Microsoft Dynamics 365 | Integration, Dataverse...

Get access token silently without user interaction

(5) Share

Report

Posted on by Anthony Des

I am developing a React pcf control to consume Graph API.

I'd like to use the token of an application user and I am using the msal library to get token.

I have read this article:

https://taerimhan.com/consuming-microsoft-graph-api-from-pcf-control/

But I cannot find a way to get token totally silently. I don't want that popup opens.

Have you some suggestion? Can I use an alternative library or approach to get token silently?

Categories:

Dynamics 365 general

All responses (5)

Answers (0)

Suggested answer

Saif Ali Sabri 1,522 Super User 2025 Season 1 on at

Like (0)

Report
Get access token silently without user interaction

You're absolutely right about the limitations of using a Power Automate HTTP-triggered flow for retrieving tokens in a Model-Driven App. The lack of a direct way to trigger Power Automate flows from PCF without a static HTTP endpoint makes portability an issue.

Use Dataverse Custom API for Token Retrieval

Create a Dataverse Custom API

Go to Power Apps > Solutions → Create a Custom API to retrieve the token.

Use Power Automate Inside Custom API

The API internally calls a Power Automate flow that retrieves the token using HTTP with Azure AD.

Call the Custom API from PCF Control

typescript
CopyEdit
function getTokenFromDataverse() {
    const request = {
        boundParameter: null,
        operationName: "your_CustomAPIName",
        operationType: 0,
        parameters: {}
    };

    return Xrm.WebApi.online.execute(request)
        .then(response => response.json())
       .then(data => data.token);
}
✅ No hardcoded URLs
✅ Fully portable across environments
✅ Secure and scalable
Anthony Des 18 on at

Like (1)

Report

Get access token silently without user interaction

Saif Ali Sabri you have described my power automate flow, but these are the limits of this approach.

I cannot find any documentation about this javascript/typescript method "window.PowerApps.invokeMethod"

In Canvas App you can run a power automate flow with "Run" command.

In a Model driven App command button doens't support the Run command, so you cannot run a power automate workflow with PowerFx "Run" command and I cannot use PowerFx instructions in a PCF control because I must use javascript/typescript like language.

So in a Model Driven App the only solution remains:

1) create an instant cloud flow to get token that have like first component "When HTTP request is received" and like last component an HTTP response with token returned

2) call this flow from PCF control by javascript/typescript

3) use the token for future calls

The limit of this approach is that is not portable between different environments, because the HTTP post url generated from "When HTTP request is received" changes according environment and there is no way to give it by dataverse or other api calls, unless you don't save this url in an environment variable that will change according environment.

I am looking for a portable way to make api call without use an environment variable to save url to get the token.
Suggested answer

Saif Ali Sabri 1,522 Super User 2025 Season 1 on at

Like (0)

Report
Get access token silently without user interaction

Since you're using Power Platform (Power Apps, Power Automate) and want to get the token without user interaction in a PCF control, the best approach is:
Solution: Use Power Automate to Retrieve the Token
Since Power Apps users already have an active session, the recommended way to obtain a token for Graph API without popups is to trigger a Power Automate flow that retrieves the token on behalf of the application user.
Steps:

Create a Power Automate Flow

Go to Power Automate and create a new Instant Cloud Flow.

Add the "Invoke an HTTP request" (Premium) action.

Configure the request to use HTTP with Azure AD authentication:

Method: POST

URI: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

Headers:

Content-Type: application/x-www-form-urlencoded

Body:

txt
CopyEdit
client_id=your-client-id
&client_secret=your-client-secret
&scope=https://graph.microsoft.com/.default
&grant_type=client_credentials

The response will contain the access token.

Call the Flow from PCF Control

In your PCF control, use PowerApps.invokeMethod to trigger the flow:

javascript
CopyEdit
function callFlow() {
    const flowName = "YourFlowName"; // Replace with actual Flow name
    const requestBody = {}; // Add parameters if needed

    return new Promise((resolve, reject) => {
        window.PowerApps.invokeMethod("Run", requestBody)
            .then(response => resolve(response.access_token))
            .catch(error => reject(error));
    });
}

Use the Token in PCF to Call Graph API

Once you get the token from Power Automate, use it in your PCF control to call Microsoft Graph.

Why This Works?
✅ No popups – The user session is already active.
✅ No manual login – The token is retrieved in the background.
✅ Fully within Power Platform – No external backend like Node.js needed.
This is the best no-interaction solution for Power Apps + PCF control. 🚀 Let me know if you need refinements!
Anthony Des 18 on at

Like (1)

Report

Get access token silently without user interaction

Hi Saif Ali Sabri thanks for your response, but I cannot accept your answer because my backoffice is not made in node.js, but I use only power platform (power automate, power apps etc.).

My users use Powerapps so they have already an active session.

The most simple thing will be recover the token that they already have, but this is not possible because is saved in crypted way on browser side.

The best way will be recover application user token, but it seems that the only way to do this is create a power automate flow that I can trigger by Javascript on my pcf control., without expose client secret on server side that is a bad practice.

Actually I have already made a power automate flow to get application user token and it works, but the problem is that this flow use like first component "When an HTTP request is received", it generates a random url that I cannot retrieve from database so my pcf controI could have to read this url from enviroment variable (if I decide to save it in environment variable) and after trigger the power automate flow to get the application user token. I'd like to find a cleaner solution.
Saif Ali Sabri 1,522 Super User 2025 Season 1 on at

Like (0)

Report
Get access token silently without user interaction

To get a token silently without user interaction in your React PCF control, follow these steps using MSAL with client credentials flow:
Solution: Use Client Credentials Flow

Register an App in Azure AD

Go to Azure Portal > App registrations and create an app.

Assign API permissions → Add Microsoft Graph > Application permissions (e.g., User.Read.All).

Create and store a client secret securely.

Use MSAL Node (Not Browser) for Silent Authentication
Since your requirement is to authenticate as an application user (daemon app) without user interaction, use the Client Credentials Flow in your backend (not in the React frontend).

Install @azure/msal-node:

bash

npm install @azure/msal-node

Example Code to Get Token:

javascript

import { ConfidentialClientApplication } from "@azure/msal-node"; const config = { auth: { clientId: "your-client-id", authority: "https://login.microsoftonline.com/your-tenant-id", clientSecret: "your-client-secret", } }; const cca = new ConfidentialClientApplication(config); async function getToken() { const tokenRequest = { scopes: ["https://graph.microsoft.com/.default"] }; try { const response = await cca.acquireTokenByClientCredential(tokenRequest); return response.accessToken; } catch (error) { console.error("Token acquisition failed", error); return null; } }

3.Use Token in PCF Control

Fetch the token in your backend.

Pass it securely to your React PCF control for Graph API calls.

Why This Works?
No popup: Uses application credentials (no user interaction required). Silent authentication: No browser redirection, direct token retrieval. Secure: Best for server-side processes in PCF controls.
Let me know if you need further details!