Hi everyone,
I’m fairly new to working with n8n, so please bear with me if this has already been answered.
We are using Entra ID in our backend, and I’m currently trying to build a software approval workflow in n8n. I have a form with a dropdown where users can select the software they need. After submission, I want to retrieve information about the currently logged-in user, and later also their manager.
The issue I’m running into is that when I use the Entra ID credentials in n8n, it always authenticates using my own account rather than the submitting user.
Is there a way to enforce authentication against Entra ID so that I can retrieve the actual requesting user’s data? If so, which node or approach would be suitable for this?
Kind regards
Hi @TheLuBu, welcome!
I see the issue. I think the problem is that you are pointing at the /me endpoint, which will always return YOUR account's auth. I think adding an EMAIL field to your form would be a better take, as currently n8n does not support dynamic per-user credential switching or anything of that kind.
So when you add an email to your form, you can then use your admin Graph API to call Entra ID for that specific USER, somewhat like this: https://graph.microsoft.com/v1.0/users/{{ $('On form submission').item.json['Email'] }}
And for the manager I suppose this is how it should look: https://graph.microsoft.com/v1.0/users/{{ $('On form submission').item.json['Email'] }}/manager
So that no per user auth is actually required.
That’s fair, but I immediately see one problem with that approach: it would allow anyone to request software on behalf of someone else, without giving us a reliable way to identify who actually submitted the request in the first place.
For our use case, we need to make sure that the requester’s identity is trustworthy and cannot simply be entered or spoofed manually. Otherwise, the approval workflow could end up using the wrong user and manager context.
So the key requirement is not just passing a user identifier into n8n, but having a secure way to verify who the actual submitter is.
@TheLuBu I think we might be hitting some limitation of the n8n architecture; read this:
And for a truly trustworthy identity I think you need to set up a redirect to an external auth endpoint like Azure, and basically control that. (You can just add basic auth to your form so that only a limited number of people know the password; also, if any user were able to create an auth for another user, that would still require a password or some amount of information that is somewhat safe. But you are correct on that one!)
The reason it’s authenticating as “you” is that n8n operates on a Service Account model. When you link Entra ID, you are granting the n8n application a static token tied to your identity, rather than “impersonating” whoever happens to be clicking the form. To fix this, you need to decouple who is submitting from how n8n talks to Entra.
The best approach is to set up an App Registration in Azure with Application Permissions (specifically User.Read.All). Instead of having n8n “log in” as the user, have your form pass the submitter’s email address to an n8n Webhook. You then use the Microsoft Graph node to “Get User” and “Get Manager” by querying that specific email. This allows n8n to act as a trusted agent that can look up anyone in the directory, regardless of who triggered the workflow.