Azure Logic Apps - Authenticate with managed identity for Azure AD OAuth-based connectors

Published Feb 24 2021 11:50 AM 10.6K Views
Microsoft

When you enable and use a managed identity (formerly Managed Service Identity or MSI) for authentication, your logic apps can more easily access Azure resources that are protected by Azure Active Directory (Azure AD). A managed identity removes the need for you to manage credentials or Azure AD tokens by providing Azure services with an identity that is managed by Azure AD.

 

Azure Logic Apps currently supports both system-assigned and single user-assigned managed identities for specific built-in triggers and actions such as HTTP, Azure Functions, Azure API Management, Azure App Services, and so on. This blog post announces preview support for using your logic app's managed identity to authenticate to Azure AD OAuth-based managed connector triggers and actions.

 

Below is the list of connectors supporting managed identity authentication in preview with more support coming for other connectors in the future:

 

Connector 

Connector API name 

Azure Container Instance 

aci 

Azure Resource Manager 

arm 

Azure Automation 

azureautomation 

Azure Data Factory 

azuredatafactory 

Azure Data Lake 

azuredatalake 

Azure Key Vault 

keyvault 

Azure Event Grid 

azureeventgrid 

Azure Sentinel 

azuresentinel 

Azure Data Explorer (Preview) 

kusto 

Azure AD Identity Protection (Preview) 

azureadip 

Azure IoT Central V3 (Preview) 

azureiotcentral 

HTTP with Azure AD 

webcontents 

 

Prerequisites 

  • An Azure account and subscription. If you do not have a subscription, sign up for a free Azure account. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription. 
  • To give managed identity access to an Azure resource, you need to add a role to the target resource for that identity. To add roles, you need Azure AD administrator permissions that can assign roles to identities in the corresponding Azure AD tenant.

Configure managed identity authentication on supported connectors

  1. In the Azure portal, you can either use an existing logic app that has enabled the user-assigned or system-assigned managed identity, or you can create a new logic app and then enable the system-assigned or user-assigned managed identity on your app. The example in this blog post uses a logic app's system-assigned managed identity. You can set up your logic app with either the system-assigned identity or a single user-assigned identity, but not both. A group of logic apps can share a user-assigned identity because they're not bound to a single Azure resource, while the system-assigned identity strictly belongs to a single Azure resource and can't be shared.
  2. On the target Azure resource where you want the managed identity to have access, give that identity role-based access to the target resource. This role lets your logic app authenticate access to the target resource at runtime by using the managed identity’s Azure AD tokens.
  3. In the Azure portal, open your logic app in the Logic App Designer. Add a trigger or action from a connector that supports managed identity authentication and then select an operation. image001.png

     

    The above example in this post sets up the Azure Resource Manager action, named Read a resource, to use the logic app's system-assigned managed identity for authentication and read the specified Azure resource.
  4. Create a new connection by selecting Connect with managed identity (preview).image002.png

     

    The action now shows the managed identity drop-down list, which includes the managed identity type that's currently enabled on the logic app. image003.png

     

    If the managed identity isn't enabled, the following error appears when you try to create the connection. image004.png

     

    After successfully creating the connection, the designer can fetch any dynamic values, content, or schema by using managed identity authentication.
  5.  Provide the required input for the action that you selected. The connection name appears at the bottom of the action shape.image005.png

     

  6. Add any other actions that your logic app requires to run. When you're done, save the workflow.
  7. To test your logic app, on the designer toolbar, select Run.

 

How does a connection with a managed identity work at runtime?

Connections that you created to use a managed identity are a special connection type that you can use only with a managed identity.image006.png

 

 

 

At runtime, the connection uses the managed identity that’s enabled on the logic app. This configuration is saved in the logic app definition’s parameters object, which contains the $connections property object that includes pointers to the connection’s resource ID, the api’s resource ID and connectionProperties. The authentication property in connectionProperties contains user-assigned identity’s resource id if a user-assigned identity is associated with the logic app. No additional input is required in authentication property object other than type, if a system-assigned identity is associated with the logic app.image007.png

 

 

During runtime, the Logic Apps service checks whether any managed connector trigger and actions in the logic app are configured to use the managed identity and that all the required permissions are set up to use the managed identity for accessing the target resources that are specified by the trigger and actions. If successful, the Logic Apps service retrieves the Azure AD token that’s associated with the managed identity and uses that token to authenticate to the target resource and perform the configured operation in trigger and actions.

