I am deploying a Logic App Consumption that connects to Azure Blob Storage using Managed Identity.
In Bicep, the API Connection resource (Microsoft.Web/connections) no longer supports parameterValueSet, and parameterValues does not expose an authentication property for Managed Identity.
As a result, after deploying the connection the deployment of the logic app fails with: “The API connection 'azureblob' is not configured to support managed identity” - it seems the default option is the Access Key connection.
I tried deploying an Azure Logic App (Consumption) with an Azure Blob Storage connection using Managed Identity via Bicep. In my Bicep template, I defined the API connection with parameterValues, but the deployment failed because the connection resource does not expose authentication as a valid parameter.
I expected to be able to configure the Blob connection to authenticate with the Logic App’s managed identity directly from Bicep, without requiring any manual post-deployment steps.
I ran into the exact same issue and was able to solve it using Bicep only (no manual steps required).
The problem happens because the default Blob connection is created with Access Key authentication, and Bicep doesn’t expose a direct authentication property on parameterValues. Instead, you need to use the parameterValueSet with the managedIdentityAuth option, and assign the Logic App’s system-assigned identity the right role on the storage account.
```bicep
@description('Name of the Logic App Consumption')
param logicAppName string = 'my-logicapp-consumption'

@description('Name of the Azure Blob connection')
param blobConnectionName string = 'azureblob'

@description('Existing Storage Account name')
param storageAccountName string

@description('Location')
param location string = resourceGroup().location

// Logic App with system-assigned managed identity
resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    definition: loadJsonContent('workflow-definition.json')
    parameters: {
      '$connections': {
        value: {
          azureblob: {
            // Symbolic reference, so the connection is deployed before the workflow
            connectionId: blobConn.id
            connectionName: blobConnectionName
            id: subscriptionResourceId(
              'Microsoft.Web/locations/managedApis',
              location,
              'azureblob'
            )
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
          }
        }
      }
    }
  }
}

// API connection for Azure Blob with Managed Identity
resource blobConn 'Microsoft.Web/connections@2016-06-01' = {
  name: blobConnectionName
  location: location
  properties: {
    displayName: 'Azure Blob (Managed Identity)'
    api: {
      id: subscriptionResourceId(
        'Microsoft.Web/locations/managedApis',
        location,
        'azureblob'
      )
    }
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {}
    }
  }
}

// Reference existing storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

// Assign Storage Blob Data Contributor role to the Logic App identity
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storageAccount.id, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe', logicApp.name)
  scope: storageAccount
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor
    )
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
  dependsOn: [
    logicApp
    blobConn
  ]
}
```
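A pre-deployment check for the setup in the answer above, as an added example that is not part of the original post: it scans a compiled ARM template (for example the output of `az bicep build`) and reports any API connection or `$connections` entry that would not use managed identity. The sample template and its `legacyblob` connection are constructed, and the check assumes the system-assigned identity setup used in the answer.

```python
# Constructed sample shaped like compiled ARM JSON; 'legacyblob' is a
# hypothetical second connection left on the default (non-managed-identity) mode.
SAMPLE = {"resources": [
    {"type": "Microsoft.Web/connections", "name": "azureblob",
     "properties": {"parameterValueSet": {"name": "managedIdentityAuth", "values": {}}}},
    {"type": "Microsoft.Web/connections", "name": "legacyblob",
     "properties": {"displayName": "legacy connection"}},
    {"type": "Microsoft.Logic/workflows", "name": "my-logicapp-consumption",
     "identity": {"type": "SystemAssigned"},
     "properties": {"parameters": {"$connections": {"value": {
         "azureblob": {"connectionName": "azureblob", "connectionProperties": {
             "authentication": {"type": "ManagedServiceIdentity"}}},
         "legacyblob": {"connectionName": "legacyblob"}}}}}},
]}


def _resources(template):
    """Return resources from the array form or the symbolic-name object form."""
    res = template.get("resources", [])
    return list(res.values()) if isinstance(res, dict) else list(res)


def audit(template):
    """Return sorted findings for connections that would not use managed identity."""
    findings = []
    for r in _resources(template):
        props = r.get("properties", {})
        if r.get("type") == "Microsoft.Web/connections":
            if props.get("parameterValueSet", {}).get("name") != "managedIdentityAuth":
                findings.append(f"{r['name']}: connection is not set to managedIdentityAuth")
        elif r.get("type") == "Microsoft.Logic/workflows":
            if "SystemAssigned" not in r.get("identity", {}).get("type", ""):
                findings.append(f"{r['name']}: workflow has no system-assigned identity")
            refs = props.get("parameters", {}).get("$connections", {}).get("value", {})
            for key, ref in refs.items():
                auth = ref.get("connectionProperties", {}).get("authentication", {})
                if auth.get("type") != "ManagedServiceIdentity":
                    findings.append(f"{r['name']}: $connections.{key} lacks ManagedServiceIdentity")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every connection in the template is declared with `managedIdentityAuth` and referenced with `ManagedServiceIdentity`; it does not confirm that the role assignment on the storage account exists.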