Microsoft provides a lot of standard and premium connectors to integrate Power Apps/Power Automate with Microsoft and non-Microsoft systems. But there are scenarios where we require an integration with a system for which no standard or premium connector is available, for example when we want to connect to a custom application running on our on-prem servers. In this situation we have the option to configure a custom connector that can communicate with the custom application and perform operations that are not available otherwise. This custom connector requires a data gateway to establish an on-prem connection to the custom application's REST API. A typical data connection request will look like:
In our implementation, we were trying to use Windows authentication via a custom connector to authenticate and authorize requests to this custom application, which runs on an on-prem server. This scenario requires us to use a data gateway to establish the connection. The configuration itself is straightforward: on the custom connector configuration screen, select Windows authentication and enable the data gateway option. The following images show the connection settings.
Our REST API and custom application are configured to authenticate and authorize requests via Windows authentication. I am not going into detail on the definition part of the custom connector, or on how the REST API and custom application support Windows authentication.
Now the next step is to configure the data gateway to provide access to the users.
There are three types of access we can provide on the data gateway:-
- Connection Creator: This allows the user to create data sources and connections on the gateway
- Connection Creator with resharing: Allows the user to create data sources and connections on the gateway and reshare gateway access
- Admin: Allows the user to manage gateway configurations, credentials and updates
Here comes the big limitation: a custom connector cannot use the data gateway on behalf of users who only have the "Connection Creator" access level. The Microsoft documentation (https://docs.microsoft.com/en-us/power-platform/admin/onpremises-data-gateway-management) states:
“The gateway must be shared with the Admin permission level to be used by custom connectors”
It is impractical to grant Admin access to all business users, so we had to come up with an alternative solution, summarized below.
Because the data gateway can only be used by custom connectors with Admin permission, we introduced a service account that has Admin access on the data gateways; this account is used for the initial setup of the custom connector.
Once the connection is set up, it is shared with the business users, so their requests authenticate against the data gateway, REST API and custom application with the service account's Windows credentials.
For authorization, the current user's name is fetched from the user context in Power Apps / Power Automate and is passed to the REST API as a mandatory header parameter. The REST API then impersonates this user to authorize the request against the custom application.
In summary: business users cannot use the data gateway through a custom connector without Admin permission on the gateway, so we use a service account to configure the gateway, and the same service account is used for Windows authentication on the REST API and custom application. Authorization is done by impersonating the user whose name is passed in a mandatory header parameter.
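The authorization step on the REST API side, as an added example that is not the post's own code: the username header is only honored when the Windows-authenticated caller is the gateway service account, the header value is validated before impersonation, and both identities are written to the audit log. The service account name (CONTOSO\svc-gateway), the header name (X-OnBehalfOf-User) and the DOMAIN\user format are assumptions; the example also generalizes slightly by letting any other Windows-authenticated caller through as themselves, with the header ignored.

```python
import logging
import re

SERVICE_ACCOUNT = r"CONTOSO\svc-gateway"    # constructed; the gateway Admin service account
IMPERSONATION_HEADER = "X-OnBehalfOf-User"  # constructed; the mandatory username header
# Accept DOMAIN\sAMAccountName only: no UPNs, whitespace or multiple values.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}\\[A-Za-z0-9._-]{1,64}$")

log = logging.getLogger("api.authz")


class AuthorizationError(Exception):
    pass


def effective_user(authenticated_name, headers):
    """Return the identity the request is authorized as.

    authenticated_name: the Windows-authenticated principal (DOMAIN\\user) as
                        established by the web server, never taken from a header.
    headers: request headers (looked up case-insensitively).
    Only the service account may act on behalf of another user; any other caller
    is authorized as themselves and the impersonation header is ignored.
    """
    if not authenticated_name:
        raise AuthorizationError("request is not Windows-authenticated")
    lowered = {k.lower(): v for k, v in headers.items()}
    requested = lowered.get(IMPERSONATION_HEADER.lower())

    if authenticated_name.lower() != SERVICE_ACCOUNT.lower():
        if requested is not None:
            # Worth alerting on: someone other than the service account tried to
            # name a different user.
            log.warning("ignoring %s from %s: caller is not the service account",
                        IMPERSONATION_HEADER, authenticated_name)
        return authenticated_name

    if requested is None:
        raise AuthorizationError(f"{IMPERSONATION_HEADER} is mandatory for the service account")
    if not USERNAME_RE.fullmatch(requested):
        raise AuthorizationError("malformed username in impersonation header")
    if requested.lower() == SERVICE_ACCOUNT.lower():
        raise AuthorizationError("service account may not impersonate itself")

    # Audit record pairs the real caller with the impersonated user.
    log.info("authenticated=%s effective_user=%s", authenticated_name, requested)
    return requested
```

The returned name is what the API should impersonate; the impersonation call itself (for example S4U logon on Windows) is outside this snippet.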