 

Next steps

We’d like your feedback! Please try the managed identity support managed connections that support Azure AD OAuth and let us know what you think. Stay tuned for managed identity support in more connectors such as SQL Server, Office, Power platform, and other Azure connectors. 

14 Comments
Senior Member

It would be really nice this would work with Office 365 Outlook actions too.  Maybe I'm missing something, but so far it does not seem like it's possible.

Occasional Contributor

Managed Identity, and also Service Principal, seem to have no ability to query subscriptions with Azure Monitor connector, as described here, despite MI being promoted to subscription owner (to test)

https://docs.microsoft.com/en-us/answers/questions/263744/trouble-connecting-to-monitor-log-in-logic...

Microsoft

Apologies for the delay in response!

@andyinv - We are actively working on investigating the managed identity authentication issues with azure monitor logs connector along with our dependencies. I will update this thread as soon as we have a fix and ready for rollout. Apologies for the inconvenience.

 

@Jonathan Lefebvre - Managed identity authentication with outlook connector is currently not supported. We are working with outlook team for adding the support in future but unfortunately i don't have an ETA for same as of now.

Occasional Contributor

Is it correct that the managed identity is not possible for the following API connections:

- Azure Storage Account

?

 

I need to read/write StorageTable and StorageContainer. The client context is LogicApps (same region as of the storage accounts).

 

If the above list is current (I assume so since an ARM deployment failed which works for Azure KeyVault/ApiConnectionUsingSystemIdentity), what is the ETA on this?

Microsoft

@AvineshwarTexas it is not currently supported for the connector itself; however, you can use an HTTP action with Managed Identity to connect to storage via REST API as a workaround for now.

Occasional Visitor

@nidhipathak I am not able to use managed identity setup with HTTP connector. It is always throwing - "

WorkflowManagedIdentityNotSpecified. The workflow '<workflow name>' does not have managed identity enabled or the identity has been deleted. If the managed identity of the workflow is updated recently, please wait for 2 minutes and try again. See https://aka.ms/logicapps-msi for details."
 
Here is the setup - 
manish34124_0-1617177738800.png

 

Leet me know if required some more info.

Occasional Contributor

@nidhipathak . Does managed identity work with Microsoft Teams.  I am trying to have logic app send a message to a specific Teams channel and wanted to see if I could use Managed identity for authentication ?

Occasional Visitor

Hi, ARM deployment to empty RG (using managed ACI connection) returns :

The API connection 'aci' is not configured to support managed identity


LogicApp Identity:

          "identity": {
              "type": "SystemAssigned"
            },


ConnectionProperties (Logic App parm):

 "connectionProperties": {
       "authentication": {
             "type": "ManagedServiceIdentity"
                 }
       }


It deploys ACI API connection, but it is not authorized.



Regular Visitor

@michal-ml Did you resolve your issue? I've come across the same problem when trying to enable managed identity from Logic to ACI:

                                "connectionProperties": {
                                    "authentication": {
                                        "type": "ManagedServiceIdentity"
                                    }
                                },
{
            "type": "Microsoft.Web/connections",
            "apiVersion": "2016-06-01",
            "name": "[variables('APIConnection')]",
            "location": "[parameters('location')]",
            "kind": "V1",
            "properties": {
                "displayName": "[variables('azureinstancename')]",
                "customParameterValues": {},
                "api": {
                    "id": "[concat('/subscriptions/', parameters('subscriptionID'),'/providers/Microsoft.Web/locations/', parameters('location'),'/managedApis/aci')]"
                }
            }
        } 
Occasional Visitor

Hi, unfortunately not as excepted. I had to create it manually for the first time. All other deployments with same configuration/properties works after that.

Regular Visitor

@michal-ml Thanks for replying, I'll go down that route for now, real shame it doesnt work.

 

For others that stumble across this heres the error when ran against

'/subscriptions/', parameters('subscriptionID'),'/providers/Microsoft.Web/locations/', parameters('location'),'/managedApis/aci' :
The API connection 'aci' is not configured to support managed identity

 

Senior Member

@nidhipathak  are there any news regarding Azure Monitor Logs connector authentication using Managed Identities or Service Principal?

Do I have to use a normal user dedicated to Logic Apps?
Does it works if user has MFA?

Thanks for your feedback.

