How do you authenticate a call to a logic app (standard) via oAuth2.0?
I'm trying to make a call from Azure API Management to a Logic App (standard) workflow with a manual trigger. I'd like to authenticate with a token using the system-assigned managed identity for APIM instead of using an SAS. I've assigned the Logic App Contributor role to APIM's managed identity for the logic app's scope. I'm trying to use an authentication-managed-identity policy to retrieve the token, but I don't know what the resource should be set to to request the correct scope for the logic app.
I've also tried to configure an app registration in Entra Id with the correct permissions, so that I can use a client credentials flow to get a token for the logic app, but I don't know what permissions the app registration needs for that. I can retrieve a token, but it doesn't have any notable claims since I'm not providing a scope.
I've found a great deal of information on how to use oAuth2.0 with Logic Apps (consumption), but I can't find anything that relates to Logic Apps (standard). I've tried applying the information I've found for Logic Apps (consumption), but I suspect that the scope that I need to request in the token call is different.
This specific use case is for calling from APIM to Logic Apps (standard), but I'm interested in any information on how to call Logic Apps (standard) with oAuth2.0 from any client without an SAS.
In order to call a Standard logic app from APIM, you need to break the Http request URL into 2 parts as illustrated in this blog as direct import is only supported for Consumption logic app for now.
In this case you should be using https://afreeen-la-1.azurewebsites.net:443/api/test/triggers/When_a_HTTP_request_is_received/invoke?api-version=2022-05-01 in APIM as shown below.
1st part - https://afreeen-la-1.azurewebsites.net:443/api/
2nd part - test/triggers/When_a_HTTP_request_is_received/invoke?api-version=2022-05-01
Register a new application in Microsoft Entra ID or use an existing app.
Add the given policy in the inbound section of the above created operation.
<policies>
<inbound>
<base />
<authentication-managed-identity resource="{ClientId of the Entra App}" />
</inbound>
</policies>
Then, navigate to Authentication blade of logic app and add identity provider with the given details.
You can also go for Allow requests from any application option if you don't want to specify the client application id.
Following these steps, I can able to invoke standard logic app in APIM without using SAS.
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?