Power Automate Azure Key Vault access inconsistencies

I’m in the process of building a Flow that connects to a Dataverse database inside a Microsoft Team. When you create this you get the ability to create Cloud Flows (aka Power Automate).

image

However, there is an issue when you try and use something like Azure Key Vault actions here.

image

In the above, you can see that I’m in my default Power Automate environment and the Get secret action of Azure Key Vault is accessible as expected and shows all the items I have inside the vault.

image

However, if I swap to another environment that was created as part of a Team (here an environment called Automation), you’ll see that I can add the Azure Key Vault action Get Secret but I no longer see the items inside that vault as I did before! I am using the same user in both cases.

It has clearly something to do with the connection,

image

which shows up as invalid as you can see above.

image

If I try and add a new connection, I see the above dialog but can’t make any changes or enter any information. Looks like I might need to investigate the Connect with a service principal option perhaps?

However, for now, there seems to be a limit when you use the Azure Key vault actions inside anything that is not the default environment for the Power Platform in your tenant. I will assume this is because these environments are limited to Microsoft Teams and have innate restrictions that I’ll need to find information on. If you know what this is, I’d love to hear from you.

Using Power Automate to send SMS

I recently had the need to send an SMS programmatically. The reason I wanted to be able to do this si because Microsoft Bookings currently doesn’t send SMS reminders to attendees of a booking outside the US. That means, here in Australia, I needed to add the capability via another SMS integration option.

The most obvious choice, once again, is Power Automate. To handle the SMS component I needed to work with a SMS provider. The one who came to party was Mondotalk.

The first step was to consult the Mondotalk API to discover how to send an SMS using code. Luckily, their documentation contained a handy PowerShell script:

$messagebody1 = @{

id = $id

key = $key

username = $username

password = $password

to = “<phone>”

sender = “<phone>”

msg = “hello world”

replyto = director@ciaops.com

}

$url = <API url>

Invoke-RestMethod -Method POST -Uri $url -Body $messageBody1

In essence you create the body of the API request using an array and then you simply POST that to the API URL. Pretty straightforward and after I worked out all the variables like username, id and key, I had this working.

image

The key action is HTTP as shown above. It is important to remember that this a ‘premium’ connector and you may need a more advanced license to use this.

Initially, I thought I’d just bung in the parameters into the HTTP action as I have done before and it would be good to go. Not the case as it turned out. Everything I tried came back with a variation of the following error:

{“_meta”:{“status”:”ERROR”},”records”:{“errorCode”:401,”userMessage”:”Must login or provide credentials.”,”devMessage”:”Please provide credentials by either passing in a session token via cookie, or providing password and username via BASIC authentication.”,”more”:null,”applicationCode”:”Unauth:1″}}

In essence, the API is failing to login to my account to send the SMS. The PowerShell worked fine but Power Automate didn’t.

The solution ended up lying with adding a header field to the HTTP action:

Content type: application/x-www-form-urlencoded

and formatting the body with an ‘&’ between the fields i.e:

username=#####&password=*******&to=61######&id=#####&key=<GUID>msg=hello&replyto=director%40ciaops.com&sender=61########

as well as setting the authentication in the HTTP action to None as it was being done in the body of the request.

After all of that, I finally had success. The lesson here is that APIs don’t always want JSON!

image

I then decided to wrap a Power Virtual Agent bot around the Flow and publish it into a Team to allow users to send SMS directly from Teams. They simply use a key phrase to call the bot and tell it when number to send to. The bot passes those details to the Flow and runs what I had worked out previously

image

The only change here from the initial on demand Flow was the passing of a variable into the Flow from the bot and creating the body of the API request, also as a variable.

image

Again, it is important to get the body field in EXACTLY the right format for the API request when it is created.

So, that’s how you connect an SMS API gateway to Power Automate and Power Virtual Agents. The real trick was getting the right format of the API POST request which had to be deduced from the documentation. Hopefully, sharing that process here gives others a shortcut to getting it working in their environments because it took me a LONG time to work it out!

Thanks again to Mondotalk for being kind enough to give me a demo account and assist getting this working.