Luca

Senior Member

@andyinv  I can confirm that using Service Principal it's working!

Occasional Visitor

Given that this is now in preview for 7+ months, is there anything known about when this will become GA?

I have searched and looked at several blogs and documentation pages, including Azure Updates, but could not find anything hinting at this.

 

(Using the Key Vault Connector in Logic Apps with System Assigned Managed Indentity.)

%3CLINGO-SUB%20id%3D%22lingo-sub-2088322%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2088322%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20would%20be%20really%20nice%20this%20would%20work%20with%20Office%20365%20Outlook%20actions%20too.%26nbsp%3B%20Maybe%20I'm%20missing%20something%2C%20but%20so%20far%20it%20does%20not%20seem%20like%20it's%20possible.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2138796%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2138796%22%20slang%3D%22en-US%22%3E%3CP%3EManaged%20Identity%2C%20and%20also%20Service%20Principal%2C%20seem%20to%20have%20no%20ability%20to%20query%20subscriptions%20with%20Azure%20Monitor%20connector%2C%20as%20described%20here%2C%20despite%20MI%20being%20promoted%20to%20subscription%20owner%20(to%20test)%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fanswers%2Fquestions%2F263744%2Ftrouble-connecting-to-monitor-log-in-logic-app.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fanswers%2Fquestions%2F263744%2Ftrouble-connecting-to-monitor-log-in-logic-app.html%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2066254%22%20slang%3D%22en-US%22%3EAzure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2066254%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22font-size%3A%20medium%3B%20font-family%3A%20inherit%3B%22%3EWhen%20you%20enable%20and%20use%20a%20%3C%2FSPAN%3E%3CA%20style%3D%22font-size%3A%20medium%3B%20font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Emanaged%20identity%3C%2FA%3E%3CSPAN%20style%3D%22font-size%3A%20medium%3B%20font-family%3A%20inherit%3B%22%3E%20(formerly%20Managed%20Service%20Identity%20or%20MSI)%20for%20authentication%2C%20your%20logic%20apps%20can%20more%20easily%20access%20Azure%20resources%20that%20are%20protected%20by%20Azure%20Active%20Directory%20(Azure%20AD).%20A%20managed%20identity%20removes%20the%20need%20for%20you%20to%20manage%20credentials%20or%20Azure%20AD%20tokens%20by%20providing%20Azure%20services%20with%20an%26nbsp%3Bidentity%20that%20is%20managed%20by%26nbsp%3BAzure%20AD.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20class%3D%22WordSection1%22%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%200in%3B%20line-height%3A%20normal%3B%20vertical-align%3A%20baseline%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%223%22%3EAzure%20Logic%26nbsp%3BApps%20currently%26nbsp%3Bsupports%26nbsp%3Bboth%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Esystem-assigned%3C%2FA%3E%E2%80%AFand%E2%80%AFsingle%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fmanaged-identities-azure-resources%2Foverview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Euser-assigned%3C%2FA%3E%E2%80%AFmanaged%20identities%20for%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flogic-apps%2Flogic-apps-securing-a-logic-app%23add-authentication-outbound%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Especific%20built-in%20triggers%20and%20actions%3C%2FA%3E%20such%20as%20HTTP%2C%20Azure%20Functions%2C%20Azure%20API%20Management%2C%20Azure%20App%20Services%2C%20and%20so%20on.%20This%20blog%20post%20announces%20preview%20support%20for%20using%20your%20logic%20app's%20managed%20identity%20to%20authenticate%20to%20Azure%20AD%26nbsp%3BOAuth-based%20managed%26nbsp%3Bconnector%20triggers%20and%20actions.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%200in%3B%20line-height%3A%20normal%3B%20vertical-align%3A%20baseline%3B%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBelow%20is%20the%20list%20of%20connectors%20supporting%20managed%20identity%20authentication%20in%20preview%20with%20more%20support%20coming%20for%20other%20connectors%20in%20the%20future%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20border%3D%221%22%20width%3D%22400px%22%20cellspacing%3D%220%22%20cellpadding%3D%220%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3E%3CSTRONG%3EConnector%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3E%3CSTRONG%3EConnector%26nbsp%3BAPI%20name%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Container%20Instance%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eaci%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Resource%20Manager%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Earm%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Automation%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazureautomation%