With the availability of the inline "Execute PowerShell code" action, a few questions have been brought to us, for example how to execute Az commands with this action.
First, let's talk about requirements.
As the documentation states, we need to use a Logic App Standard workflow, and when we add the action, it will create two files: a requirements.psd1 file and the execute_powershell_code.ps1 file, in the workflow folder, for reference.
Add and run PowerShell in Standard workflows - Azure Logic Apps | Microsoft Learn
We can import private modules and public modules, but these aren't imported automatically. We need to specify the modules we need.
So, to make our lives easier, the great folks in the Product Group already gave us some hints on how to import them.
For our purposes, we will import only the Az module.
The Requirements file will need to look like this:
# This file enables modules to be automatically managed by the Functions service.
# See https://aka.ms/functionsmanageddependency for additional information.
#
@{
    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. Uncomment the next line and replace the MAJOR_VERSION, e.g., 'Az' = '5.*'
    'Az' = '10.*'
}
With the module imported, we can now turn to the script itself. This demo is a very simple script that lists the resource groups in the subscriptions.
The example script is as follows:
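# Trigger output of the workflow (not used further in this demo).
$action = Get-TriggerOutput

# Sign in with the logic app's managed identity; discard the returned profile object.
$null = Connect-AzAccount -Identity

# For every subscription the identity can see, emit one object per resource group.
$results = Get-AzSubscription | ForEach-Object {
    $subscriptionName = $_.Name
    # Set-AzContext returns a context object; discard it so it does not end up in $results.
    $null = Set-AzContext -SubscriptionId $_.SubscriptionId
    (Get-AzResourceGroup).ResourceGroupName | ForEach-Object {
        [PSCustomObject] @{
            Subscription  = $subscriptionName
            ResourceGroup = $_
        }
    }
}

# Return the collected list to the workflow.
Push-WorkflowOutput -Output $results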
The trick to making this work is that we're connecting to the Az account with the Managed Identity. The Logic App already has a System Assigned MI out of the box, which allows you to connect to the Az environment, but you will need to assign permissions as well. For my example, I assigned the MI a Contributor role for the subscription, as I was listing all Resource Groups in it. But you may restrict as needed, of course.
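One way to do the role assignment step with least privilege, as an added example that is not part of the original post: listing resource groups only needs read access, so this sketch assigns the built-in Reader role instead of Contributor and warns if the identity already holds a write-capable role. It assumes it is run from an admin session (not inside the workflow) by an account allowed to create role assignments; the three parameters are placeholders you supply.

```powershell
# Added example: grant the logic app's system-assigned identity Reader at subscription scope.
# Parameter values are placeholders supplied by the operator, not values from the post.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $LogicAppName
)
$ErrorActionPreference = 'Stop'

$null  = Set-AzContext -Subscription $SubscriptionId
$scope = "/subscriptions/$SubscriptionId"

# A Standard logic app is a Microsoft.Web/sites resource, so Get-AzWebApp can read it.
$app         = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $LogicAppName
$principalId = $app.Identity.PrincipalId
if (-not $principalId) {
    throw "No system-assigned managed identity found on '$LogicAppName'."
}

# Role assignments the identity already has that apply at this scope.
$existing = @(Get-AzRoleAssignment -ObjectId $principalId -Scope $scope)

# Flag write-capable built-in roles so they can be reviewed and removed.
$broad = $existing | Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' }
foreach ($assignment in $broad) {
    Write-Warning ("Identity holds '{0}' at {1}; the listing script only needs read access." -f
        $assignment.RoleDefinitionName, $assignment.Scope)
}

# Assign Reader only if it is not already present, so the script can be re-run safely.
if ($existing.RoleDefinitionName -notcontains 'Reader') {
    $null = New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Reader' -Scope $scope
}

# Show the resulting assignments for verification.
Get-AzRoleAssignment -ObjectId $principalId -Scope $scope |
    Select-Object RoleDefinitionName, Scope
```

To narrow access further, pass a resource group ID as the scope instead of the subscription; the workflow script then returns only the resource groups the identity can read.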
With the test, you can see that this simple script executes quite nicely, taking about 45 seconds to complete (may depend on user experience and the script complexity). Keep in mind that this is running on a WS1 plan, so it may be a bit slow. Once it caches the request, it's quite fast.
So, to summarize, the steps taken to achieve proper execution for Az commands with the inline PowerShell action were:
- Add the action
- Import the Az module in the requirements file
- Assign the proper role to the Logic App Managed Identity
- Create the script
- Test!
Updated Feb 11, 2025
Version 1.0
Pedro_M_Almeida
Microsoft
Azure Integration Services Blog