jfeldzy

Reputation: 92

What service principal is used to authenticate Logic Apps to Azure resources

This question is a bit more academic than practical, but I'm just trying to enhance my knowledge of how Azure authentication works under the hood.

The default way to authenticate managed Logic Apps connections is through an OAuth popup asking you to grant permissions. Based on my reading of the Azure docs, this means that you're granting access to the delegated permissions of a service principal. For connectors that access the Graph API, there is such a service principal in your tenant with the correct delegated permissions:

[screenshot omitted]

However, I'm struggling to find an equivalent service principal for connectors that use the Azure Resource Manager API to interact with services like Log Analytics, Sentinel, Logic Apps, etc. I do see a service principal called Azure Logic Apps, but it doesn't have any permissions associated with it. My understanding is that it would need to have the delegated permission user_impersonation to access Azure resources:

[screenshot omitted]

So my questions here are

Upvotes: 0

Views: 50

Answers (1)

wenbo

Reputation: 1506

I'll just say what I know. The Azure Logic Apps service principal in Microsoft Entra ID is not related to the Logic App workflow here.

Microsoft instantiates some service principals as Enterprise applications; some act as the client and some act as the resource. Azure Logic Apps in Enterprise applications has the same mechanism as Microsoft Graph (objectId = 3b78856dd-xxx): it acts as the resource that is invoked by a client, not as the client itself (but I have not found any examples of this). The client has two types of permissions: self-permission and delegated permission.

In the usual scenario, the Logic App's service principal (or managed identity) sends its requests using self-permission, which requires you to grant that service principal the corresponding permissions on the subscription in order to access the Azure resource.

Upvotes: 0
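As an added example (not code from the question or the answer above), the following Az PowerShell script shows the two identities the answer distinguishes: it looks up the first-party "Azure Logic Apps" service principal (the resource application), then reads the workflow's own managed identity (the actual caller for ARM-backed connectors) and grants it a role on a Log Analytics workspace. The resource group, Logic App and workspace names are placeholders, and it assumes the Logic App already has a system-assigned managed identity enabled and that the Az.Accounts, Az.Resources and Az.LogicApp modules are installed. The role is scoped to the workspace rather than the whole subscription, which is the least-privilege form of the "subscription permissions" the answer refers to.

```powershell
# Added example, not from the original Q&A. All names below are placeholders.
$rg        = 'rg-secops'               # assumed resource group
$logicApp  = 'la-sentinel-automation'  # assumed Logic App (Consumption) name
$workspace = 'law-secops'              # assumed Log Analytics workspace name

# 1. The 'Azure Logic Apps' enterprise application from the question. It is a
#    first-party *resource* application: tokens are issued with it as audience,
#    so it carries no permissions of its own and never calls ARM on your behalf.
$firstParty = Get-AzADServicePrincipal -DisplayName 'Azure Logic Apps'
$firstParty | Select-Object DisplayName, AppId, Id

# 2. The identity that actually calls the Azure Resource Manager API for
#    managed-identity connections is the workflow's own system-assigned identity.
$laResource  = Get-AzResource -ResourceGroupName $rg `
                              -ResourceType 'Microsoft.Logic/workflows' `
                              -Name $logicApp
$principalId = $laResource.Identity.PrincipalId
if (-not $principalId) {
    throw "Logic App '$logicApp' has no system-assigned identity; enable it first."
}
Get-AzADServicePrincipal -ObjectId $principalId |
    Select-Object DisplayName, ServicePrincipalType, Id

# 3. Grant that identity a role at the narrowest useful scope: the workspace,
#    not the subscription. Idempotent: skip if the assignment already exists.
$ws = Get-AzResource -ResourceGroupName $rg `
                     -ResourceType 'Microsoft.OperationalInsights/workspaces' `
                     -Name $workspace
$role = 'Log Analytics Reader'
$existing = Get-AzRoleAssignment -ObjectId $principalId `
                                 -Scope $ws.ResourceId `
                                 -RoleDefinitionName $role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId `
                         -RoleDefinitionName $role `
                         -Scope $ws.ResourceId
}

# 4. Verify what the workflow identity can reach. Anything broader than the
#    workspace scope here is a finding worth reviewing.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope

# 5. In the workflow definition, an HTTP action against ARM then authenticates as
#    this identity (application/self permission), with no delegated user token.
#    Assumed action definition for illustration:
$httpActionAuth = @'
"authentication": {
  "type": "ManagedServiceIdentity",
  "audience": "https://management.azure.com/"
}
'@
Write-Output $httpActionAuth
```

Run it in an authenticated Az session (`Connect-AzAccount`) with rights to read Entra ID service principals and create role assignments on the workspace. Step 1 should return the first-party application with an empty role picture, while step 4 should list only the role you assigned; if the identity turns out to hold Contributor or Owner at subscription scope, that is the over-permissioning the connector does not need.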
