Azure Logic Apps - Authenticate with managed identity for Azure AD OAuth-based connectors
Published Feb 24 2021 11:50 AM 30.7K Views
Microsoft

When you enable and use a managed identity (formerly Managed Service Identity or MSI) for authentication, your logic apps can more easily access Azure resources that are protected by Azure Active Directory (Azure AD). A managed identity removes the need for you to manage credentials or Azure AD tokens by providing Azure services with an identity that is managed by Azure AD.

 

Azure Logic Apps currently supports both system-assigned and single user-assigned managed identities for specific built-in triggers and actions such as HTTP, Azure Functions, Azure API Management, Azure App Services, and so on. This blog post announces preview support for using your logic app's managed identity to authenticate to Azure AD OAuth-based managed connector triggers and actions.

 

Below is the list of connectors supporting managed identity authentication in preview with more support coming for other connectors in the future:

 

Connector                                Connector API name
Azure Container Instance                 aci
Azure Resource Manager                   arm
Azure Automation                         azureautomation
Azure Data Factory                       azuredatafactory
Azure Data Lake                          azuredatalake
Azure Key Vault                          keyvault
Azure Event Grid                         azureeventgrid
Azure Sentinel                           azuresentinel
Azure Data Explorer (Preview)            kusto
Azure AD Identity Protection (Preview)   azureadip
Azure IoT Central V3 (Preview)           azureiotcentral
HTTP with Azure AD                       webcontents

Prerequisites 

  • An Azure account and subscription. If you do not have a subscription, sign up for a free Azure account. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription. 
  • To give managed identity access to an Azure resource, you need to add a role to the target resource for that identity. To add roles, you need Azure AD administrator permissions that can assign roles to identities in the corresponding Azure AD tenant.

Configure managed identity authentication on supported connectors

  1. In the Azure portal, you can either use an existing logic app that has enabled the user-assigned or system-assigned managed identity, or you can create a new logic app and then enable the system-assigned or user-assigned managed identity on your app. The example in this blog post uses a logic app's system-assigned managed identity. You can set up your logic app with either the system-assigned identity or a single user-assigned identity, but not both. A group of logic apps can share a user-assigned identity because they're not bound to a single Azure resource, while the system-assigned identity strictly belongs to a single Azure resource and can't be shared.
  2. On the target Azure resource where you want the managed identity to have access, give that identity role-based access to the target resource. This role lets your logic app authenticate access to the target resource at runtime by using the managed identity’s Azure AD tokens.
  3. In the Azure portal, open your logic app in the Logic App Designer. Add a trigger or action from a connector that supports managed identity authentication and then select an operation.

     The example in this post sets up the Azure Resource Manager action named Read a resource to use the logic app's system-assigned managed identity for authentication and read the specified Azure resource.
  4. Create a new connection by selecting Connect with managed identity (preview).

     The action now shows the managed identity drop-down list, which includes the managed identity type that's currently enabled on the logic app.

     If the managed identity isn't enabled on the logic app, an error appears when you try to create the connection.

     After the connection is created, the designer can fetch any dynamic values, content, or schema by using managed identity authentication.
  5. Provide the required input for the action that you selected. The connection name appears at the bottom of the action shape.
  6. Add any other actions that your logic app requires to run. When you're done, save the workflow.
  7. To test your logic app, on the designer toolbar, select Run.

 

How does a connection with a managed identity work at runtime?

Connections that you create to use a managed identity are a special connection type that can be used only with a managed identity.

At runtime, the connection uses the managed identity that's enabled on the logic app. This configuration is saved in the logic app definition's parameters object, whose $connections property object holds, for each connection, pointers to the connection's resource ID, the API's resource ID, and connectionProperties. If a user-assigned identity is associated with the logic app, the authentication property in connectionProperties contains that identity's resource ID. If a system-assigned identity is associated with the logic app, the authentication property object needs no input other than type.

 

 

During runtime, the Logic Apps service checks whether any managed connector triggers or actions in the logic app are configured to use the managed identity, and whether all the required permissions are in place for the managed identity to access the target resources specified by those triggers and actions. If these checks succeed, the Logic Apps service retrieves the Azure AD token associated with the managed identity and uses that token to authenticate to the target resource and perform the configured operation.
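As an added example (not code from the blog post), the ARM template below wires together the pieces the runtime section describes: an API connection for the arm connector deployed with parameterValueType set to Alternative, a logic app with a system-assigned identity, and a $connections parameter whose connectionProperties.authentication.type is ManagedServiceIdentity. The names arm-managed-identity and example-mi-logicapp are placeholders, the actions object is left empty so the Read a resource action can be added in the designer afterwards, and the identity still needs a role assignment on the target resource before that action can succeed.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "location": { "type": "string", "defaultValue": "[resourceGroup().location]" } },
  "variables": {
    "connectionName": "arm-managed-identity",
    "armApiId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/arm')]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/connections",
      "apiVersion": "2016-06-01",
      "name": "[variables('connectionName')]",
      "location": "[parameters('location')]",
      "kind": "V1",
      "properties": {
        "displayName": "Azure Resource Manager via managed identity",
        "parameterValueType": "Alternative",
        "api": { "id": "[variables('armApiId')]" }
      }
    },
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2019-05-01",
      "name": "example-mi-logicapp",
      "location": "[parameters('location')]",
      "identity": { "type": "SystemAssigned" },
      "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('connectionName'))]" ],
      "properties": {
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "parameters": { "$connections": { "type": "Object", "defaultValue": {} } },
          "triggers": { "Recurrence": { "type": "Recurrence", "recurrence": { "frequency": "Day", "interval": 1 } } },
          "actions": {}
        },
        "parameters": {
          "$connections": { "value": { "arm": {
                "connectionId": "[resourceId('Microsoft.Web/connections', variables('connectionName'))]",
                "connectionName": "[variables('connectionName')]",
                "id": "[variables('armApiId')]",
                "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" } }
          } } }
        }
      }
    }
  ]
}
```

For a user-assigned identity the post says the authentication object additionally carries that identity's resource ID; the property name for it is not shown on this page, so treat whatever name you use there as something to verify against the current Logic Apps documentation.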

 

Next steps

We'd like your feedback! Please try managed identity support for managed connections that use Azure AD OAuth and let us know what you think. Stay tuned for managed identity support in more connectors such as SQL Server, Office, Power Platform, and other Azure connectors.

17 Comments
Copper Contributor

It would be really nice if this worked with Office 365 Outlook actions too. Maybe I'm missing something, but so far it does not seem like it's possible.

Brass Contributor

Managed Identity, and also Service Principal, seem to have no ability to query subscriptions with Azure Monitor connector, as described here, despite MI being promoted to subscription owner (to test)

https://docs.microsoft.com/en-us/answers/questions/263744/trouble-connecting-to-monitor-log-in-logic...

Microsoft

Apologies for the delay in response!

@andyinv - We are actively working on investigating the managed identity authentication issues with the Azure Monitor Logs connector along with our dependencies. I will update this thread as soon as we have a fix that is ready for rollout. Apologies for the inconvenience.

 

@Jonathan Lefebvre - Managed identity authentication with the Outlook connector is currently not supported. We are working with the Outlook team to add the support in future, but unfortunately I don't have an ETA for it as of now.

Copper Contributor

Is it correct that the managed identity is not possible for the following API connections?

- Azure Storage Account

 

I need to read/write StorageTable and StorageContainer. The client context is LogicApps (same region as of the storage accounts).

 

If the above list is current (I assume so since an ARM deployment failed which works for Azure KeyVault/ApiConnectionUsingSystemIdentity), what is the ETA on this?

Microsoft

@AvineshwarTexas it is not currently supported for the connector itself; however, you can use an HTTP action with Managed Identity to connect to storage via REST API as a workaround for now.

Copper Contributor

@nidhipathak I am not able to use managed identity setup with the HTTP connector. It is always throwing:

"WorkflowManagedIdentityNotSpecified. The workflow '<workflow name>' does not have managed identity enabled or the identity has been deleted. If the managed identity of the workflow is updated recently, please wait for 2 minutes and try again. See https://aka.ms/logicapps-msi for details."

Here is the setup:

[screenshot]

Let me know if you need more info.

Brass Contributor

@nidhipathak Does managed identity work with Microsoft Teams? I am trying to have a logic app send a message to a specific Teams channel and wanted to see if I could use managed identity for authentication.

Copper Contributor

Hi, ARM deployment to empty RG (using managed ACI connection) returns:

The API connection 'aci' is not configured to support managed identity

LogicApp Identity:

    "identity": {
        "type": "SystemAssigned"
    },

ConnectionProperties (Logic App parm):

    "connectionProperties": {
        "authentication": {
            "type": "ManagedServiceIdentity"
        }
    }

It deploys the ACI API connection, but it is not authorized.



Copper Contributor

@michal-ml Did you resolve your issue? I've come across the same problem when trying to enable managed identity from Logic to ACI:

    "connectionProperties": {
        "authentication": {
            "type": "ManagedServiceIdentity"
        }
    },

    {
        "type": "Microsoft.Web/connections",
        "apiVersion": "2016-06-01",
        "name": "[variables('APIConnection')]",
        "location": "[parameters('location')]",
        "kind": "V1",
        "properties": {
            "displayName": "[variables('azureinstancename')]",
            "customParameterValues": {},
            "api": {
                "id": "[concat('/subscriptions/', parameters('subscriptionID'),'/providers/Microsoft.Web/locations/', parameters('location'),'/managedApis/aci')]"
            }
        }
    }
Copper Contributor

Hi, unfortunately not as expected. I had to create it manually for the first time. All other deployments with the same configuration/properties work after that.

Copper Contributor

@michal-ml Thanks for replying, I'll go down that route for now. Real shame it doesn't work.

For others that stumble across this, here's the error when run against

'/subscriptions/', parameters('subscriptionID'),'/providers/Microsoft.Web/locations/', parameters('location'),'/managedApis/aci' :

The API connection 'aci' is not configured to support managed identity

 

Iron Contributor

@nidhipathak are there any news regarding Azure Monitor Logs connector authentication using Managed Identities or Service Principal?

Do I have to use a normal user dedicated to Logic Apps?
Does it work if the user has MFA?

Thanks for your feedback.

Luca

Iron Contributor

@andyinv  I can confirm that using Service Principal it's working!

Copper Contributor

Given that this is now in preview for 7+ months, is there anything known about when this will become GA?

I have searched and looked at several blogs and documentation pages, including Azure Updates, but could not find anything hinting at this.

 

(Using the Key Vault Connector in Logic Apps with System Assigned Managed Identity.)

Copper Contributor

I managed to get this working using managed identity; all you need to do is to pass the following in the API connection:

    "type": "Microsoft.Web/connections",
    "properties": {
        "parameterValueType": "Alternative"
    }

You might still need to assign a role to the identity in the resource you are trying to access using the identity.

But as mentioned above, you can use a service principal and pass its details in the API connection:

    "type": "Microsoft.Web/connections",
    "properties": {
        "parameterValues": {
            "token:TenantId": "[subscription().tenantId]",
            "token:clientId": "[parameters('servicePrincipleId')]",
            "token:grantType": "client_credentials",
            "token:clientSecret": "[parameters('servicePrincipleSecret')]"
        }
    }

The service principal needs to have the role assigned too.

Silver Contributor

@nidhipathak has any progress been made with adding support for Outlook?

Last update: Mar 10 2021 01:35 PM