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Data%20Factory%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazuredatafactory%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Data%20Lake%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazuredatalake%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Log%20Analytics%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazureloganalytics%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Key%20Vault%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Ekeyvault%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Event%20Grid%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazureeventgrid%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Sentinel%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazuresentinel%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20Data%20Explorer%20(Preview)%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Ekusto%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20AD%20Identity%20Protection%20(Preview)%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Eazureadip%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EAzure%20IoT%20Central%20V3%20(Preview)%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%20valign%3D%22bottom%22%3E%3CP%3Eazureiotcentral%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22243px%22%3E%3CP%3EHTTP%20with%20Azure%20AD%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22156px%22%3E%3CP%3Ewebcontents%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CH4%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%20id%3D%22toc-hId-150092372%22%3E%26nbsp%3B%3C%2FH4%3E%0A%3CH4%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%20id%3D%22toc-hId--1657362091%22%3EPrerequisites%26nbsp%3B%3C%2FH4%3E%0A%3CUL%3E%0A%3CLI%3EAn%20Azure%20account%20and%20subscription.%20If%20you%26nbsp%3Bdo%20not%26nbsp%3Bhave%20a%20subscription%2C%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Ffree%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Esign%20up%20for%20a%20free%20Azure%20account%3C%2FA%3E.%20Both%20the%20managed%20identity%20and%20the%20target%20Azure%20resource%20where%20you%20need%20access%20must%20use%20the%20same%20Azure%20subscription.%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3ETo%20give%26nbsp%3Bmanaged%26nbsp%3Bidentity%20access%20to%20an%20Azure%20resource%2C%20you%20need%20to%20add%20a%20role%20to%20the%20target%20resource%20for%20that%20identity.%20To%20add%20roles%2C%20you%20need%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Froles%2Fpermissions-reference%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20AD%20administrator%20permissions%3C%2FA%3E%E2%80%AFthat%20can%20assign%20roles%20to%20identities%20in%20the%20corresponding%20Azure%20AD%20tenant.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH4%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%20id%3D%22toc-hId-830150742%22%3EConfigure%20managed%20identity%20authentication%20on%20supported%20connectors%3C%2FH4%3E%0A%3COL%3E%0A%3CLI%3EIn%20the%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EAzure%20portal%3C%2FA%3E%2C%E2%80%AFyou%20can%20either%20use%20an%20existing%26nbsp%3Blogic%20app%20that%20has%20enabled%20the%20user-assigned%20or%20system-assigned%20managed%20identity%2C%20or%20you%20can%20create%20a%20new%20logic%20app%20and%20then%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flogic-apps%2Fcreate-managed-service-identity%23enable-managed-identity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eenable%20the%20system-assigned%20or%20user-assigned%20managed%20identity%3C%2FA%3E%20on%20your%20app.%20The%20example%20in%20this%20blog%20post%20uses%20a%20logic%20app's%20system-assigned%20managed%20identity.%20You%20can%20set%20up%20your%20logic%20app%20with%20either%20the%20system-assigned%20identity%20or%20a%E2%80%AFsingle%E2%80%AFuser-assigned%20identity%2C%20but%20not%20both.%26nbsp%3BA%20group%20of%20logic%20apps%20can%20share%20a%20user-assigned%20identity%20because%20they're%20not%20bound%20to%20a%20single%20Azure%20resource%2C%20while%20the%20system-assigned%20identity%26nbsp%3Bstrictly%26nbsp%3Bbelongs%26nbsp%3Bto%20a%20single%20Azure%20resource%20and%20can't%20be%20shared.%3C%2FLI%3E%0A%3CLI%3EOn%20the%20target%20Azure%20resource%20where%20you%20want%20the%20managed%20identity%20to%20have%20access%2C%20%3CA%20style%3D%22font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flogic-apps%2Fcreate-managed-service-identity%23access-other-resources%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Egive%20that%20identity%20role-based%20access%20to%20the%20target%20resource%3C%2FA%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E.%20This%20role%20lets%20your%20logic%20app%20authenticate%20access%20to%20the%20target%20resource%20at%20runtime%20by%20using%20the%20managed%20identity%E2%80%99s%20Azure%20AD%20tokens.