Enhancing Copilot Studio Extensions for SAP by using Adaptive Cards and Principal Propagation
In the previous blog, SAP connectivity from Copilot Studio and Power Platform was explored. Let’s now look at an enhanced version of that scenario, shown in the newer video below:
Scenario description:
Let’s say the salesperson realizes that a material in the sales order placed by the customer is not available and wants to help replace the unavailable item for the customer in the sales order.
The salesperson does the following:
1) The salesperson asks the Copilot to help her look through all the materials in the SAP system to find the best replacement.
2) The salesperson gets a suitable replacement suggestion from Copilot and tries to access material stock information for that material. However, she does not have the required authorization in the SAP system, so the request is denied.
3) The salesperson messages her colleague, who does have the authorization, to check the material stock information for her. The colleague checks the stock information and informs the salesperson that the material is in stock.
4) The salesperson now decides to update the sales order with the new material and remove the old material from the sales order.
As you can see from the video, the scenario has been enhanced with two additional Power Platform and Copilot Studio abilities:
Adaptive cards
Authorization/ Principal Propagation
Below is a description of what they are and how to begin implementing them.
Adaptive cards:
Information returned via chatbots shouldn’t be restricted to looking only as good as the UI of the platform you deploy the bot on. It is more interactive, and more personal to your brand, to be able to choose how users interact with the bot you created. This is where adaptive cards are a game changer.
Adaptive cards in Copilot Studio allow you to add interactive snippets of content, such as text, graphics, and buttons, to enhance conversation experiences with Copilots. You can read more about them here.
Here are some examples in the above scenario where adaptive cards were used:
1) To display information from the SAP system in a digestible and visually appealing format, with the SAP logo to show that the information comes from the SAP system.
2) To create a form-like input while modifying the sales order, providing an easy way to get information from the user, with the SAP logo to show that the change will be made to the SAP system.
To create and modify adaptive cards in Copilot Studio, you can add an adaptive card either to a question or to a message, as shown below.
You can then modify the JSON code (as shown below) to make the card look the way you want, and add URLs for any images or logos you would like to show. You can also use the adaptive card designer to get a better idea of the elements you can make use of.
The code for the adaptive cards used in the scenario is on the GitHub Repo.
Principal Propagation for Authorization:
Principal propagation ensures that a user’s identity is securely passed from one system to another, allowing for proper authorization and access control. It plays a crucial role in maintaining security and seamless user experiences across different systems.
In this case, it ensures that an M365 user has the right access to the SAP system to access information, without having to log in with their SAP credentials. Here is an outline of the steps to implement this:
Set Up Microsoft Entra ID: Entra ID (formerly Azure Active Directory, abbreviated AAD below) serves as the central identity provider for your applications. It manages user identities, authentication, and access control. When a user logs in, AAD validates their credentials and issues tokens (such as JWTs) that represent their identity.
Configure Azure API Management (APIM): APIM acts as a gateway for APIs, managing their exposure, security, and policies. It handles requests from clients and routes them to the appropriate backend services. In APIM, you configure AAD authentication for your APIs. When a client makes a request, APIM validates the token with AAD to ensure the user’s identity. Additionally, APIM forwards requests to the backend system (e.g., SAP) based on the API configuration, including features like caching and rate limiting.
Flow of Principal Propagation:
1) The user requests an APIM endpoint.
2) APIM validates the user’s token with AAD.
3) If valid, APIM extracts the user’s identity.
4) APIM forwards the request to SAP with the user’s identity.
5) SAP uses this identity for authorization. SAP accepts only tokens issued by its own identity provider, so we need to interact with SAP’s identity provider as well.
Integrating with Power Platform: You can create a custom connector in Power Platform that calls the APIM API. This allows you to seamlessly incorporate principal propagation into your Power Automate flow. You can read more about creating a custom connector here.
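The gateway checks in the flow above (validate the token, then extract the identity to propagate) can be sketched as follows. This is an added example, not code from the blog or its GitHub repo: it uses HS256 with a shared demo key as a stand-in for the asymmetric signatures a real identity provider issues, and the issuer, audience, key and function names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real gateway takes these from its configuration.
ISSUER = "https://idp.example/tenant-placeholder/v2.0"
AUDIENCE = "api://sap-gateway-placeholder"
DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the IdP's signing keys

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, alg="HS256", key=DEMO_KEY):
    """Build a constructed test token, playing the identity provider's role."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{head}.{body}.{b64e(sig)}"

def propagate_identity(token, now=None):
    """Return (user, None) if the identity may be forwarded, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(head_b64))
        claims = json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
    except ValueError:
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    if header.get("alg") != "HS256":      # pin the algorithm; rejects alg "none"
        return None, "unexpected algorithm"
    expected = hmac.new(DEMO_KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != AUDIENCE:     # token was issued for a different API
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    user = claims.get("preferred_username")
    if not user:
        return None, "no user identity in token"
    return user, None
```

Only a token that passes every check yields a user name to forward; the audience check is what stops a token issued for some other application from being replayed against the SAP-facing API.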
Here are resources that discuss Principal Propagation and the steps associated with its implementation in detail:
Configure SAP Principal Propagation with AAD and SAP OAuth server
To learn more about how to implement this new version of the scenario, visit the GitHub repo, which has detailed instructions as well as Power Automate flows you can readily import to your environment.