Reputation: 10879
I am trying to access Microsoft Graph API via a Power Automate Flow.
I've created an 'App Registration' in Azure AD and setup what I think should be the required API permissions for the GET request I am attempting.
In Power Automate, I am using the approach where you generate an access token and then pass that in the header of subsequent requests.
It generates the access token fine, but produces a 403 error when trying to GET:
https://graph.microsoft.com/v1.0/me
I've been looking into this for several hours and have come across suggestions to go to https://jwt.ms and paste in the access token, but when I do that, I don't know what I should be looking for.
Error when running manually triggered flow:
Action 'HTTP' failed
Insufficient privileges to complete the operation.
Status Code: 403
API Permissions in Azure AD
Here are the docs which specify which permissions are required for the relevant GET request, i.e.:
Delegated (work or school account) User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Authentication in Power Automate Flow
Request in Power Automate Flow
Text values from the above screenshots are below in case anyone wants to try and replicate:
HTTP Authenticate Request:
https://login.microsoftonline.com/@{variables('tenant_id')}/oauth2/token
Content-Type: application/x-www-form-urlencoded
client_id=@{variables('application_id')}&client_secret=@{variables('secret_value')}&resource=https://graph.microsoft.com&grant_type=client_credentials
HTTP GET Request:
URI: https://graph.microsoft.com/v1.0/me
Authorization: Bearer @{body('Parse_JSON')?['access_token']}
Update:
I don't know if this is the correct answer or not, but I think Power Automate might require Application permissions as opposed to Delegated permissions in the Azure App Registration area.
The following research led me to this conclusion:
01) https://www.youtube.com/watch?v=VJWFzdy2c4E&t=242s : he adds Application permissions and not Delegated permissions
02) "You are obtaining a token via the confidential client flow, meaning you are not running in the context of a user. Thus you should not be using the /me endpoint, but the /users/objectID one... Or obtain a token via one of the delegated-permission flows." Source
I therefore changed to Application permissions, called this endpoint, and it worked fine:
https://graph.microsoft.com/v1.0/users
Whether Application permissions are the best (or only?) approach when accessing Microsoft Graph from Power Automate, I don't know (maybe the method I used to authenticate enforced the use of Application permissions?). I kind of like the idea of ensuring the Flow only performs actions that the user triggering the Flow is allowed to perform, but meh, at least something is working at the end of the day.
Upvotes: 1
Views: 2066
Reputation: 1781
You are using the Client Credentials Flow, which requires application permissions, i.e. no logged-in user. The client credentials flow is used for tasks that don't need user interaction, like server-side apps, daemons, and background tasks such as Power Automate.
With the token acquired from the client credentials flow, you cannot call /me/... because these endpoints require a logged-in user, as @hong-ooi has pointed out, which explains the 403.
In your case, you will need to add application permissions instead of delegated ones, then call GET https://graph.microsoft.com/v1.0/users/{userId | upn} instead of GET https://graph.microsoft.com/v1.0/me. Note /me translates to /users/{userId | upn} for you.
Upvotes: 2
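The question asks what to look for when pasting the token into jwt.ms, and the answer explains why a client_credentials token cannot call /me. The following script is an added example (not code from the question, the answer, or Microsoft) that does offline what jwt.ms does in the browser: it base64url-decodes the payload segment of the JWT, then reads the two claims that decide the outcome. A token with an `scp` claim carries delegated permissions and a signed-in user, so /me works; a token without `scp` is app-only, its permissions are in `roles`, and /me will 403. A client_credentials token issued to an app registration that was only granted delegated permissions (User.Read is delegated-only) has no `roles` claim at all, which is exactly the asker's situation. The tenant and app IDs, the three sample payloads and the UPN are constructed placeholders; the delegated permission list is the one quoted from the docs in the question, and the application permission list is from the Graph docs, not from this page. Nothing here verifies a signature: this is for inspecting a token you obtained yourself, and a resource server must validate signature, issuer, audience and expiry before trusting any claim.

```python
"""Inspect an Azure AD access token the way jwt.ms does, then work out which
Graph endpoint it can call. Decoding only; no signature verification."""
import base64
import json

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample payloads (not real tokens; only the claims that matter here).
# 1) client_credentials token when the app registration was granted only
#    *delegated* permissions: no user, and no 'roles' claim -> Graph returns 403.
NO_PERMS_PAYLOAD = {"aud": "https://graph.microsoft.com", "tid": TENANT,
                    "appid": APP_ID, "idtyp": "app"}
# 2) client_credentials token after granting an *application* permission.
APP_ONLY_PAYLOAD = dict(NO_PERMS_PAYLOAD, roles=["User.Read.All"])
# 3) token from a user sign-in flow (e.g. authorization code): has 'scp' and a user.
DELEGATED_PAYLOAD = {"aud": "https://graph.microsoft.com", "tid": TENANT,
                     "appid": APP_ID, "idtyp": "user",
                     "scp": "User.Read openid profile",
                     "oid": "22222222-2222-2222-2222-222222222222",  # constructed
                     "upn": "alice@contoso.example"}                  # constructed

# Delegated permissions the Graph docs list for GET /users/{id} (quoted in the question).
DELEGATED_OK = {"User.Read", "User.ReadWrite", "User.ReadBasic.All", "User.Read.All",
                "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All",
                "Directory.AccessAsUser.All"}
# Application permissions for the same call (from the Graph docs, not from this page).
APP_OK = {"User.Read.All", "User.ReadWrite.All",
          "Directory.Read.All", "Directory.ReadWrite.All"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def make_unsigned_demo_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for the demo. The signature segment is a
    placeholder, so this is NOT a valid token; it only exercises the decoder."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"signature-placeholder"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (jwt.ms-style)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims: dict) -> dict:
    """What the decoded claims tell you:
    - 'scp'   present -> delegated permissions, a user is signed in, /me works.
    - no 'scp'        -> app-only token; permissions are in 'roles'; /me will 403.
    """
    delegated = claims["scp"].split() if claims.get("scp") else []
    app = list(claims.get("roles", []))
    kind = "delegated" if delegated else "app-only"
    granted = set(delegated if kind == "delegated" else app)
    allowed = DELEGATED_OK if kind == "delegated" else APP_OK
    return {
        "kind": kind,
        "delegated_permissions": delegated,
        "app_permissions": app,
        "user_oid": claims.get("oid"),
        "can_call_me": kind == "delegated",
        "can_read_user": bool(granted & allowed),  # sufficient for GET /users/{id}?
    }


def pick_user_endpoint(claims: dict, target_user: str = "") -> str:
    """Choose the Graph URL that this token can actually call."""
    info = classify_token(claims)
    if not info["can_read_user"]:
        perms = info["delegated_permissions"] or info["app_permissions"]
        raise PermissionError(f"{info['kind']} token lacks a user-read permission: {perms}")
    if info["can_call_me"]:
        return f"{GRAPH}/me"
    if not target_user:
        raise ValueError("app-only token: /me is unavailable, pass a user id or UPN")
    return f"{GRAPH}/users/{target_user}"


if __name__ == "__main__":
    for name, payload in [("no-perms", NO_PERMS_PAYLOAD), ("app-only", APP_ONLY_PAYLOAD),
                          ("delegated", DELEGATED_PAYLOAD)]:
        claims = decode_claims(make_unsigned_demo_jwt(payload))
        print(name, classify_token(claims))
```

Run it against a real token by replacing the demo JWT with the string from the Flow's `Parse_JSON` output: if the decoded payload has neither `scp` nor `roles`, the 403 is a missing grant (add an application permission and grant admin consent), and if it has `roles` but no `scp`, switch the request from /me to /users/{id or UPN}.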