Blog Post

Azure Integration Services Blog

4 MIN READ

Azure Logic Apps - Authenticate with managed identity for Azure AD OAuth-based connectors

Microsoft

Feb 24, 2021

When you enable and use a managed identity (formerly Managed Service Identity or MSI) for authentication, your logic apps can more easily access Azure resources that are protected by Azure Active Directory (Azure AD). A managed identity removes the need for you to manage credentials or Azure AD tokens by providing Azure services with an identity that is managed by Azure AD.

Azure Logic Apps currently supports both system-assigned and single user-assigned managed identities for specific built-in triggers and actions such as HTTP, Azure Functions, Azure API Management, Azure App Services, and so on. This blog post announces preview support for using your logic app's managed identity to authenticate to Azure AD OAuth-based managed connector triggers and actions.

Below is the list of connectors supporting managed identity authentication in preview with more support coming for other connectors in the future:

Connector	Connector API name
Azure Container Instance	aci
Azure Resource Manager	arm
Azure Automation	azureautomation
Azure Data Factory	azuredatafactory
Azure Data Lake	azuredatalake
Azure Key Vault	keyvault
Azure Event Grid	azureeventgrid
Azure Sentinel	azuresentinel
Azure Data Explorer (Preview)	kusto
Azure AD Identity Protection (Preview)	azureadip
Azure IoT Central V3 (Preview)	azureiotcentral
HTTP with Azure AD	webcontents

Prerequisites

An Azure account and subscription. If you do not have a subscription, sign up for a free Azure account. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription.
To give managed identity access to an Azure resource, you need to add a role to the target resource for that identity. To add roles, you need Azure AD administrator permissions that can assign roles to identities in the corresponding Azure AD tenant.

Configure managed identity authentication on supported connectors

In the Azure portal, you can either use an existing logic app that has enabled the user-assigned or system-assigned managed identity, or you can create a new logic app and then enable the system-assigned or user-assigned managed identity on your app. The example in this blog post uses a logic app's system-assigned managed identity. You can set up your logic app with either the system-assigned identity or a single user-assigned identity, but not both. A group of logic apps can share a user-assigned identity because they're not bound to a single Azure resource, while the system-assigned identity strictly belongs to a single Azure resource and can't be shared.
On the target Azure resource where you want the managed identity to have access, give that identity role-based access to the target resource. This role lets your logic app authenticate access to the target resource at runtime by using the managed identity’s Azure AD tokens.
In the Azure portal, open your logic app in the Logic App Designer. Add a trigger or action from a connector that supports managed identity authentication and then select an operation.

The above example in this post sets up the Azure Resource Manager action, named Read a resource, to use the logic app's system-assigned managed identity for authentication and read the specified Azure resource.
Create a new connection by selecting Connect with managed identity (preview).

The action now shows the managed identity drop-down list, which includes the managed identity type that's currently enabled on the logic app.

If the managed identity isn't enabled, the following error appears when you try to create the connection.

After successfully creating the connection, the designer can fetch any dynamic values, content, or schema by using managed identity authentication.
Provide the required input for the action that you selected. The connection name appears at the bottom of the action shape.
Add any other actions that your logic app requires to run. When you're done, save the workflow.
To test your logic app, on the designer toolbar, select Run.

How does a connection with a managed identity work at runtime?

Connections that you created to use a managed identity are a special connection type that you can use only with a managed identity.

At runtime, the connection uses the managed identity that’s enabled on the logic app. This configuration is saved in the logic app definition’s parameters object, which contains the $connections property object that includes pointers to the connection’s resource ID, the api’s resource ID and connectionProperties. The authentication property in connectionProperties contains user-assigned identity’s resource id if a user-assigned identity is associated with the logic app. No additional input is required in authentication property object other than type, if a system-assigned identity is associated with the logic app.

During runtime, the Logic Apps service checks whether any managed connector trigger and actions in the logic app are configured to use the managed identity and that all the required permissions are set up to use the managed identity for accessing the target resources that are specified by the trigger and actions. If successful, the Logic Apps service retrieves the Azure AD token that’s associated with the managed identity and uses that token to authenticate to the target resource and perform the configured operation in trigger and actions.