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3EIn%20the%E2%80%AF%3CA%20style%3D%22font-family%3A%20inherit%3B%20background-color%3A%20%23ffffff%3B%22%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EAzure%20portal%3C%2FA%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%2C%20open%20your%20logic%20app%20in%20the%26nbsp%3BLogic%20App%20Designer.%20Add%26nbsp%3Ba%26nbsp%3Btrigger%20or%20action%26nbsp%3Bfrom%20a%20connector%20that%20supports%20managed%20identity%20authentication%20and%20then%20select%20an%20operation.%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image001.png%22%20style%3D%22width%3A%20862px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246839i0963ED459CE29B83%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image001.png%22%20alt%3D%22image001.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3EThe%20above%20example%20in%20this%20post%20sets%20up%20the%20Azure%20Resource%20Manager%20action%2C%20named%20%3CSTRONG%3ERead%20a%20resource%3C%2FSTRONG%3E%2C%20to%20use%20the%20logic%20app's%20system-assigned%20managed%20identity%20for%20authentication%26nbsp%3Band%20read%26nbsp%3Bthe%26nbsp%3Bspecified%20Azure%20resource.%3C%2FLI%3E%0A%3CLI%3ECreate%20a%20new%20connection%20by%20selecting%20%3CSTRONG%3EConnect%20with%20managed%20identity%20(preview)%3C%2FSTRONG%3E.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image002.png%22%20style%3D%22width%3A%20859px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246843i7A94BBE42A77BC83%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image002.png%22%20alt%3D%22image002.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3EThe%20action%20now%20shows%20the%20managed%20identity%20drop-down%20list%2C%20which%20includes%20the%20managed%20identity%20type%20that's%20currently%20enabled%20on%20the%20logic%20app.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image003.png%22%20style%3D%22width%3A%20856px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246844i22E495CD456CE3F5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image003.png%22%20alt%3D%22image003.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3EIf%20the%20managed%20identity%20isn't%20enabled%2C%20the%20following%20error%20appears%20when%20you%20try%20to%20create%20the%20connection.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image004.png%22%20style%3D%22width%3A%20854px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246845i05983D6171CDA667%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image004.png%22%20alt%3D%22image004.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3EAfter%20successfully%20creating%20the%20connection%2C%20the%20designer%20can%20fetch%20any%20dynamic%20values%2C%20content%2C%20or%20schema%20by%20using%20managed%20identity%20authentication.%3C%2FLI%3E%0A%3CLI%3E%26nbsp%3BProvide%20the%20required%20input%20for%20the%20action%20that%20you%20selected.%20The%20connection%20name%20appears%20at%20the%20bottom%20of%20the%20action%20shape.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image005.png%22%20style%3D%22width%3A%20851px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246846i0333A02BAF32E50A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image005.png%22%20alt%3D%22image005.png%22%20%2F%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3EAdd%20any%20other%26nbsp%3Bactions%20that%20your%20logic%20app%20requires%20to%20run.%20When%20you're%20done%2C%20save%20the%20workflow.%3C%2FLI%3E%0A%3CLI%3ETo%20test%20your%20logic%20app%2C%20on%20the%20designer%20toolbar%2C%20select%20%3CSTRONG%3ERun%3C%2FSTRONG%3E%3CSPAN%20style%3D%22font-family%3A%20Calibri%2C%20sans-serif%3B%20font-size%3A%2011pt%3B%20text-indent%3A%20-0.25in%3B%22%3E.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%200in%3B%20line-height%3A%20normal%3B%20vertical-align%3A%20baseline%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%2013.0pt%3B%20font-family%3A%20'Calibri%20Light'%2Csans-serif%3B%20color%3A%20%232f5496%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH4%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%20id%3D%22toc-hId--977303721%22%3EHow%20does%20a%20connection%20with%20a%20managed%20identity%20work%20at%26nbsp%3Bruntime%3F%3C%2FH4%3E%0A%3CP%3EConnections%20that%20you%20created%20to%20use%20a%20managed%20identity%20are%20a%20special%20connection%20type%20that%20you%20can%20use%20only%20with%20a%20managed%20identity.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image006.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246850i2FAE0324DDE91286%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22image006.png%22%20alt%3D%22image006.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%200in%3B%20line-height%3A%20normal%3B%20vertical-align%3A%20baseline%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAt%20runtime%2C%20the%20connection%20uses%20the%20managed%20identity%20that%E2%80%99s%20enabled%20on%20the%20logic%20app.