Deeper control over HTTP invocation of flows

Customers frequently use “When a HTTP request is received” trigger as a key piece of the extensibility story for their own applications and services. Using this trigger, a unique URL is generated on flow save and customers can trigger Power Automate workflows by sending an HTTP request to this URL.

Today, we are excited to announce a new capability for this trigger. Customers can now add OAuth authentication to such HTTP request triggered workflows, to add an additional layer of control to this workflow. With a single parameter within the trigger, makers can restrict only users within their tenant can trigger this workflow by sending an HTTP request to the URL. This will be the default option for this trigger moving forward, to ensure customers create secured endpoints by default.


Customers can further lock down who can trigger this workflow to specific users within the tenant. This list could contain specific user ids or service principal object ids, on whose context the workflow might be triggered.




Once either of these parameters are added to this trigger, then only those requests that contain the specific claims (tenant id, user id or object id) in the http requests will be allowed to trigger the flow.

You can learn more about this capability here. It is also recommended to check out the Microsoft Authentication Library (MSAL) to understand how you add the right claims in your HTTP request, depending on the language and framework you are using within your application or service.

Please feel free to provide your questions and feedback in the Power Automate community.

Happy Automating!