Next steps

We’d like your feedback! Please try the managed identity support managed connections that support Azure AD OAuth and let us know what you think. Stay tuned for managed identity support in more connectors such as SQL Server, Office, Power platform, and other Azure connectors.

Updated Mar 10, 2021

Version 3.0

Logic Apps

nidhipathak

Microsoft

Joined January 15, 2021

View Profile

Azure Integration Services Blog

Follow this blog board to get notified when there's new activity

nidhipathak
Microsoft
Feb 24, 2021
Apologies for the delay in response!

andyinv - We are actively working on investigating the managed identity authentication issues with azure monitor logs connector along with our dependencies. I will update this thread as soon as we have a fix and ready for rollout. Apologies for the inconvenience.

Jonathan Lefebvre - Managed identity authentication with outlook connector is currently not supported. We are working with outlook team for adding the support in future but unfortunately i don't have an ETA for same as of now.
Jonathan Lefebvre
Copper Contributor
Jan 22, 2021
It would be really nice this would work with Office 365 Outlook actions too. Maybe I'm missing something, but so far it does not seem like it's possible.
andyinv
Brass Contributor
Feb 16, 2021
Managed Identity, and also Service Principal, seem to have no ability to query subscriptions with Azure Monitor connector, as described here, despite MI being promoted to subscription owner (to test)

https://docs.microsoft.com/en-us/answers/questions/263744/trouble-connecting-to-monitor-log-in-logic-app.html
Luca_Bovo
Iron Contributor
Oct 17, 2021
andyinv I can confirm that using Service Principal it's working!
AvineshwarTexas
Copper Contributor
Mar 16, 2021
Is it correct that the managed identity is not possible for the following API connections:
- Azure Storage Account
?

I need to read/write StorageTable and StorageContainer. The client context is LogicApps (same region as of the storage accounts).

If the above list is current (I assume so since an ARM deployment failed which works for Azure KeyVault/ApiConnectionUsingSystemIdentity), what is the ETA on this?
devinsimoneaux
Microsoft
Mar 25, 2021
AvineshwarTexas it is not currently supported for the connector itself; however, you can use an HTTP action with Managed Identity to connect to storage via REST API as a workaround for now.
manish34124
Copper Contributor
Mar 31, 2021
nidhipathak I am not able to use managed identity setup with HTTP connector. It is always throwing - "
WorkflowManagedIdentityNotSpecified. The workflow '<workflow name>' does not have managed identity enabled or the identity has been deleted. If the managed identity of the workflow is updated recently, please wait for 2 minutes and try again. See https://aka.ms/logicapps-msi for details."

Here is the setup -

Leet me know if required some more info.
Vaman-Kini
Brass Contributor
Apr 15, 2021
nidhipathak . Does managed identity work with Microsoft Teams. I am trying to have logic app send a message to a specific Teams channel and wanted to see if I could use Managed identity for authentication ?

michal-ml

Copper Contributor

Apr 20, 2021

Hi, ARM deployment to empty RG (using managed ACI connection) returns :

The API connection 'aci' is not configured to support managed identity

LogicApp Identity:

          "identity": {
              "type": "SystemAssigned"
            },

ConnectionProperties (Logic App parm):

 "connectionProperties": {
       "authentication": {
             "type": "ManagedServiceIdentity"
                 }
       }

It deploys ACI API connection, but it is not authorized.

ElliottLW

Copper Contributor

Jun 15, 2021

michal-ml Did you resolve your issue? I've come across the same problem when trying to enable managed identity from Logic to ACI:

                                "connectionProperties": {
                                    "authentication": {
                                        "type": "ManagedServiceIdentity"
                                    }
                                },

{
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('APIConnection')]",
            "location": "[parameters('location')]",
            "kind": "V1",
            "properties": {
                "displayName": "[variables('azureinstancename')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', parameters('subscriptionID'),'/providers/Microsoft.Web/locations/', parameters('location'),'/managedApis/aci')]"
                }
            }
        }