Power Automate approval API

Power Automate is often used to create approval flows. Users are notified via emails but there is only one place where one can check and review all the approvals: https://emea.flow.microsoft.com/manage/environments/Default-{tenant-id}/approvals/received

I’ve been working on a solution to bring this experience to Teams via SPFx. In this article, I present the way to tackle the challenge. Kudos to Marcin Wojciechowski, who gave me a few tips to make this possible. The code is available on my GitHub.

Graph API?

First of all, I would like to mention that I’ve found a beta Graph endpoint: /beta/me/approvals but it’s not documented and it doesn’t return any significant data. Anyway, you can find a powerusers forum thread where you will notice that people have been asking for that kind of API since 2017.

Reverse engineering 

While checking the network communication on the approvals site, I’ve found endpoints that are used for getting all active approvals and accepting/rejecting them.

[Screenshot: Chrome network tab, GET request]

I’ve explored this endpoint with Postman and SPFx. I’ve got rid of redundant headers and found out that the API doesn’t have a strict CORS policy, which was an issue with other private Microsoft endpoints I explored.

Until now, I had used an authentication token copied from Chrome on the approvals site, so I had to find a way to get the token from code and grant the SPFx application permission to access the API. I started by decoding the token with jwt.io to find out which resource it authenticates to:

"appid": "6204c1d1-4712-4c46-a7d9-3ed63d992682"

Using the app id, I’ve located the app among other enterprise applications at portal.azure.com: it’s Microsoft Flow Portal.

[Screenshot: Azure portal enterprise applications, Microsoft Flow app]

Grant permissions

To authenticate your SPFx application to the Flow service:

  1. Go to portal.azure.com -> App registrations,
  2. Open the “SharePoint Online Client Extensibility Web Application Principal” app and select API permissions,
  3. Add new permission and switch tab to “APIs my organization uses”,
  4. Find “Microsoft Flow Service”,
  5. Add Approvals.Read.All or Approvals.Manage.All permissions,
  6. Write down the service URL: https://service.flow.microsoft.com
  7. Grant admin consent and you are ready to go.

[Screenshot: Grant SharePoint Online Client Extensibility Web Application Principal permissions to Flow Service]

Authenticate SPFx application and call endpoint

Now, you are ready to authenticate from your SPFx app. In your app, get the aadTokenProvider (use web part or extension context) and call the getToken method. Use the service URL as the resource endpoint URL.

// AadTokenProvider is imported from @microsoft/sp-http.
const provider: AadTokenProvider = await this.context.aadTokenProviderFactory.getTokenProvider();
const token: string = await provider.getToken("https://service.flow.microsoft.com/", true);

There is one more piece of information needed: the tenant ID. You can get it from the decoded token. To decode the token, you can implement your own method or use an existing package like jwt-decode.

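import jwt_decode from "jwt-decode";
// jwt-decode only decodes the payload; it does not verify the signature.
const decodedToken = jwt_decode<{ tid: string }>(token);
const tenantId = decodedToken.tid;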

The final step is to call an endpoint to get all approvals:

// HttpClient is imported from @microsoft/sp-http; token is the value returned by getToken above.
const url = `https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/Default-${tenantId}/approvalViews?$top=50&$filter=properties/userRole+eq+'Approver'+and+properties/isActive+eq+'true'+and+properties/isDescending+eq+'true'&api-version=2016-11-01`;
const response = await this.context.httpClient.get(url, HttpClient.configurations.v1, {
    headers: {
        authorization: `Bearer ${token}`,
    },
});
const result = await response.json();

That’s it! You got all the active approvals assigned to the current user. Play with query strings and endpoints to find different APIs. Check my GitHub, where you can find a service class with basic approval actions.
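
The decode and URL-building steps above in one place, as an added example that is not part of the original article or its GitHub code: it decodes the payload without a library, accepts the tid claim only if it is a GUID before it goes into the URL path, checks the audience, and builds the same approvalViews URL. The function names and the unsigned sample token are constructed for illustration, and the aud check assumes the claim equals the service URL passed to getToken.

```typescript
// Added example. decodeClaims, buildApprovalsUrl and makeSampleToken are hypothetical names.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const FLOW_RESOURCE = "https://service.flow.microsoft.com"; // service URL from the article

interface FlowClaims { tid: string; aud: string; }

// Decodes the JWT payload. This does NOT verify the signature (neither does
// jwt-decode), so every claim is treated as untrusted input and validated.
function decodeClaims(token: string): FlowClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 segments");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  while (b64.length % 4 !== 0) b64 += "=";                  // restore padding
  let claims: any;
  try {
    claims = JSON.parse(atob(b64));
  } catch (e) {
    throw new Error("JWT payload is not base64url-encoded JSON");
  }
  if (claims === null || typeof claims !== "object") throw new Error("JWT payload is not an object");
  // tid ends up in a URL path, so accept nothing but a GUID.
  if (typeof claims.tid !== "string" || !GUID.test(claims.tid)) {
    throw new Error("tid claim missing or not a GUID");
  }
  // Assumption: aud equals the resource passed to getToken, with or without a trailing slash.
  const aud = String(claims.aud).replace(/\/+$/, "");
  if (aud !== FLOW_RESOURCE) throw new Error("token was not issued for the Flow service");
  return { tid: claims.tid, aud };
}

// Builds the approvalViews URL used in the article for a validated tenant id.
function buildApprovalsUrl(tenantId: string): string {
  if (!GUID.test(tenantId)) throw new Error("tenantId is not a GUID");
  return "https://api.flow.microsoft.com/providers/Microsoft.ProcessSimple/environments/Default-" +
    tenantId + "/approvalViews?$top=50&$filter=properties/userRole+eq+'Approver'" +
    "+and+properties/isActive+eq+'true'+and+properties/isDescending+eq+'true'&api-version=2016-11-01";
}

// Constructed, unsigned sample token so the example runs offline (not a real token).
function makeSampleToken(claims: object): string {
  const enc = (o: object): string =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "none", typ: "JWT" }) + "." + enc(claims) + ".sig";
}
```

In the web part, pass the string returned by getToken to decodeClaims and the resulting tid to buildApprovalsUrl before calling httpClient.get.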
