david wyattThere are lots of connectors available on the Power Platform (over a thousand), and that leads to a simple question, which one is the best, which is the most powerful, wwhich on is super?
Obviously this is subjective, and dependent on your requirements, but there is one connector, and one particular action that I think is incredibly powerful, and you probably haven't used it.
And the most powerful connector is..... 'HTTP with Microsoft Entra ID (preauthorized)', specifically the 'Invoke an HTTP request'
So lets dive in:
- Why is it Powerful
- How to Use it
- Its Problems
1. Why is it Powerful
The reason is its so powerful is because, in theory it is the universal Microsoft connector. The connector allows you to use any Microsoft API that you (or who ever authenticates the API) can use. In practice it allows you to use any API that has been setup in the platform, so this means you can use additional endpoints (including undocumented ones) that are not supported by connectors.
If you think of connectors there are 2 levels, specific actions, and HTTP actions. The HTTP versions are a lot more open and powerful, and the HTTP with Microsoft Entra ID (preauthorized) sits above all of those HTTP actions, as a kind of universal HTTP action.
And this makes it perfect for connectors that don't have HTTP versions.
Ever wanted a HTTP version of the Admin connectors, well you can with Entra HTTP, below you can see using the api.flow.microsoft.com version to list environments.
And just to prove it, if you use the old Admin flow API, it flags a error thinking you are using the version 1 of the 'List Flows as Admin'.
https://api.flow.microsoft.com/Providers/Microsoft.ProcessSimple/scopes/admin/environments/{{environmentID}}/flows?api-version=2016-11-01-beta&$top=25
Here's some other cool examples:
Flows
Ever wanted to get flow logs (without having to use the new Dataverse log table)
https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/{{environmentID}}/flows/{{resourceID}}/runs/{{flowRunID}}?api-version=2016-11-01
Yep you can do that, and any other api.flow.microsoft.com API call you see in your browser network tab.
MS Forms
The MS Forms connections, is how to put this, limited.
But there are lots of MS Forms API's, quick example is maybe you want to edit the questions on a form, well you can do that with the Entra HTTP action.
Connector Settings
Ever wanted to check blocked connectors, well you can now using the api.bap.microsoft.com.
https://api.bap.microsoft.com/providers/PowerPlatform.Governance/v1/connectors/metadata/unblockable
Now I know this is very niche, but there are lots of cool things you can do with bap api
This is a quick snapshot, the options are almost infinite.
2. How to Use it
The connector is a little different from other connectors, as you need to set the root url and resource principal url you want to use. Once that is set you can create a connection.
The root url is quite obvious, its the base url of the API you want to use, like:
- https://api.flow.microsoft.com/
- https://forms.office.com/formapi/api/
- https://graph.microsoft.com/
- https://yourDynamics.crm4.dynamics.com/
The resource principal url is the permission you want, for most you can just use the root url.
When using Microsoft API's the SPN has permission that are set by scopes (like read emails, delete files, etc). In the Power Platform every connector has a SPN setup with certain scopes (it's why the HTTP actions can't always call every end point). So with Entra we need to point at the right resource principal (aka SPN) to get the right permission (aka scope).
The resource principals appear to be using the .default scope, like https://graph.microsoft.com/.default, that's why you can use the root url, but be warned . default doesn't always use the root, as example:
https://api.flow.microsoft.com/ uses https://service.flow.microsoft.com/
If anyone has a full list of the Power Platforms resource principals, please do share.
3. The Problems
First one is a small one, you cant create connections in the New UI, as it doesn't show the scope, it appears to be a simple bug. You can switch to Classic UI, create the connection, and then switch back and use it.
Second because you have to set the scope of the permissions any manual flows/apps require the user to add the url and scope, which is not user friendly and destined to cause lots support tickets when users do it wrong.
Next, we are limited to what resource principals that are setup, so not every API and scope is available, and there is no resource I can find that lists them.
Finally, it is a bit of a nightmare for admins. As it have no end point configuration in the DLP policies it means if you activate it, you have opened up a lot more connectors without knowing it.
So although in most cases the Super Connector is a little overkill, and you are better off using standard or HTTP version of the API, for me it still sits top of all of them, making it the most powerful.
