Authenticated access to Logic Apps using Azure AD (contd)

I couldn’t get to doing this day-before when I first posted on authenticating to Logic Apps via Azure AD. So this post is a continuation of that.

Today I setup the Logic App to use an App Registration. This is very straighforward, and while not required I wanted a way to limit the Logic App to a group of users.

I created a new App Registration with the following settings:

  • Authentication > Allow Public Flows
  • API permissions > Delegated permissions for Graph User.Read and profile

This is based on the App Registration that got created when I did the same for Azure Functions, the difference being this one is manually created. I went with the profile scope so I get additional details in the ID Token like Object ID, Username (UPN), and Name but this is not needed if you don’t care for those.

Next I enabled Azure AD policies on the Logic App. I went with requiring the Issuer (this is mandatory) being<tenantId>/v2.0 and Audience value being the app Id of the App Registration. This way only tokens intended for the App Registration will be accepted by the Logic App. In my previous post I mentioned too but I decided to skip that the way I was going to get tokens now would be the v2 ones from

After that it’s straight forward to invoke the Logic App via it’s web Uri. All I have to do is get a token and then pass it to the Url while calling it. I am using the Get-MSDeviceToken function I mentioned in the previous post so I invoke it thusly:

Next up I wanted to get the user details. For that I resorted to getting the token from the headers:

Here’s the underlying code view. I had to switch to that to add an extra bit ?['Authorization'] so I extract that from the headers.

Next I split that along the dot – which gives an array of objects – and I extract the second item in the array (which is the body; first part is header, last part is signature). Here’s the code view for that:

What we get here is a base64 string and the next step would be to decode it to a string. When I tried that, however, the Logic App would fail and I saw that it was failing at this decode stage. I had experienced something similar with PowerShell and base64 decoding earlier so I knew just the fix for that. If were PowerShell I’d have done something like this:

The problem is that in base64 every 4 characters are typically converted to 3 bytes. So an entire base64 string must have a length that is a multiple of 4 (though there are some bugs due to which this may not always be the case). What the snippet above thus does is divide the length by 4 to get the remainder. If the remainder is 1 (e.g. the length is 29) that means we need to add 3 characters to get the length divisible by 4 (i.e. make it 32 in this example). And so on for remainders of 2 and 3.

I have to thus do the same in the Logic App to correctly decode the header token. I put the whole thing in a Scope control to keep it neat and tidy:

The orange bit above is the Scope control. Here is its code:

This is probably of no use to anyone else but I spent some time creating this so I figure why not put it on the Interwebs. :) You can’t assign a variable to itself, that’s why I have two set of variables TokenBody and FixedTokenBody with the latter being the one I add padding to if needed. After fixing I decode the base64 and then parse the JSON. The Parse JSON action has this as the input: @decodeBase64(variables('FixedTokenBody')).