# Microsoft Power Automate authentication

## Prerequisites

You can choose between the following authentication options:

* **OAuth 2.0 Authorization code**: Connects to the UiPath public application with your Microsoft account credentials, and, optionally, to your shared mailbox.
* **Bring your own OAuth 2.0 app**: Connects to a private application you create, and, optionally, to your shared mailbox.

If you encounter any errors during the sign-in process, contact your Microsoft Power Automate administrator.

## Admin consent

Many organizations require the consent of an administrator before you create a connection to an external application. The admin consent workflow requires an admin to approve the app registration for specific users or groups before a connection is established. For more details, refer to [Overview of admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/admin-consent-workflow-overview) and [User and admin consent in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview) in the Microsoft documentation.

:::note
* Integration Service impersonates the user who creates the connection. That user's credentials give the connection access to all of the same resources the user has in the given application. If you share the connection, every change made to Microsoft Power Automate with that connection is made on behalf of that user.
* The Microsoft Power Automate connector uses OAuth 2.0 to authenticate and access Microsoft Dataverse APIs behind the scenes. Scopes are managed automatically through the Azure AD app and require no manual configuration by the user.
:::

## Scopes

The connector requests the following permissions/scopes:

* OAuth 2.0 Authorization code: `offline_access`, `.default`
* Bring your own OAuth 2.0 app:
  + Minimal scopes for creating a connection: `openid`, `offline_access`

## OAuth 2.0 Authorization code

### Adding the Microsoft Power Automate connection

To create a connection to your Microsoft Power Automate instance, perform the following steps:

1. Select Orchestrator from the product launcher.
2. Select a folder, and then navigate to the **Connections** tab.
3. Select **Add connection**.
4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
5. Select the **OAuth 2.0 Authorization code** authentication type.
6. Enter the environment ID.
7. Add the necessary scopes.
8. Enter the **Tenant ID**.
9. Select **Connect**.
10. Authenticate with your Microsoft email address and password.

### Refresh tokens for OAuth applications

Refresh tokens for OAuth applications can be invalidated or revoked at any time by Microsoft. This can happen for different
reasons, such as timeouts and revocations. For details, see Microsoft's official [documentation](https://learn.microsoft.com/en-us/entra/identity-platform/refresh-tokens#token-expiration).

:::note
Token invalidation causes connections to fail, and automations cannot run until the affected connections are fixed.
:::
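
To tell a revoked or expired refresh token apart from a misconfigured app or a transient outage, you can classify the token endpoint's error response. The following is an added example, not UiPath or Microsoft code; the function name, the action labels, and the sample responses are constructed for illustration.

```python
import json

# Error values from OAuth 2.0 (RFC 6749) and the Microsoft identity platform.
REAUTH_ERRORS = {"invalid_grant", "interaction_required"}  # user must sign in again
CONFIG_ERRORS = {"invalid_client", "unauthorized_client", "invalid_scope"}

def classify_refresh_response(status, body):
    """Map a refresh-token response to an action for the connection owner."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        return {"action": "retry", "error": "non_json_response", "rotated": False}
    if status == 200 and "access_token" in payload:
        # A new refresh token in the response must replace the stored one.
        return {"action": "ok", "error": None,
                "rotated": "refresh_token" in payload}
    error = payload.get("error", "unknown")
    if error in REAUTH_ERRORS:
        action = "reauthenticate"          # token revoked, expired, or MFA needed
    elif error in CONFIG_ERRORS:
        action = "fix_app_registration"    # secret, client ID, or scopes are wrong
    elif status >= 500 or error == "temporarily_unavailable":
        action = "retry"
    else:
        action = "investigate"
    # Return only the error name: never log tokens or the client secret.
    return {"action": action, "error": error, "rotated": False}

# Constructed sample responses (not captured from a real tenant).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                        "access_token": "constructed-access-token",
                        "refresh_token": "constructed-refresh-token"})
SAMPLE_REVOKED = json.dumps({"error": "invalid_grant",
                             "error_description": "constructed sample text"})
SAMPLE_BAD_SECRET = json.dumps({"error": "invalid_client",
                                "error_description": "constructed sample text"})

if __name__ == "__main__":
    for status, body in [(200, SAMPLE_OK), (400, SAMPLE_REVOKED),
                         (401, SAMPLE_BAD_SECRET), (503, "<html>")]:
        print(status, classify_refresh_response(status, body))
```

A `reauthenticate` result means the connection owner has to sign in again; retrying the same refresh token will keep failing.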

Make sure to follow best practices from Microsoft when creating your OAuth applications. For full details on how to create
a Microsoft OAuth app, refer to the Microsoft documentation: [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/graph/auth-register-app-v2).

## Bring your own OAuth 2.0 app

To learn how to create an application, go to Microsoft's official documentation and follow the described steps: [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/graph/auth-register-app-v2).

:::note
This is an advanced functionality and requires admin privileges in the target application. Work with your IT administrator
to set up your application successfully.
:::

### Requirements

When creating your own application to use with Integration Service, you must consider the following requirements:

1. You must configure the application as a **Multitenant** or **Single tenant** application.
2. You must configure a **Web** application.
3. You must configure a **Web** Redirect URI. The Redirect URI (or callback URL) for your OAuth 2.0 application is provided in the authentication screen
   when creating a connection: `https://{baseURL}/provisioning_/callback`.
4. You must set up delegated permissions. For more information, refer to [Permissions](https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http#permission-types) in the Microsoft official documentation.
5. Generate a client secret for your application.
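
The requirements above can be checked against the app registration before you create the connection. The following is an added example, not UiPath or Microsoft code: it inspects a Microsoft Graph `application` object (already exported as JSON) and reports deviations. The function name, the sample objects, and the `baseurl.example` host are constructed; excluding personal-account audiences and flagging non-HTTPS or application (`Role`) permissions are hardening assumptions that go beyond the list.

```python
from urllib.parse import urlsplit

# signInAudience values treated as "Single tenant" / "Multitenant" (assumption).
ALLOWED_AUDIENCES = {"AzureADMyOrg", "AzureADMultipleOrgs"}

def check_app_registration(app, expected_callback):
    """Return a list of findings for a Microsoft Graph application object."""
    findings = []
    if app.get("signInAudience") not in ALLOWED_AUDIENCES:
        findings.append("signInAudience is not single tenant or multitenant")
    web_uris = app.get("web", {}).get("redirectUris", [])
    if expected_callback not in web_uris:
        findings.append("callback URL is not registered as a Web redirect URI")
    for uri in web_uris:
        if urlsplit(uri).scheme != "https" or "*" in uri:
            findings.append("redirect URI is not an exact https URL: " + uri)
    # The callback belongs under the Web platform, not SPA or public client.
    for platform in ("spa", "publicClient"):
        if expected_callback in app.get(platform, {}).get("redirectUris", []):
            findings.append("callback URL is registered under " + platform)
    access = [ra for res in app.get("requiredResourceAccess", [])
              for ra in res.get("resourceAccess", [])]
    if not any(ra.get("type") == "Scope" for ra in access):
        findings.append("no delegated permissions configured")
    if any(ra.get("type") == "Role" for ra in access):
        findings.append("application permissions present; only delegated are needed")
    if not app.get("passwordCredentials"):
        findings.append("no client secret generated")
    return findings

# Constructed samples; GUIDs and host are placeholders, not real identifiers.
CALLBACK = "https://baseurl.example/provisioning_/callback"
ZERO = "00000000-0000-0000-0000-000000000000"
GOOD_APP = {"signInAudience": "AzureADMyOrg",
            "web": {"redirectUris": [CALLBACK]},
            "requiredResourceAccess": [{"resourceAppId": ZERO,
                "resourceAccess": [{"id": ZERO, "type": "Scope"}]}],
            "passwordCredentials": [{"keyId": ZERO}]}
BAD_APP = {"signInAudience": "AzureADandPersonalMicrosoftAccount",
           "web": {"redirectUris": ["http://baseurl.example/provisioning_/callback"]},
           "requiredResourceAccess": [{"resourceAppId": ZERO,
               "resourceAccess": [{"id": ZERO, "type": "Role"}]}],
           "passwordCredentials": []}

if __name__ == "__main__":
    for name, app in (("good", GOOD_APP), ("bad", BAD_APP)):
        print(name, check_app_registration(app, CALLBACK))
```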

### Adding the Microsoft Power Automate connection

To create a connection to your Microsoft Power Automate instance, perform the following steps:

1. Select Orchestrator from the product launcher.
2. Select a folder, and then navigate to the **Connections** tab.
3. Select **Add connection**.
4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
5. Select the **Bring your own OAuth 2.0 app** authentication type.
6. Fill in the required fields: **Client ID**, **Client secret**, **Environment ID**, and **Tenant ID**.
7. Add the necessary scopes.