%20This%20configuration%20is%20saved%20in%20the%20logic%20app%20definition%E2%80%99s%20%3CSTRONG%3Eparameters%3C%2FSTRONG%3E%20object%2C%20which%20contains%20the%20%3CSTRONG%3E%24connections%3C%2FSTRONG%3E%20property%20object%20that%20includes%20pointers%26nbsp%3Bto%26nbsp%3Bthe%20connection%E2%80%99s%20resource%20ID%2C%26nbsp%3Bthe%20api%E2%80%99s%20resource%20ID%20and%20connectionProperties.%20The%20%3CSTRONG%3Eauthentication%3C%2FSTRONG%3E%20property%20in%20connectionProperties%20contains%20user-assigned%20identity%E2%80%99s%20resource%20id%20if%20a%20user-assigned%20identity%20is%20associated%20with%20the%20logic%20app.%20No%20additional%20input%20is%20required%20in%20authentication%20property%20object%20other%20than%20type%2C%20if%20a%20system-assigned%20identity%20is%20associated%20with%20the%20logic%20app.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22image007.png%22%20style%3D%22width%3A%20870px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246849i945502F2A7A16A39%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22image007.png%22%20alt%3D%22image007.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%200in%3B%20line-height%3A%20normal%3B%20vertical-align%3A%20baseline%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EDuring%20runtime%2C%20the%20Logic%20Apps%20service%20checks%20whether%20any%26nbsp%3Bmanaged%20connector%20trigger%20and%20actions%20in%20the%26nbsp%3Blogic%20app%20are%20configured%20to%20use%20the%20managed%20identity%26nbsp%3Band%20that%20all%20the%20required%20permissions%20are%20set%20up%20to%20use%20the%20managed%20identity%20for%20accessing%20the%20target%20resources%20that%20are%20specified%20by%20the%20trigger%20and%20actions.%20If%20successful%2C%20the%20Logic%20Apps%20service%20retrieves%20the%20Azure%20AD%20token%20that%E2%80%99s%20associated%20with%20the%20managed%20identity%20and%20uses%20that%20token%20to%20authenticate%20to%20the%20target%20resource%20and%20perform%20the%20configured%20operation%20in%20trigger%20and%20actions.%3C%2FP%3E%0A%3CP%20class%3D%22MsoNormal%22%20style%3D%22margin-bottom%3A%200in%3B%20line-height%3A%20normal%3B%20vertical-align%3A%20baseline%3B%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH4%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%20id%3D%22toc-hId-1510209112%22%3ENext%20steps%3C%2FH4%3E%0A%3CP%3EWe%E2%80%99d%20like%20your%20feedback!%20Please%20try%20the%20managed%20identity%20support%20managed%20connections%20that%20support%20Azure%20AD%20OAuth%20and%20let%20us%20know%20what%20you%20think.%20Stay%20tuned%20for%20managed%20identity%20support%20in%20more%20connectors%20such%20as%20SQL%20Server%2C%20Office%2C%20Power%20platform%2C%20and%20other%20Azure%20connectors.%26nbsp%3B%3C%2FP%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2066254%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22bloglogo_upload.PNG%22%20style%3D%22width%3A%20359px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F246830i3BA308342C22829F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22bloglogo_upload.PNG%22%20alt%3D%22bloglogo_upload.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAzure%20Logic%26nbsp%3BApps%20currently%26nbsp%3Bsupports%26nbsp%3Bmanaged%20identities%20for%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Flogic-apps%2Flogic-apps-securing-a-logic-app%23add-authentication-outbound%22%20rel%3D%22noopener%20noreferrer%22%20target%3D%22_blank%22%3Especific%20built-in%20triggers%20and%20actions%3C%2FA%3E.%20This%20blog%20post%20announces%20preview%20support%20for%20using%20your%20logic%20app's%20managed%20identity%20to%20authenticate%20to%20Azure%20AD%26nbsp%3BOAuth-based%20managed%26nbsp%3Bconnector%20triggers%20and%20actions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2066254%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ELogic%20Apps%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163456%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163456%22%20slang%3D%22en-US%22%3E%3CP%3EApologies%20for%20the%20delay%20in%20response!%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F683671%22%20target%3D%22_blank%22%3E%40andyinv%3C%2FA%3E%26nbsp%3B-%20We%20are%20actively%20working%20on%20investigating%20the%20managed%20identity%20authentication%20issues%20with%20azure%20monitor%20logs%20connector%20along%20with%20our%20dependencies.%20I%20will%20update%20this%20thread%20as%20soon%20as%20we%20have%20a%20fix%20and%20ready%20for%20rollout.%20Apologies%20for%20the%20inconvenience.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F77791%22%20target%3D%22_blank%22%3E%40Jonathan%20Lefebvre%3C%2FA%3E%26nbsp%3B-%20Managed%20identity%20authentication%20with%20outlook%20connector%20is%20currently%20not%20supported.