Solved: Accessing Admin API from Microsoft Power Automate

rdstoknes · ‎11-28-2020

Anyone here successfully used Microsoft’s Power Automate to connect to the Admin API?

I am building a Power App within our tenant that I can use for simple tasks such as reactivation of users when changing phone etc, without having to log in (simpler, since all support techs don’t need access to the Duo admin portal etc).

I have tried using the documentation to construct the authentication header, as well as hashing it, but all I get is “missing credentials” even though the submitted header looks very much like the one I actually get working using Postman client.

Any help is appreciated!

/Rune

rdstoknes · ‎05-25-2021

@DuoKristina, I got another crack at it and after some trial and error finally figured it out.

As Power Automate is a “low-code/no-code” tool, implementing the necessary authorization from e.g. Python examples is not straight forward. What I ended up with, referring to specific Power Automate functions/expressions, was:

Creating all the necessary header elements as variables:

Timestamp - using formatdatetime(utcNow(),‘R’)) - basically current time using RFC1123
iKey value
sKey value
method (e.g. GET)
host (■■■■■■■■■■■■■■■■■■■■■■■■■)
path (e.g. /admin/v1/users to list users)
params (blank in case of listing all users, a username when listing a specific one)

Using the Power Automate function “Compose” to concatenate timestamp, method, host, path and params, using decodeUriComponent(’%0A’) as the “divisor” instead of “\n” for newline character
As there is no HMAC function to create an HMAC SHA1 hash (as far I as I know) directly within Power Automate, I used an API for Encodian HMAC within Power Automate (free registration for limited use) to create an HMAC SHA1 representation of the concatenated text result from (2) with sKey as key, digest SHA1 and output type HASH
Using the Power Automate function Compose, creating a Base64 output of the concatenated iKey + “:” + outputs from (3)
Another Compose function to prepend "Basic " to the Base64 output from (4)
Calling the Duo REST API with an HTTP function in Power Automate (Premium license needed):

GET method
URI constructed from https://host/path (both previously mentioned variables)
Header Authorization with value from (5)
Header Date with value from variable timestamp (1)
Header Content-type with value “application/x-www-form-urlencoded”

This could be replaced in part/fully by creating a custom connector like @styson mentioned, but I haven’t looked into that yet as I was only concerned about getting a simple API call towards Duo work in the first place.

Hope this will save someone else from the same amount of trial and error as I have been left with.

View solution in original post

Amy2 · ‎05-25-2021

Hi @RuneS and @styson,
Edited: Please disregard my previous reply, as I missed that your API calls work in Postman.

I still recommend reaching out to our Duo Support team as they may be able to assist with this. They’re usually a good bet for troubleshooting technical problems if you don’t get a response from others here in the forum. I’m not adept at using our API myself, so my ability to help is pretty limited here.

rdstoknes · ‎05-25-2021

I reached out to Duo support first, only to be told that they could not assist on such a problem since [QUOTE] Duo support are also not programmers so we are limited in what help we can offer [/QUOTE].
After that I tried reaching out to the community. There is another reply in the post now, so I’ll look into that.

DuoKristina · ‎05-25-2021

How do you add this in Power Automate? Do you script the API calls and then have a pre-request script generating the header on each call to the API as is commonly done in Postman?

Duo, not DUO.

rdstoknes · ‎05-25-2021

@DuoKristina, I got another crack at it and after some trial and error finally figured it out.

As Power Automate is a “low-code/no-code” tool, implementing the necessary authorization from e.g. Python examples is not straight forward. What I ended up with, referring to specific Power Automate functions/expressions, was:

Creating all the necessary header elements as variables:

Timestamp - using formatdatetime(utcNow(),‘R’)) - basically current time using RFC1123
iKey value
sKey value
method (e.g. GET)
host (■■■■■■■■■■■■■■■■■■■■■■■■■)
path (e.g. /admin/v1/users to list users)
params (blank in case of listing all users, a username when listing a specific one)

Using the Power Automate function “Compose” to concatenate timestamp, method, host, path and params, using decodeUriComponent(’%0A’) as the “divisor” instead of “\n” for newline character
As there is no HMAC function to create an HMAC SHA1 hash (as far I as I know) directly within Power Automate, I used an API for Encodian HMAC within Power Automate (free registration for limited use) to create an HMAC SHA1 representation of the concatenated text result from (2) with sKey as key, digest SHA1 and output type HASH
Using the Power Automate function Compose, creating a Base64 output of the concatenated iKey + “:” + outputs from (3)
Another Compose function to prepend "Basic " to the Base64 output from (4)
Calling the Duo REST API with an HTTP function in Power Automate (Premium license needed):

GET method
URI constructed from https://host/path (both previously mentioned variables)
Header Authorization with value from (5)
Header Date with value from variable timestamp (1)
Header Content-type with value “application/x-www-form-urlencoded”

This could be replaced in part/fully by creating a custom connector like @styson mentioned, but I haven’t looked into that yet as I was only concerned about getting a simple API call towards Duo work in the first place.

Hope this will save someone else from the same amount of trial and error as I have been left with.

DuoKristina · ‎05-26-2021

@RuneS Thanks for sharing your solution!

Duo, not DUO.