
Microsoft Graph

Scope of Integration

The Yellow.ai integration with Microsoft Graph lets you connect to and use Microsoft Graph services from the yellow.ai platform. Any customer with an Azure Active Directory tenant can connect and call Microsoft Graph APIs from yellow.ai. The connector provides an action node that obtains access tokens, which can then be used to call the Graph APIs.

Configuration

Configuring the integration with Microsoft Graph is straightforward. Follow the steps below to start integrating:

1. Navigate to Integrations Tab

Inside your project, navigate to the Configuration tab, then click the Integrations tab and search for Microsoft Graph.


2. Connect to Microsoft Graph

Click Connect and enter the values from your Azure account in the fields. Once the values are saved, Microsoft Graph is connected and the action node can be used to get an access token, which can then be used to call Microsoft Graph APIs.


Voila! And just like that, you are now connected and can call Microsoft Graph APIs.

If you have multiple accounts, follow the steps above to add each of them.

note
  1. Enter a unique name for each account to easily identify them within the yellow.ai platform. It is recommended to use a name that aligns with its purpose for better usability.
  2. You can add a maximum of 15 accounts.
  3. In a two-tier environment, such as bots with only Development/Live environments, you can add account names only in the development mode. Once added and flows have been built, in the Live mode, you can only choose the account names and not edit them.
  4. In a three-tier environment, such as bots with Staging/Sandbox/Production modes, in Staging and Sandbox modes, you can add and edit new accounts. However, in Production, only the account details added in Staging will be available. You can only map in the production environment.

Authentication methods

When connecting an account, choose how yellow.ai should authenticate with Microsoft Graph using the Grant Type field:

Grant Type | When to use
Client Credentials (app-only) | Default. The bot acts as the application itself, with no signed-in user. Suitable for most Graph operations such as reading users, managing group membership, and updating directory objects.
Password (ROPC - delegated) | The bot signs in as a service account user. Required for operations that Microsoft only allows with a delegated (user) token, most notably resetting a user's password with write-back to on-premises Active Directory (hybrid AD).

When you select Password (ROPC - delegated), two additional fields appear:

  • Username (UPN) – the service account's user principal name (for example, [email protected]).
  • Password – the service account's password.

Prerequisites for the Password (ROPC) grant

This grant type signs in as a real user, so the service account and app registration must be set up to allow it:

  1. Assign an admin role to the service account: Privileged Authentication Administrator (to reset any user, including admins) or Authentication Administrator (for non-admin users only).
  2. Exclude the service account from MFA / Conditional Access / Security Defaults. ROPC cannot satisfy multi-factor authentication; if MFA applies, sign-in fails with error AADSTS53004.
  3. Grant the delegated Microsoft Graph permission UserAuthenticationMethod.ReadWrite.All and provide admin consent.
  4. If your app registration has no client secret, enable Allow public client flows in the app's Authentication settings. (With a client secret, the app is treated as a confidential client and this step is not required.)

note

The Password (ROPC) grant is validated at connect time by signing in as the service account. If the account is subject to MFA, the connection will fail — make sure the prerequisites above are met before connecting.
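As an added example (not yellow.ai's connector code), the following Python shows what the two Grant Type options correspond to at the Microsoft identity platform v2.0 token endpoint, and how to recognise the MFA failure described above from the token response. ROPC sends the service account's username and password straight to the token endpoint, which is why it cannot satisfy MFA. The endpoint URL and form field names are the v2.0 token endpoint's; tenant, client, account and error-response values are constructed placeholders.

```python
"""Build the OAuth 2.0 token requests behind the two Grant Type options and
classify the token endpoint's response.

Added example, not yellow.ai's connector code. Endpoint and form field names
follow the Microsoft identity platform v2.0 token endpoint; every tenant,
client, account and response value below is a constructed placeholder.
"""
from urllib.parse import urlencode

GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"
MFA_ERROR_CODE = "AADSTS53004"  # ROPC sign-in blocked by MFA (error code from the page)


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint for the tenant (tenant GUID or verified domain)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """App-only token: no signed-in user; permissions come from Application grants."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    return token_endpoint(tenant_id), form


def ropc_request(tenant_id: str, client_id: str, username: str, password: str,
                 client_secret: str = None):
    """Delegated token via the password (ROPC) grant: signs in as the service
    account. client_secret is sent only for a confidential client; a public
    client (Allow public client flows enabled) omits it."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": GRAPH_DEFAULT_SCOPE,
    }
    if client_secret:
        form["client_secret"] = client_secret
    return token_endpoint(tenant_id), form


def encode_form(form: dict) -> str:
    """Body as application/x-www-form-urlencoded, which the endpoint expects."""
    return urlencode(form)


def classify_token_error(body: dict) -> str:
    """Map a token endpoint response (parsed JSON) to a short diagnosis."""
    if "access_token" in body:
        return "ok"
    desc = body.get("error_description", "")
    if MFA_ERROR_CODE in desc:
        return "mfa-blocked: exclude the service account from MFA / Conditional Access / Security Defaults"
    if body.get("error") == "invalid_grant":
        return "invalid-grant: check the username/password and that the account is not locked or expired"
    if body.get("error") == "invalid_client":
        return "invalid-client: check the client id/secret or enable public client flows"
    return f"unexpected: {body.get('error', 'unknown')}"


# Constructed sample responses: same shape as the real endpoint, made-up values.
SAMPLE_MFA_FAILURE = {
    "error": "invalid_grant",
    "error_description": "AADSTS53004: sign-in blocked by multi-factor authentication (constructed text)",
}
SAMPLE_SUCCESS = {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.constructed.token"}
```

Run `classify_token_error` on the parsed JSON of the real response when a connect attempt fails; the AADSTS code in `error_description` tells you which prerequisite above was missed.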

Use-cases

The following use-cases are currently supported by the integration:

note

When multiple accounts are added, select the appropriate account for each node, allowing you to leverage the unique functionalities of each account for their intended purposes.

Get access tokens

Access tokens required to call the Graph APIs can be fetched using the action nodes provided in the integration. Note that the necessary permissions must be granted when registering the application in the Azure portal. For more details, see https://docs.microsoft.com/en-us/graph/auth-v2-service.


Reset a user's password (with on-premises AD write-back)

Use the Reset password (on-prem AD) action node to reset a user's password through Microsoft's authentication-methods API. Unlike a standard directory password change (which updates the cloud account only), this flow supports password write-back to on-premises Active Directory, making it suitable for hybrid AD environments where users sign in against on-prem AD.

Inputs:

  • User Principal Name (Email) – the email/UPN of the user whose password is being reset.
  • New Password – the new password. Leave blank to let Microsoft auto-generate one.

Requirements:

  • The account must be connected using the Password (ROPC - delegated) grant type (see Authentication methods).
  • For the password to sync to on-premises AD, Password Writeback must be enabled in Azure AD Connect in your environment.

note

A successful reset returns an "accepted" (HTTP 202) response — Microsoft processes the reset asynchronously and, in hybrid setups, writes it back to on-premises Active Directory shortly after.
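As an added example (not yellow.ai's connector code), the following Python shows how to confirm, before calling the reset flow, that the token an action node returned is a delegated token carrying the UserAuthenticationMethod.ReadWrite.All scope rather than an app-only token, and how to interpret the 202 response described above. The claim names (roles, scp, upn) are the Microsoft identity platform's; the tokens are constructed, unsigned samples so the example runs offline, and decoding here is for inspection only, not signature validation.

```python
"""Inspect the token an action node returns before calling Graph, and
interpret the reset-password response.

Added example, not yellow.ai's connector code. Claim names are the Microsoft
identity platform's; the sample tokens are constructed and unsigned. Decoding
here only reads claims and does NOT verify the signature; Graph verifies it.
"""
import base64
import json

DELEGATED_PERMISSION = "UserAuthenticationMethod.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Delegated tokens carry 'scp' (and a signed-in user); app-only tokens carry 'roles'."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def can_reset_password(claims: dict) -> bool:
    """The reset flow needs a delegated token whose scopes include the ReadWrite.All permission."""
    return token_kind(claims) == "delegated" and DELEGATED_PERMISSION in claims["scp"].split()


def reset_response_status(status_code: int, headers: dict) -> str:
    """Interpret the resetPassword response: 202 means accepted for asynchronous processing."""
    if status_code == 202:
        return "accepted" + (" (poll Location for completion)" if headers.get("Location") else "")
    if status_code in (401, 403):
        return "denied: token lacks the delegated permission or the service account lacks the admin role"
    return f"unexpected HTTP {status_code}"


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token: header + payload + empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens (claim names real, values made up).
APP_ONLY_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "upn": "svc-reset@contoso.example",
    "scp": "User.Read UserAuthenticationMethod.ReadWrite.All",
})
```

An app-only token from the Client Credentials grant fails `can_reset_password` even when the app has broad Application permissions, which is the usual cause of a denied reset; switch the account to the Password (ROPC - delegated) grant and check the token again.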

Supported Version

This integration supports the latest Microsoft Graph version releases.

For more information, please refer to Microsoft Graph Documentation.