Forum Discussion
What service principal is used to authenticate Logic Apps to Azure resources?
Considering this:
- What Service Principal is used for the OAuth connection to the Azure Resource Management (ARM) API?
- When Logic Apps connect to Azure resources, they often use Managed Identities (either system-assigned or user-assigned) for authentication. Managed Identities are essentially service principals managed by Azure, and they allow Logic Apps to authenticate to Azure Resource Management APIs without needing explicit credentials.
- For connectors that require OAuth, the authentication process typically involves granting permissions to a service principal associated with the Logic App or the connector itself. This service principal acts on behalf of the Logic App to access the ARM API.
- How does the Azure Logic Apps service principal connect to the ARM API without explicit permissions?
- The Azure Logic Apps service principal itself doesn’t inherently have permissions. Instead, Azure uses role-based access control (RBAC) to grant the necessary permissions to the Managed Identity of the Logic App. For example, you might assign the Logic App's Managed Identity a role like "Contributor" or "Reader" on the target resource group or subscription.
- The "magic" here is that Azure handles the token issuance and validation process behind the scenes. When the Logic App makes a request to the ARM API, Azure validates the Managed Identity and ensures it has the appropriate RBAC permissions to perform the requested action.
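Added example, not posted by anyone in this thread: a small Python model of the two steps described above, identifying the calling principal from the token's claims (`oid`, `appid`, `aud`) and then evaluating RBAC role assignments against the requested scope and action. The token is an unsigned sample with placeholder ids, the role definitions are a subset of the built-in Reader and Contributor, and the RBAC check is simplified (no deny assignments or data actions).

```python
import base64
import fnmatch
import json

# Added example, not code from the thread. It models the two separate steps
# Kidd describes: the token identifies WHICH principal is calling ARM, and RBAC
# decides WHAT that principal may do. All ids below are constructed placeholders.

ARM_AUDIENCE = "https://management.azure.com/"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(oid: str, appid: str, tid: str, aud: str = ARM_AUDIENCE) -> str:
    """Build an unsigned JWT with the claim layout of an Entra access token.
    A real managed-identity token is signed by Entra; the signature is left
    empty here because this sample only exercises claim inspection."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud, "iss": f"https://sts.windows.net/{tid}/", "tid": tid,
               "oid": oid, "appid": appid, "idtyp": "app"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def identify_caller(token: str) -> dict:
    """Read the claims that name the calling principal.
    Only the payload is parsed; signature validation is ARM's job, not ours."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return {"object_id": payload.get("oid"), "app_id": payload.get("appid"),
            "tenant": payload.get("tid"), "audience": payload.get("aud")}


# Constructed role definitions: a subset of the built-in Reader and Contributor.
ROLE_DEFINITIONS = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
}


def _scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """Role assignments inherit downward: a scope covers itself and every child."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def _matches_any(action: str, patterns) -> bool:
    # Azure action strings use '*' as a wildcard that may span '/' segments.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def rbac_allows(assignments, principal_oid, resource_scope, action) -> bool:
    """Simplified Azure RBAC check: allowed if some assignment for this principal
    covers the scope and its role lists the action in Actions but not NotActions."""
    for a in assignments:
        if a["principal_oid"].lower() != principal_oid.lower():
            continue
        if not _scope_covers(a["scope"], resource_scope):
            continue
        role = ROLE_DEFINITIONS[a["role"]]
        if _matches_any(action, role["actions"]) and not _matches_any(action, role["not_actions"]):
            return True
    return False


def authorize(token, assignments, resource_scope, action) -> bool:
    """What ARM does conceptually: name the caller from the token, then consult RBAC."""
    caller = identify_caller(token)
    if caller["audience"] != ARM_AUDIENCE:
        return False  # token was issued for a different resource (e.g. Graph)
    return rbac_allows(assignments, caller["object_id"], resource_scope, action)


if __name__ == "__main__":
    tid = "11111111-1111-1111-1111-111111111111"      # placeholder tenant id
    mi_oid = "22222222-2222-2222-2222-222222222222"   # placeholder managed identity object id
    tok = make_sample_token(mi_oid, "33333333-3333-3333-3333-333333333333", tid)
    rg = "/subscriptions/44444444-4444-4444-4444-444444444444/resourceGroups/rg-logic"
    grants = [{"principal_oid": mi_oid, "role": "Reader", "scope": rg}]
    print(identify_caller(tok))
    print(authorize(tok, grants, rg + "/providers/Microsoft.Compute/virtualMachines/vm1",
                    "Microsoft.Compute/virtualMachines/read"))
```

The point of the split is that nothing in the token itself says what the principal may do: `oid` names the identity, and the role assignments on the target scope decide the rest, which is why an identity with Reader at the resource group can read a VM there but not start it or read anything in a sibling resource group.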
- jbfeldman, Mar 10, 2025, Copper Contributor
Hi Kidd, I understand what you're saying, but in the scenario I described in my original post I am not using any managed identities.
> For connectors that require OAuth, the authentication process typically involves granting permissions to a service principal associated with the Logic App or the connector itself. This service principal acts on behalf of the Logic App to access the ARM API.
This is correct, but I'm not able to find that service principal for connectors that utilize the Azure Resource Management API, only for connectors that utilize the Graph API.
> The "magic" here is that Azure handles the token issuance and validation process behind the scenes. When the Logic App makes a request to the ARM API, Azure validates the Managed Identity and ensures it has the appropriate RBAC permissions to perform the requested action.
This isn't the case in my question, because I'm not using Managed Identities.
- balasubramanimMar 14, 2025, Iron Contributor
You are right. When using OAuth-based connectors (without Managed Identity), Logic Apps rely on a Microsoft-managed service principal for authentication to the ARM API.
Unlike Graph API connectors, this service principal is not visible in Enterprise Applications.
Azure handles token issuance and validation behind the scenes, ensuring the request has the correct RBAC permissions.
To track it, check Azure AD Sign-In Logs or assign ARM API permissions to a custom App Registration as a test.
Microsoft could definitely make this more transparent.
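Added example, not posted by anyone in this thread: a Python triage of sign-in log records following balasubramanim's suggestion. It takes records in the shape of an Entra sign-in log export for service principals, keeps the ones where a token was obtained for the ARM API, counts them per calling principal, and flags callers whose object id is not among the tenant's own Enterprise Applications (which is what you would expect for a Microsoft-managed principal). The records are constructed with placeholder ids; the two resource ids are the well-known application ids of the ARM API ("Windows Azure Service Management API") and Microsoft Graph, and matching on `resourceId` being the application id is an assumption, so `resourceDisplayName` is checked as a fallback.

```python
import json
from collections import Counter

# Added example, not code from the thread. Field names follow the Entra sign-in
# log export schema; principal ids are constructed placeholders.
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"     # Windows Azure Service Management API
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
ARM_DISPLAY_NAME = "Windows Azure Service Management API"

# Constructed sample records: a connector principal that calls Graph and ARM,
# a Microsoft-managed principal calling ARM, and a managed identity calling ARM.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2025-03-12T09:14:03Z",
  "servicePrincipalId": "aaaaaaaa-0000-0000-0000-000000000001",
  "servicePrincipalName": "logicapp-graph-connector", "appId": "aaaaaaaa-0000-0000-0000-0000000000a1",
  "resourceId": "00000003-0000-0000-c000-000000000000", "resourceDisplayName": "Microsoft Graph",
  "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2025-03-12T09:14:05Z",
  "servicePrincipalId": "aaaaaaaa-0000-0000-0000-000000000001",
  "servicePrincipalName": "logicapp-graph-connector", "appId": "aaaaaaaa-0000-0000-0000-0000000000a1",
  "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceDisplayName": "Windows Azure Service Management API",
  "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2025-03-12T09:15:41Z",
  "servicePrincipalId": "cccccccc-0000-0000-0000-000000000003",
  "servicePrincipalName": "Azure Logic Apps", "appId": "cccccccc-0000-0000-0000-0000000000c3",
  "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceDisplayName": "Windows Azure Service Management API",
  "ipAddress": "203.0.113.11"},
 {"createdDateTime": "2025-03-12T09:16:02Z",
  "servicePrincipalId": "dddddddd-0000-0000-0000-000000000004",
  "servicePrincipalName": "my-logic-app", "appId": "dddddddd-0000-0000-0000-0000000000d4",
  "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "resourceDisplayName": "Windows Azure Service Management API",
  "ipAddress": "203.0.113.12"}
]
""")


def is_arm_signin(record: dict) -> bool:
    """True when the token was issued for the ARM API (id match, name as fallback)."""
    return (record.get("resourceId", "").lower() == ARM_APP_ID
            or record.get("resourceDisplayName") == ARM_DISPLAY_NAME)


def arm_token_requests(records) -> list:
    """Only the sign-ins that obtained an ARM token."""
    return [r for r in records if is_arm_signin(r)]


def callers_by_principal(records) -> Counter:
    """How many ARM tokens each calling principal obtained, keyed by (id, name)."""
    return Counter((r["servicePrincipalId"], r.get("servicePrincipalName", ""))
                   for r in arm_token_requests(records))


def unlisted_principals(records, enterprise_app_object_ids) -> set:
    """ARM callers whose object id is not in the tenant's Enterprise Applications list.
    A Microsoft-managed principal, as described in the thread, would land here."""
    known = {i.lower() for i in enterprise_app_object_ids}
    return {r["servicePrincipalId"] for r in arm_token_requests(records)
            if r["servicePrincipalId"].lower() not in known}


if __name__ == "__main__":
    # Placeholder for the object ids you would export from Enterprise Applications.
    tenant_enterprise_apps = {"aaaaaaaa-0000-0000-0000-000000000001",
                              "dddddddd-0000-0000-0000-000000000004"}
    for (sp_id, name), n in callers_by_principal(SAMPLE_SIGNINS).items():
        print(f"{n:3d}  {sp_id}  {name}")
    print("not in Enterprise Applications:", unlisted_principals(SAMPLE_SIGNINS, tenant_enterprise_apps))
```

Run against a real export, the interesting output is the set returned by `unlisted_principals`: a caller that shows up in the logs with ARM as the resource but has no corresponding object in the tenant's Enterprise Applications is the kind of Microsoft-managed principal the reply above describes, and the `ipAddress` and `createdDateTime` fields let you correlate it with the Logic App run history.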