%20We%20are%20working%20with%20outlook%20team%20for%20adding%20the%20support%20in%20future%20but%20unfortunately%20i%20don't%20have%20an%20ETA%20for%20same%20as%20of%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2215345%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2215345%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20correct%20that%20the%20managed%20identity%20is%20not%20possible%20for%20the%20following%20API%20connections%3A%3C%2FP%3E%3CP%3E-%20Azure%20Storage%20Account%3C%2FP%3E%3CP%3E%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20to%20read%2Fwrite%20StorageTable%20and%20StorageContainer.%20The%20client%20context%20is%20LogicApps%20(same%20region%20as%20of%20the%20storage%20accounts).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20above%20list%20is%20current%20(I%20assume%20so%20since%20an%20ARM%20deployment%20failed%20which%20works%20for%20Azure%20KeyVault%2FApiConnectionUsingSystemIdentity)%2C%20what%20is%20the%20ETA%20on%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2236003%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2236003%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F628220%22%20target%3D%22_blank%22%3E%40AvineshwarTexas%3C%2FA%3E%26nbsp%3Bit%20is%20not%20currently%20supported%20for%20the%20connector%20itself%3B%20however%2C%20you%20can%20use%20an%20HTTP%20action%20with%20Managed%20Identity%20to%20connect%20to%20storage%20via%20REST%20API%20as%20a%20workaround%20for%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2246500%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2246500%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F930953%22%20target%3D%22_blank%22%3E%40nidhipathak%3C%2FA%3E%26nbsp%3BI%20am%20not%20able%20to%20use%20managed%20identity%20setup%20with%20HTTP%20connector.%20It%20is%20always%20throwing%20-%20%22%3C%2FP%3E%3CDIV%3E%3CSTRONG%3EWorkflowManagedIdentityNotSpecified%3C%2FSTRONG%3E%3CSPAN%3E.%20The%20workflow%20'%3CWORKFLOW%20name%3D%22%22%3E'%20does%20not%20have%20managed%20identity%20enabled%20or%20the%20identity%20has%20been%20deleted.%20If%20the%20managed%20identity%20of%20the%20workflow%20is%20updated%20recently%2C%20please%20wait%20for%202%20minutes%20and%20try%20again.%20See%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Flogicapps-msi%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Flogicapps-msi%3C%2FA%3E%20for%20details.%3C%2FWORKFLOW%3E%3C%2FSPAN%3E%22%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EHere%20is%20the%20setup%20-%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22manish34124_0-1617177738800.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F268564iADA0C44F3FE06FF9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22manish34124_0-1617177738800.png%22%20alt%3D%22manish34124_0-1617177738800.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELeet%20me%20know%20if%20required%20some%20more%20info.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2273664%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2273664%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F930953%22%20target%3D%22_blank%22%3E%40nidhipathak%3C%2FA%3E%26nbsp%3B.%20Does%20managed%20identity%20work%20with%20Microsoft%20Teams.%26nbsp%3B%20I%20am%20trying%20to%20have%20logic%20app%20send%20a%20message%20to%20a%20specific%20Teams%20channel%20and%20wanted%20to%20see%20if%20I%20could%20use%20Managed%20identity%20for%20authentication%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2278870%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2278870%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20ARM%20deployment%20to%20empty%20RG%20(using%20managed%20ACI%20connection)%20returns%20%3A%3C%2FP%3E%3CPRE%3EThe%20API%20connection%20'aci'%20is%20not%20configured%20to%20support%20managed%20identity%3C%2FPRE%3E%3CP%3E%3CBR%20%2F%3ELogicApp%20Identity%3A%3C%2FP%3E%3CPRE%3E%20%20%20%20%20%20%20%20%20%20%22identity%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22SystemAssigned%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%2C%3C%2FPRE%3E%3CP%3E%3CBR%20%2F%3EConnectionProperties%20(Logic%20App%20parm)%3A%3C%2FP%3E%3CPRE%3E%20%22connectionProperties%22%3A%20%7B%0A%20%20%20%20%20%20%20%22authentication%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22ManagedServiceIdentity%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%7D%3C%2FPRE%3E%3CP%3E%3CBR%20%2F%3EIt%20deploys%20ACI%20API%20connection%2C%20but%20it%20is%20not%20authorized.