Power Automate - Building Flows
Answered

Secure When an HTTP request is received

Hello Power Automate Community,
 
I hope you can help, please.
 
I'm looking for advice on how best to secure a Flow which has the trigger "When an HTTP request is received". I've read through all the documents I can find and watched numerous videos, but what I'm trying to achieve is this. 
  1. I created a Flow using the "When an HTTP request is received" and it generated the URL. Here is a fake example: "https;//lotsofcharacters.blarblar.com".
  2. I then go into a third party application, such as Salesforce, ServiceNow etc. From that third party application, when something happens, let's say a record is created, the third party system will send a webhook message with information in the body to my Flow example URL above.
  3. It then triggers the Flow and the Flow does what it's meant to do.
Everything is perfect except the example URL to trigger my Flow can be called by anyone from anywhere, so if someone gets hold of the example URL they can trigger the Flow. 
 
My question is, how do I make it so that the Flow can only be triggered if the call comes from the third party system such as Salesforce, ServiceNow, Jira etc?
 
Two things I explored were:
  1. Trigger Conditions | Adding a trigger condition so if there is something specific in the body, header etc, then only fire. But this wouldn't stop potential DOS attacks, I believe.
  2. Authentication | There is the "who can trigger this flow" dropdown on the trigger, but as the call is coming from a third party then I couldn't work out how to use this.
Any thoughts would be greatly appreciated.
 
Thanks,
 
Garry
 
 
  • CU01081947-0
    Hello @VeGETzX,

    Thanks for the response. That's a shame it can't be done and the only workaround is trigger conditions. 

    All the best, 

    Garry
  • Verified answer
    VeGETzX

    I have tried something similar before.

    I used an HTTP trigger to receive requests from a third-party service. During the process, I discovered that:

    • We cannot set 'Who can trigger the flow' to specific users or restrict it to the organization. This is because enabling this option requires all incoming requests to be authenticated via Microsoft Entra ID, which is not supported by standard webhooks.
    • Using trigger conditions is the best approach if you have logic to correctly verify that the requests are coming from a trusted source.
      • With trigger conditions, even if someone sends a request to your URI, it won't trigger the flow unless it meets the specified condition. This means that if the person doesn't know your detection logic, they cannot trigger your flow, and it should prevent the DOS attack that you are aware of.

    Here’s an example of using a trigger condition to validate a secret key in the request header.
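
The example referred to in the answer above did not survive on this page. The following is an added illustration, not the poster's own, of a shared-secret header check written as a trigger condition in the Logic Apps workflow definition format that flows are built on; in the Power Automate designer only the expression string is entered under the trigger's Settings > Trigger conditions. The header name `x-example-secret` and the secret value are placeholders chosen for this example.

```json
{
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Http",
      "inputs": {
        "schema": {}
      },
      "conditions": [
        {
          "expression": "@equals(triggerOutputs()?['headers']?['x-example-secret'], 'PLACEHOLDER-REPLACE-WITH-LONG-RANDOM-VALUE')"
        }
      ]
    }
  }
}
```

The third-party system's webhook configuration has to send the same header and value with every call. The endpoint still receives every request sent to the URL; the condition only decides whether a flow run is started.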

     
     
