2
votes

I have a Logic App that is using a Managed Service Identity (MSI). That logic app is attempting to call an Azure Function that has App Service Authentication enabled, and is set up for "Log in with Azure Active Directory".

The logic app keeps getting "Unauthorised" whenever it calls the Azure Function, no matter what rights or roles I give the MSI.

Can anybody answer the simple question "Do logic apps support using their MSI to call Azure Functions?" If so, can you point me to some information about it? I can find precious little out there.

1
What is the Authorization level in the Integrate of your function? - Joy Wang-MSFT

It's currently on Function, but I have tried all of them at various stages. The authorisation level seems to mostly determine where the key in the URL comes from, or if one is required. As far as I can tell, the AD authorisation happens before this check. - Boschy

1 Answer

4
votes

So, for anybody that is interested, the answer is "yes, kind of".

You cannot use the Azure Function action as it doesn't support any kind of authentication other than going and getting the right key for you (if you're using keys).

You have to use the standard HTTP connector and wire the URL yourself (including the key in the URL or header if your function needs them). For authentication you can set the method to "Managed Identity", which I had seen and used but failed. What I didn't see was the normally hidden "Audience" parameter into which you need to place the App Id (from Azure AD) of the function you are calling.

It now works, even if there is more manual wire up involved.
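
The setup described in the answer above, written out as the HTTP action in the Logic App's code view. This is an added example, not part of the original answer; the action name, the URL parts, the request body and every value in angle brackets are placeholders to replace with your own.

```json
{
  "actions": {
    "Call_function_with_managed_identity": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "POST",
        "uri": "https://<function-app-name>.azurewebsites.net/api/<function-name>",
        "headers": {
          "x-functions-key": "<function-key-if-authorization-level-requires-one>"
        },
        "body": {
          "example": "payload"
        },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "<app-id-of-the-function-app-in-azure-ad>"
        }
      }
    }
  }
}
```

The `audience` property is what the designer exposes as the "Audience" parameter; drop the `headers` entry if the function's authorization level is Anonymous.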