Team @mention in private channels using Microsoft Graph in Power Automate

If you are trying to perform an action in Power Automate and find that out-of-the-box actions do not suffice, perhaps using Microsoft Graph in an HTTP call will get the job done.

I recently had a requirement to @mention the team in a team private channel. It is possible to do an @mention to an individual but what if you want to notify everyone in the team channel about an important event?

Here is where Microsoft Graph using delegated permissions can get the requirement across the line. Kudos to Laura Kokkarinen on her great blog for pointing me towards Microsoft Graph.

This solution does require two Premium actions: the Key Vault and HTTP. Whilst the Key Vault is recommended for security, it is not essential, but the Premium HTTP action is required.

The first requirement is setting up an Application Registration in Azure Active Directory to use for OAuth 2.0 authentication in your HTTP Graph calls.

Create a new application:

Screenshot of Azure Application Registration

Give it a meaningful name and go with the default choices, then select Register. On the next screen, choose Call APIs. You will get a default User.Read permission; select Add a permission and, on the next screen, select Microsoft Graph.

Screenshot of Azure request API permissions

Then, depending on the requirements of your solution, choose Delegated or Application permissions. In my particular case, to be able to use ChannelMessage.Send, this was only available as a Delegated permission.

Screenshot of Azure request API permissions

Select the permissions the application needs:

Screenshot of Azure request API specific permissions

Now that you have an application with the requisite permissions, create a client secret.

Screenshot of Azure Application client secrets

At this point when the client secret displays, copy the ‘Value’ column as this will be obscured when you next view the secret details.

Important: copy this key as you will need this in the Azure Key Vault to use in the Power Automate solution. If you write it down somewhere, ensure it is encrypted/protected.

Screenshot of Azure Application key vault

Go back to the Overview tab for your new application and note the Directory (tenant) ID and the Application (client) ID.

The Client Secret and the Service Account (non-MFA) account password for use in the Power Automate solution are sensitive information. We would recommend setting up a Key Vault and storing the sensitive information in the Key Vault Secrets. Power Automate has actions to access the Key Vault, but these are Premium actions.

Screenshot of Azure Application Key Vault Secrets

Create your new Power Automate workflow with a manual trigger, then set up variables for:

  • TenantID
  • ClientID
  • ClientSecret
  • TeamGUID
  • ChannelGUID
  • ChannelGUIDEncoded
  • Username
  • Password

The first three, TenantID, ClientID and ClientSecret, you already have noted from the Azure AD Application.

The TeamGUID is most easily found in the Teams Admin Centre: click on the Team and the GUID is in the browser address bar. Similarly, clicking on the channel will show the ChannelGUID in the address bar, typically in the format of 19:[email protected].

Screenshot of Power Automate workflow

Screenshot of Power Automate workflow

Set up a new Connection to the Azure Key Vault, which will allow you to use the out-of-the-box workflow actions to get the keys for the remaining two variables.

Screenshot of Power Automate workflow

Now that our variables are all set up, with the secret and the ChannelGUID encoded using a Compose, we will use an HTTP call to obtain a valid access token.

Note: this is again a Premium action.

Use an HTTP POST action to:
https://login.microsoftonline.com/<TenantID>/oauth2/token

Content-Type: application/x-www-form-urlencoded

Body

grant_type=password&resource=https://graph.microsoft.com&client_id=<ClientID>&username=<UserName>&password=<Password>&client_secret=<ClientSecret>

Screenshot of Power Automate workflow HTTP request

As always with an HTTP request, run the workflow once now so that you can get the output schema from a successful run.

Screenshot of Power Automate workflow HTTP outputs

Use the Body JSON to generate your schema.

Screenshot of Power Automate workflow Parse JSON

Lastly, add Bearer as a prefix to your token.

It is important that there is a space between the word Bearer and the token.
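The token request and Bearer header described above, as an added Python example that is not part of the original post or the flow itself. It shows why the secret has to be encoded before it goes into the form body (a raw `+` or `&` is misparsed by the server) and how to mask the secrets before a body is logged; the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
SENSITIVE = ("password", "client_secret")

def naive_body(client_id, client_secret, username, password):
    """The body as plain concatenation, with nothing percent-encoded."""
    return ("grant_type=password&resource=https://graph.microsoft.com"
            f"&client_id={client_id}&username={username}"
            f"&password={password}&client_secret={client_secret}")

def build_token_request(tenant_id, client_id, client_secret, username, password):
    """Return (url, headers, body) with every form value percent-encoded."""
    form = {
        "grant_type": "password",
        "resource": "https://graph.microsoft.com",
        "client_id": client_id,
        "username": username,
        "password": password,
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL.format(tenant=tenant_id), headers, urlencode(form)

def redact(body):
    """Mask the secrets before a request body is logged or shared."""
    fields = parse_qs(body, keep_blank_values=True)
    for key in SENSITIVE:
        if key in fields:
            fields[key] = ["REDACTED"]
    return urlencode(fields, doseq=True)

def authorization_header(token_response):
    """Header value from the parsed token response: 'Bearer', one space, token."""
    token = token_response["access_token"].strip()
    if not token:
        raise ValueError("token response has an empty access_token")
    return "Bearer " + token

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = "ab+c&d=e~1"
    args = ("client-id-placeholder", secret, "svc@example.invalid", "pw")
    print(parse_qs(naive_body(*args))["client_secret"])  # what the server would see
    _, _, body = build_token_request("tenant-id-placeholder", *args)
    print(parse_qs(body)["client_secret"])               # round-trips intact
    print(redact(body))
```

In Power Automate the HTTP action's Settings also offer Secure Inputs and Secure Outputs, which keep the request body and the returned token out of the run history.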

Add any logic your solution requires. To post an @mention to the whole team in your private channel, use an HTTP POST as follows.

METHOD: POST
URL: https://graph.microsoft.com/v1.0/teams/<variables('TeamGUID')>/channels/<variables('ChannelGUID')>/messages

Authorization: <variables('AuthorizationHeaderValue')>
Body:
{
  "body": {
    "content": "<at id=\"0\"><variables('ChannelName')></at><p>YOUR MESSAGE TO THE TEAM</p>",
    "contentType": "html"
  },
  "mentions": [
    {
      "id": 0,
      "mentionText": "<variables('ChannelName')>",
      "mentioned": {
        "conversation": {
          "id": "<variables('ChannelGUID')>",
          "displayName": "<variables('ChannelName')>",
          "conversationIdentityType": "channel"
        }
      }
    }
  ]
}

This will then generate the message posted to the team such that all the members of that channel will get an alert.

If you have any difficulty with the formatting of the JSON in the body, it is always worth using https://developer.microsoft.com/en-us/graph/graph-explorer to test your syntax.
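A local check for the message body above, as an added Python example that is not part of the original post. It builds the same payload, percent-encodes the channel id for the URL path, and reports a body that is not valid JSON (curly quotes pasted from a web page are a common cause) or whose `<at id>` tags and `mentions` entries do not line up; the function names and sample ids are constructed for illustration.

```python
import html
import json
import re
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def build_channel_mention(team_id, channel_id, channel_name, message_html):
    """Return (url, json_body) for a channel-wide @mention message."""
    shown = html.escape(channel_name)  # the name is placed inside HTML content
    payload = {
        "body": {
            "content": f'<at id="0">{shown}</at><p>{message_html}</p>',
            "contentType": "html",
        },
        "mentions": [{
            "id": 0,
            "mentionText": channel_name,
            "mentioned": {"conversation": {
                "id": channel_id,
                "displayName": channel_name,
                "conversationIdentityType": "channel",
            }},
        }],
    }
    # The channel id contains ':' and '@', so encode it as one path segment.
    url = (f"{GRAPH}/teams/{quote(team_id, safe='')}"
           f"/channels/{quote(channel_id, safe='')}/messages")
    return url, json.dumps(payload)

def check_mentions(json_body):
    """Return a list of problems found in a message body (empty if none)."""
    try:
        doc = json.loads(json_body)
    except json.JSONDecodeError as err:
        return [f"not valid JSON (check for curly quotes): {err.msg}"]
    content = doc.get("body", {}).get("content", "")
    tagged = {int(n) for n in re.findall(r'<at id="(\d+)">', content)}
    listed = {m["id"] for m in doc.get("mentions", [])}
    problems = [f"<at id={n}> has no mentions entry" for n in sorted(tagged - listed)]
    problems += [f"mentions id {n} is not used in content" for n in sorted(listed - tagged)]
    if doc.get("body", {}).get("contentType") != "html":
        problems.append("contentType is not html")
    return problems

if __name__ == "__main__":
    # Constructed ids and names, not taken from a real tenant.
    url, body = build_channel_mention("team-guid-placeholder",
                                      "19:0000@thread.example", "Project Alerts", "Build failed")
    print(url, check_mentions(body))
```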

Screenshot of Power Automate workflow HTTP Post