Displaying a percentage with two decimal places in Power Automate

image

In this section from my Power Automate I initialise two variables (currentscore and maxscore) with values using the Set variable action. I want a third variable, sspercentage, to be equal to:

(currentscore) / (maxscore) * 100

that is, a percentage but with only two decimal places. To do that I need to use the following formula in the Set variable 3 action:

formatNumber(mul(div(variables(‘currentscore’),variables(‘maxscore’)),100),’0.00′,’en-US’)

which you will note, if you look carefully, actually results in sspercentage being a string not a float!

(div(variables(‘currentscore’),variables(‘maxscore’))

handles the division

mul(div(variables(‘currentscore’),variables(‘maxscore’)),100)

multiples the division by 100 to get the percentage value.

The 0.00 in the formula is the actual formatting that you can adjust if you need and the en-US is the language format for the number. The Microsoft reference is for the formatnumber function is here:

https://docs.microsoft.com/en-us/azure/logic-apps/workflow-definition-language-functions-reference#formatNumber

The end result looks like:

image

If the formatnumber function is not used then the result contains a lot of numbers after the decimal place and remains of type float, which I would only need if I wanted to display the value of Pi!

Incentivising Microsoft Teams contributions with Power Automate

One of the most important parts of technology adoption is incentivising people. One simple way to do this is to acknowledge their contributions in Microsoft Teams. I’ve spoken about this before using something like:

Custom Praise badges in Microsoft Teams

The challenge there is, that this is a manual process. How can the same be achieved the same kind of thing using automation I recently wondered?

What if you could automatically determine the number of chat messages that someone posted into Microsoft Teams, and then acknowledge the highest contributors with a custom ‘thank you’ message? Here’s how I managed to do just that using the Microsoft Graph and Power Automate.

The core information needed about messages posted in Microsoft Teams will come the Microsoft Graph, specifically:

getTeamsUserActivityUserDetail

The first step in this process will be to create an Azure AD application in the tenant, which I have detailed previously:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

the credentials for this Azure AD application will then need to be uploaded into Azure Key Vault as I have covered here:

Uploading Graph credentials to Azure Key Vault

You’ll also need to set the API permissions for this application to :

image

Reports.Read.All

 You’ll need to trigger your Flow the way that suits you. Typically you’d schedule it to run on the first of each month. You’ll then need to use the Get secret action from the Azure Key Vault as shown above. You should also note that this is a premium connectors, so you’ll need an appropriate Power Platform license to use this.

image

Next, will be the HTTP action that also a premium connector. The URI to use here will be:

https://graph.microsoft.com/beta/reports/getTeamsUserActivityUserDetail(period=’D30’)?$format=application/json

The D30 parameter determines how many previous days to consider. Valid options for the number of days is 7,30, 90, 180 according to the documentation.

The security parameters come from the Azure Key Vault Get secret actions.

image

The data returned from this HTTP action will be in JSON format, so that is fed into the Parse JSON action as shown above.

One tricky things about parsing json is to get the right schema. When I first attempted this I received this error:

“message”: “Invalid type. Expected String but got Null.”,

After some digging I found that sometimes the lastactivitydate parameter returned a string or NULL value. Thus, I need to modify the original JSON for that parameter to accommodate both potential results:

“lastActivityDate”: {
     “type”: [
         “string”,
         “null”
     ]
},

Here the whole working JSON schema I used:

