Adding an MS Graph Connection

Previously, integrations with MS products required authenticating a Connection for each product (listed below).

  • OneDrive Personal
  • OneDrive for Business
  • Sharepoint Document
  • Sharepoint List
  • Excel Online (Requires MS Graph Connection)

 

However, with the introduction of MS Graph Connections, individual connections for each MS product are a thing of the past: one Connection authenticates communication for numerous MS products and supports 2FA.

 

Before commencing, you'll need access to your MS Azure portal (to authenticate a connection) and the respective MS product account (to configure form/data source connectors).

 

In this article

  • Adding a Connection
    • Authenticating With App-Only
    • Authenticating With User Account
  • App Registration on Microsoft's Portal
    • New App Registration
    • Create Client Secret Value
    • Configuring API Permissions
    • Authorizing Connection
  • Data Source Connector
  • Form Connector

Adding a Connection


When logged into your DOWO Flow web portal, navigate to Connected Data > Connections > Add Connection - Microsoft Graph.

 

 

You must first decide whether to authenticate your MS Graph connection with "App-Only" permissions or with "User Account" permissions. The choice depends on the API permissions path taken when registering your App in the MS Azure Portal.

 

 

Authenticating With App-Only

 

Allows the app to access data independently without a signed-in user.

 

This authentication option requires:

  • Application permissions or app roles (set in MS Azure portal).
  • Client ID (DOWO Flow portal Connection input).
  • Client Secret (DOWO Flow portal Connection input). 
  • Tenant ID (DOWO Flow portal Connection input). 
    AND
  • User ID (Appeante portal Connector input).

 

Also note that if App-Only is set and the user requires an ExcelOnline and/or OneDrive Personal Connector, the user will need to specify a User ID (also referred to as the User Object ID) on the corresponding Connector.

 

Authenticating With User Account

 

Allows the application to act on behalf of the signed-in user. Requires scopes.

 

This authentication option requires:

  • Delegated permissions (set in MS Azure portal).
  • Client ID (DOWO Flow portal Connection input).
  • Client Secret (DOWO Flow portal Connection input). 
  • Tenant ID (DOWO Flow portal Connection input if not a multi-tenant application, i.e., Organizational Only).

 

Once added, the Connection's properties display to be filled out. Then, hit SAVE to view the Authorize button.

 

This will authorize the use of the currently signed-in Microsoft account. If you prefer to use a different account, you can either log out of all currently signed-in accounts and then click this button again, or open an incognito or private browsing window to sign in with your preferred account.

 

 

Property: Client ID
Description: Client ID set up for your App. This value will be a GUID in the form: 3c8ae5a6-4869-41a9-af36-8517434d9cc0
Obtained: via Azure portal*

Property: Client Secret Value
Description: Client Secret Value set up for your App. This value is NOT a GUID and will be in the form of: obH8P~yMaQYvxv-JZDKUIv.N9XVe3Kc_l8Z5OaYF
Obtained: via Azure portal*

Property: Callback URL (Redirect URI on Azure portal)
Description: After adding an MS Graph Connection, the Callback URL will display for use in Azure.
Obtained: used in Azure portal

Property: Tenant ID
Description: Use this only when an "Organization Only" application is registered. NOT a multi-tenant application.
See: How to find your tenant ID - Microsoft Entra | Microsoft Learn
Obtained: via Azure portal*

 

*View App Registration on Microsoft's Portal below on how to acquire.

 

You MUST enter the Tenant ID if an 'Organization Only' application is registered, i.e., not a multi-tenant application. The tenant ID is a GUID value that looks like this: 20380a36-8777-43f7-a79e-65bdb53f462

The Tenant ID can be left blank if the app registration is set as multi-tenant.
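Added example (not DOWO Flow's code): the two OAuth 2.0 requests that User Account and App-Only authentication correspond to on the Microsoft identity platform v2.0 endpoints, using the scopes from this article's permission table. The function names, the sample values and the choice of the `organizations` authority for a blank Tenant ID are assumptions.

```python
import secrets
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
# Delegated scopes taken from the permission table in this article.
DELEGATED_SCOPES = ["offline_access", "Sites.Manage.All", "Files.ReadWrite",
                    "Sites.ReadWrite.All", "User.Read"]


def user_account_authorize_url(client_id, redirect_uri, tenant_id=""):
    """Authorization-code request: a user signs in and consents to scopes."""
    # Assumption: a blank Tenant ID (multi-tenant registration) maps to the
    # "organizations" authority; a single-tenant app must name its tenant.
    tenant = tenant_id or "organizations"
    state = secrets.token_urlsafe(16)  # compared on the callback to stop CSRF
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must equal the registered Redirect URI
        "scope": " ".join(DELEGATED_SCOPES),
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}", state


def app_only_token_request(client_id, client_secret, tenant_id):
    """Client-credentials request: no user; permissions come from admin consent."""
    if not tenant_id:
        raise ValueError("App-Only needs a Tenant ID: no sign-in to infer it from")
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" = the Application permissions an admin has granted
        "scope": "https://graph.microsoft.com/.default",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", body


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    cid = "11111111-2222-3333-4444-555555555555"
    url, _ = user_account_authorize_url(cid, "https://portal.example/callback")
    print(url)
    print(app_only_token_request(cid, "constructed-secret",
                                 "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))
```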

 

After you set up your app on the MS Azure portal, you can access all the details necessary to configure your connector. In the next section, we provide detailed instructions on how to do this, so buckle up and let's begin.


App Registration on Microsoft's Portal

 

By the end of this process, you will have registered a new app on the Microsoft Azure portal, created a client secret value, and acquired all the necessary details to authenticate your MS Graph connection in our platform.

 

The differences between a User Account and App-Only authentication are also highlighted.

 

Please note that the process documented below is liable to change without notice as Microsoft updates their Azure portal interface.

 

New App Registration

 

First, go to https://portal.azure.com/ and log in with your Microsoft/Office/Excel/Onedrive/Sharepoint/Azure/Entra account details. 

 

Click the View button on the "Manage Microsoft Entra ID" option to proceed to the next step, where you can start the App Registration process.

 

On this page, click the "App registrations" option in the main left menu to start the app registration process as shown in the screenshot below.

 

Once on the App registration page, click the "New Registration" button as shown in the screenshot below:

 

 

On the next screen you will need to do the actual registration of your application.

 

  1. Name - The display name for the application you are registering. You can change this at a later stage.
  2. Who can use this application or access this API? - Selecting the 2nd option, "Accounts in any organizational directory (Any Microsoft Entra ID - Multitenant)", will work for most use cases.
  3. Redirect URI - Select the "Web" option, then copy the "Callback URL" and paste it into this field.
  4. Click "Register" to register your application.

 

After clicking the "Register" button in the step above, your app will be created, and you can begin setting up your secret keys.


Client ID and Client Secret

 

In the Overview of your newly created app's settings:

 

  1. The Client ID needed is the "Application (client) ID".
  2. The Client Secret Value will need to be created by clicking the link next to "Client Credentials" called "Add a certificate or secret", as shown in the screenshot below:

 

 

This will take you to the screen where you can manage your certificates and secrets. On this screen, click on the "New client secret" button as shown in the screenshot below:

 

 

When you click on the "New client secret" button, a sidebar will open on the right of the screen, as shown in the screenshot below. Here, you will need to enter a descriptive name for this secret key and specify how long you want it to be valid. We used 180 days as a default, but you can make it longer or shorter as your organization's security rules dictate.

 

 

Click the "Add" button at the bottom of the "Add a client secret" sidebar to save your changes.

 

Once your changes are saved, you will be taken to the Client Secrets overview pages, where you can copy the Secret Value as shown in the screenshot below:

 

 

Paste this Client Secret Value in the "Client Secret" field on the "Adding a Connection" part of our secure portal.
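Added example, not from the original article: a review of the client secrets on an app registration against the 180-day validity used above, flagging expired, soon-to-expire and over-long secrets. Input is assumed to be the `passwordCredentials` list of the Microsoft Graph application object; the 30-day warning window, the function names and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=180)  # validity used in this article; set to your rule
WARN_BEFORE = timedelta(days=30)    # assumption: rotation lead time

# Constructed data in the shape of Graph's application.passwordCredentials.
SAMPLE = [
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "dowo-flow-2024",
     "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": "2024-07-08T09:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "dowo-flow-current",
     "startDateTime": "2024-06-20T09:00:00.1234567Z",
     "endDateTime": "2024-12-17T09:00:00.1234567Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "legacy-2y",
     "startDateTime": "2023-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"},
]
NOW = datetime(2024, 11, 25, tzinfo=timezone.utc)  # fixed so the result is repeatable


def parse_ts(value):
    """Parse a UTC timestamp; fractional seconds and the trailing Z are dropped."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def review_secrets(password_credentials, now):
    """Return (secret name, finding) pairs; a secret can have more than one."""
    findings = []
    for cred in password_credentials:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        name = cred.get("displayName") or cred["keyId"]
        if end <= now:
            findings.append((name, "expired"))          # connection will fail to authorize
        elif end - now <= WARN_BEFORE:
            findings.append((name, "rotate-soon"))      # create and paste a new value first
        if end - start > MAX_LIFETIME:
            findings.append((name, "lifetime-exceeds-policy"))
    return findings


if __name__ == "__main__":
    for name, finding in review_secrets(SAMPLE, NOW):
        print(f"{name}: {finding}")
```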

 

You are now ready to configure your API Permissions for the Microsoft service you wish to connect to.


Configuring API Permissions

 

Each Microsoft Service you wish to connect to through this app registration process requires you to configure specific API permissions so that it can perform correctly on our platform. Click the "API Permissions" option in the left menu on the app registration overview page to get started.

 

 

On the next page click the option to "Add a permission" to select the Microsoft Service that you wish to add permissions for.

 

 

When you click on the "Add a permission" button as shown above, a section will open on the right side of the screen, allowing you to choose which Microsoft service you wish to add permissions for. It is vitally important that you select the correct permissions for the respective Microsoft service you wish to use; in this case, we select "Microsoft Graph" as shown in the screenshot below. The rest of this article provides instructions for setting up OneDrive and Sharepoint to work with your MS Graph connection.

 

For instructions on configuring Power BI API Permissions to work in our platform, search for the Power BI guide in the knowledgebase.

 

After selecting "Microsoft Graph" as the service for which you would like to configure API permissions, on the next screen, select "Delegated" or "Application" permissions, depending on your preferred authentication type.

 

Overview of Microsoft Graph permissions - Microsoft Graph | Microsoft Learn 

 

 

Sharepoint or OneDrive API Permission Requirements

API/Permission Name: offline_access
Type: Delegated or Application
Description: Maintain access to data you have given it access to.

API/Permission Name: Sites.Manage.All
Type: Delegated or Application
Description: Create, edit, and delete items and lists in all site collections.

API/Permission Name: Files.ReadWrite
Type: Delegated or Application
Description: Read, create, update, and delete the signed-in user's files.

API/Permission Name: Sites.ReadWrite.All
Type: Delegated or Application
Description: Edit or delete items in all site collections.

API/Permission Name: User.Read
Type: Delegated
Description: Sign in and read the user profile.

 

 

On the "Delegated Permissions" screen for User Account authentication, you will need to add explicit support for the following API permissions for Sharepoint or OneDrive to work on your MS Graph connection.

 

Type Delegated.

 

On the "Applications Permissions" screen for App-Only authentication, you will need to add explicit support for the following API permissions for Sharepoint or OneDrive to work on your MS Graph connection.

 

Type Application with User.Read Delegated.

As shown in the image above, the 'Admin consent required' status is not accepted. An administrator must grant access to the API permissions where 'Yes' is required. 
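Added example (not part of the original article or the platform): a least-privilege check that decodes the claims of a Graph access token you obtained yourself for this app registration and compares the granted permissions with the table above. It assumes the token is a JWT carrying `scp` (delegated) or `roles` (application) claims; the function names and the sample tokens are constructed.

```python
import base64
import json

# Permission names from this article's Sharepoint/OneDrive requirements table.
TABLE = {"Sites.Manage.All", "Files.ReadWrite", "Sites.ReadWrite.All"}
# Sign-in and refresh scopes carry no Graph data access; this example ignores them.
IGNORED = {"offline_access", "openid", "profile", "email"}


def jwt_claims(token):
    """Decode the payload segment only. The signature is NOT verified here:
    this inspects a token you requested yourself, it does not authenticate one."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit(token):
    """Report permissions missing from, or granted beyond, the article's table."""
    claims = jwt_claims(token)
    if "roles" in claims:  # assumption: a roles claim means an App-Only token
        mode, granted, expected = "app-only", set(claims["roles"]), TABLE
    else:                  # User Account: delegated scopes, space separated
        mode, granted = "user-account", set(claims.get("scp", "").split())
        expected = TABLE | {"User.Read"}
    granted -= IGNORED
    return {"mode": mode,
            "missing": sorted(expected - granted),
            "excess": sorted(granted - expected)}


def constructed_token(claims):
    """Build an unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    delegated = constructed_token({"scp": "Files.ReadWrite Sites.Manage.All "
                                          "Sites.ReadWrite.All User.Read Mail.Read"})
    app_only = constructed_token({"roles": ["Sites.Manage.All", "Sites.ReadWrite.All"]})
    print(audit(delegated))  # Mail.Read is reported as excess
    print(audit(app_only))   # Files.ReadWrite is reported as missing
```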

 

If you've completed the above successfully, you are finally ready to authorize your connection on our platform. 


Authorizing Connection


On our secure web portal, after entering your Client ID, Secret, and Tenant ID, if necessary, hit Save and then Authorize.

 

Authorizing will consist of signing in to your MS account and ticking a consent box confirming the API permissions added. If you've done everything correctly, you'll have allowed our platform to connect to your account, displaying the successfully connected indicator.

 

 

MS Graph Connections support 2FA when authorizing.

 

When adding a Form or Data Source Connector, select the MS Graph Connection in the Using Connection property dropdown.


Data Source Connector


When adding a Sharepoint List Data Source Connector or any other supported MS product connector, select the MS Graph Connection instead of a Sharepoint Connection in the Using Connection dropdown.

 

 

Property: Sub-Site Name (required)
Description: This field is required, and only the Site Name OR Subsite Name will need to be entered.

Property: List Name (required)
Description: Enter the name of the SharePoint data List that you want to bind to. The List must be accessible by your connected SharePoint user account.

Property: Filter with Graph (optional)
Description: Optionally define a filter statement to filter your SharePoint List results. Please note: The field(s) being filtered will need to be indexed on the SharePoint List.
Learn more about Filtering with Microsoft Graph

Property: Columns From View (optional)
Description: You can specify the internal column names in a comma-separated list, e.g. ID,Column 1,Column 2,...
Learn more about internal column names

Property: Refresh Frequency (required)
Description: The time interval at which data is pulled and refreshed by this connector.

Form Connector


When adding a Sharepoint Connector or any other supported MS product connector, select the MS Graph Connection instead of a Sharepoint Connection in the Using Connection dropdown.

 

 

Property: Sub-Site Name (required)
Description: This field is required, and only the Site Name OR Subsite Name will need to be entered.

Property: List Name Search (required)
Description: Search for the name of the SharePoint data List that you want to bind to. The List must be accessible by your connected SharePoint user account.
Note: Only the first 100 lists will be searched, and only 25 will be displayed in the dropdown.
If your list is not found using the Search option, please hit 'Specify List' to manually type it in.

Property: Columns From View (optional)
Description: You can specify the internal column names in a comma-separated list, e.g. ID,Column 1,Column 2,...
Learn more about internal column names

 

