First published on MSDN on Sep 21, 2017
Authored by Sjoukje Zaal
This is the third part in the series about securing your Logic Apps. In the previous post, I've described how to add several Access restriction policies to your API inside of the API Management Service. In this post, I was going to show how you can leverage the Validate JWT Access Restriction Policy. But when I did some research for this article, I found out that, to proper implement that policy, it is better to first secure your Logic App with Azure Active Directory using API Management. And as this is also a great topic for this series, I've decided to add this as well. So, a little side step is added to this series.
In this series:
For this article, I've used the Logic App which is created in the
of this series, and the API Management service which is created in the
Grant Permissions inside Azure Active Directory
The first step is to grant permissions inside the Azure Active Directory for your Logic App. The Logic App is added to Azure AD as part as the configuring and publishing process from Visual Studio. To access the Azure Directory Tenant from the Azure Portal, click
Azure Active Directory
in the left menu, and then
Inside the App Registration window, click on the
The Settings page is openend. In there, click on
Select the API.
You can choose between two different APIs in the next screen for authenticating your application with Azure AD. In here select
Windows Azure Active Directory.
In the next screen, the application permissions are set. As we only want to authenticate to Azure Active Directory, you only need to select the
Read Directory Data
Register the Azure API Management Service in Azure Active Directory
Next, is to register the Azure API Management Service as an application in Azure Active Directory.
Inside the Azure AD tenant, in the Azure Portal, click
again. Then click on
New Application Registrations
, in the top menu.
Name the application, I've named mine
as an application pick
Web app / api
and fill in the API Management Service URL as the sign-on URL and append with '/signin'. In my case this is:
After creation, click the
tab of the App. Change the App ID URI to the API Management Service URL and append with '/SecureLogicApp':
. Click the
Configure an API Management OAuth 2.0 Authorization Server
Now, open the API Management service in the Azure Portal and click
in the left menu.
Add an optional name, like
. In the 'Client registration page URL' box, add a placeholder URL, like
Next add, the
Authorization Endpoint URL
Token Endpoint URL.
These values can be retrieved from the App Endpoints Page of the Azure AD application which is registered in the previous step. For this, you have to navigate to the Azure Active Directory tenant in the Azure Portal.
OAuth 2.0 authorization endpoint
and paste it into the
Authorization endpoint URL
OAuth 2.0 token endpoint
and paste it into the
Token endpoint URL
textbox. Add an additional body parameter to the URL with
Name = resource
and Value = the App ID of the SecureLogicApp. You can obtain this URL from the Azure Active Directory tenant in the Azure Portal.
Next, specify the
. These are the credentials for the resource you want to access, in this case the Azure API Management application which is added in the previous step. In the Azure Portal, this is called the
For generating a client secret, click
in the left menu, add a description and select
for expiration. Click the save button to save the configuration and display of the key.
Copy the key to the client secret field in the OAuth Service creation page.
Below the client secret is a. authorization code field. Copy the URL, switch back to the Azure AD portal and paste it in the
field of the
API Management App
The next step is to configure the permissions for the API Management application. Click
and check the box for
Read Directory Data.
Select An API
, and in the search box type the name of the Logic App and select it from the list and click select.
For the permissions, there is only one possibility,
. Check it.
button, and after that, the
Enable OAuth 2.0 Authorization in the API Management Portal
Now that the OAuth 2.0 server is configured, you can enable it in the API Management portal. Switch over to the API Management portal in the Azure Portal, click
in the left menu and select the
. Click the
In there, under the
and below select the OAuth 2.0 server. Save your settings.
Now, it is time to test the App. Something strange happened here, when I click the
tab, next to the
tab at the top of the window, it is not possible to select the
. But, when I open the Developer Portal, there is a possibility to select it. So, we have to do it from there.
To open the Developer Portal, click the menu item at the top of the Azure Management Service. Then, click
and click the
Scroll down a bit and in the Authorization section, click the
OAuth 2 Server
dropdown and select
And now comes the cool part...
a window pops up! Wow!! Trust the application, by clicking the
(Sorry for the Dutch language...)
After accepting the permissions, you get an access token and you can now test your API.
There will be a lot of production scenarios where you want to secure your Logic App with Azure AD. There are a lot of steps involved and it was kind of a puzzle to implement this in the 'new' Azure Portal, as the documentation I've found regarding this topic, was all aiming at the Classic Portal. I actually did not meet my deadline for this article because of this. But finally, it worked!
The next article will cover the Validate JWT Access Restriction Policy. So, stay tuned!