0
votes

My Azure Logic App runs as a Managed Service Identity and I am trying to use an Azure AD Connector as a trigger for the App. The connector requires permissions to the Azure AD Graph API, and I have verified that the permissions are correct by authenticating from PowerShell as the MSI service principal (using client credentials) and calling the required Azure AD Graph APIs.

However, I can't seem to tell my Logic App's Azure AD Connector (as opposed to a REST call where I can just set the authentication property) to use the Managed Service Identity.

Since there is no documentation for any Logic Apps connectors provided by Microsoft, I can't tell if there is a well known property on the Azure AD Connector that I can use to tell it how to authenticate. I have the following in my ARM template and would guess there is a customParameterValue to set, but I have no idea what it is.

{
    "type": "Microsoft.Web/connections",
    "name": "[parameters('connections_azuread_name')]",
    "apiVersion": "2016-06-01",
    "location": "eastus",
    "scale": null,
    "properties": {
        "displayName": "Azure AD",
        "customParameterValues": {},
        "api": {
            "id": "[concat('/subscriptions####/providers/Microsoft.Web/locations/eastus/managedApis/', parameters('connections_azuread_name'))]"
        }
    },
    "dependsOn": []
}
1
Not at all. Do you understand what I'm asking? – Jeff

1 Answer

0
votes

I am a little late to the party, I know, but I have been using Managed Identities (MI) a lot of late and have basically come to the conclusion that they are not ready for mainstream use yet. They are a great concept and I hope they continue to grow but limitations such as most connectors not yet supporting them, and the limitation that you can only have 10 logic apps with identities per subscription, severely limit their use.

I have essentially resorted to having a single logic app with a MI that builds the appropriate authentication block for a service based on some passed values, and getting secrets from a Key Vault. Every other logic app calls that "authentication" logic app to get the details they should then pass to calls to APIs, Azure Functions, etc.

I also need to AAD-secure all of my Azure Functions, so again MIs would have been fantastic for LAs being able to call the authenticated functions, but, again, the Azure Function action does not yet support MI (or any authentication really). So I have to resort to calling FAs using the HTTP connector (with authentication) instead.

Logic Apps are so close to awesome that it's frustrating that they just aren't quite there yet!!

To answer your question though, I have found that some connectors will accept an authentication block such as ...

{
  "audience": "XXXXXXXXXXXX",
  "type": "ManagedServiceIdentity"
}
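To show where that authentication block actually goes, here is an added example (not code from the question or the answer above) of an ARM template that deploys a Logic App with a system-assigned identity and uses the built-in HTTP action to call Azure AD Graph as that identity. The workflow name parameter, the recurrence trigger, the "List_users" action name and the "myorganization" tenant alias are assumptions for illustration. The audience for Azure AD Graph is its resource URI, https://graph.windows.net/; the authentication block is a property of the HTTP action's inputs, not of the Microsoft.Web/connections resource shown in the question, which is why it cannot be attached to the managed Azure AD connector there. Note that Azure AD Graph has since been deprecated in favour of Microsoft Graph, whose audience is https://graph.microsoft.com.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workflowName": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Logic/workflows",
      "apiVersion": "2017-07-01",
      "name": "[parameters('workflowName')]",
      "location": "eastus",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "state": "Enabled",
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "triggers": {
            "Recurrence": {
              "type": "Recurrence",
              "recurrence": { "frequency": "Hour", "interval": 1 }
            }
          },
          "actions": {
            "List_users": {
              "type": "Http",
              "inputs": {
                "method": "GET",
                "uri": "https://graph.windows.net/myorganization/users?api-version=1.6",
                "authentication": {
                  "type": "ManagedServiceIdentity",
                  "audience": "https://graph.windows.net/"
                }
              },
              "runAfter": {}
            }
          },
          "outputs": {}
        }
      }
    }
  ]
}
```

Two things to check after deployment: the "identity" block must be present on the workflow resource, otherwise the action fails at runtime with no identity to obtain a token for; and the service principal that Azure creates for the Logic App needs the relevant application permission granted on the Azure AD Graph API, exactly as the asker verified with PowerShell. The same HTTP action pattern, with the audience set to the Function App's AAD application ID URI, is the workaround the answer describes for calling AAD-secured Azure Functions until the Azure Function action supports identities.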