1. Getting more out of Flow connectors
CRMUG Summit 2017
5/15/2019 9:12 PM
Getting more out of Flow connectors
POWFL10 - Extending Flow Integration of SharePoint and other services using REST APIs
Session: POWFL10
Title: Extending Flow Integration of SharePoint and other services using REST APIs
Session Description:
Flow is great for quickly connecting various systems together using any of the extensive list of connectors available, but what happens when the connector you have doesn't support exactly what you need?
Using the HTTP action with some (often) simple REST calls it is possible to extend the functionality of various connectors and connect to other non-supported systems.
In this session I will demonstrate a few common Flow use-cases with SharePoint permissions and Project Online custom fields that are not supported with the out of the box connectors. Additionally I will go into some detail around authentication challenges and include a demonstration of using a 3rd party API to integrate foreign exchange data into SharePoint.

2. About me Martin Laukkanen
5/15/2019 9:12 PM
About me
I’ve supported, consulted and developed on Microsoft platforms since 1998.
I currently work in Switzerland for TPG, consulting for many of the largest Microsoft Swiss and Global accounts for SharePoint and Project deployments.
I’ve been blogging about Project, SharePoint and Office 365 for 10 years.
Martin Laukkanen
Senior Consultant & Developer
TPG The Project Group
Blog:
LinkedIn: linkedin.com/in/martinlaukkanen

3. Session agenda (pt. 1) Scenarios where Flow connectors need our help
5/15/2019 9:12 PM
Session agenda (pt. 1)
Introduction to the HTTP Connector
Scenarios where Flow connectors need our help
When can the HTTP Connector come to the rescue
Deep-dive examples with SharePoint and Project Online
Poll the audience who uses SharePoint / Project Online

4. Session agenda (pt. 2) Types of authentication
5/15/2019 9:12 PM
Session agenda (pt. 2)
Advanced scenarios with Authentication
Types of authentication
Example with a 3rd party API
Updating foreign exchange rates into a SharePoint list

5. Why do we need the HTTP Connector?
5/15/2019 9:12 PM
Why do we need the HTTP Connector?
When Flow needs a little help

6. Use cases for the HTTP connector
CRMUG Summit EMEA 2017
5/15/2019 9:12 PM
Use cases for the HTTP connector
When existing connectors lack required features.
For example the SharePoint connector lacks support to manage permissions, additionally
many connectors in Preview such as the Project Online connector lack key functionality.
When no connector exists.
For example an in-house developed business application, or any 3rd Party or legacy service or application.
Finally, when you don’t have the time or budget to create a Flow Custom Connector yourself.
Poll the audience for any other examples they have experienced.
E.g. I want planner tasks created from Outlook items, however the standard flow actions create the full html body as the planner task detail. However using the Graph API you can access the preview and free- text body properties as well.
Reference for custom connectors: connectors/

7. HTTP connector to the rescue
CRMUG Summit EMEA 2017
5/15/2019 9:12 PM
HTTP connector to the rescue
Using the HTTP connector requires…
An application or server that supports REST (ideally, but other types of web services can be used).
A web based endpoint accessible online (or via on-prem data gateway).
If the application requires authentication, what type of auth does it support?
Authentication of SharePoint REST endpoints
Microsoft (thankfully) have provided the “Send an HTTP request to SharePoint” action that does all the authentication for you.
Quick definition of the acronym: Representational State Transfer (REST)
Auth points worth mentioning
Microsoft “Send an HTTP request to SharePoint” action that does all the auth for you!
The simplest example is a service with no authentication required, often services will provide “public” endpoints and “private” where you only need to auth for the latter.

8. Example 1: Permissions Securing SharePoint list items
CRMUG Summit EMEA 2017
5/15/2019 9:12 PM
Example 1: Permissions
Idea
Sensitive idea
Securing SharePoint list items
A corporate SharePoint site contains a list where ideas can be submitted by all staff.
We need to be able to restrict access to sensitive items for typical users to support the business process.
Idea list
Typical Ideas
Visible to all
Sensitive ideas
Hidden from most
Elaborate a little on this synthetic example, probably 80-90% of the requirements could be met with out-of-the-box security permissions and groups (or by using a 3rd party connector!).
User Story: Sensitive (secret) items can be created – which must be invisible to all users except for users of one group (reviewers group).
Speaker note: Skip detailed discussion of business process now and elaborate during the hands on demo.

9. Setting list item permissions in SharePoint
5/15/2019 9:12 PM
Demonstration 1
Setting list item permissions in SharePoint
Scenario workflow – discuss during demo:
All new items are created and can be optionally marked “sensitive”.
Non-sensitive items must be visible to all users.
Sensitive items remain visible only to the creator and the reviewers group.
Demo steps, using two different browsers logged in as different users:
Show Ideation SharePoint site and list as normal user
Show list as Reviewer user
Note the sensitive items.
Open Flow pre-prepared workflow
Talk though basic actions:
Trigger (item creation),
Condition (is sensitive),
Show partially complete Http request items – see below – note four uses required here for this task
Test flow with live item
# Break Role inheritance POST:
## How to find:
## Flow snippit:
_api/lists/getByTitle('Ideas')/items(ITEMID)/breakroleinheritance(copyRoleAssignments=false,clearSubsc opes=true)
## Documentation Ref:
service.md

10. Example 2: Project Online Fields
CRMUG Summit EMEA 2017
5/15/2019 9:12 PM
Example 2: Project Online Fields
Projects are created but need all fields populated
Continuing from our previous use case, some approved ideas will end up as projects. Much information has already been gathered during the approval process and this data all needs to be entered into the project on creation.
The default connector can only create new projects with default fields, we’ll need to populate all the fields previously captured custom fields using REST.
Ask Audience who knows Project / Project Server / Online
Use examples:
Increasing the availability of bananas in the break room – probably not a project
Implementing a new cloud based ERP system – boom: project!

