Retrieve access token from Microsoft Entra ID

This guide describes how to retrieve and store an application access token with a shared secret from Microsoft Entra ID. Access tokens are required to build integrations with Microsoft APIs like Microsoft Graph.

For more information about the configuration required on the Microsoft side, read about the client credentials flow in the Microsoft Documentation.

In Appfarm, this process requires setting up a service that updates a secret. The service can be configured to update the secret at regular intervals using schedules.

Example

An example service based on Microsoft Sharepoint integration is available in our Showroom.

Step 1

Step 2

Go to Microsoft Entra ID.
Click Add -> App registration.
In the Name field, enter a display name, for example appfarm.
Click Register.

Step 3

Generate and record credentials.

Go to Certificates & secrets.
Click New client secret.
Enter the required details and click Add.
Note down the generated client secret Value. This value is required later in this process.
Go to Overview.
Note down the Application (client) ID and Directory (tenant) ID values.

Step 4

You can now start configuring the integration in Appfarm Create. First, add the credentials gathered in step 3 as secrets.

In Appfarm Create, go to Secrets.
Click Create Secret.
In the Name field, enter a name for the client secret credential, for example Microsoft Client Secret.
In the Value field, enter the client secret you noted down in Step 3.
Click Create.
Repeat this process, adding the application (client) ID and directory (tenant) ID values as secrets.

Step 5

Create another secret to store the access token that will be used to authenticate individual requests to the Microsoft API.

Click Create Secret.
In the Name field, enter a name for the access token, for example Microsoft Access Token.
Click Create.

The value of this access token secret will be updated using a service.

Step 6

Create a service. You can also choose to use an existing service.

Go to Services.
Click New Service.
Enter a name for the service, for example Microsoft Entra ID.
Click Create Service.

The service is then created along with a default endpoint.

Step 7

Create a service variable. The service variable will be used to temporarily store a new access token before it is updated in the secret.

Go to Data using the top navigation.
Go to Service Variables.
Click Add Runtime Property.
In the Name field, enter a name for the service variable, for example Access Token.

Step 8

Create an action to retrieve an access token and update the secret.

Go to Actions using the top navigation.
Click Add Action.
Enter a name for the action, for example Get access token.
Add a Web request action node. The web request will request a new access token and store it in the service variable.
- Configure the web request with the following properties:

Property Value

Property	Value
URL	Select Function. Add the directory (tenant) ID secret created in step 4 as a function param. Enter the following code where tenantId must match the name of the function param you just added: return ``https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`` Click OK.
Method	`POST`
Body Type	`URL-encoded`
Body Content	Click Add Form Data and add the following key-value pairs. Key: `grant_type`, Value: `client_credentials` Key: `client_id`, Value: Use the function editor to return the secret storing the application (client) ID created in step 4. Key: `client_secret`, Value: Use the function editor to return the secret storing the client secret created in step 4. Key: `scope`, Value: See the Microsoft documentation. For Microsoft Graph integration, you might set `https://graph.microsoft.com/.default`.
Response Type	`JSON (default)`
Result Mapping	Click Add Result Mapping. For the Data Source property, select `Service Variables`. Under Property Mapping, for the service variable created in step 7, enter `access_token`.

URL

Select Function.
Add the directory (tenant) ID secret created in step 4 as a function param.
Enter the following code where tenantId must match the name of the function param you just added: return `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`
Click OK.

Method

POST

Body Type

URL-encoded

Body Content

Click Add Form Data and add the following key-value pairs.
- Key: grant_type, Value: client_credentials
- Key: client_id, Value: Use the function editor to return the secret storing the application (client) ID created in step 4.
- Key: client_secret, Value: Use the function editor to return the secret storing the client secret created in step 4.
- Key: scope, Value: See the Microsoft documentation. For Microsoft Graph integration, you might set https://graph.microsoft.com/.default.

Response Type

JSON (default)

Result Mapping

Click Add Result Mapping.
For the Data Source property, select Service Variables.
Under Property Mapping, for the service variable created in step 7, enter access_token.

Add an If action node.
- Configure the condition to check if the service variable created in step 7 has a value.

Add an Update secret action node inside the If action node you just added.
- For the Secret property, select the access token secret created in step 5.
- For the Value property, select the service variable created in step 7.

Step 9

Configure the service endpoint.

Go to Endpoints using the top navigation.
Click the default endpoint.
In the Name field, enter a new name for the endpoint, for example Get access token. When you set a name, the Readable ID field will be automatically populated.
In the Process Action field, select the action created in step 8.

You can now trigger this endpoint to refresh the access token. We recommend creating a schedule to call the endpoint and refresh the token automatically at a given interval.

The secret can then be used as the bearer token value for authentication when you make API calls using the web request action node.

PreviousFetch data from BigQuery NextWorkflow automation

Last updated 1 month ago