Secure API Calls with the HTTP with Microsoft Entra ID (Preauthorised) Connector in Power Automate Using Certificate Authentication

Introduction

When building automation in Power Automate that interacts with Microsoft Graph or custom APIs, using a secure and scalable authentication method is crucial. The “HTTP with Microsoft Entra ID (Preauthorised)” connector allows just that—especially with certificate-based authentication. In this post, I’ll walk you through how to set it up using client certificate secret authorization, including generating your certificate files, registering your app, configuring your flow, and understanding when (and when not) to use this approach.


Section 1: Setting Up Your App Registration in Microsoft Entra ID

To begin, create an App Registration in Microsoft Entra ID:

  1. Go to Azure Portal
  2. Navigate to Microsoft Entra ID > App registrations > New registration
  3. Give your app a name and set it as single-tenant (or multi-tenant if needed)
  4. Under Certificates & Secrets, you’ll later upload your .cer file
  5. Under API permissions, add the required delegated or application permissions (e.g., Files.ReadWrite.All for OneDrive)
  6. Note down:
    • Application (client) ID
    • Directory (tenant) ID

Section 2: Generate Your .cer and .pfx Certificate Files Using PowerShell

Use the following PowerShell script to generate both the .cer (for uploading to Entra ID) and .pfx (used in Power Automate) files:

# Set variables
$certSubject      = "CN=OneDriveShortcutCertificate"   # Customize the certificate subject as needed
$certOutputFolder = "C:\Users\username\foldername"     # Folder to store your certificates
$pfxFileName      = "HTTPWithMicrosoftEntraID.pfx"     # File name for the .pfx file
$cerFileName      = "HTTPWithMicrosoftEntraID.cer"     # File name for the .cer file

$pfxFilePath = Join-Path -Path $certOutputFolder -ChildPath $pfxFileName
$cerFilePath = Join-Path -Path $certOutputFolder -ChildPath $cerFileName

$certPasswordPlain = "YourStrongPassword123!"          # Replace with a secure password
$securePassword = ConvertTo-SecureString -String $certPasswordPlain -Force -AsPlainText

# Create the output folder if it doesn't exist
if (!(Test-Path -Path $certOutputFolder)) {
    New-Item -ItemType Directory -Path $certOutputFolder | Out-Null
}

# Generate a self-signed certificate in the CurrentUser's Personal store
$cert = New-SelfSignedCertificate -Subject $certSubject `
    -CertStoreLocation "cert:\CurrentUser\My" `
    -KeyExportPolicy Exportable `
    -KeySpec Signature `
    -NotAfter (Get-Date).AddYears(4)

# Export the certificate along with its private key to a PFX file
# (this is the file the Power Automate connection uses)
Export-PfxCertificate -Cert $cert -FilePath $pfxFilePath -Password $securePassword

# Export only the public key portion of the certificate to a .cer file
Export-Certificate -Cert $cert -FilePath $cerFilePath

Write-Output "Self-signed certificate created."
Write-Output "PFX file exported to: $pfxFilePath"
Write-Output "Public certificate (.cer) exported to: $cerFilePath"

⚠️ Replace "YourStrongPassword123!" with your secure password.

Once generated:

  • Upload the .cer file in the Certificates & secrets tab of your app registration.
  • Save the .pfx file and password for use in the connector.
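
The script above leaves an exportable copy of the private key in the CurrentUser certificate store. The following check is an added example, not part of the original script: it confirms that the two exported files belong together, reports the expiry date, and removes the local store copy so the password-protected .pfx is the only place the key lives. It assumes the file names and folder used above and prompts for the password rather than reading it from the script.

```powershell
# Added example: post-generation checks for the files created by the script above.
$certOutputFolder = "C:\Users\username\foldername"   # same folder as in the script above
$pfxFilePath = Join-Path -Path $certOutputFolder -ChildPath "HTTPWithMicrosoftEntraID.pfx"
$cerFilePath = Join-Path -Path $certOutputFolder -ChildPath "HTTPWithMicrosoftEntraID.cer"

# Prompt for the PFX password so it never sits in a script file or in shell history
$securePassword = Read-Host -AsSecureString -Prompt "PFX password"

$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$pfx  = $x509::new($pfxFilePath, $securePassword)
$cer  = $x509::new($cerFilePath)

# 1. Both files must describe the same certificate, and only the PFX may carry the key
if ($pfx.Thumbprint -ne $cer.Thumbprint) { throw "PFX and CER thumbprints differ" }
if (-not $pfx.HasPrivateKey)             { throw "PFX does not contain a private key" }
if ($cer.HasPrivateKey)                  { throw "CER unexpectedly contains a private key" }

# 2. Keep the thumbprint and expiry date; the thumbprint should match the one the
#    app registration shows under Certificates & secrets after the .cer upload
$summary = [pscustomobject]@{
    Subject    = $pfx.Subject
    Thumbprint = $pfx.Thumbprint
    NotAfter   = $pfx.NotAfter
    DaysLeft   = [int](($pfx.NotAfter - (Get-Date)).TotalDays)
}
$pfx.Dispose()   # release the temporary key material loaded from the PFX
$cer.Dispose()

# 3. Remove the certificate and its private key from the local store
$storePath = "Cert:\CurrentUser\My\$($summary.Thumbprint)"
if (Test-Path -Path $storePath) {
    Remove-Item -Path $storePath -DeleteKey
    Write-Output "Removed local store copy: $storePath"
}

$summary
```

Run it once after the export and again whenever the certificate is renewed; `DaysLeft` gives you the date to plan rotation around.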

Section 3: Configure the Connector in Power Automate

  1. In Power Automate, add the “Invoke an HTTP request using Microsoft Entra ID (Preauthorised)” action
  2. Fill out the required fields:
    • Microsoft Entra ID resource URI – e.g., https://graph.microsoft.com
    • Base Resource URL – e.g., https://graph.microsoft.com/v1.0/
    • Tenant ID, Client ID, and the Client Certificate (pfx) with its password
  3. Once configured, the action behaves like a standard HTTP request

Section 4: Use Cases

One of the most powerful use cases for this setup is accessing other users’ OneDrive files without impersonating a user or managing rotating user credentials. For example:

  • Automating document archival for terminated employees
  • Accessing user drives based on security group triggers
  • Sending files from shared libraries or mailboxes to users’ OneDrives

Recently I’ve used it to create synced shortcuts to SharePoint sites in users’ OneDrives. But it could also be used to target pretty much any Graph API endpoint and have it act using the app registration’s permissions.


Section 5: Benefits of Using Certificate-Based Authentication in This Connector

One of the biggest advantages of using the HTTP with Microsoft Entra ID (Preauthorised) connector with certificate authentication is enhanced security and reduced credential exposure. Specifically:

  • No exposed secrets in flow runs: Unlike using the generic HTTP action with OAuth 2.0, this connector hides sensitive credentials. When calling Microsoft Graph or other APIs, you won’t see client secrets in the run history—protecting your app from accidental leaks or screenshots.
  • Centralized credential management: With the certificate stored in the Power Automate connection and managed centrally via Entra ID, there’s no need to embed secrets in individual flows.
  • Improved auditing and isolation: App permissions and actions are clearly tied to the registered application, separating them from user context and improving security posture.
  • No need for user-delegated context: You can make app-only calls (ideal for background automation) without requiring user sign-ins or managing service accounts.

This setup is especially useful in environments where flows are maintained by multiple admins or deployed across environments using pipelines—providing confidence that secrets aren’t exposed.
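
Because every call acts with the app registration's permissions, it is worth confirming what an issued token actually carries before the flow goes live. The example below is added here and is not the connector's own code: it performs the standard Entra ID client-credentials exchange with a certificate-signed assertion, using the .pfx from Section 2, and lists the application permissions in the resulting token. The tenant ID, client ID and file path are placeholders.

```powershell
# Added example: request an app-only Graph token with the certificate and list its roles.
$tenantId = "<tenant-id>"    # placeholder: Directory (tenant) ID from Section 1
$clientId = "<client-id>"    # placeholder: Application (client) ID from Section 1
$pfxPath  = "C:\Users\username\foldername\HTTPWithMicrosoftEntraID.pfx"
$pfxPass  = Read-Host -AsSecureString -Prompt "PFX password"

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    $s += '=' * ((4 - $s.Length % 4) % 4)      # restore the stripped padding
    [Convert]::FromBase64String($s)
}

$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPass)
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$now      = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$utf8     = [System.Text.Encoding]::UTF8

# JWT header and claims for the client assertion; x5t is the base64url SHA-1 thumbprint
$header = @{ alg = "RS256"; typ = "JWT"; x5t = (ConvertTo-Base64Url ($cert.GetCertHash())) }
$claims = @{ aud = $tokenUrl; iss = $clientId; sub = $clientId
             jti = [guid]::NewGuid().ToString(); nbf = $now; exp = $now + 300 }
$headerJson = $header | ConvertTo-Json -Compress
$claimsJson = $claims | ConvertTo-Json -Compress
$unsigned   = (ConvertTo-Base64Url ($utf8.GetBytes($headerJson))) + "." +
              (ConvertTo-Base64Url ($utf8.GetBytes($claimsJson)))

# Sign with the certificate's private key (RSA, SHA-256, PKCS#1 v1.5 padding)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$sig = $rsa.SignData($utf8.GetBytes($unsigned),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$assertion = $unsigned + "." + (ConvertTo-Base64Url $sig)

$resp = Invoke-RestMethod -Method Post -Uri $tokenUrl -Body @{
    grant_type            = "client_credentials"
    client_id             = $clientId
    scope                 = "https://graph.microsoft.com/.default"
    client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    client_assertion      = $assertion
}

# Decode the token payload for inspection only and list the granted application permissions
$payload = $utf8.GetString((ConvertFrom-Base64Url ($resp.access_token.Split('.')[1]))) | ConvertFrom-Json
$payload.roles
```

If the list contains permissions the flow does not need, remove them from the app registration; an application permission such as Files.ReadWrite.All applies to every user's files in the tenant, not to a single drive.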


Conclusion

Using the Microsoft Entra ID (Preauthorised) connector with certificate-based auth is a robust, scalable method for secure, service-to-service API calls. With a one-time setup and regular certificate hygiene, you’ll unlock powerful scenarios in Power Automate—securely.