{
     “type”: “object”,
     “properties”: {
         “value”: {
             “type”: “array”,
             “items”: {
                 “type”: “object”,
                 “properties”: {
                     “reportRefreshDate”: {
                         “type”: “string”
                     },
                     “userId”: {
                         “type”: “string”
                     },
                     “userPrincipalName”: {
                         “type”: “string”
                     },
                     “lastActivityDate”: {
                         “type”: [
                             “string”,
                             “null”
                         ]
                     },
                     “isDeleted”: {
                         “type”: “boolean”
                     },
                     “deletedDate”: {},
                     “assignedProducts”: {
                         “type”: “array”
                     },
                     “teamChatMessageCount”: {
                         “type”: “integer”
                     },
                     “privateChatMessageCount”: {
                         “type”: “integer”
                     },
                     “callCount”: {
                         “type”: “integer”
                     },
                     “meetingCount”: {
                         “type”: “integer”
                     },
                     “meetingsOrganizedCount”: {
                         “type”: “integer”
                     },
                     “meetingsAttendedCount”: {
                         “type”: “integer”
                     },
                     “adHocMeetingsOrganizedCount”: {
                         “type”: “integer”
                     },
                     “adHocMeetingsAttendedCount”: {
                         “type”: “integer”
                     },
                     “scheduledOneTimeMeetingsOrganizedCount”: {
                         “type”: “integer”
                     },
                     “scheduledOneTimeMeetingsAttendedCount”: {
                         “type”: “integer”
                     },
                     “scheduledRecurringMeetingsOrganizedCount”: {
                         “type”: “integer”
                     },
                     “scheduledRecurringMeetingsAttendedCount”: {
                         “type”: “integer”
                     },
                     “audioDuration”: {
                         “type”: “string”
                     },
                     “videoDuration”: {
                         “type”: “string”
                     },
                     “screenShareDuration”: {
                         “type”: “string”
                     },
                     “hasOtherAction”: {
                         “type”: “boolean”
                     },
                     “urgentMessages”: {
                         “type”: “integer”
                     },
                     “postMessages”: {
                         “type”: “integer”
                     },
                     “replyMessages”: {
                         “type”: “integer”
                     },
                     “isLicensed”: {
                         “type”: “boolean”
                     },
                     “reportPeriod”: {
                         “type”: “string”
                     }
                 },
                 “required”: [
                     “reportRefreshDate”,
                     “userId”,
                     “userPrincipalName”,
                     “lastActivityDate”,
                     “isDeleted”,
                     “deletedDate”,
                     “assignedProducts”,
                     “teamChatMessageCount”,
                     “privateChatMessageCount”,
                     “callCount”,
                     “meetingCount”,
                     “meetingsOrganizedCount”,
                     “meetingsAttendedCount”,
                     “adHocMeetingsOrganizedCount”,
                     “adHocMeetingsAttendedCount”,
                     “scheduledOneTimeMeetingsOrganizedCount”,
                     “scheduledOneTimeMeetingsAttendedCount”,
                     “scheduledRecurringMeetingsOrganizedCount”,
                     “scheduledRecurringMeetingsAttendedCount”,
                     “audioDuration”,
                     “videoDuration”,
                     “screenShareDuration”,
                     “hasOtherAction”,
                     “urgentMessages”,
                     “postMessages”,
                     “replyMessages”,
                     “isLicensed”,
                     “reportPeriod”
                 ]
             }
         }
     }
}

image

I filtered the results produced to firstly remove users with zero messages and then I removed specific users (in this case me) from the results using the two Filter action shown above.

image

One of the limitations I found during this development process was that Flows are not very good at sorting information. It would have been nice if I could have just sorted my results from largest to smallest. I solved this but firstly creating a temporary variable into which I would store the highest number of chat messages. I then looped through all the remaining results using the Apply to Each action shown above, and set this variable to the greatest value found throughout the results.

image

I then employed another Filter action again to remove any results that didn’t match this maximum value.

The next challenge came when considering external users, who have a UPN in the format of:

user_domain.com#EXT#tenant.onmicrosoft.com

Turns out the the Power Automate lookup actions don’t seem to work using these type of UPNs, they only work with an email address apparently!

image

To solve this, I now created two more variables to use when extracting the external users email address.

image

I need to extract and create a user email address before using it in the Search for users (V2) action. To do this I used two functions inside two Set variable actions. The first is:

slice(items(‘Apply_to_each_2’)?[‘userPrincipalName’],0,lastIndexOf(items(‘Apply_to_each_2’)?[‘userPrincipalName’],’#EXT’))

which removes anything from the #EXT and beyond. This typically leaves the format of:

user_domain.com

The second function is:

replace(variables(‘EmailAddress’),’_’,’@’)

that replaces the underscore character with an “at” symbol. The output after both of these functions complete is the users full email address which I can then feed into the Search for users (V2) action to locate my user(s).

image

Now that I have the user information I can use it with the Get an @mention token for a user action and then post a message with that @mention and anything else into the Team to publicly recognise the user(s) using the Post message in a chat or channel action.

image

The end result is a nice message, like shown above, that acknowledges the user(s) for their contribution in the Microsoft Team. Best part is that now it is automated it’ll do all the hard work for you going forward!

