Create and run your own code from workflows in Azure Logic Apps by using Azure Functions

When you want to run code that performs a specific job in your logic app workflow, you can create a function by using Azure Functions. This service helps you create Node.js, C#, and F# functions so you don't have to build a complete app or infrastructure to run code. You can also call logic app workflows from inside an Azure function. Azure Functions provides serverless computing in the cloud and is useful for performing certain tasks, for example:

  • Extend your logic app's behavior with functions in Node.js or C#.
  • Perform calculations in your logic app workflow.
  • Apply advanced formatting or compute fields in your logic app workflows.

To run code snippets without using Azure Functions, learn how you can add and run inline code.

Note

Azure Logic Apps doesn't support using Azure Functions with deployment slots enabled. Although this scenario might sometimes work, this behavior is unpredictable and might result in authorization problems when your workflow tries to call the Azure function.

Prerequisites

  • An Azure subscription. If you don't have an Azure subscription, sign up for a free Azure account.

  • A function app, which is a container for a function that's created using Azure Functions, along with the function that you create.

    If you don't have a function app, create your function app first. You can then create your function either outside your logic app in the Azure portal, or from inside your logic app in the workflow designer.

  • When working with logic apps, the same requirements apply to function apps and functions whether they are existing or new:

    • Your function app and logic app must use the same Azure subscription.

    • New function apps must use either .NET or JavaScript as the runtime stack. When you add a new function to existing function apps, you can select either C# or JavaScript.

    • Your function uses the HTTP trigger template.

      The HTTP trigger template can accept content that has application/json type from your logic app. When you add a function to your logic app, the workflow designer shows custom functions that are created from this template within your Azure subscription.

    • Your function doesn't use custom routes unless you've defined an OpenAPI definition (formerly known as a Swagger file).

    • If you have an OpenAPI definition for your function, the workflow designer gives you a richer experience when you work with function parameters. Before your logic app can find and access functions that have OpenAPI definitions, set up your function app by following these steps.

  • The logic app where you want to add the function, including a trigger as the first step in your logic app.

    Before you can add actions that run functions, your logic app must start with a trigger. If you're new to logic apps, review What is Azure Logic Apps and Quickstart: Create your first logic app.

Find functions that have OpenAPI descriptions

For a richer experience when you work with function parameters in the workflow designer, generate an OpenAPI definition, formerly known as a Swagger file, for your function. To set up your function app so your logic app can find and use functions that have Swagger descriptions, follow these steps:

  1. Make sure that your function app is actively running.

  2. In your function app, set up Cross-Origin Resource Sharing (CORS) so that all origins are permitted by following these steps:

    1. From the Function Apps list, select your function app. In the right-hand pane, select Platform features > CORS.

      Select your function app > "Platform features" > "CORS"

    2. Under CORS, add the asterisk (*) wildcard character, but remove all the other origins in the list, and select Save.

      Set "CORS" to the wildcard character "*"

Access property values inside HTTP requests

Webhook functions can accept HTTP requests as inputs and pass those requests to other functions. For example, although Logic Apps has functions that convert DateTime values, this basic sample JavaScript function shows how you can access a property inside a request object that's passed to the function and perform operations on that property value. To access properties inside objects, this example uses the dot (.) operator:

function convertToDateString(request, response){
   // request.body holds the JSON payload that the caller sent.
   var data = request.body;
   response = {
      // JSON carries dates as strings, so parse the value before formatting it.
      body: new Date(data.date).toDateString()
   };
   return response;
}

Here's what happens inside this function:

  1. The function creates a data variable and assigns the body object inside the request object to that variable. The function uses the dot (.) operator to reference the body object inside the request object:

    var data = request.body;

  2. The function can now access the date property through the data variable, and convert that property value from DateTime type to DateString type by parsing the value with new Date() and calling the toDateString() method. The function also returns the result through the body property in the function's response:

    body: new Date(data.date).toDateString()

Now that you've created your function in Azure, follow the steps to add functions to logic apps.

Create functions inside logic apps

You can create functions directly from your logic app's workflow by using the built-in Azure Functions action in the workflow designer, but you can use this method only for functions written in JavaScript. For other languages, you can create functions through the Azure Functions experience in the Azure portal. For more information, see Create your first function in the Azure portal.

However, before you can create your function in Azure, you must already have a function app, which is a container for your functions. If you don't have a function app, create that function app first. See Create your first function in the Azure portal.

  1. In the Azure portal, open your logic app in the designer.

  2. To create and add your function, follow the step that applies to your scenario:

    • Under the last step in your logic app's workflow, select New step.

    • Between existing steps in your logic app's workflow, move your mouse over the arrow, select the plus (+) sign, and then select Add an action.

  3. In the search box, enter azure functions. From the actions list, select the action named Choose an Azure function, for example:

    Find functions in the Azure portal.

  4. From the function apps list, select your function app. After the actions list opens, select this action: Create New Function.

    Select your function app

  5. In the function definition editor, define your function:

    1. In the Function name box, provide a name for your function.

    2. In the Code box, add your code to the function template, including the response and payload that you want returned to your logic app after your function finishes running. When you're done, select Create.

    For example:

    Define your function

    In the template's code, the context object refers to the message that your logic app sends through the Request Body field in a later step. To access the context object's properties from inside your function, use this syntax:

    context.body.<property-name>

    For example, to reference the content property inside the context object, use this syntax:

    context.body.content

    The template code also includes an input variable, which stores the value from the data parameter so your function can perform operations on that value. Inside JavaScript functions, the data variable is also a shortcut for context.body.

    Note

    The body property here applies to the context object and isn't the same as the Body token from an action's output, which you might also pass to your function.

  6. In the Request Body box, provide your function's input, which must be formatted as a JavaScript Object Notation (JSON) object.

    This input is the context object or message that your logic app sends to your function. When you click in the Request Body field, the dynamic content list appears so you can select tokens for outputs from previous steps. This example specifies that the context payload contains a property named content that has the From token's value from the email trigger.

    "Request Body" example - context object payload

    Here, the context object isn't cast as a string, so the object's content gets added directly to the JSON payload. However, when the context object isn't a JSON token that passes a string, a JSON object, or a JSON array, you get an error. So, if this example used the Received Time token instead, you can cast the context object as a string by adding double-quotation marks.

    Cast object as string

  7. To specify other details such as the method to use, request headers, query parameters, or authentication, open the Add new parameter list, and select the options that you want. For authentication, your options differ based on your selected function. See Enable authentication for functions.

Add existing functions to logic apps

To call existing functions from your logic apps, you can add functions like any other action in the workflow designer.

  1. In the Azure portal, open your logic app in the designer.

  2. Under the step where you want to add the function, select New step.

  3. Under Choose an action, in the search box, enter azure functions. From the actions list, select the action named Choose an Azure function, for example:

    Find a function in Azure.

  4. From the function apps list, select your function app. After the functions list appears, select your function.

    Select your function app and function

    For functions that have API definitions (Swagger descriptions) and are set up so your logic app can find and access those functions, you can select Swagger actions.

    Select your function app, "Swagger actions", and your function

  5. In the Request Body box, provide your function's input, which must be formatted as a JavaScript Object Notation (JSON) object.

    This input is the context object or message that your logic app sends to your function. When you click in the Request Body field, the dynamic content list appears so that you can select tokens for outputs from previous steps. This example specifies that the context payload contains a property named content that has the From token's value from the email trigger.

    "Request Body" example - context object payload

    Here, the context object isn't cast as a string, so the object's content gets added directly to the JSON payload. However, when the context object isn't a JSON token that passes a string, a JSON object, or a JSON array, you get an error. So, if this example used the Received Time token instead, you can cast the context object as a string by adding double-quotation marks:

    Cast object as string

  6. To specify other details such as the method to use, request headers, query parameters, or authentication, open the Add new parameter list, and select the options that you want. For authentication, your options differ based on your selected function. See Enable authentication for functions.

Call logic apps from functions

When you want to trigger a logic app from inside a function, the logic app must start with a trigger that provides a callable endpoint. For example, you can start the logic app with the HTTP, Request, Azure Queues, or Event Grid trigger. Inside your function, send an HTTP POST request to the trigger's URL, and include the payload you want that logic app to process. For more information, see Call, trigger, or nest logic apps.
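The call described above, as an added example that is not code from the original page. It assumes Node.js 18 or later for the global fetch, and that the trigger URL is read from a hypothetical app setting named LOGIC_APP_TRIGGER_URL. The query string of a Request trigger URL carries a shared access signature, so the helper names (redactQuery, buildTriggerRequest, callLogicApp, all hypothetical) keep it out of error messages and logs.

```javascript
// Added example: POST a payload to a logic app's callable trigger URL.

// Hide the query string, which holds the trigger's signature (sig=...).
function redactQuery(url) {
  const u = new URL(url);
  return u.origin + u.pathname + (u.search ? "?<redacted>" : "");
}

// Build the request without sending it, so it can be inspected and tested.
function buildTriggerRequest(triggerUrl, payload) {
  const u = new URL(triggerUrl); // throws on a malformed URL
  if (u.protocol !== "https:") {
    throw new Error("Trigger URL must use HTTPS: " + redactQuery(triggerUrl));
  }
  return {
    url: u.toString(),
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(payload)
    }
  };
}

// send defaults to the global fetch; pass a stub to exercise this offline.
async function callLogicApp(triggerUrl, payload, send = fetch) {
  const { url, options } = buildTriggerRequest(triggerUrl, payload);
  const res = await send(url, options);
  if (!res.ok) {
    throw new Error(`Logic app returned ${res.status} for ${redactQuery(url)}`);
  }
  return res.status;
}

// Inside a function, assuming the hypothetical app setting exists:
//   await callLogicApp(process.env.LOGIC_APP_TRIGGER_URL, { orderId: 42 });
```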

Enable authentication for functions

Your logic app can use a managed identity (formerly known as Managed Service Identity or MSI), if you want to easily authenticate access to resources protected by Azure Active Directory (Azure AD) without having to sign in and provide credentials or secrets. Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. Learn more about Azure services that support managed identities for Azure AD authentication.

If you set up your logic app to use the system-assigned identity or a manually created, user-assigned identity, the function in your logic app can also use that same identity for authentication. For more information about authentication support for functions in logic apps, see Add authentication to outbound calls.

To set up and use the managed identity with your function, follow these steps:

  1. Enable the managed identity on your logic app, and set up that identity's access to the target resource. See Authenticate access to Azure resources by using managed identities in Azure Logic Apps.

  2. Enable authentication in your function and function app by following these steps:

Set up anonymous authentication in your function

To use your logic app's managed identity in your function, you must set your function's authentication level to anonymous. Otherwise, your logic app throws a "BadRequest" error.

  1. In the Azure portal, find and select your function app. These steps use "FabrikamFunctionApp" as the example function app.

  2. On the function app pane, select Platform features. Under Development tools, select Advanced tools (Kudu).

    Open advanced tools for Kudu

  3. On the Kudu website's title bar, from the Debug Console menu, select CMD.

    From debug console menu, select the "CMD" option

  4. After the next page appears, from the folder list, select site > wwwroot > your-function. These steps use "FabrikamAzureFunction" as the example function.

    Select "site" > "wwwroot" > your function

  5. Open the function.json file for editing.

    Click edit for "function.json" file

  6. In the bindings object, check whether the authLevel property exists. If the property exists, set the property value to anonymous. Otherwise, add that property and set the value.

    Add "authLevel" property and set to "anonymous"

  7. When you're done, save your settings, and then continue to the next section.
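Step 6 applied to a parsed function.json, as an added example that is not code from the original page. The sample file content is constructed, and setHttpTriggerAuthLevel is a hypothetical helper name.

```javascript
// Added example: set authLevel on the HTTP trigger binding of a function.json.
const AUTH_LEVELS = ["anonymous", "function", "admin"];

// Returns { changed, previous, config } and leaves the input object untouched.
function setHttpTriggerAuthLevel(functionJson, level) {
  if (!AUTH_LEVELS.includes(level)) {
    throw new Error("Unknown authLevel: " + level);
  }
  const bindings = Array.isArray(functionJson.bindings) ? functionJson.bindings : [];
  const index = bindings.findIndex((b) => b.type === "httpTrigger");
  if (index === -1) {
    throw new Error("No httpTrigger binding found in function.json");
  }
  // previous is undefined when the property does not exist yet.
  const previous = bindings[index].authLevel;
  const updated = bindings.map((b, i) =>
    i === index ? { ...b, authLevel: level } : b
  );
  return {
    changed: previous !== level,
    previous,
    config: { ...functionJson, bindings: updated }
  };
}

// Constructed sample: function.json for a function made from the HTTP trigger template.
const sampleFunctionJson = {
  bindings: [
    { authLevel: "function", type: "httpTrigger", direction: "in", name: "req", methods: ["post"] },
    { type: "http", direction: "out", name: "res" }
  ]
};

const result = setHttpTriggerAuthLevel(sampleFunctionJson, "anonymous");
console.log(JSON.stringify(result.config, null, 2));
```

With authLevel set to anonymous, the function no longer requires a function key, so the Azure AD settings in the next section are what restrict who can call it.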

Set up Azure AD authentication for your function app

Before you start this task, find and put these values aside for later use:

  • The object ID that's generated for the system-assigned identity that represents your logic app

  • The directory ID for your tenant in Azure Active Directory (Azure AD)

    To get your tenant's directory ID, you can run the Get-AzureAccount PowerShell command. Or, in the Azure portal, follow these steps:

    1. In the Azure portal, find and select your function app.

    2. Find and select your Azure AD tenant. These steps use "Fabrikam" as the example tenant.

    3. On the tenant's menu, under Manage, select Properties.

    4. Copy your tenant's directory ID, and save that ID for later use.

      Find and copy Azure AD tenant's directory ID

  • The resource ID for the target resource that you want to access

    Important

    This resource ID must exactly match the value that Azure AD expects, including any required trailing slashes.

    This resource ID is also the same value that you later use in the Audience property when you set up your function action to use the system-assigned identity.

Now you're ready to set up Azure AD authentication for your function app.

  1. In the Azure portal, find and select your function app.

  2. On the function app pane, select Platform features. Under Networking, select Authentication / Authorization.

    View authentication and authorization settings

  3. Change the App Service Authentication setting to On. From the Action to take when request is not authenticated list, select Log in with Azure Active Directory. Under Authentication Providers, select Azure Active Directory.

    Turn on authentication with Azure AD

  4. On the Azure Active Directory Settings pane, follow these steps:

    1. Set Management mode to Advanced.

    2. In the Client ID property, enter the object ID for your logic app's system-assigned identity.

    3. In the Issuer Url property, enter the https://sts.windows.net/ URL, and append your Azure AD tenant's directory ID.

      https://sts.windows.net/<Azure-AD-tenant-directory-ID>

    4. In the Allowed Token Audiences property, enter the resource ID for the target resource that you want to access.

      This resource ID is the same value that you later use in the Audience property when you set up your function action to use the system-assigned identity.

    At this point, your version looks similar to this example:

    Azure Active Directory authentication settings

  5. When you're done, select OK.

  6. Return to the designer and follow the steps to authenticate access with the managed identity.
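A diagnostic for the exact-match requirement on the resource ID, as an added example that is not code from the original page. It decodes a token's payload and compares the aud and iss claims with the Allowed Token Audiences and Issuer Url values entered above; it does not verify the signature. The tenant ID, resource ID and token are constructed placeholders, the function names are hypothetical, and treating a trailing slash on the issuer as insignificant is an assumption.

```javascript
// Added example: compare a token's claims with the function app's Azure AD
// settings. It only decodes the payload; it does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("Not a JWT: expected 3 dot-separated parts");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

const stripSlash = (s) => String(s).replace(/\/+$/, "");

// settings: { issuerUrl, allowedTokenAudiences } as entered in the portal.
function checkClaims(token, settings) {
  const claims = decodeJwtPayload(token);
  const problems = [];
  if (!settings.allowedTokenAudiences.includes(claims.aud)) {
    const near = settings.allowedTokenAudiences.find(
      (a) => stripSlash(a) === stripSlash(claims.aud)
    );
    problems.push(near
      ? `aud "${claims.aud}" differs from "${near}" only by a trailing slash`
      : `aud "${claims.aud}" is not in Allowed Token Audiences`);
  }
  // Assumption: a trailing slash on the issuer is not significant here.
  if (stripSlash(claims.iss) !== stripSlash(settings.issuerUrl)) {
    problems.push(`iss "${claims.iss}" does not match Issuer Url "${settings.issuerUrl}"`);
  }
  return problems;
}

// Constructed sample data: placeholder tenant ID and resource ID, fake signature.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const makeSampleToken = (claims) =>
  [b64url({ alg: "RS256", typ: "JWT" }), b64url(claims), "constructed"].join(".");

const sampleSettings = {
  issuerUrl: "https://sts.windows.net/00000000-0000-0000-0000-000000000000",
  allowedTokenAudiences: ["https://api.example.invalid/"]
};
const sampleToken = makeSampleToken({
  iss: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  aud: "https://api.example.invalid" // trailing slash missing on purpose
});
console.log(checkClaims(sampleToken, sampleSettings));
```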
