office365azure-logic-appsazure-rm-templateoffice365connectors

Failure of office365 API connection authentication/authorization due to cross api connection in logic apps


I am facing issue of re-authentication and authorization issue into logic app deployment using ARM template. I have found several solutions but none of them worked for me. Actually my requirement is slightly different, which I am writing below.

Introduction

We are working for our client and our client do not have office365 complete subscription. We had introduced solution to my client with logic apps.

We have several logic apps in that we are using office365 connectors for notification and upload data on SharePoint, these connector are authenticated with my organization's credentials while this entire logic app is deployed at my client's Azure Cloud. In brief, these logic apps are hybrid logic apps which means logic apps have office365 connector of my company and this logic app deployed in client's Azure cloud environment.

Issue

We are facing issue whenever we deploy logic app's arm template, logic apps ask for the authentication for office365 steps.

I followed following documentations and solutions but didn't worked for me due to hybrid solution.

After hit and try above solutions, I come to know all solutions are correct but it wouldn't work in my case because I am using hybrid connection in a logic app. There are couple of questions also

  1. When MFA enabled. do I need manual authentication in logic app every time after deployment?

  2. When I deploy the arm template via DevOps and perform execution of the logic app then connection says unauthorize and give me following error.

    { "error_description": "Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown." }

Please let me know if anyone has a solution of this issue.


Solution

  • If the execution is failing for the share point online connector, in PowerAutomate or LogicApps scenario, connection is created before it is possible to know what tenant user is going to access so the only option defaults to the user’s home tenant as today. By default, the token generated for authentication will correspond to user’s root site – both audience and tenantId. Later, connector can exchange the token for different audience (for X-Geo scenarios) but tenantId will remain same. That is how it works today and there is no workaround. As of now, there is no way to access non-home tenants from PowerAutomate/LogicApps. We are currently taking this up with the concerned team to check we can get this added in the document