One of the core proficiencies of Logic Apps is the ability to connect a broad range of services together, and authentication is a central piece in keeping communications safe and secure. We also want an easy development experience, and managed identity allows users to connect to resources without the hassle of managing credentials themselves. We have supported system-assigned managed identity in Standard and we’re very excited to now bring user-assigned managed identity to this platform.
First, we will walk through how to use a user-assigned managed identity with a managed connector. Second, we will discuss what it means to configure the token store, which is not required in order to use user-assigned identities in general, but can be useful to users who want more fine-grained control over their API connections.
Search for the Key Vault connector and choose an action to add. We will use “List Secrets” in this example.
In connections.json, where information is stored for each API connection, you may notice that there are two separate “authentication” sections for each connection.
The first one, nested under “connectionProperties” (highlighted orange in the original screenshot), is used to authenticate to the target resource (Outlook, Key Vault, etc.) and will change depending on the type of authentication selected in the designer.
The second one, a sibling of “connectionProperties” at the connection level (highlighted green), is the authentication used to communicate with the token store, which, until now, has always been set to “ManagedServiceIdentity” for an app deployed to Azure, with no configurability.
When using an API connection, Logic Apps talks to the target resource in two steps: it first authenticates to the token store (the API connection resource), and only then to the target resource itself.
Step #1 uses the authentication configured for the token store and step #2 uses the authentication configured for the target resource.
In Logic Apps Consumption, step #1 was abstracted away from the user, but that is no longer the case in Standard, as the user now has much more ownership and control over their Logic App resource. Now, with the addition of user-assigned managed identity, this authentication can be switched from the default system-assigned identity to any user-assigned identity, and since this is at a per-connection granularity, user- and system-assigned identities can be mixed and matched between connections.
Changing the token store auth can be useful if you want to share the same API connection between multiple Logic Apps but not add every Logic App’s system-assigned identity to the access policy of the API connection resource. Or, if you don’t want to have system-assigned identity configured on the Logic App at all, you can choose to switch to using user-assigned and disable system-assigned identity on the app altogether.
Note: If the “identity” property is missing, system-assigned managed identity is implicitly used.
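As an added illustration (not a snippet from the original post), this is what a connections.json entry for the Key Vault connection above looks like once both authentication sections point at the same user-assigned identity; the subscription, resource group, region, runtime URL and identity name are placeholders. The “authentication” block inside “connectionProperties” is what Key Vault sees, while the connection-level “authentication” block is what the token store sees; dropping the “identity” property from either block falls back to the app’s system-assigned identity for that step.

```json
{
  "managedApiConnections": {
    "keyvault": {
      "api": {
        "id": "/subscriptions/<subscription-id>/providers/Microsoft.Web/locations/<region>/managedApis/keyvault"
      },
      "connection": {
        "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/connections/keyvault"
      },
      "connectionRuntimeUrl": "<connection-runtime-url>",
      "connectionProperties": {
        "authentication": {
          "type": "ManagedServiceIdentity",
          "identity": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"
        }
      },
      "authentication": {
        "type": "ManagedServiceIdentity",
        "identity": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity-name>"
      }
    }
  }
}
```

With this layout, the user-assigned identity needs an access policy on the API connection resource (for the token store step) and the appropriate Key Vault permissions (for the target resource step); the app’s system-assigned identity is not involved in either step and can be disabled if nothing else uses it.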
We hope this provides a helpful starting point for using user-assigned managed identities with Logic Apps Standard. For more information, see our official documentation here. As always, we appreciate any feedback or suggestions that you may have.