
How to build a PowerApp – Temporary Access Pass Manager – Part 4

Part 4: Build a custom connector based on the Graph API

This article is part of a series.


Now that we know the basics, as discussed in previous parts, it’s time to build the custom connector. This custom connector is going to use the Graph API. Before we start building, make sure you have these things at hand:

  1. The application ID and secret of the app registration (part 2)
  2. The Graph Explorer, and the sample queries (part 3)
  3. A test user in Azure Active Directory
  4. A license to use PowerApps/Power Automate. Click here to start a trial if you don’t have a license

Important!

Both the name of the connector and the actions (operation IDs) are going to be used in the PowerApp later on. It’s recommended to use the same naming convention as the example, so you don’t have to change all the queries manually later.

Item                                        Operation ID
Name of the custom connector                TemporaryAccessPass
Action to create Temporary Access Pass      CreateTemporaryAccessPass
Action to list Temporary Access Pass        ListTemporaryAccessPass
Action to get Temporary Access Pass         GetTemporaryAccessPass
Action to delete Temporary Access Pass      DeleteTemporaryAccessPass

Custom connector

Go to https://make.powerapps.com and under the Data section, go to Custom connectors. Click + New custom connector to get started. Select Create from blank to build the connector from scratch.

Let’s give the connector a proper name. Be aware that you need the name of the connector in the next part of the series when we are using it with PowerApps. In my example, I use TemporaryAccessPass as the name of the connector.

Enter the details in the first screen of the wizard.

  1. Upload a logo if you like. Download the one used in the example from here.
  2. As background color I use white (#ffffff). You can pick any color you like.
  3. Enter a brief description for your connector.
  4. Use HTTPS (default).
  5. Enter graph.microsoft.com as your host URL.

Next, click Security -> to move to the next screen.

In the next screen, fill out the security information in order to authenticate to Azure AD. This is where the app registration makes its entrance.

  1. Choose OAuth 2.0
  2. Select Azure Active Directory
  3. Enter the client ID / Application ID of the app registration (captured in part 2)
  4. Enter the secret that we created earlier (captured in part 2). If you forgot to save this secret, create a new one, and delete the old one.
  5. Use https://graph.microsoft.com as your resource URL.

After this, click Create connector! This will save the configuration so far. After that, move to the next screen: Definition.

Definition

In this screen, we are going to define four actions: create, list, get, and delete Temporary Access Pass. Let’s start with the first one. Fill in the summary, description, and operation ID. For both summary and operation ID, I use CreateTemporaryAccessPass. Description can be anything.

After that, click + Import from sample.

Choose POST for the Verb, and use this URL*:

https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods

*Here we are creating a variable for the UserPrincipalName by using {UPN} in the URL. Use this exact URL; you don’t have to replace the UPN with your test user’s UPN here.

Enter this value in the body, and click Import.

{"JSON":""}

Now, we need to configure some additional steps for the body parameter. These are important!

  1. Edit the body parameter
  2. Set ‘Is required’ to Yes and edit the JSON body
  3. Add the two brackets as the default value and set ‘Is required’ to Yes

After changing the JSON/body parameters, click <– Back twice to return to the ‘home screen’.
After that, click + Add default response, and use this as the body:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('AdeleV%40M365x583104.OnMicrosoft.com')/authentication/temporaryAccessPassMethods/$entity",
    "id": "42cf61da-0b54-4b61-b6cd-362343f41a0e",
    "temporaryAccessPass": "Q$wSrZ3R",
    "createdDateTime": "2021-08-07T13:02:07.5740124Z",
    "startDateTime": "2021-08-07T13:02:06.2614145Z",
    "lifetimeInMinutes": 60,
    "isUsableOnce": false,
    "isUsable": true,
    "methodUsabilityReason": "EnabledByPolicy"
}

To create the response sample yourself, simply use the Graph Explorer to create the queries and copy the response. You can also use the sample response from the documentation for this.

When you click on the default response after the import, you should see the payload. This represents the schema for the response. It should look like this:

Update the connector and move to the last screen in the wizard: Test

Test

Before we can test the connector, we need to create a new connection. Click + New connection, and select the account that you want to use. Remember that this account needs one of these roles to create a Temporary Access Pass:

  • Global admin
  • Privileged authentication admin
  • Authentication admin

Next, enter the UPN of the test user and test the operation. The body can be empty, but two brackets will also work. You should see a valid response and a 201 response code. Make sure that your test user doesn’t have a Temporary Access Pass yet. Otherwise, this test will fail.

If your test was successful, we can now go on to create the other actions.

Get, List and Delete

Now, repeat the above steps to create the remaining three definitions.

ListTemporaryAccessPass

Summary: ListTemporaryAccessPass
Description: List Temporary Access Pass
Operation ID: ListTemporaryAccessPass
Verb: GET
URL: https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods
Response sample:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('AdeleV%40M365x583104.OnMicrosoft.com')/authentication/temporaryAccessPassMethods",
    "value": [
        {
            "id": "6971aea8-147e-478f-809b-6fa29d42edfa",
            "temporaryAccessPass": null,
            "createdDateTime": "2021-08-07T13:23:32.6999338Z",
            "startDateTime": "2021-08-07T13:23:31.2392129Z",
            "lifetimeInMinutes": 60,
            "isUsableOnce": false,
            "isUsable": true,
            "methodUsabilityReason": "EnabledByPolicy"
        }
    ]
}

GetTemporaryAccessPass

Summary: GetTemporaryAccessPass
Description: Get Temporary Access Pass
Operation ID: GetTemporaryAccessPass
Verb: GET
URL: https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods/{id}
Response sample:

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#users('AdeleV%40M365x583104.OnMicrosoft.com')/authentication/temporaryAccessPassMethods/$entity",
  "id": "2cbf352d-3c26-4d74-a48d-692d8f7cdb3a",
  "temporaryAccessPass": null,
  "createdDateTime": "2021-08-08T17:41:32.147959Z",
  "startDateTime": "2021-08-08T17:41:31.6435277Z",
  "lifetimeInMinutes": 60,
  "isUsableOnce": false,
  "isUsable": true,
  "methodUsabilityReason": "EnabledByPolicy"
}

DeleteTemporaryAccessPass

Summary: DeleteTemporaryAccessPass
Description: Delete Temporary Access Pass
Operation ID: DeleteTemporaryAccessPass
Verb: DELETE
URL: https://graph.microsoft.com/beta/users/{UPN}/authentication/temporaryAccessPassMethods/{id}
Response sample: none *

*If successful, this method returns a 204 No Content response code. It does not return anything in the response body.

Don’t forget to update your connector to save the changes!

If all actions and responses are added, you should be able to successfully test all four actions. I suggest testing in this order:

  1. Create Temporary Access Pass
  2. List Temporary Access Pass (grab the ID to test the next actions)
  3. Get Temporary Access Pass (using ID from previous step)
  4. Delete Temporary Access Pass (using ID from previous step)

HTTP headers

One last (important) thing before the custom connector is ready for use: headers. Most of the POST requests to Graph API require headers. You can read this in the documentation.

So, we are going to use a policy to fix that. I had not worked with policies before, so this is a nice way to introduce them. In the Definition tab, click + New policy.

  1. Provide a name for the policy, in this case ‘Set HTTP header’
  2. Choose the template “Set HTTP header”
  3. Select only the CreateTemporaryAccessPass operation. The other operations don’t require a header.
  4. Enter: ‘content-type’
  5. Enter: ‘application/json’
  6. Choose ‘override’. Any other header with the same name will be replaced.
  7. Select ‘Request’. The policy will only apply to the request.

Don’t forget to update your connector to save the changes!
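To make the four definitions and the header policy concrete, here is an added Python model of what the connector sends and expects for each action. It is example code written for this article, not code from the article, the connector, or Microsoft; the `send` transport is a hypothetical callable, and `fake_send` replays constructed responses (values borrowed from the samples above) so the whole thing runs offline.

```python
"""Model of the TemporaryAccessPass connector's four actions against Microsoft Graph.

Added example, not part of the original article. `send` is a hypothetical
transport (request -> (status, body_text)); `fake_send` is a stand-in so the
module runs without a tenant.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta"
# One success code per action, as the article's test runs show (create 201,
# list/get 200, delete 204 No Content).
EXPECTED_STATUS = {"create": 201, "list": 200, "get": 200, "delete": 204}


@dataclass
class GraphRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: Optional[str] = None


def tap_collection_url(upn: str) -> str:
    # Same path as the connector's {UPN} parameter; the UPN is URL-encoded so a
    # value containing '/', '?' or '#' cannot alter the path that is called.
    return f"{GRAPH}/users/{quote(upn, safe='')}/authentication/temporaryAccessPassMethods"


def create_tap(upn: str, **options) -> GraphRequest:
    # The POST body is the raw object ({} for tenant defaults, or e.g.
    # {"lifetimeInMinutes": 120}), not a wrapper such as {"JSON": "..."}.
    # The content-type header is the one the 'Set HTTP header' policy adds,
    # and only this operation needs it.
    allowed = {"lifetimeInMinutes", "isUsableOnce", "startDateTime"}
    unknown = set(options) - allowed
    if unknown:
        raise ValueError(f"unsupported TAP option(s): {sorted(unknown)}")
    return GraphRequest("POST", tap_collection_url(upn),
                        {"content-type": "application/json"}, json.dumps(options))


def list_tap(upn: str) -> GraphRequest:
    return GraphRequest("GET", tap_collection_url(upn))


def get_tap(upn: str, tap_id: str) -> GraphRequest:
    return GraphRequest("GET", f"{tap_collection_url(upn)}/{quote(tap_id, safe='')}")


def delete_tap(upn: str, tap_id: str) -> GraphRequest:
    return GraphRequest("DELETE", f"{tap_collection_url(upn)}/{quote(tap_id, safe='')}")


def parse_response(action: str, status: int, text: str):
    """Check the status code for the action and reduce the body to the fields the app uses."""
    if status != EXPECTED_STATUS[action]:
        raise RuntimeError(f"{action}: expected HTTP {EXPECTED_STATUS[action]}, got {status}")
    if action == "delete":          # 204 No Content: there is no body to parse
        return None
    data = json.loads(text)
    items = data["value"] if action == "list" else [data]
    # The pass itself is only present in the create response; list/get return
    # null, so the create result is the one place it must be handled as a secret.
    parsed = [{"id": i["id"], "pass": i.get("temporaryAccessPass"),
               "lifetimeInMinutes": i["lifetimeInMinutes"], "isUsable": i["isUsable"]}
              for i in items]
    return parsed if action == "list" else parsed[0]


# Constructed sample responses, values taken from the article's response samples.
SAMPLE_CREATED = {"id": "42cf61da-0b54-4b61-b6cd-362343f41a0e", "temporaryAccessPass": "Q$wSrZ3R",
                  "lifetimeInMinutes": 60, "isUsableOnce": False, "isUsable": True}
SAMPLE_ITEM = {"id": "6971aea8-147e-478f-809b-6fa29d42edfa", "temporaryAccessPass": None,
               "lifetimeInMinutes": 60, "isUsableOnce": False, "isUsable": True}


def fake_send(req: GraphRequest) -> Tuple[int, str]:
    """Stand-in transport (assumption): answers like the Graph endpoint would."""
    if req.method == "POST":
        if req.headers.get("content-type") != "application/json":
            return 400, '{"error": {"message": "constructed: body is not JSON"}}'
        return 201, json.dumps(SAMPLE_CREATED)
    if req.method == "DELETE":
        return 204, ""
    if req.url.endswith("temporaryAccessPassMethods"):
        return 200, json.dumps({"value": [SAMPLE_ITEM]})
    tap_id = req.url.rsplit("/", 1)[1]            # GET by id echoes the requested id
    return 200, json.dumps({**SAMPLE_ITEM, "id": tap_id})


def run_test_order(upn: str, send: Callable[[GraphRequest], Tuple[int, str]]) -> dict:
    """The article's suggested test order: create, list (grab the id), get, delete."""
    created = parse_response("create", *send(create_tap(upn)))
    listed = parse_response("list", *send(list_tap(upn)))
    tap_id = listed[0]["id"]
    fetched = parse_response("get", *send(get_tap(upn, tap_id)))
    deleted = parse_response("delete", *send(delete_tap(upn, tap_id)))
    return {"created": created, "listed": listed, "fetched": fetched, "deleted": deleted}


if __name__ == "__main__":
    print(run_test_order("AdeleV@M365x583104.OnMicrosoft.com", fake_send))
```

Swapping `fake_send` for a real transport that adds the bearer token from the OAuth connection is all that is needed to drive a tenant; the status checks are what make a missing content-type header on the POST, or a stray body on the DELETE, fail loudly instead of silently.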

Okay, you’ve come really far! Now it’s time to use our connector in Power Apps and Power Automate and build a nice app around it! Click here if you are ready for the final step. It’s going to be fun! Part 5: Create an app in PowerApps using a custom connector


9 thoughts on “How to build a PowerApp – Temporary Access Pass Manager – Part 4”

  1. Hi Jan,

    Very nice guide to get acquainted with Graph and PowerApps.
    I only get stuck at Step 4, in the testing part.
    I choose ‘New connection’ and log in with my Global Admin account, but then I get a big red screen with error messages. Is this a known problem, by any chance?

  2. When testing CreateTemporaryAccessPass, options to input custom lifetime, etc not working. Tried adding “lifetimeInMinutes”: 120 and it uses default 60 minutes.

    1. Does this work when you do it to the Graph API directly? Note that you can also set the default values in your tenant under the authentication policies.

      1. Yes, it does using Graph Explorer. I noticed that if I changed to raw body, removed “JSON”: and updated, it worked in the custom app section.

        By default the connector is putting this format into the body:

        {
        "JSON": "\"lifetimeInMinutes\": 60"
        }

        vs what is needed below:
        {
        "lifetimeInMinutes": 60
        }

        1. I ended up setting up flows vs the custom connectors, and added a box to enter custom JSON content to pass to the flow to create TAP and be able to use custom start time, lifetime, etc. Thank you.

          1. Thanks! Running it through flow would indeed give you more flexibility to run custom HTTP requests against Graph API. I have done so in the past, but for this one I would see how far I could come doing it without flows 😉

  3. Everything works as expected when using this application from the service account that it was created under.
    With the way PowerApps is configured, it seems that any user that this application is shared with will also need to be an Administrator, because it creates an individual connection for each person.
    Unless I am doing something wrong. Not sure if anyone came across this before. It seems that instead of using the existing service account connection, it creates a new one.

    1. Same issue as Jason M above. It does not delegate the permissions to the regular user. Instructions followed precisely. Had to add the regular user to the Azure Builtin Group Authenticator Administrators. Great article – just a shame there is not a fix for this permissions issue.

  4. First of all, thank you for this awesome content and very useful tool! I got it working for my Company and its very practical.

    I have a question though: we are an MSP company and we have more customers, every customer with a different Microsoft tenant, etc., and we use the Partner Center from Microsoft to access these tenants. Is there any way that I can implement this app for all the customers? I imagine another combobox where I could select the customer I want (TenantID), and then I could search for the user in this tenant.
    Do you have any idea how something like this would be possible? I am stuck and I can’t find a way to be able to speak API to the Partner Center.
    Thank you very much in advance.
