Azure SharePoint Logic App Connector Security


Using the SharePoint Logic App connector, how can Azure Key Vault be leveraged in place of hard-coding an AD account?

Currently, we are using a dedicated AD account to authenticate with SharePoint, and our password policy requires we update the password every X months.  As the usage of Azure and SPO grows, this model is quickly becoming unmanageable.

1 Reply

Hi @nullorempty 


The standard Key Vault connector also supports service principals. So you can register a new app in Azure AD, create an access policy in Key Vault for that principal, and use the principal's client ID and secret on the Key Vault connector.


I have been using a system-assigned managed identity to access Key Vault from Azure Logic Apps. The standard Key Vault connector does not support it, so I needed to use the HTTP connector.


1. Enable the system-assigned identity on your Logic App

[Screenshot: Screenshot 2021-01-07 074251.png]

2. Create an access policy in Key Vault for that identity with the needed permissions

3. In your Logic App, the URI for the HTTP action is the identifier of your key/secret/certificate, which you get from Key Vault. Remember to add api-version to the queries with the value 2016-10-01. For authentication, pick Managed Identity and for the audience add https://vault.azure.net

[Screenshot: Screenshot 2021-01-07 075108.png]

The HTTP action returns a JSON object, where the returned value is in the value property.
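The three steps in the reply above, expressed as a single ARM template rather than portal clicks. This is an added example, not code from the original poster or from Microsoft: it deploys a Consumption Logic App with a system-assigned identity, grants that identity `get` on secrets in an existing Key Vault via an access policy, and runs an HTTP action against the secret identifier with Managed Identity authentication and the `https://vault.azure.net` audience. The names `contoso-sp-workflow`, `contoso-kv` and `sharepoint-svc-password` are placeholders and the vault is assumed to already exist in the same resource group. One addition beyond the post: `secureData` on the HTTP action so the fetched secret is not written to the run history in clear text.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workflowName": { "type": "string", "defaultValue": "contoso-sp-workflow" },
    "vaultName":    { "type": "string", "defaultValue": "contoso-kv" },
    "secretName":   { "type": "string", "defaultValue": "sharepoint-svc-password" }
  },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[parameters('workflowName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "triggers": {
            "Recurrence": {
              "type": "Recurrence",
              "recurrence": { "frequency": "Day", "interval": 1 }
            }
          },
          "actions": {
            "Get_secret": {
              "type": "Http",
              "runAfter": {},
              "inputs": {
                "method": "GET",
                "uri": "[concat('https://', parameters('vaultName'), '.vault.azure.net/secrets/', parameters('secretName'))]",
                "queries": { "api-version": "2016-10-01" },
                "authentication": {
                  "type": "ManagedServiceIdentity",
                  "audience": "https://vault.azure.net"
                }
              },
              "runtimeConfiguration": {
                "secureData": { "properties": [ "outputs" ] }
              }
            },
            "Use_secret_value": {
              "type": "Compose",
              "runAfter": { "Get_secret": [ "Succeeded" ] },
              "inputs": "@body('Get_secret')?['value']",
              "runtimeConfiguration": {
                "secureData": { "properties": [ "inputs", "outputs" ] }
              }
            }
          },
          "outputs": {}
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('vaultName'), '/add')]",
      "dependsOn": [
        "[resourceId('Microsoft.Logic/workflows', parameters('workflowName'))]"
      ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(resourceId('Microsoft.Logic/workflows', parameters('workflowName')), '2017-07-01', 'Full').identity.principalId]",
            "permissions": { "secrets": [ "get" ] }
          }
        ]
      }
    }
  ]
}
```

The access policy grants only `get` on secrets, which is all the HTTP action needs; the identity cannot list or enumerate other secrets in the vault. Without `secureData`, the `value` property of the Key Vault response is shown in the Logic App run history to anyone with Reader on the workflow, which would undo the point of moving the password into Key Vault.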