with IT • 100% tech nerd.
Table of Contents
Graph API - This article is part of a series.
Part 1: Graph API Introduction
Part 2: Graph API with PowerShell
Part 3: This Article

In the first part of this serie we checked the basics of the Graph API. Now in this part we will use Logic App to query the API. This opens new way to automate tasks.

Introduction

In the last article of this series we saw how to query Graph API with PowerShell. NAn alternative way to query Graph API is to use Logic App. This article is not an introduction into Logic App but could be helpful to start using Graph API with Logic App.

Compared to the post Graph API with PowerShell we will query the API for all users with their userPrincipalName.

As we learned we can use Graph Explorer to find out which Graph API URI we have to call to achieve this goal: https://graph.microsoft.com/v1.0/users?$select=userPrincipalName

Implementation

Implementation looks straight forward. In this example I used Occurence as the starting point of the Logic App. For accessing Graph API we use the block type HTTP and fill in the required information:

logic-app-create-http-part2.png
HTTP block with corresponding parameters.

To test your Logic App hit now on Run TriggerRun. The result will be s

logic-app-run-result-part1.png
As can be seen the workflow failed.

To discover the reason why the run failed hit on the message and open the flow:

logic-app-run-result-part2.png
Detail where and why the workflow failed.

The issue: Unauthorized

As clearly stated in the screenshot the Logic App is not authorized to use the Graph API. All requests to Graph API have to be done with corresponding access token. For this purpose also the Logic App has to be authenticated. From here there are two possibilities:

  1. Use an App registration
  2. Use a Managed Identity

App registrations are easy. To learn something new I decided to go the way with Managed Identity. Change to Identity and activate there the System assigned variant of managed identity by setting Status to On and hit Save.

logic-app-managed-identity-part2.png
Enable managed identity by setting status to on (marked with 1).

As soon as you save your settings, an object is created in your Azure AD and gets an Object ID (marked as “2”), in our case 6969ae25-c660-4a29-a17f-ec221804b99f.

Now we have to change our HTTP block to use this managed identity for authentication. For this you select your HTTP block, check Authentication and you get additional fields you can fill in:

logic-app-create-http-part4-isolated.png
Authentication specification in HTTP block in Logic App designer.

Now let’s try again our Logic App to see if it is working now. Unfortunatly it does not. You will get something similar to this:

logic-app-run-result-part3.png
Error message: Insufficient privileges to complete the operation.

The 2nd issue: Forbidden

Now we are a step closer to our desired goal to fetch data from the Graph API. As it looks like we are able to authenticate but still not able to fetch data from the API. If you think about it is clear: You need permission on the API to use it - or in this scenario the managed identity needs the right permissions. We want to assign the permission Directory.Read.All to the managed identity. When this is done we should be able to query the Graph API.

Unfortunatly there is no GUI to assign appropriate permissions to the managed identity. For this you have to use some PowerShell magic.

Connect-MgGraph -Scopes 'Application.ReadWrite.All,AppRoleAssignment.ReadWrite.All'
$graph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
$permission = $graph.AppRoles `
    | where Value -Like "Directory.Read.All" `
    | Select-Object -First 1

$msi = Get-MgServicePrincipal -Filter "Id eq '6969ae25-c660-4a29-a17f-ec221804b99f'"

New-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $msi.Id `
    -AppRoleId $permission.Id `
    -PrincipalId $msi.Id `
    -ResourceId $graph.Id

Final result

After all if you hit now Run on the Logic App you will see that the workflow completes without an error:

logic-app-run-result-part4.png
Workflow succesfull finished.

Of course this workflow does not make sense. It just shows how to connect to the Graph API to fetch data from a Logic App. This are the key take aways:

  • Create Logic App
  • Create Managed Identity (System Assigned)
  • Grant API permission to Managed Identity with PowerShell
  • Use HTTP block to access Graph API with proper settings for authentication incl. audience part

Further Reading

As usual there are many resources available if you are interested to learn more about Logic App. Here are some links:

Graph API - This article is part of a series.
Part 1: Graph API Introduction
Part 2: Graph API with PowerShell
Part 3: This Article