As we know, a Logic App connector API connection can be deployed in several ways, such as through an ARM template using Azure CLI, PowerShell or DevOps. In some scenarios, a customer may want to create the API connection using API calls that cannot perform any interactive step (such as logging in with credentials). This article is a step-by-step guide to creating an API connection for a Logic App connector (consumption) using the ARM REST API with a client like Postman.
Register a client application with Azure AD
To register a client that accesses an Azure Resource Manager REST API:
1. Sign in to the Azure portal, then search for and select Azure Active Directory.
2. In the left panel, under Manage, select App registrations > New registration.
3. Enter a display Name for the application and specify who can use the application:
4. Select Register to complete the initial app registration.
5. Once the registration finishes, the Azure portal displays the app registration's Overview pane. The Application (client) ID uniquely identifies your application in the Microsoft identity platform. Please note down the Application (client) ID and Directory (tenant) ID for later use:
6. In the left panel, select Certificates & secrets > Client secrets > New client secret:
7. Add a description for your client secret and select an expiration for the secret or specify a custom lifetime.
8. Select Add.
Note: Please make sure to record the secret's value for use later. This secret value is never displayed again after you leave this page.
9. In the left panel, select API permissions > Add a permission > Microsoft APIs, select Azure Service Management. Select Delegated permissions and select the permissions the client app should have on behalf of the signed-in user. Currently, Azure Service Management API has only one permission listed - user_impersonation.
10. Select Add permissions.
11. Back on the API permissions page, click Grant admin consent:
12. Please grant the registered application the Logic App Contributor role on the target resource group. Go to the resource group, in the left panel, select Access control (IAM) -> Add role assignment:
13. Search for Logic App Contributor:
14. Select the registered application to be assigned the role -> Review + assign:
Note: If the Logic App Contributor role is not assigned, when trying to create the API connection using ARM API, you may encounter the following error:
"message": "The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' does not have authorization to perform action 'Microsoft.Web/connections/write' over scope '/subscriptions/<subscriptionid>/resourceGroups/LAtestRG/providers/Microsoft.Web/connections/testconn58' or the scope is invalid. If access was recently granted, please refresh your credentials."
Acquire an access token
After we have a valid client registration, we can use the OAuth 2.0 client credentials grant (non-interactive clients) to acquire an access token:
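The token request for this grant, as an added Python example that is not code from the original article. It uses the Microsoft identity platform v2.0 token endpoint with the ARM .default scope; the function names, the environment variable names and the GUID check on the IDs are assumptions of this example.

```python
import json
import os
import re
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint and the ARM ".default" scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def build_token_request(tenant_id, client_id, client_secret):
    """Build (but do not send) the client credentials token request."""
    # Accept only GUIDs so a malformed tenant value cannot alter the URL path.
    for name, value in (("tenant_id", tenant_id), ("client_id", client_id)):
        if not GUID.fullmatch(value):
            raise ValueError(f"{name} must be a GUID")
    if not client_secret:
        raise ValueError("client secret is empty")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # sent in the POST body, never in the URL
        "scope": ARM_SCOPE,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def acquire_token(tenant_id, client_id, client_secret):
    """Send the request and return the bearer token used for ARM calls."""
    req = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Variable names are assumptions; the secret is kept out of source code.
    token = acquire_token(os.environ["AZURE_TENANT_ID"],
                          os.environ["AZURE_CLIENT_ID"],
                          os.environ["AZURE_CLIENT_SECRET"])
    # Print only the length: the token is a bearer credential and should not be logged.
    print("token acquired, length", len(token))
```

The returned token goes in the Authorization: Bearer header of the ARM request.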