Guidance for Azure Active Directory connector

The following information contains guidance and best practices for using the Azure Active Directory connector in your flows.

Authentication

Create a connection using an admin or user Azure Active Directory account. See Authorization.

The connection uses delegated access and delegated permissions, not app-only access or app-only permissions.

Reauthorize a connection

If you've used your account to create a connection successfully, you should be able to use this account to create as many connections as you want. You can also reauthorize any existing connections if the admin hasn't changed any configuration settings.

Types of accounts

  • Azure Active Directory admin account

  • Azure Active Directory admin credentials

Supported scopes

The following OAuth scopes must be enabled in your Azure Active Directory connector environment:

  • email
  • openid
  • profile
  • offline_access
  • Directory.ReadWrite.All
  • Directory.AccessAsUser.All
  • Group.ReadWrite.All
  • User.ReadWrite.All
  • User.Invite.All
  • Calendars.ReadWrite
  • Calendars.ReadWrite.Shared
  • Contacts.ReadWrite.Shared
  • Files.ReadWrite.All
  • People.Read.All
  • AccessReview.ReadWrite.All
  • AccessReview.ReadWrite.Membership
  • Analytics.Read
  • AdministrativeUnit.ReadWrite.All
  • AppCatalog.ReadWrite.All
  • Bookings.ReadWrite.All
  • Chat.ReadWrite
  • PrivilegedAccess.ReadWrite.AzureAD
  • PrivilegedAccess.ReadWrite.AzureResources
  • EduAdministration.ReadWrite
  • Financials.ReadWrite.All
  • IdentityProvider.ReadWrite.All
  • IdentityRiskEvent.Read.All
  • IdentityRiskyUser.Read.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementManagedDevices.PrivilegedOperations.All
  • DeviceManagementManagedDevices.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • Mail.Send.Shared
  • MailboxSettings.ReadWrite
  • Mail.ReadWrite.Shared
  • Member.Read.Hidden
  • Notes.ReadWrite.All
  • Notes.Create
  • Notifications.ReadWrite.CreatedByApp
  • OnPremisesPublishingProfiles.ReadWrite.All
  • Organization.ReadWrite.All Place.Read.All
  • ProgramControl.ReadWrite.All Reports.Read.All
  • RoleManagement.ReadWrite.Directory
  • SecurityEvents.ReadWrite.All
  • SecurityActions.ReadWrite.All
  • ThreatIndicators.ReadWrite.OwnedBy
  • Sites.FullControl.All
  • Tasks.ReadWrite
  • Tasks.ReadWrite.Shared
  • Agreement.ReadWrite.All
  • AgreementAcceptance.Read.All
  • Policy.Read.All
  • Policy.ReadWrite.TrustFramework
  • UserActivity.ReadWrite.CreatedByApp

Action card or event card-specific limitations

Return child folders

The List Contact Folder card returns a maximum of two levels of child folders. As an alternative approach, you can use one of the following API calls with the Custom API Action card. See Custom API Action.

  • Return first-level contact folders from a folder:

    /users/{{userPrincipalName}}/contactFolders/{{contactFolderId}}/childFolders

  • Returns first- and second-level contact folders from a folder:

    /users/{{userPrincipalName}}/contactFolders/{{contactFolderId}}/childFolders?$expand=childFolders

  • Returns the 1st, 2nd and 3rd level contact folders from a folder:

    /users/{{userPrincipalName}}/contactFolders/{{contactFolderId}}/childFolders?$expand=childFolders($expand=childFolders)