Microsoft Flow has changed the rules in the world of SharePoint. It is faster, more comfortable to work with, and has a lot of ready-to-use actions. They allow you to use almost all SharePoint functions and connect to third-party services. Some companies migrated their processes from Nintex or other custom solutions to MS Flow. The introduction of the paid Flow plans right after making users dependent on it was a remarkable business operation, but let’s stick to the topic of this article.
In my article Use Microsoft Flow to display Teams messages in the SPFx app, I mentioned the lack of authentication in the HTTP request trigger. Let’s dive into it.
HTTP Request Trigger
The “When a HTTP request is received” action gives you a chance to create your own web service and access data which is usually not accessible. It can be called by anyone who has a URL generated by Flow. Literally, by anyone. This action doesn’t have any authentication.
Threat
Let’s refer again to the second article. We have created an HTTP trigger. You can call this Flow by the generated URL and pass a Teams team ID and a channel ID. You will get the latest messages from your channel in response. Sounds great? Not completely. Consider adding two more actions to the mentioned Flow:
Can you see the power you have now? You can get all teams, all channels and download up to twenty messages (‘Get messages’ action has this limit) from each of them, without any authentication.
The same applies to lists, libraries, and other data on SharePoint. You can simply export your Flow, import it into any environment you have access to, and steal data almost silently. Did someone leave his laptop unlocked? Just upload your flow, copy the generated URL, and you are ready to go. Everything is executed in the context of the careless user.
Prevention
MS Flow is a user-level automation solution. If a user did not add you to the Flow owners, you wouldn’t be able to see what is going on inside. If your account has a tenant admin permission, you can add yourself to every created flow and, if it’s necessary, delete it. Visit the Flow admin center, navigate to ‘resources’ and then ‘flows’. You can find any suspected flow here and add ownership for yourself or anyone you want.
After performing those steps, you can edit those Flows and make sure that the security policies of your organization are not violated.
Basic authentication
I don’t want to discourage you from using this marvellous trigger. That’s why I will show you how to make a simple authentication process.
- Create an authentication list. Only two columns are obligatory: a user and a token. They can be a single line of text to make them easier to use.
- Add the user emails you want to give access to, typing their names in the user column, and generate a random GUID as a token.
- Now edit the Flow you want to secure.
- Add the token and the email to the POST request body.
    "email": {
        "type": "string"
    },
    "token": {
        "type": "string"
    }
- Add an action to get a list item by the user email. We want to get the current token to compare it with the one sent in the request. You can limit your view because you need only the ‘Token’ column.
- Add an ‘Update item’ action. Generate a new token with the guid() expression. A user has to get the token every time they want to use the Flow. As a result, we know they are authorized. To get the item’s ID, you should use the following expression:
    body('Get_items')?['value']?[0]?['ID']
- Compare the tokens from the request body and the list. If the tokens are different, return a 401 error. If the token is correct, proceed with further steps. Get the token from the list with an expression similar to the previous one:
    body('Get_items')?['value']?[0]?['Token']
- Add an action parallel with the condition. Change ‘run after’ to run only if ‘Update item’ fails. Return 401 Unauthorized. The action fails if ‘Get items’ doesn’t find any tokens for the provided user.
The authentication is ready to use! Every time you want to use the Flow, you have to get the token from the list. It requires two API calls from your endpoint, but the security is worth it.
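The steps above, modelled as an added JavaScript example (not part of the original article and not Flow code): an in-memory array stands in for the authentication list, and `createAuthList`, `readToken` and `handleRequest` are hypothetical names. It shows the two API calls, the single-use token, and both 401 paths.

```javascript
// Added example: in-memory model of the token check from the steps above.
const { randomUUID } = require('crypto');

// Constructed stand-in for the authentication list (columns: User, Token).
function createAuthList(emails) {
  return emails.map((email, i) => ({ ID: i + 1, User: email, Token: randomUUID() }));
}

// Caller side, first API call: read the current token from the list.
function readToken(authList, email) {
  const item = authList.find((row) => row.User === email);
  return item ? item.Token : null;
}

// Flow side, second API call: 'Get items' -> 'Update item' -> condition.
function handleRequest(authList, body) {
  const email = typeof body?.email === 'string' ? body.email : '';
  const presented = typeof body?.token === 'string' ? body.token : '';

  // 'Get items' filtered by the user email; only the first match is used.
  const item = authList.find((row) => row.User === email);

  // No match: body('Get_items')?['value']?[0]?['ID'] is null, 'Update item'
  // fails, and the branch that runs after the failure returns 401.
  if (!item) return { status: 401 };

  // Keep the token read by 'Get items', then rotate it with a new GUID.
  // The update runs before the comparison, so a rejected request for a
  // known email also invalidates the previously issued token.
  const expected = item.Token;
  item.Token = randomUUID();

  return { status: presented === expected ? 200 : 401 };
}

// Walk through the cases with a constructed user.
function demo() {
  const list = createAuthList(['alice@example.com']);
  const token = readToken(list, 'alice@example.com');
  return {
    firstUse: handleRequest(list, { email: 'alice@example.com', token }).status,
    replay: handleRequest(list, { email: 'alice@example.com', token }).status,
    unknownUser: handleRequest(list, { email: 'mallory@example.com', token }).status,
    missingToken: handleRequest(list, { email: 'alice@example.com' }).status,
  };
}

console.log(demo());
```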
Summary
Microsoft Flow is an immature but excellent service. It needs to be polished up, and this process is continuously progressing. We should highlight its weaknesses and appreciate the advantages. In this way, we will get the most out of the Flows. At the moment, we should use common sense and design processes thoughtfully. Remember:
- Educate your users,
- Trust but check – cover MS Flow in your internal security audits,
- Check the Flows created by 3rd party suppliers,
- Don’t leave your hardware unattended,
- Visit https://office365.uservoice.com/ and share your doubts and ideas.
Leave a comment and let me know if you use the HTTP trigger and what you think about it. Do you have a different idea of how to authenticate users?
I’m a SharePoint enthusiast currently working at Avenga. I like to test new technologies and unconventional solutions, and to share my ideas. I’m dealing with the online version of SharePoint, Azure, and some other Office 365 applications, but I have experience with on-premises as well.