0
votes

I have made a little solution to check the expiry date of certificates in a Key Vault and send an email notification to a channel in Teams if any are due to expire within 7 days.

The solution does what I want it to, but I'm not happy about using my personal identity in the 'Create Job' step, where I call the runbook. It seems like anyone who has access to the Logic App could edit this step to call any runbook using my identity.

For clarity, here's a screenshot of the logic app steps (don't have enough rep to paste directly):

Screenshot of azure logic app steps

The runbook is associated with an automation account and uses this account when inspecting the Key Vault (the account has the least permissions needed to do its job). I am selecting this in the Automation Account field of the Create Job task. I don't understand why it was necessary to enter my own personal credentials at all.

Even worse, now that I have added my identity to the Create Job step, I can't seem to remove it: any time I add a new Create Job step in the logic app it is automatically associated with my user account. This is the first time I've used logic apps, so it might be that I'm worrying about nothing.

1
Hi Ian, please refer to the solution I provided below. If it helps with your problem, please accept it as the answer (click on the check mark beside my answer to toggle it from greyed out to filled in). Thanks in advance ~Hury Shen

1 Answer

0
votes

In your case, since you mentioned you don't know how to remove your identity, you just need to remove the connection in the same resource group as your logic app (when you use your identity to connect to the automation account in the logic app, it generates a connection in the same resource group, something like the screenshot below; just delete it). [screenshot]

After deleting the connection, go back to your logic app, delete the "Create Job" action and add a new "Create Job"; it will ask you for a new connection identity.

If you don't want to use your personal identity in the "Create Job" step, you can use "Connect with Service Principal".

[screenshot]

Before using this feature, we need to create a new app in Azure AD App registrations; please refer to the steps below:

1. Go to your Azure AD page and click "App registrations" --> "New registration" (if you want to use an existing app, please skip the app-creation steps).

2. Type a name for the app on the creation page and register it. [screenshot]

3. Go to your newly registered app and copy some information from the page (copy the "Client ID" and "Tenant ID" to your notepad). [screenshot]

4. Click the "Certificates & secrets" tab --> "New client secret" and also copy the new secret to your notepad. [screenshot]

5. Go back to your logic app and click "Connect with Service Principal", then fill in "Client ID", "Client Secret" and "Tenant" with the three values copied to your notepad, and create the connection. [screenshot]

6. Now you have successfully created the connection to Automation with the service principal (registered app). But you may not see any subscription or resource group in the drop-down box; you need to set the service principal (registered app) as the owner of your subscription, and then you can see the subscription and resource group. Click "All services" in your Azure portal and search for "subscription", choose your subscription and click "Access control (IAM)". Click "Add" --> "Add role assignment". [screenshot]

Assign "Owner" to the app which you registered.

[screenshot]

7. Now you can see the subscription and resource group in the drop-down box in your logic app and can select your automation account. If you want to use this service principal to do some other work, such as with Key Vault, you also need to give it permissions.

Hope it helps~
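The portal procedure in steps 1 to 6, scripted with the Az PowerShell module, as an added example that is not part of the original answer. It goes one step further than the answer on the permission side: instead of making the service principal Owner of the whole subscription, it grants Reader at subscription scope (assumed to be enough for the connector's subscription and resource-group drop-down to populate) plus the built-in "Automation Operator" role on the automation account only, which is what starting a runbook job needs. The resource names and the six-month secret lifetime are placeholders; the script assumes a current Az.Resources module (5.x or later, where New-AzADAppCredential returns SecretText) and that you have already run Connect-AzAccount as a user allowed to create app registrations and role assignments.

```powershell
# Added example (not the original answer's code): create the app registration,
# service principal and client secret, grant least-privilege access, then prove
# the principal can start the runbook. All names below are assumptions.
$SubscriptionId = (Get-AzContext).Subscription.Id
$TenantId       = (Get-AzContext).Tenant.Id
$ResourceGroup  = 'rg-certcheck'                # assumed
$AutomationAcct = 'aa-certcheck'                # assumed
$RunbookName    = 'Check-KeyVaultCertExpiry'    # assumed
$AppName        = 'sp-logicapp-runbook-caller'  # assumed

# Steps 1-2: app registration plus the service principal object behind it.
$app = New-AzADApplication -DisplayName $AppName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# Step 4: client secret. Keep the lifetime short and rotate it before it
# expires; the Logic App connection stops working silently when it does.
$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)

# Step 6, scoped down (assumption, see lead-in): Reader on the subscription so
# the connector can enumerate it, and Automation Operator on the one account.
$accountScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                "/providers/Microsoft.Automation/automationAccounts/$AutomationAcct"
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
    -Scope "/subscriptions/$SubscriptionId" | Out-Null
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Automation Operator' `
    -Scope $accountScope | Out-Null

# Steps 3 and 5: the three values the "Connect with Service Principal" dialog asks for.
[pscustomobject]@{
    ClientId     = $app.AppId
    TenantId     = $TenantId
    ClientSecret = $secret.SecretText   # paste into the connection, then clear it from your clipboard
} | Format-List

# Verification as the service principal: it can start the runbook, but it has
# no Key Vault access of its own; the runbook still runs under the automation
# account's identity, exactly as the question describes.
$secure = ConvertTo-SecureString $secret.SecretText -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($app.AppId, $secure)
Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId | Out-Null
$job = Start-AzAutomationRunbook -ResourceGroupName $ResourceGroup `
         -AutomationAccountName $AutomationAcct -Name $RunbookName
"Started job $($job.JobId) as $AppName"
```

Two practical notes: role assignments can take a minute to propagate, so a 403 from Start-AzAutomationRunbook immediately after New-AzRoleAssignment usually just needs a retry; and if the subscription still does not show up in the connector's drop-down with Reader, the scope of that assignment is the thing to widen, not the role on the automation account.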