Connecting to an Azure Function using a Logic App Managed Identity

In a previous post I showed how to connect to an Azure Function using Azure AD authentication.

To recap: I have an Azure Function, written in PowerShell, for which I enabled Azure AD authentication. As of writing I am able to connect to it only if I am authenticated via Azure AD (there are some changes I made to the App Registration for my specific use case, as detailed in that blog post).

Now I want to connect to this Azure Function from a Logic App. I want to run the HTTP action basically to call that endpoint and get the Function to do something.

Would this work?

Of course not, but I wanted to try it to confirm.

The Logic App has its own identity so ideally I can use that to access the Azure Function. There’s even a nice doc with examples (thank you! it’s always great when there are examples and some screenshots) so all I have to do is tell the Logic App to use the Managed Identity.

And that works!

Gotcha! Of course it wouldn’t work. If only things were so simple; I wouldn’t have to spend time figuring them out or writing a blog post. 🙂

After a lot of Googling and trying things I noticed this paragraph in the link I referred to earlier:

Not sure what to put as the audience here, but I think it’s the App Registration. After all, I haven’t put that anywhere, and that’s the kind of thing you’d have to mention so you get tokens for that.

So I added that:

And it works!

Wow, that was kind of easy. (Not really, I make it sound easy but I did have to Google a bit… but that’s mostly me not knowing anything. I’d like to go with this being super easy to use. Compared to my previous post where I had to exchange tokens and such this one’s a breeze!).

However…

One reason why I didn’t stumble upon this so easily is because by this point I had locked down the App Registration to specific users. You can do that via the Enterprise Application of the App Registration. So I actually had a group that this Application was limited to and I had added the Managed Identity of the Logic App to this group. (A mistake, in retrospect. Although I added it to the group it was getting ignored because you can only assign users or groups to the Application… not Managed Identities).

When the Application is limited to specific users I get a different error even with the Audience filled in:

Bummer.

So what do we have so far: if I’m not doing any user/group restrictions then things work perfectly. I can have an Azure Function that requires Azure AD authentication, with only users, groups, and Managed Identities from my tenant (because that’s how the App Registration is set) being able to access it. That’s pretty secure. It’s only if I want to lock down that Function to a specific set of users/groups that I can’t have it also be called from a Logic App, as I run into the above error.

Is there a way to restrict the Function to users/ groups and also specific Logic Apps? Yes.

App Roles and all that…

Thanks to this document for what follows. I came across it via another document on adding App Roles.

First thing to do is create the App Role in the App Registration of the Azure Function:

The name and whatever you put in there doesn’t matter. I put a name that has my Logic App’s name in it so I know what it is for later. The Value and Description can be anything too. Be sure to tick the box to enable it.

Note the ID of this App Role.

Now go to the Logic App in Azure AD. It is under Enterprise Applications. (Alternatively go to the Logic App and check its Identity section). Note its Object ID.

Then go the Enterprise Application of the Azure Function App Registration. (That’s a mouthful. I should just start saying Service Principal. The “object” you see in Enterprise Application is the Service Principal. This can be for something in your tenant (in which case it has a component in App Registrations) or another tenant (e.g. the Managed Identity of the Logic App – its Service Principal is from the Microsoft tenant)).

(Update: When I tried this again the above didn’t work and I had to use the Object ID of the Service Principal of the App Registration I had restricted the Azure Function to).

Anyways, go to that and note its Object ID.


Now we have to tie in the Logic App’s Managed Identity to the App Role we created. For this we have to use PowerShell:

If you are on macOS or Linux use Cloud Shell in the Portal.
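The post does not show its script, so here is an added example of the App Role assignment step written against the Microsoft Graph PowerShell SDK (an assumption; the author may have used a different module). It is not the post’s own code. The display names and the App Role value are placeholders to replace with your own; the lookups recover the three IDs the post tells you to note (the Function’s Service Principal, the App Role, and the Logic App’s Managed Identity), create the assignment, and then print the Application ID URI to use as the HTTP action’s Audience.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and the placeholder names below.

$functionAppDisplayName = 'my-function-app'   # placeholder: the Function's App Registration / Enterprise Application
$logicAppDisplayName    = 'my-logic-app'      # placeholder: the Logic App (its system-assigned identity shares this name)
$appRoleValue           = 'LogicApp.Caller'   # placeholder: the Value you typed when creating the App Role

# AppRoleAssignment.ReadWrite.All is needed to create the assignment,
# Application.Read.All to look up the service principals and the app.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# 1. Service Principal of the Function's App Registration (what the portal calls the Enterprise Application).
$resourceSp = Get-MgServicePrincipal -Filter "displayName eq '$functionAppDisplayName'"
if (-not $resourceSp) { throw "No service principal named '$functionAppDisplayName'" }

# 2. The App Role created on it. A disabled role cannot be assigned, so require IsEnabled.
$appRole = $resourceSp.AppRoles | Where-Object { $_.Value -eq $appRoleValue -and $_.IsEnabled }
if (-not $appRole) { throw "App Role '$appRoleValue' not found or not enabled on '$functionAppDisplayName'" }

# 3. Service Principal of the Logic App's Managed Identity.
$logicAppSp = Get-MgServicePrincipal -Filter "displayName eq '$logicAppDisplayName'"
if (-not $logicAppSp) { throw "No managed identity service principal named '$logicAppDisplayName'" }

# 4. Grant the role: the Managed Identity (PrincipalId) gets AppRoleId on the Function's
#    service principal (ResourceId). With this in place the Function's user/group
#    restriction can stay on and the Logic App is still admitted.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id |
    Where-Object { $_.ResourceId -eq $resourceSp.Id -and $_.AppRoleId -eq $appRole.Id }

if ($existing) {
    Write-Host "Assignment already exists (Id $($existing.Id)); nothing to do."
} else {
    $assignment = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $logicAppSp.Id `
        -PrincipalId $logicAppSp.Id -ResourceId $resourceSp.Id -AppRoleId $appRole.Id
    Write-Host "Created app role assignment $($assignment.Id)"
}

# 5. The Audience for the Logic App HTTP action is the Application ID URI of the
#    Function's App Registration (api://<client id> unless you changed it).
$app = Get-MgApplication -Filter "appId eq '$($resourceSp.AppId)'"
$audience = if ($app.IdentifierUris) { $app.IdentifierUris[0] } else { "api://$($resourceSp.AppId)" }
Write-Host "Use this as the HTTP action's Audience: $audience"
```

The pre-check in step 4 keeps the script safe to re-run; the token the Logic App then obtains carries the role in its `roles` claim, which is what the Function’s “assignment required” setting checks for a non-user caller.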

With all this done my Logic App now connects to the Azure Function with no issues! 🙂