Create Microsoft Graph API Connection Using OAuth 2.0 in Workflows
Workflows
Okta Classic Engine
Okta Identity Engine
Overview

This article provides steps for setting up API access using the Workflows API Connector to connect to the Microsoft Graph API. This allows scopes to be added that are not included in the out-of-the-box Microsoft connectors within Workflows. The same approach can also be used to connect via Client Credentials.

Applies To
  • Okta Workflows
  • Microsoft Graph API
  • API Connection
Solution

Before starting, decide whether to use Authorization Code (Delegated permissions) or Client Credentials (App-only permissions) to connect to Azure/Entra. Delegated permissions require that both the app and the user who authorizes the connection have permissions to perform any actions taken by the connection. App-only permissions require setting permissions for the app itself, not for a particular user. See Microsoft's documentation to read more about these options.

The current built-in Azure connector in Okta Workflows uses Delegated permissions.

Authorization Code (Delegated Permissions)

  1. Create an app with Microsoft Entra Admin Center.

    1. To create an app in the Microsoft Entra admin center, follow the instructions at Register an application with the Microsoft identity platform and add a Web platform (application type).

    2. When creating the Web platform (application type), for the Redirect URI, use the following Redirect URIs for Okta Workflows Preview and Production orgs, respectively:

      1. Preview: https://oauth.workflows.oktapreview.com/oauth/httpfunctions/cb.

      2. Production: https://oauth.workflows.okta.com/oauth/httpfunctions/cb.

  2. Create and record a Client Secret for the app: Option 2: Add a client secret.

    1. Record the Client Secret (labeled Value in the UI) to be used later when setting up the Connection in the Workflows Console.

  3. Add Delegated permissions to the created app to access Microsoft Graph.

    1. Delegated permissions use the Authorization Code grant flow; the connection signs in on behalf of a user.

      1. To use Application permissions instead, skip the OAuth setup in the API Connection (see the Client Credentials section below), select Client Credentials as the Auth Type, and set Client Authentication Type to Send as basic auth header (client_secret_basic).

    2. Select/Add the permissions the client app should have on behalf of the signed-in user.

      1. Add offline_access scope to get a refresh token.

      2. Add User.Read.All.

      3. Add other scopes as needed.

  4. Configure Okta API Connection.

    1. Log into the Okta Workflows console.

    2. Click Connections > New Connection > API Connector.

    3. Provide a name for the Connection.

    4. Select Auth Type as OAuth and enter the following details:

      1. Access Token Path: Found under the application's Overview > Endpoints (OAuth 2.0 token endpoint (v2)).

      2. Authorize Path: Found under the application's Overview > Endpoints (OAuth 2.0 authorization endpoint (v2)).

      3. Client ID: Found under the application's Overview > Application (client) ID.

      4. Client Secret: Use the client secret value saved earlier.

      5. Scope: Add scopes in the format:

        1. offline_access user.read.all.

          1. NOTE: Separate multiple scopes with a space.

          2. NOTE: In some cases, instead of entering the short scope name, like user.read.all, you may have to enter the full scope, like https://graph.microsoft.com/User.Read.

  5. Click Create. There will be a prompt to log into Microsoft and to grant access.

    1. To see which scopes are granted and/or to grant access via the Entra admin center, see Admin consent button.

  At this point, access should be successful. To confirm, send a GET request to the Graph List users endpoint, https://graph.microsoft.com/v1.0/users, and check that it returns a list of users.
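As an added example (not Okta's or Microsoft's code), the following Python sketch shows what the API Connector's Authorization Code setup amounts to: the authorization request built from the Authorize Path, Client ID, the org-specific Redirect URI and the space-separated Scope field, plus a check of the token response to confirm that every requested scope (including offline_access, which shows up as a refresh token rather than in the scope list) was actually granted. The client ID, tenant path and token values are placeholders or constructed samples.

```python
from urllib.parse import urlencode

# Redirect URIs the article says to register on the Entra app; the org type selects one.
REDIRECT_URIS = {
    "preview": "https://oauth.workflows.oktapreview.com/oauth/httpfunctions/cb",
    "production": "https://oauth.workflows.okta.com/oauth/httpfunctions/cb",
}
GRAPH_PREFIX = "https://graph.microsoft.com/"


def authorize_params(client_id, org_type, scopes, state):
    """Query parameters of the v2 authorization request sent when you click Create.
    Scopes are joined with single spaces, as the Scope field expects."""
    if org_type not in REDIRECT_URIS:
        raise ValueError("org_type must be 'preview' or 'production'")
    return {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URIS[org_type],
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,  # binds the callback to this request; never reuse it
    }


def authorize_url(authorize_path, client_id, org_type, scopes, state):
    return f"{authorize_path}?{urlencode(authorize_params(client_id, org_type, scopes, state))}"


def _short(scope):
    # Entra may return "https://graph.microsoft.com/User.Read.All" or just "User.Read.All";
    # compare on the short, case-insensitive name either way.
    return scope.removeprefix(GRAPH_PREFIX).lower()


def missing_scopes(requested, token_response):
    """Requested scopes the v2 token response does not carry. offline_access is not
    echoed in the response's 'scope' field; its grant is visible as the refresh_token."""
    granted = {_short(s) for s in token_response.get("scope", "").split()}
    missing = {s for s in requested if _short(s) not in granted}
    if "refresh_token" in token_response:
        missing = {s for s in missing if s.lower() != "offline_access"}
    return missing


# Constructed sample of a successful token response; not a real token.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/User.Read.All",
    "expires_in": 3599,
    "access_token": "<redacted>",
    "refresh_token": "<redacted>",
}
```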

Client Credentials (App-only Permissions)

  1. Create an app with Microsoft Entra Admin Center.

    1. To create an app in the Microsoft Entra admin center, follow the instructions at Register an application with the Microsoft identity platform and add a Web platform (application type).

    2. When creating the Web platform (application type), for the Redirect URI, use the following Redirect URIs for Okta Workflows Preview and Production orgs, respectively:

      1. Preview: https://oauth.workflows.oktapreview.com/oauth/httpfunctions/cb.

      2. Production: https://oauth.workflows.okta.com/oauth/httpfunctions/cb.

  2. Create and record a Client Secret for the app: Option 2: Add a client secret.

    1. Record the Client Secret (labeled Value in the UI) to be used later when setting up the Connection in the Workflows Console.

  3. Add any Application permissions that are required to perform the intended actions with the connection.

  4. Configure Okta API Connection.

    1. Log into the Okta Workflows console.

    2. Click Connections > New Connection > API Connector.

    3. Provide a name for the Connection.

    4. Select Auth Type as Client Credentials and enter the following details:

      1. Access Token Path: Found under the application's Overview > Endpoints (OAuth 2.0 token endpoint (v2)).

      2. Client Authentication Type: Select "Send as basic auth header" (if this does not work, try the "Send as basic auth body" option).

      3. Client ID: Found under the application's Overview > Application (client) ID.

      4. Client Secret: Use the client secret value saved earlier.

      5. Scope: This depends on the required permissions. One option is to use https://graph.microsoft.com/.default as the scope. Per Microsoft, "this value informs the Microsoft identity platform endpoint to include in the access token all the app-level permissions the admin consented to."

  5. Click Create. If everything is set up correctly, the connection should be created successfully.
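As an added example (not Okta's or Microsoft's code), this Python sketch shows the client_credentials token request the API Connector issues for the Client Credentials auth type, in both client authentication forms from step 4 (secret in a basic auth header versus in the form body), using the https://graph.microsoft.com/.default scope. It also inspects the returned access token's roles claim, which is where app-only permissions appear; a delegated token carries scp instead, so an empty result is a sign the connection is not really app-only. Token path, client ID, secret and the sample tokens are placeholders or constructed values.

```python
import base64
import json
from urllib.parse import quote, urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_request(token_path, client_id, client_secret, client_auth="basic_header"):
    """Return (url, headers, body) for the v2 client_credentials grant.
    'basic_header' = client_secret_basic; 'body' = credentials in the form body."""
    form = {"grant_type": "client_credentials", "scope": GRAPH_DEFAULT_SCOPE}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "basic_header":
        # RFC 6749 2.3.1: form-urlencode id and secret before base64-encoding "id:secret".
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif client_auth == "body":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("client_auth must be 'basic_header' or 'body'")
    return token_path, headers, urlencode(form)


def app_roles(access_token):
    """Decode the JWT payload (no signature check: this is inspection, not validation)
    and return the 'roles' claim, i.e. the app-only permissions the admin consented to."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("roles", []))


def _unsigned_jwt(claims):
    # Builds a constructed, unsigned sample token for the demo only; Entra tokens are signed.
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


SAMPLE_APP_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
SAMPLE_DELEGATED_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read.All"})
```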