11. Updating custom field values in Project Online
5/15/2019 9:12 PM
Demonstration 2
Updating custom field values in Project Online
Demo steps:
(Reminder: No special chars in Name)
Open new flow workflow – this one is triggered in Idea being Modified (vs created as before)
Review trigger
Review conditions (check for status = approved)
If approved
Create project using OOB connector
Update fields using HTTP
(Publish project, etc required for Project Online logic)
# Demo 2: Project Custom fields
## Flow snippit
_api/ProjectServer/Projects(PROJUID)/Draft/UpdateCustomFields
## Get Project Custom field internal name
## Documentation
api/jj668989(v%3doffice.15)
## UpdateCustomFields body
````JSON {
"customFieldDictionary": [{
"Key": "Custom_98e ee911afaf00155d089414",
"Value":
"ValueType": "Edm.String"
},{
"Key": "Custom_d2fe8d59993ee911afaf00155d089414",
"Value":
"Key": "Custom_7bf6ea38993ee911afbd00155d0c2d1a",
"Value":
"ValueType": "Edm.Decimal" }] }
```

12. 5/15/2019 9:12 PM
What about auth?
Authentication challenges when using REST web services

13. Authentication scenarios
5/15/2019 9:12 PM
Authentication scenarios
Types of REST authentication
Legacy and simple types
HTTP Basic or Digest Authentication
API keys or tokens
OAuth 2 authentication
OAuth 2 Bearer tokens (access tokens and refresh tokens)
Grant types: implicit, auth code, on-behalf-of and client credentials grants
Others: Context tokens, ACS Hybrid on-prem tokens, S2S, etc
Basic Auth: Password base64 in the header (SSL mandatory!!!) – Digest hashes user/password
API keys: Secret in the header, typically assigned per application
OAuth v2 is the current standard, is simpler to implementation but some services still use v1
Bearer tokens (e.g. from AzureAD v2 for MS Graph APIs)
Tokens expire and must be renewed
References:

14. Authenticated HTTP call examples
CRMUG Summit 2017
5/15/2019 9:12 PM
Authenticated HTTP call examples
GET /thing HTTP/1.1
Host: example.org
Authorization: Basic Zm9vOmJhcg==
GET HTTP/1.1
Authorization: Bearer EwAoA8l6BAAU…j7A0XqHCjbKKgWSkcAg==
Host: graph.microsoft.com
Basic
OAuth 2
HTTP Headers shown
Basic vs digest;
Basic encodes (base64) username/password (Encoding is reversible!!)
Digest hashes (sha256) username/password
OAuth 2;
Looks simple above
Process of obtaining Bearer token varies by implementation

15. Basic Auth in Flow Example of Basic authentication headers
5/15/2019 9:12 PM
Basic Auth in Flow
Example of Basic authentication headers
Simplest example possible
- No use of SSL or even headers, ie key is sent in clear text!

16. API Key Auth flow example (fixer.io)
CRMUG Summit 2017
5/15/2019 9:12 PM
API Key Auth flow example (fixer.io)
GET /api/latest?access_key=[apikey]&base=EUR&symbols=GBP,USD HTTP/1.1
Host: data.fixer.io
Response body: {
"success": true,
"timestamp": ,
"base": "EUR",
"date": " ",
"rates": {
"GBP": ,
"USD": }
Example using access key to retrieve fx rates from API
Note the parameters are in the query string
For POST or other requests, the key could be in Header not Query String

17. 5/15/2019 9:12 PM
3rd Party API Usage
Get foreign exchange rates regularly via API
Simplest example possible
No use of SSL or even headers, ie key is sent in clear text!

18. 5/15/2019 9:12 PM
Updating Fx rates
Update SharePoint list with foreign exchange rates from 3rd party
Simplest example possible
No use of SSL or even headers, ie key is sent in clear text!

19. Authentication scenarios
5/15/2019 9:12 PM
Authentication scenarios
Microsoft client credential grant OAuth 2 flow
(Time permitting: at this point we should be at most 50 mins into the session to allow for 5 mins Q&A)
Multi-step process unlike previous ones
TLDR; version:
Call Azure AD login service with pre-registered AppId and Secret
Get token
Use token to access service / resource
Source:
Source:

20. Azure AD OAuth2 grant example
CRMUG Summit 2017
5/15/2019 9:12 PM
Azure AD OAuth2 grant example
POST /contoso.com/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=625bc9f6-3bf6-4b6d-94ba-e97cf07a22de&client_secret=qkDwDJlDfig…qu6sILxQQqhJ+s=&resource=https%3A%2F%2Fservice.contoso.com%2F
Client Id: Created when registering an app in Azure
Client secret: app secret registered in Azure app
Resource: What resource (site / service / application) the request is for
The Azure app needs to have permissions for this resource
No demo sorry, no time for this one.

21. Questions? Connect with me
5/15/2019 9:12 PM
Questions?
Connect with me
LinkedIn: linkedin.com/in/martinlaukkanen/
Blog:

22. References and further reading
5/15/2019 9:12 PM
References and further reading
For these slides, demos and more references see the following
This slide-deck and more information on the demos
Updating resource custom field values via REST in Microsoft Flow
Assign unique permissions in SharePoint with send http request action
Create 'No code' solutions with SharePoint and Flow
RESTful API Authentication Basics
Azure AD Service to service calls using client credentials (shared secret or certificate)

23. 5/15/2019 9:12 PM