This connector is built on top of the Microsoft Azure Active Directory Connector, but limits its scope and operations to groups and members of groups (see below). The Graph API scopes required for this connector are:
- Group.ReadWrite.All
- GroupMember.ReadWrite.All
- offline_access
This connector exposes operations to be used in Microsoft Flow and PowerApps.
The connector supports the following actions:
- Create Security group: Create a security group in your AAD tenant
- Get group: Get details for a group by id
- Find group: Find a group by a criteria
- Get group members: Get the users who are members of a group
- Remove Member From Group: Remove Member From Group
- Add user to group: Add a user to a group in this AAD tenant
You will need the following to proceed:
- A Microsoft PowerApps or Microsoft Flow plan with custom connector feature
- An Azure subscription
- The Microsoft Power Platform Connectors CLI
Since the APIs used by the connector are secured by Azure Active Directory (AD), we first need to set up a few things in Azure AD for the connector to securely access them. After this setup, you can create and test the connector.
Since the connector uses OAuth as its authentication type, we first need to register an application in Azure AD. This application will be used to get the authorization token required to invoke the REST APIs used by the connector. You can read more about this here and follow the steps below:
- Create an Azure AD application. This can be done using the [Azure Portal](https://portal.azure.com), by following the steps here. Once created, note down the value of Application (Client) ID. You will need this later.
- Configure (update) your Azure AD application to access the Microsoft Graph API. This step will ensure that your application can successfully retrieve an access token to invoke Azure Active Directory REST APIs on behalf of your users. To do this, follow the steps here.
  - For redirect URI, use "https://global.consent.azure-apim.net/redirect"
  - For the credentials, use a client secret (and not certificates). Remember to note the secret down; you will need it later and it is shown only once.
  - For API permissions, use "Microsoft Graph" and "Application" type permissions "Group.ReadWrite.All" and "GroupMember.ReadWrite.All"
At this point, we have a valid Azure AD application that can be used to get permissions as a service principal and access the Microsoft Graph API. The next step is to create a custom connector.
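Before wiring the application into the connector, it is worth confirming that it carries only the two permissions listed above. The following is an added example, not part of the connector's code: it inspects the claims of an access token and reports permissions that are missing or in excess of that list. The helper names and the sample tokens are constructed for illustration, and the token is decoded without signature verification, which is suitable for inspection only.

```python
import base64
import json

# Application permissions this page tells you to grant on the app registration.
EXPECTED_ROLES = {"Group.ReadWrite.All", "GroupMember.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audit_permissions(claims: dict) -> dict:
    """Compare the permissions granted in a token against EXPECTED_ROLES."""
    # App-only (service principal) tokens carry application permissions in
    # 'roles'; delegated tokens carry scopes in the space-separated 'scp' claim.
    granted = set(claims.get("roles", [])) | set(claims.get("scp", "").split())
    return {
        "missing": sorted(EXPECTED_ROLES - granted),
        "excess": sorted(granted - EXPECTED_ROLES),
    }


def _make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


SAMPLE_OK = _make_sample_token(
    {"roles": ["Group.ReadWrite.All", "GroupMember.ReadWrite.All"]})
SAMPLE_OVER = _make_sample_token(
    {"roles": ["Group.ReadWrite.All", "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("ok", SAMPLE_OK), ("over-privileged", SAMPLE_OVER)):
        print(name, audit_permissions(decode_claims(tok)))
```

A non-empty `excess` list means the application was granted more than the connector needs and the extra permission should be removed from the app registration.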
Run the following commands and follow the prompts:

```
paconn login
paconn create -s settings.json --secret <client_secret>
```

- Microsoft Graph API explorer
- Build a custom connector for Microsoft Graph API
- Microsoft Graph API documentation - Group resource
- Service principal authentication
- Streamlining Integration: Using Service Principal authentication on Custom connectors with Microsoft Graph Application Permissions
- Microsoft Power Platform Connectors CLI
- Microsoft Azure Active Directory Connector on GitHub
- Configure custom connectors with authenticated APIs in Microsoft Power Platform