Forum Discussion
What service principal is used to authenticate Logic Apps to Azure resources?
Hi Kidd, I understand what you're saying, but in the scenario I described in my original post I am not using any managed identities.
For connectors that require OAuth, the authentication process typically involves granting permissions to a service principal associated with the Logic App or the connector itself. This service principal acts on behalf of the Logic App to access the ARM API.
This is correct, but I'm not able to find that service principal for connectors that utilize the Azure Resource Management API, only for connectors that utilize the Graph API.
The "magic" here is that Azure handles the token issuance and validation process behind the scenes. When the Logic App makes a request to the ARM API, Azure validates the Managed Identity and ensures it has the appropriate RBAC permissions to perform the requested action.
This isn't the case in my question, because I'm not using Managed Identities.
You are right. When using OAuth-based connectors (without Managed Identity), Logic Apps rely on a Microsoft-managed service principal for authentication to the ARM API.
Unlike Graph API connectors, this service principal is not visible in Enterprise Applications.
Azure handles token issuance and validation behind the scenes, ensuring the request has the correct RBAC permissions.
To track it, check Azure AD Sign-In Logs or assign ARM API permissions to a custom App Registration as a test.
Microsoft could definitely make this more transparent.
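One way to carry out the sign-in log check suggested in the last reply, as an added example that is not part of the original thread: it groups exported sign-in records whose audience is ARM by client application and identity, then lists the client app IDs that have no entry in your own Enterprise Applications export. The field names follow the Microsoft Graph `signIn` resource and are an assumption about your export format; the records and the non-ARM/Graph GUIDs are constructed.

```python
from collections import Counter

# Well-known app ID of the ARM audience; sign-in logs show it as
# "Windows Azure Service Management API".
ARM_RESOURCE_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"

def arm_callers(records):
    """Count sign-ins to ARM per (client appId, display name, identity)."""
    counts = Counter()
    for r in records:
        if (r.get("resourceId") or "").lower() != ARM_RESOURCE_ID:
            continue  # token was issued for some other API
        if r.get("userPrincipalName"):
            # Delegated token: the connection acts as the user who authorized it.
            who = "delegated:" + r["userPrincipalName"].lower()
        elif r.get("servicePrincipalId"):  # assumed field name
            who = "app-only:" + r["servicePrincipalId"]
        else:
            who = "unknown"
        key = (r.get("appId") or "", r.get("appDisplayName") or "", who)
        counts[key] += 1
    return counts

def clients_without_tenant_object(counts, tenant_app_ids):
    """Client appIds seen calling ARM that are absent from the tenant's app list."""
    known = {a.lower() for a in tenant_app_ids}
    return sorted({app for (app, _, _) in counts if app.lower() not in known})

# Constructed sample records (not real tenant data).
CONNECTOR_APP = "aaaaaaaa-0000-0000-0000-000000000001"
TEST_APP = "bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE = [
    {"appId": CONNECTOR_APP, "appDisplayName": "Constructed Connector App",
     "resourceId": ARM_RESOURCE_ID, "userPrincipalName": "alice@example.com"},
    {"appId": CONNECTOR_APP, "appDisplayName": "Constructed Connector App",
     "resourceId": ARM_RESOURCE_ID, "userPrincipalName": "Alice@example.com"},
    {"appId": TEST_APP, "appDisplayName": "Custom Test Registration",
     "resourceId": ARM_RESOURCE_ID,
     "servicePrincipalId": "cccccccc-0000-0000-0000-000000000003"},
    {"appId": CONNECTOR_APP, "appDisplayName": "Constructed Connector App",
     "resourceId": GRAPH_RESOURCE_ID, "userPrincipalName": "alice@example.com"},
]

if __name__ == "__main__":
    seen = arm_callers(SAMPLE)
    for (app, name, who), n in seen.items():
        print(f"{n:3d}  {app}  {name}  {who}")
    print("no tenant object:", clients_without_tenant_object(seen, [TEST_APP]))
```

Feed it both the interactive and non-interactive user sign-in exports as well as the service principal sign-in export, since connector token refreshes are typically logged as non-interactive.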