The moral of the story here is that Power Automate combined with the Microsoft Graph can achieve just about anything you want. Yes, it does a little bit of setting up with an Azure AD application, Keyvault and so on but they are typically only once off. There is also some advanced techniques when it comes to the JSON parameters but once you start working with, it becomes easier. In short, none of that should put you off from what is possible with the Microsoft Cloud environment and putting the technology to work for you to give you more freedom and improve your business processes.

Offboarding devices from Microsoft Defender for Business using Power Automate

Recently, I wrote an article to make offboard from Microsoft Defender for Business easier:

Offboarding devices from Microsoft Defender for Business using an API with PowerShell

Because this offboarding process utilises an API we can use that with other services such as Power Automate.

Before devices can be offboarded, a list needs to be created that can be accessed by Power Automate. Refer to this article:

Get a list of devices from Defender for Business into a SharePoint list

for details about creating an inventory of devices saved to a SharePoint Online list.

image

The summary of the Flow to do this device offboarding process is shown above.

image

Once the Flow has been triggered I grab the Azure AD application credentials from the Azure Key Vault. I’ve covered off how to create an Azure AD application here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

Getting the Azure AD application credentials into an Azure Key Vault can be done manually or by using this scripted process I’ve covered previously:

Uploading Graph credentials to Azure Key Vault

Once they are in the Azure Key Vault they are easy to access securely using the Flow action Get secret as shown above.

image

Next comes the Get items action as shown above. This filters the list of devices using a column called Offboard and returns items that have this as Yes (or = 1 for Power Automate).

image

A new variable is then created and the initial API offboarding URL is saved into it. This will later be appended with the actual device number that is being offboarded which is required by the API.

image

For each item that was returned from the filtered list of devices (i.e. those that been selected to offboard),

image

the offboarding API URL needed to be extended to include the unique Device ID from the returned results and the string /offboard.

image

Thus URL now needs to be ingested by the HTTP action as shown above. It is important that the body contain the following JSON:

{
   “Comment”: “Offboard machine by automation”
}

This was taken from the documentation:

Offboard machine API

The other access parameters come from Azure AD application that were extracted from Azure Key Vault earlier on in the Flow.

image

Because the return from the HTTP action can vary, we now need to have a Switch action as shown above.

image

In the top right hand corner of the Switch action, select the ellipse (three dots) and then Configure run after from the menu that appears.

image

Because the result from the HTTP action could be 400 (i.e. failure or BadRequest) we still want the Flow to proceed. If the Switch action is not used the Flow will fail like so:

image

Using the Switch action and selecting both the is successful and has failed options shown above, will allow the Flow to continue on.

image

If the HTTP action does return a BadRequest, the left hand side Case condition is met. For any other return, the right hand side Case condition will be executed.

In the case of a return status code = 400, the body of the returned JSON will be parsed and the field Result will updated in the device list for that item with the Message information taken from the JSON results.

In the case of any other return code the following will be executed:

image

Once again, there could a variety of different returned status codes from the HTTP action, however here I’ll just have a single condition to see if it is successful (status code = 201) and for anything else the results will be updated to the Result field for the device in question.

image

The last action required, after the Switch, is to reset the URL variable back to the original string in case there are other devices that have been selected to offboard. Failing to do this will result in an incorrect API URL for every device after the first match.

image

What this offboarding process looks like in practice would therefore be to select which devices to offboard from the SharePoint list, by setting the Offboard column to be Yes, as shown above.

image

Once the offboard Flow has been run, the results for those selected devices are found in the Result column and Offboard column has been reset to be No for each of these, as shown above.

image

If you set the Offboard column to Yes again for this device and re-rerun the offboarding Flow,

image

the Flow runs successfully, even though a base request resulted  during the HTTP action and the information from that is captured and stored in the Result field as shown above.

