Authenticate and access resources with managed identities in Azure Logic Apps

To authenticate to resources that are protected by Azure Active Directory (Azure AD) without signing in or storing credentials, your logic app can use a managed identity (formerly known as Managed Service Identity or MSI) rather than credentials or secrets. Azure manages this identity for you, and because no secret is ever issued to you, there is nothing to store, leak, or rotate. The identity is a service principal in the Azure AD tenant that owns your subscription, and it can be granted access to resources in that tenant. This article shows how you can create and use a system-assigned managed identity for your logic app. For more information about managed identities, see What are managed identities for Azure resources?

Note

You can currently have up to 10 logic app workflows with system-assigned managed identities in each Azure subscription.

Prerequisites

Create managed identity

You can create or enable a system-assigned managed identity for your logic app through the Azure portal, Azure Resource Manager templates, or Azure PowerShell.

Azure portal

To enable a system-assigned managed identity for your logic app through the Azure portal, turn on the Register with Azure Active Directory setting in your logic app's workflow settings.

  1. In the Azure portal, open your logic app in Logic App Designer.

  2. Follow these steps:

    1. On the logic app menu, under Settings, select Workflow settings.

    2. Under Managed service identity > Register with Azure Active Directory, choose On.

    3. When you're done, choose Save on the toolbar.


      Your logic app now has a system-assigned managed identity registered in Azure Active Directory with these properties and values:


      Property      Value                  Description
      Principal ID  <principal-ID>         A Globally Unique Identifier (GUID) that represents the logic app in an Azure AD tenant
      Tenant ID     <Azure-AD-tenant-ID>   A Globally Unique Identifier (GUID) that represents the Azure AD tenant where your logic app is now a member. Inside the Azure AD tenant, the service principal has the same name as the logic app instance.

Deployment template

When you want to automate creating and deploying Azure resources such as logic apps, you can use Azure Resource Manager templates. To create a system-assigned managed identity for your logic app through a template, add the "identity" element with a "type" property to the logic app resource (the Microsoft.Logic/workflows resource, alongside "properties", not inside the workflow definition) in your deployment template:

"identity": {
   "type": "SystemAssigned"
}

For example:

{
   "apiVersion": "2016-06-01",
   "type": "Microsoft.Logic/workflows",
   "name": "[variables('logicappName')]",
   "location": "[resourceGroup().location]",
   "identity": {
      "type": "SystemAssigned"
   },
   "properties": {
      "definition": {
         "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
         "actions": {},
         "parameters": {},
         "triggers": {},
         "contentVersion": "1.0.0.0",
         "outputs": {}
      },
      "parameters": {}
   },
   "dependsOn": []
}

When Azure creates your logic app, the resource's "identity" element is populated with these additional read-only properties:

"identity": {
   "type": "SystemAssigned",
   "principalId": "<principal-ID>",
   "tenantId": "<Azure-AD-tenant-ID>"
}

Property     Value                  Description
principalId  <principal-ID>         A Globally Unique Identifier (GUID) that represents the logic app in the Azure AD tenant
tenantId     <Azure-AD-tenant-ID>   A Globally Unique Identifier (GUID) that represents the Azure AD tenant where the logic app is now a member. Inside the Azure AD tenant, the service principal has the same name as the logic app instance.

Access resources with managed identity

After you create a system-assigned managed identity for your logic app, you can give that identity access to other Azure resources. You can then use that identity for authentication, just like any other service principal.

Note

Both the system-assigned managed identity and the resource where you want to assign access must have the same Azure subscription.

Assign access to managed identity

To give access to another Azure resource for your logic app's system-assigned managed identity, follow these steps:

  1. In the Azure portal, go to the Azure resource where you want to assign access for your managed identity.

  2. From the resource's menu, select Access control (IAM), and choose Add role assignment.


  3. Under Add role assignment, select the Role you want for the identity. Choose the narrowest built-in role that covers what the logic app actually needs, and assign it at the narrowest scope, the resource itself rather than its resource group or the subscription.

  4. In the Assign access to list, select Azure AD user, group, or service principal, if not already selected.

  5. In the Select box, enter your logic app's name; the list filters as you type. When your logic app appears, select it. Because the service principal has the same name as the logic app, other principals with similar names can appear in the list, so check that the entry you pick is the logic app itself.


  6. When you're done, choose Save. Afterwards, open the Role assignments tab and verify that exactly one assignment for the logic app's principal appears, with the intended role and scope.
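The template section above shows only the "identity" element, and the steps above assign the role by hand in the portal. The following template, added here as an example and not taken from the original article, does both in one deployment: it creates the logic app with a system-assigned identity and then grants that identity Storage Blob Data Reader on a single storage account, scoped to that resource rather than to the resource group or subscription. The logic app name, the storageAccountName parameter and the choice of role are assumptions for illustration; 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 is the GUID of the built-in Storage Blob Data Reader role. Resource Manager accepts the // comments when you deploy the template, but strip them if you feed the file to a strict JSON parser.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    // Assumed: an existing storage account in the same resource group.
    "storageAccountName": { "type": "string" }
  },
  "variables": {
    // Assumed logic app name, for illustration only.
    "logicappName": "contoso-blob-reader",
    // Built-in role "Storage Blob Data Reader" (data-plane read access to blobs).
    "storageBlobDataReaderRoleId": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
  },
  "resources": [
    {
      "apiVersion": "2016-06-01",
      "type": "Microsoft.Logic/workflows",
      "name": "[variables('logicappName')]",
      "location": "[resourceGroup().location]",
      // Azure creates the service principal and fills in principalId and tenantId.
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "definition": {
          "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "triggers": {},
          "actions": {},
          "outputs": {}
        },
        "parameters": {}
      }
    },
    {
      "apiVersion": "2022-04-01",
      "type": "Microsoft.Authorization/roleAssignments",
      // Deterministic name, so redeploying the template is idempotent.
      "name": "[guid(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), variables('logicappName'), variables('storageBlobDataReaderRoleId'))]",
      // Least privilege: the assignment is scoped to this one storage account.
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Logic/workflows', variables('logicappName'))]"
      ],
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('storageBlobDataReaderRoleId'))]",
        // Read the generated principal ID from the deployed logic app instead of copying it by hand.
        "principalId": "[reference(resourceId('Microsoft.Logic/workflows', variables('logicappName')), '2016-06-01', 'Full').identity.principalId]",
        // Prevents the assignment from failing while the new principal is still replicating in Azure AD.
        "principalType": "ServicePrincipal"
      }
    }
  ]
}
```

After deployment, the storage account's Access control (IAM) blade should list exactly one assignment for the logic app, with the Storage Blob Data Reader role at the storage account scope. Reading principalId through reference(..., 'Full') is what makes the assignment follow the identity: if the identity is removed and later re-enabled, Azure generates a new principal ID, and redeploying this template re-creates the assignment for the new principal.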

Authenticate with managed identity in logic app

After you set up your logic app with a system-assigned managed identity and assigned access to the resource you want for that identity, you can now use that identity for authentication. For example, you can use an HTTP action so your logic app can send an HTTP request or call to that resource.

  1. In your logic app, add the HTTP action.

  2. Provide the necessary details for that action, such as the request Method and URI location for the resource you want to call.

  3. In the HTTP action, choose Show advanced options.

  4. From the Authentication list, select Managed Service Identity, which then shows the Audience property for you to set. The audience is the identifier of the service you are calling (for example, https://management.azure.com/ for Azure Resource Manager), not the full URI of the request. At run time, the Logic Apps runtime requests a token for that audience and sends it as a bearer token; the target service rejects the call if the token's aud claim does not match what it expects, even when the role assignment is correct:


  5. Continue building the logic app the way you want.
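The steps above configure the HTTP action through the designer. In code view, the same action looks like the workflow definition below, added here as an example that is not from the original article. It assumes the logic app's identity has been granted Storage Blob Data Reader on the storage account (a data-plane role; the control-plane Reader role does not allow reading blob contents), and the storage account, container and blob names are placeholders in the same style as the page's other placeholders.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "triggers": {
      "Every_hour": {
        "type": "Recurrence",
        "recurrence": { "frequency": "Hour", "interval": 1 }
      }
    },
    "actions": {
      "Read_config_blob": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://<storage-account>.blob.core.windows.net/<container>/<blob>",
          "headers": {
            "x-ms-version": "2019-07-07"
          },
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://storage.azure.com/"
          }
        }
      }
    },
    "outputs": {}
  }
}
```

The "authentication" object is the code-view form of the designer's Managed Service Identity setting, and no secret appears anywhere in the definition or in the run history: the runtime obtains the token and attaches it as an Authorization: Bearer header. The audience https://storage.azure.com/ is the identifier Azure Storage expects; putting the blob URL there instead yields a token whose aud claim the service rejects. The x-ms-version header is needed because Azure Storage only accepts Azure AD bearer tokens with REST API version 2017-11-09 or later.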

Remove managed identity

To disable a system-assigned managed identity on your logic app, follow steps similar to the ones you used to create the identity, through the Azure portal, an Azure Resource Manager deployment template, or Azure PowerShell.

When you delete your logic app, Azure automatically removes your logic app's system-assigned identity from Azure AD.

Azure portal

  1. In Logic App Designer, open your logic app.

  2. Follow these steps:

    1. On the logic app menu, under Settings, select Workflow settings.

    2. Under Managed service identity, choose Off for the Register with Azure Active Directory property.

    3. When you're done, choose Save on the toolbar.


Deployment template

If you created the logic app's system-assigned managed identity with an Azure Resource Manager deployment template, set the "identity" element's "type" property to "None". This action also deletes the service principal from Azure AD. The role assignments you granted to that principal are not removed automatically; they remain as orphaned assignments (the portal shows the principal as "Identity not found") and should be deleted. If you enable the identity again later, Azure generates a new principal ID, so any access must be assigned again.

"identity": {
   "type": "None"
}

Get support