I am having trouble creating a PowerApps Custom Connector which allows me to access Microsoft Graph using APPLICATION permissions.
I have created my Azure AD App Registration, with three API permissions:
- Delegated: User.Read
- Application: User.Read.All
- Application: Directory.Read.All
I have confirmed the Redirect URI is correctly set for Power Apps (https://global.consent.azure-apim.net/redirect) and I have generated a Client Secret.
I have then created TWO different Power Apps custom connectors, and both of them give me exactly the same results.
Connector A: Auth Type: OAuth2.0
- Identity Provider: Generic OAuth 2
- Client ID & Client Secret (as expected)
- Auth URL: https://login.microsoftonline.com/{{Tenant ID}/oauth2/v2.0/authorize
- Token URL: https://login.microsoftonline.com/{{Tenant ID}/oauth2/v2.0/token
- Scope: https://graph.microsoft.com/.default
Connector B: Auth Type: OAuth 2.0
- Identify Provider: Azure Active Directory
- Client ID & Client Secret (as expected)
- Login URL: https://login.windows.net
- Tenant ID: common (this is the default)
- Resource URL: https://graph.microsoft.com
- Scope: {blank} (this is the default)
I then setup (in both connectors) the same two actions:
- /v1.0/me
- /v1.0/users
In BOTH connectors the first action (/me) works .. and returns the details of the logged in user. The second connector (/users) returns "Access Denied - Insufficient Privileges".
This is telling me it is using the Delegated permissions (which allows it to retrieve /me) and not the Application permissions (which is why it can't list all of the user accounts).
So .. is there any setting in Power Apps which allows me to specify that this connector should use Application requests rather than delegated?
Thank you!