Managed Identities in Logic Apps to access Microsoft Graph

In this post I’m going through the steps to configure Logic Apps to use Managed Identities to access SharePoint sites using Microsoft Graph.

Managed Identities

Within Azure you will see Managed Identities popping up in various places. You can find them in Azure Runbooks within Azure Automation, where they are often used to run PowerShell, and they also exist within Azure Logic Apps.

If you wanted a Logic App to get 10 sites from SharePoint using Microsoft Graph and used the client ID/secret method, you would probably configure an HTTP action like this.

Managed Identities in an HTTP action

However, if you were to use Managed Identities instead, you would get the following configuration.

HTTP GetSites MI

So one of the big benefits here is that we don’t need to include any secrets or other security information inside the Logic App or Power Automate flow.

Do make sure that you supply the Audience, as you will get the following error if you don’t:

Access token validation failure. Invalid audience
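The two HTTP action configurations above exist as screenshots in the original post; the JSON below is an added example (not the post's own code) showing what those actions look like in the workflow definition, together with a small PowerShell check that flags HTTP actions still carrying a client secret or a managed identity block without an audience. The function name `Test-HttpActionIdentity`, the sample definition and its action names are constructed for illustration; the authentication `type` values (`ActiveDirectoryOAuth`, `ManagedServiceIdentity`) and the `audience` property are the ones Logic Apps uses.

```powershell
# Added example (not from the original post): lint a Logic App workflow
# definition for HTTP actions that do not use a managed identity, or that
# use one but omit the audience (which produces "Invalid audience").
# The function and the sample definition below are constructed for illustration.

function Test-HttpActionIdentity {
    param(
        # Workflow definition as returned by ConvertFrom-Json
        [Parameter(Mandatory)] $Definition,
        # Audience the token must be issued for when calling Microsoft Graph
        [string] $ExpectedAudience = 'https://graph.microsoft.com'
    )

    $findings = @()
    foreach ($prop in $Definition.actions.PSObject.Properties) {
        $name   = $prop.Name
        $action = $prop.Value
        if ($action.type -ne 'Http') { continue }

        $auth = $action.inputs.authentication
        if ($null -eq $auth) {
            $findings += "$name : no authentication block (anonymous call)"
        }
        elseif ($auth.type -ne 'ManagedServiceIdentity') {
            # Client secrets or certificates are stored inside the workflow definition
            $findings += "$name : uses $($auth.type) authentication instead of a managed identity"
        }
        elseif ([string]::IsNullOrEmpty($auth.audience)) {
            # The token is requested for the wrong resource, Graph rejects it
            $findings += "$name : managed identity without audience (expect 'Invalid audience')"
        }
        elseif ($auth.audience.TrimEnd('/') -ne $ExpectedAudience) {
            $findings += "$name : audience '$($auth.audience)' is not $ExpectedAudience"
        }
    }
    return $findings
}

# Constructed sample definition: one action with a client secret (the old way),
# one correct managed identity action, and one managed identity action that
# forgot the audience. Placeholders in angle brackets are not real values.
$sampleDefinition = @'
{
  "actions": {
    "GetSites_ClientSecret": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/sites?search=*&$top=10",
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "tenant": "<tenant-id>",
          "audience": "https://graph.microsoft.com",
          "clientId": "<client-id>",
          "secret": "<client-secret>"
        }
      }
    },
    "GetSites_MI": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/sites?search=*&$top=10",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://graph.microsoft.com"
        }
      }
    },
    "GetSites_MI_NoAudience": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/sites?search=*&$top=10",
        "authentication": {
          "type": "ManagedServiceIdentity"
        }
      }
    }
  }
}
'@ | ConvertFrom-Json

# Reports the client-secret action and the action without an audience;
# GetSites_MI produces no finding.
Test-HttpActionIdentity -Definition $sampleDefinition
```

To run the same check against a deployed workflow, feed the function the `definition` object from the Logic App's ARM template or code view instead of the constructed sample.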

Setup Managed Identities

Well there isn’t much to do here.

In your Logic App configuration you will find the Object ID under the Identities section.

Setup Managed Identities

Take a copy of that ID, because we will need it later to grant permissions to the Enterprise Application for our Logic App.

You can use the above Object ID to find the Enterprise Application. You should find that the Managed Identity has the same name as the Logic App.

Enterprise Applications

So far still nothing to setup.

Setup permissions for Managed Identities

The next step is to give our Managed Identity permissions to read SharePoint files. We have to use PowerShell to do this.

Where in the past we would have added the Sites.ReadWrite.All permission to the app registration, the PowerShell below adds it to the Managed Identity’s Enterprise Application instead.

```powershell
# Object ID of the logic app's managed identity (from the Identities section)
$ObjectId = "4a91ffe7-xxxx-xxxx-xxxx-268f0fe8b2da"

# Microsoft Graph application permission to grant
$graphScope = "Sites.ReadWrite.All"

# Sign in with enough rights to create app role assignments
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All

# Service principal of Microsoft Graph (well-known AppId)
$graph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Find the app role (application permission) that matches the scope
$graphAppRole = $graph.AppRoles | Where-Object Value -eq $graphScope

$appRoleAssignment = @{
    "principalId" = $ObjectId          # the managed identity
    "resourceId"  = $graph.Id          # Microsoft Graph
    "appRoleId"   = $graphAppRole.Id   # Sites.ReadWrite.All
}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ObjectId -BodyParameter $appRoleAssignment | Format-List

Disconnect-MgGraph
```

Once the above steps are completed, the Logic App will be able to run the HTTP request and the list of 10 sites is received successfully.
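Because nothing in the Logic App itself shows which Graph permissions its identity holds, it is worth listing the app role assignments after the grant (and periodically afterwards) so that an over-broad permission, such as ReadWrite where the flow only reads, is noticed. The script below is an added example, not part of the original post; it uses the same Microsoft.Graph module as the post and assumes a sign-in with the Application.Read.All scope, which is sufficient to read a service principal's app role assignments. The placeholder Object ID must be replaced with the managed identity's Object ID from the Identities section.

```powershell
# Added example (not from the original post): list the Microsoft Graph
# application permissions a logic app's managed identity actually holds.
# Replace the placeholder with the Object ID from the Identities section.
$ObjectId = "<managed-identity-object-id>"

# Read-only scope: enough to list app role assignments, not to change them
Connect-MgGraph -Scopes Application.Read.All

# Service principal of Microsoft Graph (well-known AppId)
$graph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Resolve every assignment on the managed identity to its permission name
function Get-GraphPermissionsForIdentity {
    param([Parameter(Mandatory)] [string] $ServicePrincipalId)

    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId |
        Where-Object ResourceId -eq $graph.Id |
        ForEach-Object {
            # AppRoleId is only a GUID; look up the matching role on Graph's SP
            $role = $graph.AppRoles | Where-Object Id -eq $_.AppRoleId
            [pscustomobject]@{
                Permission  = $role.Value
                Description = $role.DisplayName
                AssignedOn  = $_.CreatedDateTime
            }
        }
}

# Permissions the logic app is expected to have (constructed expectation)
$expected = @("Sites.ReadWrite.All")

$granted = Get-GraphPermissionsForIdentity -ServicePrincipalId $ObjectId
$granted | Format-Table -AutoSize

# Anything granted beyond the expected list deserves a review
$unexpected = $granted | Where-Object { $_.Permission -notin $expected }
if ($unexpected) {
    Write-Warning "Unexpected Graph permissions on $ObjectId : $($unexpected.Permission -join ', ')"
}

Disconnect-MgGraph
```

Run this from the same account used for the grant; if the Sites.ReadWrite.All row is missing, the assignment failed or was made against a different service principal than the Logic App's identity.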