There are edge case conditions this Flows doesn’t accommodate. This is normally due to the correct information not being fully populated in the portal. This typically happens in the short period you create or add add a device to Defender for Endpoint. It is simple enough to add these checks in the Flow, but for the sake of simplicity that are not included here.

This whole process again demonstrates the flexibility and capability combining APIs with Power Automate can provide. Remember, you can set this whole process up to work across multiple tenants, it doesn’t have to be restricted to just the tenant you are on. Using Power Automate allows you to easily extend a solution to maybe include email notifications, updates into a Microsoft Team and more.

So these are some ways you can offboard devices from Microsoft Defender for Business:

Via a local script

Using Endpoint Manager and Intune

Using PowerShell

and using Power Automate as detailed here.

Celebrating anniversaries with Power Automate

A very common requirement is to remind people about anniversaries. In a business this could take the form of birthdays or commencement dates. It could, however, just as easily be any sort of event that happens on a certain date.

Previously, I’ve shown how to:

Send recurring tweets using Microsoft Flow

However, in this case, instead of simply rotating through a list of posts we want to match today’s date to a date on a list and then broadcast the message that corresponds to that date entry.

image

The starting point for this process is to create a reference list containing the dates and details you wish to share. I recommend that easiest place to do this is in a SharePoint list, as shown above. Of course, this list can contain as much detail and additional columns as you wish, but for this, I’ll keep it simple and just have two fields. It is important that you have at least one column (here Dateoption) that refers to the current year in which that item will be displayed.

image

For simplicity, I have also configured my date column in the SharePoint list to exclude time and display in standard format as shown above. There is nothing stopping you using Date & Time if you wish, it just makes the filtering a little more complex later in this process.

You’ll then want to create a Power Automate Flow that looks like this:

image

It all starts with a Recurrence action that will trigger this process once a day like so:

image

If you select the Show advanced options in this action like so:

image

You can set an exact time when this Recurrence action will be triggered (say 10am). However, since this example is a daily anniversary, we only need to trigger it at any time during the day.

image

We now need our process to determine what the current date is and we can do this using the Current time action as shown above.

image

Next, add the Convert time zone action. There are two reasons for adding this action. Firstly, the Current time action returns today’s date in UTC which may cause issues if you are not in that time zone like me. Thus, I want the current time BUT I want it as a local value (i.e. to reflect the actual time in Sydney, Australia), thus the Source and Destination time zone field settings.

The second reason for the Convert time zone action is so the time value is in the right format for a comparison test later on in the process. Thus, the Format string field should be set to yyyy-MM-dd as shown.

Now, I need to add the Get items action to actually go and look at what is in my SharePoint list.

image

In this action I enter the Site Address and List name, however I also expand the advanced options to reveal the Filter Query field as shown.

image

The Filter Query field will limit the items returned by this action to only those that match the filter. Thus, I want the returned items to only be those that match today’s date, which I have correctly formatted and stored in the Converted time action result. Thus, I want to compare the date field from my SharePoint list (here Dateoption) to the Converted time result. It is important to note that I have enclosed Converted time result in single quotes (‘) to convert the value to a string for comparison. It is very important that you do that, otherwise you’ll get errors when your Flow runs.

image

With the values that the Get Items action returns you’ll need to perform a number of steps. For this you use the Apply to each action as shown above.

image

In the case of this example, I’m simply going to post the text from the Title field in the SharePoint list that matches today’s date into a chat message as shown above. Again, this action could be anything you want, in fact, I’ll talk about how I use this with Twitter later on. For now the expectation is that if there is a match in the SharePoint list for today’s date, then the text for that entry will appear in a Teams chat message.

image

We need to do one more thing before we are finished here. As this is an anniversary calendar, we want to increment the current item for today and have it reoccur on the same date next year. To do that we use the Add to time action as shown by adding 12 months to the result date we have determined as shown above.

