Authenticating Azure API connections in Single-Tenant LogicApp workflows to debug in local VS Code
Published Mar 16 2022 10:54 PM 3,115 Views
Senior Member


Single-Tenant Logic App offering provides the capability to test the Workflows in local dev environment (VS Code). In Single-Tenant Logic App workflow , we have two categories of connectors i.e. Built-In and Azure connectors. Built-In connectors run alongside your local host runtime environment and Azure connectors (API Connections) run in Azure environment. You can use both of these connectors to test/debug in your local VS Code. All required info such as creds, authentication , connections strings of LOB systems will be available in the connections.json , local.settings.json files.


As mentioned , Azure Connectors run in Azure shared connector runtime environment, Workflows need to authenticate to use the Azure API connections from local environment. If you have LogicApp in Azure, LogicApp workflows uses Managed Identity(MI) to authenticate the Azure API connections. But in your local VS Code, we generate a bearer token for each Azure API connection to test in VS Code and store it in local.settings.json file where the token will be valid only for 7 days. At the time of writing this blog, there is no way to regenerate or renew the bearer token and you must recreate new connection to get new token. This would be blocker when you have long-term projects or change requests to debug and deploy.


We would see other workaround to use Azure AD App registration (SPN) for authenticating Azure API connections instead of bearer token. You can follow the below steps.


  1. Create an App registration in the Azure Active directory. You can refer this doc Quickstart: Register an app in the Microsoft identity platform | Microsoft Docs
  2. Build your VS Code projects to either to create or re-use existing Azure API connection.
  3. Edit connections.json file: Edit the authentication type as specified below for all azure API connections to use Azure AD Auth instead of bearer token.
"managedApiConnections": {
"keyvault": {
"api": {
"id": "/subscriptions/YourSubscriptionId/providers/Microsoft.Web/locations/eastus/managedApis/keyvault"
"connection": {
"id": "/subscriptions/YourSubscriptionId/resourceGroups/CaseTest/providers/Microsoft.Web/connections/keyvault-4"
"connectionRuntimeUrl": "",
"authentication": {
"type": "ActiveDirectoryOAuth",
"audience": "",
"credentialType": "Secret",
"clientId": "@appsetting('WORKFLOWAPP_AAD_CLIENTID')",
"tenant": "@appsetting('WORKFLOWAPP_AAD_TENANTID')",
"secret": "@appsetting('WORKFLOWAPP_AAD_CLIENTSECRET')"
"serviceProviderConnections": {
"AzureBlob": {
"parameterValues": {
"connectionString": "@appsetting('AzureBlob_connectionString')"
"serviceProvider": {
"id": "/serviceProviders/AzureBlob"
"displayName": "abcd"


  •  Edit the Local.settings.json file to update with app registration details.

"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"WORKFLOWS_TENANT_ID": "Your Tenant Id",
"keyvault-connectionKey": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjhrcnBtQWM0dVRTTU1tdi14X3NqaHd6WXBpbyJ9..dcnEf04I6iYkmNTML56ctfQjNDdN5pyMOlTQK_n9Yy_kgFM4Qolhz21q3_EepFtuQwgQ2Dz3vxWY69L",
"AzureBlob_connectionString": "sadxadsrgvcz"
  1.   Now, we need to provide access to the SPN on each Azure API connection. Login to Azure Portal--> Go to Azure API  connection --> Access Policies --> Add new access policy to provide access to App Registration.



6.  You can test your Workflows in local VS Code which authenticates the Azure API connections using Active Directory Authentication.


Feel free to reach me if any queries.

1 Comment
Version history
Last update:
‎Jan 19 2022 06:56 PM
Updated by: