Power Community

Managed Identities in Logic Apps to access Microsoft Graph

In this post I’m going through the steps to configure Logic Apps to use Managed Identities to access SharePoint sites through Microsoft Graph.

Managed Identities

Within Azure you will see Managed Identities popping up in various places. You can find them in Runbooks within Azure Automation, where they are often used to run PowerShell, and they also exist within Azure Logic Apps.

If you wanted to configure a Logic App to get 10 sites from SharePoint using Microsoft Graph with a client ID and secret, you would probably configure an HTTP request like this:

Managed Identities in an HTTP action

However, if you were to use Managed Identities you would get the following configuration.

Image 15: the HTTP action configured with Managed Identity authentication

So one of the big benefits here is that we don’t need to include any security information (client ID or secret) inside the Logic App or Power Automate flow.

Do make sure that you supply the Audience, as you would get the following error if you don’t:

Access token validation failure. Invalid audience
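As an added example (not from the original post), here is what the two HTTP action configurations above look like in the Logic App’s workflow definition code view: the client-secret form, with the secret sitting inside the definition, beside the Managed Identity form, which carries only the audience. The Graph sites query URI is assumed for illustration; tenant, client ID and secret values are placeholders; the audience https://graph.microsoft.com is the value whose absence produces the Invalid audience error.

```json
{
  "actions": {
    "Get_sites_with_client_secret": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/sites?search=*&$top=10",
        "authentication": {
          "type": "ActiveDirectoryOAuth",
          "authority": "https://login.microsoftonline.com",
          "tenant": "<tenant-id-placeholder>",
          "audience": "https://graph.microsoft.com",
          "clientId": "<app-registration-client-id-placeholder>",
          "secret": "<client-secret-placeholder>"
        }
      },
      "runAfter": {}
    },
    "Get_sites_with_managed_identity": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/sites?search=*&$top=10",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://graph.microsoft.com"
        }
      },
      "runAfter": {}
    }
  }
}
```

In the first action the secret is part of the workflow definition and must be stored, rotated and protected; in the second there is nothing to leak, because the platform obtains the token for the Logic App’s own identity.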

Setup Managed Identities

Well there isn’t much to do here.

In your Logic App configuration you will find the Object ID under the Identities section.

Image 16: the Object ID shown under the Logic App’s Identities section

Take a copy of that ID, because we will need it later to assign permissions to the Enterprise Application for our Logic App.

You can use the above Object ID to find the Enterprise Application. You should find that the Managed Identity has the same name as the Logic App.

Image 17: the Enterprise Application for the Logic App’s Managed Identity

So far still nothing to setup.

Setup permissions for Managed Identities

The next step is to give our Managed Identity permissions to read SharePoint files. We have to use PowerShell to do this.

Where in the past we would have added the Sites.ReadWrite.All scope to the app registration, our PowerShell now adds this app role to our Managed Identity’s Enterprise Application.

```powershell
# Object ID of the Logic App's system-assigned Managed Identity (from the Identities section)
$ObjectId   = "4a91ffe7-xxxx-xxxx-xxxx-268f0fe8b2da"
# Microsoft Graph application permission to grant
$graphScope = "Sites.ReadWrite.All"

# Sign in with the delegated scope needed to grant app roles
Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All

# Well-known AppId of the Microsoft Graph service principal
$graph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
# Find the app role whose Value matches the permission we want
$graphAppRole = $graph.AppRoles | Where-Object Value -eq $graphScope

$appRoleAssignment = @{
    "principalId" = $ObjectId          # the Managed Identity receiving the role
    "resourceId"  = $graph.Id          # the Graph service principal that exposes the role
    "appRoleId"   = $graphAppRole.Id   # the Sites.ReadWrite.All app role
}
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ObjectId -BodyParameter $appRoleAssignment | Format-List
Disconnect-MgGraph
```

Once the above steps are completed, the Logic App will be able to run the HTTP request and the list of 10 sites is received successfully.

This post was originally published on this site