%3C%2FP%3E%3CDIV%3E%3CSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2450743%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2450743%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1031294%22%20target%3D%22_blank%22%3E%40michal-ml%3C%2FA%3E%26nbsp%3BDid%20you%20resolve%20your%20issue%3F%20I've%20come%20across%20the%20same%20problem%20when%20trying%20to%20enable%20managed%20identity%20from%20Logic%20to%20ACI%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CPRE%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22connectionProperties%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22authentication%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22ManagedServiceIdentity%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%2C%3C%2FPRE%3E%3CPRE%3E%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22Microsoft.Web%2Fconnections%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22apiVersion%22%3A%20%222016-06-01%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22name%22%3A%20%22%5Bvariables('APIConnection')%5D%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22location%22%3A%20%22%5Bparameters('location')%5D%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22kind%22%3A%20%22V1%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22properties%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22displayName%22%3A%20%22%5Bvariables('azureinstancename')%5D%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22customParameterValues%22%3A%20%7B%7D%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22api%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22id%22%3A%20%22%5Bconcat('%2Fsubscriptions%2F'%2C%20parameters('subscriptionID')%2C'%2Fproviders%2FMicrosoft.Web%2Flocations%2F'%2C%20parameters('location')%2C'%2FmanagedApis%2Faci')%5D%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%7D%26nbsp%3B%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2452282%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2452282%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20unfortunately%20not%20as%20excepted.%20I%20had%20to%20create%20it%20manually%20for%20the%20first%20time.%20All%20other%20deployments%20with%20same%20configuration%2Fproperties%20works%20after%20that.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2452838%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2452838%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1031294%22%20target%3D%22_blank%22%3E%40michal-ml%3C%2FA%3E%26nbsp%3BThanks%20for%20replying%2C%20I'll%20go%20down%20that%20route%20for%20now%2C%20real%20shame%20it%20doesnt%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20others%20that%20stumble%20across%20this%20heres%20the%20error%20when%20ran%20against%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E'%2Fsubscriptions%2F'%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3Bparameters('subscriptionID')%2C%3C%2FSPAN%3E%3CSPAN%3E'%2Fproviders%2FMicrosoft.Web%2Flocations%2F'%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3Bparameters('location')%2C%3C%2FSPAN%3E%3CSPAN%3E'%2FmanagedApis%2Faci'%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3A%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CPRE%3EThe%20API%20connection%20'aci'%20is%20not%20configured%20to%20support%20managed%20identity%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2847319%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2847319%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F930953%22%20target%3D%22_blank%22%3E%40nidhipathak%3C%2FA%3E%26nbsp%3B%20are%20there%20any%20news%20regarding%20Azure%20Monitor%20Logs%20connector%20authentication%20using%20Managed%20Identities%20or%20Service%20Principal%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EDo%20I%20have%20to%20use%20a%20normal%20user%20dedicated%20to%20Logic%20Apps%3F%3CBR%20%2F%3EDoes%20it%20works%20if%20user%20has%20MFA%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%20for%20your%20feedback.%3C%2FP%3E%3CP%3ELuca%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2855075%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2855075%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F683671%22%20target%3D%22_blank%22%3E%40andyinv%3C%2FA%3E%26nbsp%3B%20I%20can%20confirm%20that%20using%20Service%20Principal%20it's%20working!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2870144%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Logic%20Apps%20-%20Authenticate%20with%20managed%20identity%20for%20Azure%20AD%20OAuth-based%20connectors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2870144%22%20slang%3D%22en-US%22%3E%3CP%3EGiven%20that%20this%20is%20now%20in%20preview%20for%207%2B%20months%2C%20is%20there%20anything%20known%20about%20when%20this%20will%20become%20GA%3F%3C%2FP%3E%3CP%3EI%20have%20searched%20and%20looked%20at%20several%20blogs%20and%20documentation%20pages%2C%20including%20Azure%20Updates%2C%20but%20could%20not%20find%20anything%20hinting%20at%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E(Using%20the%20Key%20Vault%20Connector%20in%20Logic%20Apps%20with%20System%20Assigned%20Managed%20Indentity.)%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Mar 10 2021 01:35 PM
Updated by: