This article is contributed. See the original author and article here.

Microsoft Graph API is a powerful REST API that enables access to cloud resources and it supports two types of permissions, application and delegated permissions. 


Some operations do not support application permissions, it only support delegated permissions.


To call Graph API from Azure Logic Apps using delegated permissions, follow the steps below:


1. Register an app, add required delegated API permissions to your registered app and grant admin consent.

  1. Go to your Azure Active directory

  2. From left side menu, click on Manage -> App registerations

  3. Click + New registeration

  4. Specify a name for the registered app and click Register, app Overview is opened.

  5. Copy the Application (client) id and Directory (tenant) id to a text editor for later useInitialize.png

  6. From left side menu, click on Manage -> Certificates & secrets

  7. Under Client secrets, click + New client secret

  8. Specify a description, select an expiry duration and click Add

  9. Copy the secret value to a text editor for later useInitialize.png

  10. From left side menu, click Manage -> API permissions

  11. Click + Add a permission

  12. From select an API, select Microsoft Graph

  13. Select Delegated permissions

  14. Select the permissions by checking the checkbox next to required permissions and click Add permissions

  15. Click Grant admin consent

2. In your Logic app, before the Graph API HTTP action, add another HTTP action to get an access token for Microsoft Graph:

  1. From Method dropdown list, select POST method

  2. For URI, enter tenant id/oauth2/token, for your tenant id, check step 1.e above

  3. Add header with key: Content-Type, value: application/x-www-form-urlencoded

  4. For Body, enter:

grant_type=password&resource= client id&username=service account username&password=service account password&client_secret=client secret


Note that client_id (check step 1.e above) and client_secret (check step 1.i above) are for your registered App, service account username and password are for a user account in your active directory.


3. Add Data operationsParse JSON action

  1. For Content, select Body from the Dynamic content list

  2. For Schema, enter the following schema:


    “properties”: {

        “access_token”: {

            “type”: “string”


        “expires_in”: {

            “type”: “string”


        “expires_on”: {

            “type”: “string”


        “ext_expires_in”: {

           “type”: “string”


        “not_before”: {

            “type”: “string”


        “resource”: {

            “type”: “string”


        “token_type”: {

            “type”: “string”



    “type”: “object”



4. Add VariablesInitialize variable action

  1. Enter name for the variable: AuthorizationHeaderValue

  2. From Type dropdown list, select String


5. Add VariablesSet variable action

  1. From name dropdown list, select AuthorizationHeaderValue variable

  2. For value, enter Bearer  access_token; note that there is a single space left after Bearer, and access_token is selected from Dynamic content list


6. For the last step, the HTTP action that calls Microsoft Graph API

  1. From Method dropdown list, select required method

  2. For URI, enter the graph API method you want to call

  3. Add header with key: Authorization, value: select AuthorizationHeaderValue variable



Your workflow should look as follows:


Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.