image

Before the new date can be added back to the SharePoint list it needs to be formatted correctly. This is achieved using the Compose action as shown using the following expression:

formatDateTime(body(‘Add_to_Time’),’yyyy-MM-dd’)

You’ll notice that that date format yyyy-MM-dd is the same as the one we set in Convert time zone action earlier.

image

All that remains is to use the Update item action to update the item in the SharePoint list with the new date entry just composed. As shown above, the same SharePoint site and list is selected, along with the item ID and Title but the Dateoption field is set to contain our new formatted date output from the previous action.

You can now save your Flow and run a manual test.

image

If I look at the chat in my Team I see the expected message that matches the item Title field in the original SharePoint list.

image

Also looking at my original SharePoint list I see that the date of today’s item has been incremented twelve months as shown.

image

One of the ways that I use this process with Twitter is to regularly post anniversary dates around ANZAC participation from World War One, which are taken from my site ANZACS in France.

The idea is that that the Flow checks this list of dates and then tweets out the text in the Title field if there is a match. Then it increments the PostDate field twelve months ready for next year. You’ll also see that I have added another custom column that records the original date of action just so I can filter and sort easily. Feel free to follow @ANZACSIF to be reminded of these dates.

As I initially mentioned, I believe there are plenty of applications for this type of process in a business. The most common ones I would suggest are for staff birthday and anniversary reminders. The great thing is that with Power Automate it is easy to modify this process to suit whatever need to have. It also makes it easy to edit the events and more if you need to because all you need to do is modify the SharePoint list that this process uses.

The possibilities are endless thanks to the Power Platform.

Power Automate ODATA filter failure when field named ‘Date’

image

So, I was doing some testing with a new Flow in Power Automate. What I wanted it to do was, at a recurring time each day, look for today’s date in a list of SharePoint items and then display other values from any matching record in a Team’s chat. To prototype this out I created a very simple list with two columns, as shown above, Title and Date. Remember, the Title field is generally created for you by default when you create a basic SharePoint List.

image

In Power Automate I used a SharePoint Get Items action as shown above to get the information I wanted. To filter down to the data I used on ODATA query like:

Date eq ‘2021-12-31’

to test. Problem was, as shown above, I was getting no results that were feeding through to the next Apply to each action that followed directly after.

There were no errors indicated in my Flow. I tried a number of different format options and so on, trying to work out what the issue was.

image

The issue turned out to be the name of the field – Date – I had created in my SharePoint List! Once I created a new column called Dateoption with the same format, and entered the same data into it and removed the offending Date column, it successfully filtered data as expected and passed the result to the following Apply to each action as you can see above.

The moral of the story is that you should probably avoid naming your fields with any ‘reserved’ programming commands like ‘Date’ as I did. Make it something unique like ‘Datefield’ or whatever. Just don’t use a common term like ‘Date’ as I did or you might struggle to troubleshoot as I did here.

Hopefully, this will save you wasting the amount of time I did to solve this that you can better spend on creating your Flow!

Power Platform product release

pexels-clem-onojeghuo-175711 (1)

I am please to announce the inaugural product release from the CIAOPS Patron Power Platform Community:

Power Automate Drink Ordering System

This is a PDF document that takes your step by step through creating an automated process for bulk ordering of drinks. This solution was developed to solve the challenge or ordering many drinks at events, however it could be used for much more mundane things such as preparing complimentary drinks when guests attend a business.

This project can also be seen as a great way to start learning the Microsoft Power Platform by creating a real world process using Power Automate (Microsoft Flow). The information provided run to over 130 pages and includes screen shots and easy to follow instructions.

To celebrate the release of this inaugural product, it is being offered at a special 75% discount which you can take advantage of here:

https://directorcia.gumroad.com/l/lDekX/foundation

This special offer is available for the first 25 purchases! So if you are interested in getting your hands dirty with the Microsoft Power Platform, here’s a great opportunity to get started.

Look out for more projects coming soon from the CIAOPS Patron Power Platform Community.